Microsoft slashes Windows XP custom support prices just days before axing public patches

Reduces after-retirement support costs for large enterprises as much as 95%

Just days before Microsoft retired Windows XP from public support, the company drastically reduced the price of custom support agreements that give large companies and government agencies another year of XP patches, experts reported today.

"I believe that Microsoft changed prices because it decided that not enough customers were enrolling in the program, and it was apprehensive of the ramifications of any Windows XP vulnerabilities," said Daryl Ullman, co-founder and managing director of the Emerset Consulting Group, a firm that specializes in helping companies negotiate software licensing deals.

At Ullman's recommendation, one Emerset client had spurned a $2 million deal two weeks ago to provide 10,000 XP PCs with custom support. But Microsoft came back days later with a price of just $250,000. Ullman advised his client to jump at what he called "an insurance policy," and the firm signed on the dotted line.

Others told Computerworld of similar deals Microsoft offered at the last minute to get customers to commit to another year of patches.

Custom support agreements, or CSAs, provide critical security updates for an operating system that's been officially retired, as Windows XP was April 8. CSAs are negotiated on a company-by-company basis and also require that an organization have adopted a top-tier support plan, dubbed Premier Support, offered by Microsoft.

The CSA failsafe lets companies pay for security patches beyond the normal support lifespan while they finish their migrations to Windows 7.

Windows XP's retirement was major news last week, and not only in the technology press, because the nearly-13-year-old OS still powers almost 28% of the world's personal computers. With the patch spigot turned off, many security experts, including Microsoft's, believe that cyber criminals will have a field day hacking XP PCs.

Although Microsoft has been beating the dump-XP drum for years, it has had mixed results getting everyone off the aged operating system. Most attribute Windows XP's stubbornness to a combination of budgetary issues, the stability and familiarity of XP, the poor reception of Windows 8, and sheer inertia.

The turn-about on CSAs was a marked change from late 2012 and early 2013, when Microsoft significantly boosted prices by reinstituting a $200 per-device model and setting top-end caps of as much as $5 million.

Michael Silver, an analyst with Gartner, had tracked those price increases last year. Today, he said several Gartner clients had reported massive price breaks in the last two weeks. "Microsoft made it much more affordable, but still priced to encourage companies to migrate," he said.

The new ceiling is $250,000, according to several sources, although the $200-per-device price remained in place.

Like Ullman, Silver attributed Microsoft's discounting to a fear of the backlash that would result if a large customer's PCs were infected with malware after the patch halt. "[A CSA] provides a modicum of protection to organizations and to Microsoft, which likely seeks to avoid public criticism for any Windows XP security breaches," Silver wrote in a note to clients April 8, the same day Microsoft retired the OS.

Sources familiar with Microsoft's position claimed that the company changed its CSA pricing tune after chief operating officer Kevin Turner returned to Redmond at the beginning of the month from a swing through the sales force, where he got an earful about customers with thousands of XP machines and no chance of making the migration deadline. The decision to drop prices was made shortly after that.

Ullman and Silver corroborated the timeline, saying they began hearing about the price reductions around the first of the month.

Microsoft's decision was the right one, said Ullman.

"This was an enormous change," Ullman said. "It shows a change in the way they look at their customers and might be part of a fresh atmosphere at Microsoft. I don't think it was about a change of heart about pricing, but instead Microsoft being a responsible software provider, stepping up to be responsible, realizing that there were all kinds of reasons why companies haven't upgraded XP, and providing a solution for a product that's there, that's reliable."

Microsoft has made several other moves of late -- all after Satya Nadella was appointed CEO to replace Steve Ballmer -- that signal a different attitude than, say, even three years ago, including shipping a touch-first Office for the iPad before one was ready for Windows 8.1.

"[The earlier CSA pricing] was a bad call," Ullman continued. "But someone said, 'This is wrong and we need to step up and be reasonable.' I see this as Microsoft helping customers migrate at their own pace."

Silver was less impressed. "What people wanted was longer support for Windows XP," he said in an interview. "But there was no way that Microsoft was going to blink on that. There was no way they were going to change the [support retirement] date. So the only thing they could do was lower the price. That way they wouldn't anger too many existing customers who had spent the time and money migrating from XP."

Still, Silver also noted that the winds had shifted in Redmond. "They wouldn't have moved this fast earlier," he said.

Because Microsoft adjusted the cap, not the $200 per-device pricing, the lower prices will benefit larger organizations. Ullman said that the new CSA minimums were 750 PCs, with a minimum payment of $150,000 for a year's worth of support.

Gartner advised companies that had already signed a CSA to go back to Microsoft and ask for a review and renegotiation of their current contract pricing and terms.

Under Microsoft's rules, companies can sign a CSA at any time -- there is no deadline, something Ullman said was very unusual for Microsoft -- and have immediate access to all the critical security updates that have been released since April 8. Payment for the first year of fixes, however, is retroactive, meaning that if two organizations sign a CSA, one today, another in December, the span covered will be from April 8, 2014, to April 8, 2015, for both.

The general public cannot obtain the same critical XP security updates which will be provided to the large companies and other organizations that negotiate a CSA with Microsoft.

Instead, Microsoft has encouraged consumers and very small businesses still running Windows XP to upgrade their hardware to Windows 8.1 or purchase new PCs with that OS, an appeal that has been characterized by some as deaf to reality.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
