Unsupported Software and Cyber Essentials: What to Do When You Can't Update

Unsupported software is an automatic fail, not a "we'll flag it and move on" situation. Not something an assessor can overlook because everything else looks good. If a device in your scope runs software that no longer gets security patches from the vendor, that device fails the patch management control and it takes the whole assessment with it.
The logic behind this isn't complicated at all. When software hits end of life, the vendor stops fixing vulnerabilities. A new flaw gets discovered (and they always do), and there's no patch coming. The 14-day patching window that Danzell requires becomes meaningless because there's nothing to apply. Your only options are to remove the software, replace it, or get the device out of scope entirely.
Windows 10 end of life in October 2025 is going to be the biggest single source of CE failures next year. Half the devices I see during audits are still running it, and that's not an exaggeration. I've done the maths on my last 40 assessments and it's genuinely around half.
This article covers what actually counts as unsupported, what your options are when you can't just hit "update", and how to handle it when assessment day arrives.
What counts as unsupported?
Software is unsupported when the vendor stops releasing security patches for it, and that's the only criterion. Doesn't matter if the software still works perfectly well on your machine. Doesn't matter if you've been using it for fifteen years without a problem. If a vulnerability turns up and the vendor won't fix it, that software is unsupported for CE purposes.
Here's what that looks like in practice.
Operating systems past end of life:
- Windows 8.1 (ended January 2023)
- Windows 7 (ended January 2020, extended security ended January 2023)
- Windows Server 2012 R2 (ended October 2023, extended security available for a fee)
- macOS versions more than three releases behind the current one (Apple doesn't publish firm end-of-life dates, but they typically stop security updates after three major versions)
- Old Linux distributions past their support window
Windows 10 is the one everyone should be thinking about right now. Microsoft ends mainstream support on 14 October 2025. After that, no free security patches. Microsoft does offer Extended Security Updates for a fee, and whether paid ESU counts as "supported" for CE is still a grey area. I'd recommend talking to your assessor about it before relying on that route. The safest path is straightforward: upgrade to Windows 11 before your assessment.
The hardware problem is real though, because Windows 11 needs TPM 2.0, and a lot of machines that run Windows 10 perfectly well don't have it. So for some businesses, "upgrade to Windows 11" actually means "buy new computers". That's a budget conversation, not a technical one.
Applications past end of life:
- Old versions of Microsoft Office (Office 2016 and earlier are approaching or past end of life)
- Java versions that Oracle no longer patches
- Adobe Flash (ended December 2020, and if you've still got it installed, we need to talk)
- Browser extensions whose developer has walked away from them
- Any application where the vendor's own website says "this version is no longer supported"
Firmware past end of life (in line with the December 2024 assurance advisory):
- Routers and firewalls where the manufacturer has stopped releasing firmware updates
- Network equipment from vendors that have gone out of business
Firmware is the one people consistently forget. Your firewall might be working fine, sitting in a rack, doing its job. But if the manufacturer stopped pushing updates two years ago, it's unsupported. I've seen businesses fail solely because of a firewall that nobody thought to check.
Why this matters beyond the certificate
The CE requirement against unsupported software isn't a bureaucratic box. It maps directly to how attacks actually work.
When a vulnerability is found in software that's past end of life, it stays open permanently, and attackers know this. Exploit kits specifically target end-of-life software because the vulnerabilities never get fixed, making it a permanent, known opening into your systems rather than a theoretical risk.
WannaCry in 2017 cost the NHS GBP 92 million. The vulnerability it exploited had a patch available for supported Windows versions. Unsupported systems had no fix at all. That's the difference between "our patching process caught it" and "we had no patch to apply."
I don't bring up WannaCry to scare anyone. I bring it up because it's the clearest example of what happens when unsupported software meets a real attack. The supported systems got patched, and the unsupported ones got hit.
What to do when you find unsupported software
Not every situation has the same fix. Some are ten-minute jobs and others are six-month projects. The important thing is knowing which is which before your assessment is three weeks away.
Update to a supported version
The quickest route, when it's available, is straightforward: Windows 10 to Windows 11, an old version of Office to Microsoft 365, Java 8 to the current supported release.
But don't just push it out across your estate without testing. I've seen businesses upgrade Office only to discover that a legacy macro their accounts team has relied on for a decade doesn't work in the new version. Check compatibility first, test on one machine, then roll it out.
Replace the software entirely
Sometimes the application itself is dead because the vendor's gone out of business, or the product got abandoned and nobody's maintaining it.
Finding a replacement takes time. For off-the-shelf tools it might take a week; for a line-of-business application that your operations depend on, it could take months. This is the scenario that catches people, because nobody thinks about it until their assessment is booked.
If you've got anything that falls into this category, start looking now rather than waiting until next quarter.
Just remove it
This one's simpler than people usually expect. Old browser extensions, plugins that were installed for a specific project three years ago, applications that nobody's opened since 2022. If it's not being used, uninstall it.
I'd estimate that about a third of the unsupported software I spot during assessments falls into this category: things people forgot were even installed. Removing unnecessary software also helps with the secure configuration control, so it's doing double duty.
Isolate the device
Here's where it gets more complicated though. If the unsupported software is business-critical and you genuinely can't update or replace it right now, you might be able to remove the device from your CE scope by isolating it from the network.
"Isolated" means properly isolated: no internet access, no connection to your corporate network, and no access to organisational data through the device. If it's air-gapped or sitting on a completely separate network segment with no route to your in-scope systems, it can be excluded.
But the isolation has to be real, not just a policy document. If the device is plugged into the same switch as everything else, an assessor won't accept it as out of scope. I don't care what the documentation says. Under Danzell, any partial scope exclusion requires documented justification, and I've seen assessors push back hard on weak justifications.
Paid extended support
Some vendors offer extended support programmes that keep security patches coming past the standard end-of-life date. Microsoft's ESU for Windows is the most common example.
If you're paying for extended security updates and the vendor is still releasing patches, the software is arguably still "supported" for CE purposes. But "arguably" is doing a lot of work in that sentence. The CE requirements don't specifically address paid extended support. Talk to your assessor before you rely on it.
My view is that paid ESU is a stopgap. It gives you another year or two, but the price goes up every year and the end result is the same. You'll still need to upgrade eventually because it's buying time, not solving the problem.
Common scenarios I see during assessments
The one machine running an old OS for a specific application
This is probably the most common unsupported software scenario I encounter. A specialist application, maybe accounting software or a design tool or a manufacturing control system, only runs on an older operating system. The vendor never updated it for a modern OS.
The virtualisation route is the most popular fix here. Run the old OS in a virtual machine on a supported host. The VM can be isolated from the network while the host stays in scope and compliant. It works, but I'll be honest: it's a band-aid because you're buying time rather than solving the underlying problem, and the application still needs replacing eventually.
If the machine doesn't actually need network access (and plenty of these don't), just take it off the network and document the isolation, which is often the cleaner answer.
Browser extensions nobody knows about
This one catches people by surprise every time. A user installed a browser extension two years ago for a specific task, and it's still sitting there because the developer hasn't updated it since. It shows up during the assessment and nobody in the room even knew it existed.
Check every browser on every in-scope device, including Chrome, Edge, Firefox, and whatever else your team uses. Look for extensions that haven't been updated in over a year. Most can be removed with no impact at all. If something is genuinely needed for work, find an actively maintained alternative.
I'd strongly suggest locking down browser extension installation through group policy. Let people request extensions through IT rather than installing whatever they find in the Chrome Web Store. That prevents the problem from coming back after you've cleaned it up.
The firewall that nobody checked
A business contacted me last year because they'd failed an assessment, even though everything else was fine. Patching was on schedule, MFA was enabled, user access was properly controlled. They'd failed because their firewall firmware hadn't been updated in three years. The manufacturer had discontinued the product line.
The fix was a new firewall, not cheap but not optional either. An unpatched firewall sitting between your network and the internet is a serious vulnerability. It's the one device you absolutely cannot afford to have unsupported.
If your firewall is more than five years old, check whether the manufacturer is still releasing updates for your specific model. Don't just check the brand, check the exact model number.
Windows 10 across your entire estate
This is the big one for 2025 and 2026, because Microsoft ends support in October 2025. If your assessment falls after that date and your machines are still running Windows 10, you've got a problem.
Start by checking hardware compatibility, since Windows 11 requires TPM 2.0, Secure Boot, and a compatible processor. Run Microsoft's PC Health Check tool across your estate to see which machines can upgrade and which can't.
For the machines that can upgrade, plan the rollout. Don't leave it until the month before your assessment. Upgrades go wrong sometimes, applications break, and drivers don't work, so give yourself a buffer.
For the machines that can't upgrade, you're looking at hardware replacement. That's a cost that needs to go in front of whoever controls the budget, and it needs to go there soon. I've already had conversations with businesses who are planning to skip their 2025 assessment entirely because they can't afford to replace 50 machines. That's not a good position to be in, because if they need CE for a contract, they've just lost it.
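A per-device readiness check for the Windows 10 to Windows 11 step, as an added example rather than the article's or Microsoft's own code. It covers the TPM 2.0 and Secure Boot requirements named above using the Get-Tpm, Win32_Tpm and Confirm-SecureBootUEFI cmdlets and classes that ship with Windows; the processor requirement is not checked here and still needs PC Health Check or Microsoft's published list, and the function name and verdict strings are my own.

```powershell
# Added example: run in an elevated PowerShell session on each in-scope Windows 10 machine.
# Function name and verdict wording are assumptions for this example, not Microsoft's.
function Test-Windows11Readiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Win32_Tpm.SpecVersion reads e.g. "2.0, 0, 1.59"; the first field is the
    # specification family, which Windows 11 requires to be 2.0.
    $tpmInfo = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec  = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmActivated)

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, which rules out
    # Windows 11 just as a disabled Secure Boot does, so treat a throw as "off".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $isWindows10       = $os.Caption -like '*Windows 10*'
    $win10EndOfSupport = [datetime]'2025-10-14'   # end-of-support date stated in the article
    $daysLeft = if ($isWindows10) { ($win10EndOfSupport - (Get-Date).Date).Days } else { $null }

    $verdict = if ($os.Caption -like '*Windows 11*') { 'OK - already on Windows 11' }
               elseif ($tpmSpec -eq '2.0' -and $tpmReady -and $secureBoot) { 'Upgrade in place' }
               else { 'Replace hardware (or enable TPM 2.0 / Secure Boot in firmware first)' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        OS                = $os.Caption
        Build             = $os.BuildNumber
        TpmSpec           = $tpmSpec
        TpmReady          = $tpmReady
        SecureBoot        = $secureBoot
        DaysUntilWin10EoL = $daysLeft
        Verdict           = $verdict
    }
}

# Collect the objects from every device (e.g. via Export-Csv) so the "Replace hardware"
# rows can go straight into the budget conversation the article describes.
Test-Windows11Readiness | Format-List
```

A machine reporting TpmSpec 1.2 or SecureBoot False is worth a firmware settings check before it is written off, since some hardware ships with TPM 2.0 or Secure Boot disabled rather than absent.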
Tracking software support dates
Knowing when software becomes unsupported is half the battle, and vendors don't always make it obvious.
Microsoft is the easiest. They publish end-of-life dates on their lifecycle page years in advance. Windows, Office, Server products, everything has a published date. Bookmark it and check it quarterly.
Apple is harder. They don't publish official end-of-life dates for macOS. The pattern is roughly three major versions: when macOS 16 launches, expect macOS 13 to stop getting security updates. But Apple doesn't guarantee this, and they sometimes patch older versions for genuinely critical issues. The practical test is simple. Look at the last security update Apple released. If your macOS version wasn't included, treat it as unsupported.
Linux distributions are usually clear. Ubuntu LTS gets five years of standard support. CentOS, Debian, and others all publish their lifecycle dates. Check your distribution's support page.
Third-party applications are the hardest to track by a long way. The vendor's website is your starting point. If you can't find a support lifecycle page, email them and ask directly: "Does this version still receive security patches?" If they can't give you a straight answer, assume it doesn't.
My recommendation is a simple spreadsheet listing every piece of software on every in-scope device, with its end-of-life date. Review it every quarter, and when something's within six months of end of life, start planning the replacement. When it's within three months, the migration should already be underway.
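The quarterly review of that spreadsheet, scripted as an added example (not the article's own tooling). It assumes the inventory is exported as CSV with Device, Software and EndOfLife columns (my column names), applies the six-month and three-month thresholds above, and additionally flags anything whose end-of-life date falls before the booked assessment date; the rows shown are constructed sample data.

```powershell
# Added example: classify an inventory CSV against today's date and the assessment date.
# Column names and status strings are assumptions for this example. Sample rows are constructed.
$inventoryCsv = @'
Device,Software,EndOfLife
FINANCE-01,Windows 10 22H2,2025-10-14
FINANCE-01,Office 2016,2025-10-14
DESIGN-03,Windows 11 23H2,2026-11-10
EDGE-FW01,Firewall firmware 4.2,2023-06-30
WS-12,Legacy CAD tool 9.1,
'@

function Get-SupportStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [datetime] $AssessmentDate,
        [datetime] $Today = (Get-Date).Date
    )
    foreach ($row in $Inventory) {
        # No published end-of-life date: per the article, assume unsupported until the vendor confirms.
        if ([string]::IsNullOrWhiteSpace($row.EndOfLife)) {
            $status = 'UNKNOWN - ask the vendor, assume unsupported'
        } else {
            $eol = [datetime]::ParseExact($row.EndOfLife, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
            $status = if ($eol -le $Today)                  { 'FAIL - already unsupported' }
                      elseif ($eol -le $AssessmentDate)     { 'FAIL - unsupported on assessment day' }
                      elseif ($eol -le $Today.AddMonths(3)) { 'Migration should be underway' }
                      elseif ($eol -le $Today.AddMonths(6)) { 'Start planning replacement' }
                      else                                  { 'Supported' }
        }
        [pscustomobject]@{
            Device    = $row.Device
            Software  = $row.Software
            EndOfLife = $row.EndOfLife
            Status    = $status
        }
    }
}

$inventory = $inventoryCsv | ConvertFrom-Csv
# Review run on 1 July 2025 for an assessment booked on 3 November 2025 (constructed dates).
Get-SupportStatus -Inventory $inventory -AssessmentDate ([datetime]'2025-11-03') -Today ([datetime]'2025-07-01') |
    Sort-Object Status | Format-Table -AutoSize
```

In the sample run both FINANCE-01 rows come out as "FAIL - unsupported on assessment day" even though they are still supported in July, which is the case a today-only check misses.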
Finding unsupported software before the assessor does
Run an audit across every device in scope. Do it properly, not just a quick glance at the obvious things.
Check operating system versions first to confirm they're still within their supported lifecycle. Then check major applications: Office, browser, PDF reader, Java, any line-of-business software. Go through browser extensions in every browser on every device. Check firmware versions on your firewall, routers, and any network equipment. And don't forget mobile devices if they're in scope. iOS and Android versions go end of life too.
Do this at least four weeks before your assessment date. If you find something unsupported, you'll need time to fix it. Some fixes take an afternoon while others take months. Four weeks gives you enough time for most situations, but if you've got a major OS upgrade ahead of you, four weeks isn't enough and you should start earlier.
The 30-day preparation plan puts this audit in Week 1 for exactly this reason. It's the fix that takes the longest when something comes up.