The developers of Legacy Update, the tool that allows users of older Windows versions to keep downloading updates from Microsoft, recently discovered that users of the tool on Windows 7 were having issues. After doing some debugging they figured out it wasn't DNS, it was an expired Microsoft certificate. This certificate was set to expire on 1 July 2025, and when it did, nobody at Microsoft bothered to correct it until a few days later.
As you can see from <ExpiryDate>, it definitely stopped working because the expiry date lapsed. As seems to happen too often in our industry, apparently nobody set a reminder to make sure it would be updated in advance of the date.
You might notice that it has an <IssuedDate> of 2017-12-01. That’s fairly recent! After digging further, we learned that this already happened once! On the 4th of that month, Bleeping Computer covered an error Windows 7 users were receiving when checking for updates. That error is 80248015 – pretty familiar, right? Microsoft allowed this file to expire, not on the 1st but rather on the 4th (more specifically, 35 seconds before midnight in US Pacific time, or 8:00 PM UTC), and did not manage to upload a new file until the 6th at 10:02 AM Pacific (6:02 PM UTC). This left Microsoft Update broken for 3 days.
↫ Adam Demasi
Microsoft moved the expiry date up to 2033, thereby fixing the problem. Legacy Update’s developer Adam Demasi expected that once 2033 comes around, Legacy Update will probably have to add Windows 7 to the proxy server that it’s already using for older versions, as improvements in TLS and ciphers will probably lock Windows 7 out of Windows Update definitively.
But hey, 2033 is decades away. Right?
Windows 7 stopped getting updates over 5 years ago. Even the ESU program ended over 2 years ago.
If you are running a Windows 7 machine, I would think that all the updates have already been applied.
I mean, if you set up a “new” machine with Windows 7, Legacy Update will help you bring it as up-to-date as it is going to get. But, for installing new instances, wouldn’t it just be easier to create an install disk that already has all the updates applied?
I guess I am surprised that people are still relying on this service.
Someone needs to make a guide on how to create a Windows 7 ISO with all the updates baked in. Without having to download files from non-Microsoft servers, of course.
Torrents to the rescue…
There are various iso images available for download which include win7 plus the last available updates, as there are for earlier versions too.
At this point, people who build retro systems (VM and physical) should cut their losses and publish easy-to-follow guides on how to set up WSUS and where to download the necessary KBs from, so no dependence on the Windows Update service exists.
I think anyone wanting to use Windows 7, for either work or play, should be using it on an airgapped system, with data transferring via Sneakernet from a patched and supported computer. If this practice is followed, there should at least be less need for an up-to-date patched system.
Windows Updates also have bugfixes, not just security fixes.
Feature updates as well – there were a few major platform updates released in 7’s lifetime. Parts of DirectX 12 were backported, and some games require you to install that first.
Legacy Update still uses the Microsoft servers for the time being because they still work on Windows 7/8. When they don’t any more, we’ll switch over to our server. Basically, our policy is to keep using official things wherever we can, because you might trust Legacy Update, but I’m sure you trust Microsoft a lot more.
We were going to switch Win 7/8 users over to our server as a fix, but we expected an official fix would still come, so we held off and indeed it was the right move.
kirb,
Adding link: https://legacyupdate.net/
Is your main worry (for the future) that Windows 7/8 will no longer be able to access the files because the update server becomes incompatible? Or is it that Microsoft will remove the updates on their end? If it’s the latter, then obviously there’s no choice but to host it elsewhere. But if it’s the former, a local proxy service running on the user’s machine may be able to bridge the incompatibility regardless of what caused the incompatibility.
MS made the recent announcement that older driver updates would no longer be available through WU. I wonder what this means for how much longer Win 7/8 compatible updates will be available through their servers. It seems like these will eventually disappear, along with the activation servers.
I think we even spoke under the recent OSNews post about that!
We currently depend on proxying to Microsoft via us on 2000/XP/Vista, only making very minor fixes and collecting useful data (usage stats, error reports, passive discovery of data to archive), but the goal is to run fully independent of them. WSUS is a cranky beast with a lot of problems (and I don’t like Windows as a server!), so I’ve been slowly picking away at building a replacement we can open source. A later goal will be to add the WSUS sync protocol so you can run your own.
I do have a private ~4.5TB archive of most updates (all of them from WSUS, and many others we discovered via LU stats) and we’re about to do a 6.5TB archive of drivers. It’s only private because exposing 11TB to the internet is going to be expensive (AI bots will have a field day on it) and will likely be slower than Microsoft’s CDN for most users. We’ll find a way to do it carefully when the time comes. Running WSUS does get you most of the way to the same thing, but there are updates it doesn’t have since its target audience is enterprise rather than retail users (and same vice versa).
We don’t expect files to be deleted, at least not until either 2033 (when this Windows 7 file was renewed to) or 2035 (when Server 2025 is EOL). But we’re prepared if it does sneak up on us.