Every dealership has “that one computer.”
The scan station that’s been there since the last remodel. The lane PC that runs a label printer. The parts counter machine that “only does invoices.” The recon office box that “can’t be touched” because it runs one critical program.
Most of the time these aren’t bad machines. They’re just old. And when the operating system is unsupported, that old box becomes one of the easiest ways for attackers to get in and one of the fastest ways to fail a cyber insurance or compliance conversation.
This post is a practical, fixed-ops-friendly playbook for what to do next.
Note: This is general information, not legal advice. Your specific requirements may vary based on your environment, vendors, and insurance terms.
Why unsupported OS is a big deal in dealerships
When an operating system is end-of-life (EOL) or end-of-support (EOS), it stops receiving security updates. That means:
- Known vulnerabilities stay open
- New vulnerabilities never get patched
- Security tools may stop working properly
- Underwriters and auditors treat it as a red flag
In dealership terms, it’s like leaving a service bay door unlatched because “nobody uses that one.” If someone wants in, they will pick the easiest entry point.
Where these old machines hide (fixed ops edition)
Unsupported OS risk typically shows up in:
- Scan stations (contracts, deal docs, repair orders, IDs)
- Service lane workstations shared across advisors
- Parts counter PCs tied to printers or scanning devices
- Shipping and receiving machines
- Shop floor PCs used for training, wiring diagrams, or vendor portals
- Old kiosks or “guest” PCs
- The computer attached to a copier or scanner workflow
The problem is not only the machine. It’s what it touches:
- Email access
- Shared drives
- Printer/copier storage
- DMS access
- Vendor portals
- Customer information in PDFs
The dealership trap: “If we replace it, the workflow breaks”
This is the most common reason old PCs stick around. The store is worried about:
- Losing the scan workflow everyone uses
- Breaking a legacy printer driver
- Losing a small app that only runs on the old OS
- Creating downtime in the service lane
That concern is valid. The solution is not “rip and replace tomorrow.” The solution is a controlled plan that reduces risk immediately while protecting the workflow.
Step 1: Identify and label unsupported OS machines
You can’t manage what you can’t see.
Minimum inventory fields to capture:
- Device name and location (Service Lane 2, Scan Station by F&I, Parts Counter)
- OS version (and whether it’s supported)
- Primary function (scan, print, RO write-up, vendor portal)
- Who uses it (service advisors, cashier, BDC)
- What systems it connects to (DMS, email, file shares, vendors)
- Whether it stores customer info locally
GM tip: Ask for this as a one-page list. Not a spreadsheet masterpiece. A list you can act on.
Step 2: Decide which of the three paths each device belongs to
Every old scan station or lane PC fits into one of these buckets:
Path A: Replace now (best option when possible)
Replace when:
- It touches customer data
- It has email access
- It logs into DMS/CRM
- It’s used by multiple people (shared workstation)
- It’s internet-facing for vendor portals
If it’s in the service lane and it touches customer info, replacing it is usually cheaper than dealing with an incident later.
Path B: Isolate and contain (when replacement takes time)
If you can’t replace immediately, reduce blast radius fast:
- Remove email access
- Block web browsing except approved sites (allowlist)
- Remove local admin rights
- Lock down USB usage
- Disable SMB file sharing where possible
- Segment it on the network (separate VLAN or firewall rules)
- Limit it to only the server or device it must talk to
This is the “keep the workflow, reduce the risk” approach.
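One way to confirm the Path B controls are holding is to review what the firewall actually allowed from the contained device. The sketch below is an added example, not part of the original post; the CSV log layout, IP addresses, hostnames and the policy values are all constructed assumptions.

```python
# Added example: audit flow-log records for a contained legacy PC.
# The CSV layout, addresses and hostnames are constructed for illustration.
import csv
import io

EMAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
SMB_PORTS = {139, 445}
WEB_PORTS = {80, 443}

POLICY = {  # hypothetical containment policy for one device
    "src": "10.20.30.15",                     # legacy scan station
    "allowed": {("10.20.1.10", 9100)},        # the one printer it must reach
    "web_allowlist": {"portal.vendor.example"},
}

SAMPLE_LOG = """\
src,dst,dst_host,dst_port,action
10.20.30.15,10.20.1.10,,9100,allow
10.20.30.15,198.51.100.7,portal.vendor.example,443,allow
10.20.30.15,203.0.113.25,mail.example.net,587,allow
10.20.30.15,10.20.5.40,,445,allow
10.20.30.15,203.0.113.80,news.example.org,443,allow
10.20.30.15,10.20.5.41,,3389,deny
10.20.40.22,10.20.5.40,,445,allow
"""

def audit(log_text, policy):
    """Return (dst, port, reason) for allowed flows that break containment."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] != policy["src"] or row["action"] != "allow":
            continue  # other devices, or traffic the firewall already blocked
        port = int(row["dst_port"])
        if (row["dst"], port) in policy["allowed"]:
            continue  # the server or device it must talk to
        if port in WEB_PORTS and row["dst_host"] in policy["web_allowlist"]:
            continue  # approved site
        reason = ("email traffic" if port in EMAIL_PORTS else
                  "SMB file sharing" if port in SMB_PORTS else
                  "web browsing outside allowlist" if port in WEB_PORTS else
                  "destination not in policy")
        findings.append((row["dst"], port, reason))
    return findings

if __name__ == "__main__":
    for dst, port, reason in audit(SAMPLE_LOG, POLICY):
        print(f"{dst}:{port}  {reason}")
```

Any finding means a containment rule is missing or too loose. Webmail over port 443 shows up as web browsing, so the allowlist has to exclude it as well.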
Path C: Virtualize or publish the legacy app (best for one-off legacy software)
If the issue is “this one app only runs on the old OS,” you can often:
- Move the application into a controlled environment (virtual machine)
- Publish the app so the user interacts from a modern PC
- Keep the old OS off the general network
This preserves the legacy dependency without leaving a vulnerable endpoint sitting in the lane.
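The Step 1 inventory can feed the Step 2 decision directly. The sketch below is an added example, not part of the original post. The field names, the sample devices and the order in which the paths are tested (legacy-app dependency first, then replace-now, otherwise contain) are assumptions made for illustration.

```python
# Added example: sort a Step 1 inventory into Path A, B or C.
# Field names and the sample devices are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    os_supported: bool
    touches_customer_data: bool = False
    has_email: bool = False
    logs_into_dms: bool = False
    shared: bool = False
    uses_vendor_portals: bool = False
    legacy_app_only: bool = False    # assumption: app runs only on the old OS
    replacement_ready: bool = False  # assumption: hardware and swap window exist

    def replace_triggers(self):
        """Path A criteria from the post that apply to this device."""
        checks = {"customer data": self.touches_customer_data,
                  "email": self.has_email,
                  "DMS/CRM login": self.logs_into_dms,
                  "shared workstation": self.shared,
                  "vendor portals": self.uses_vendor_portals}
        return [label for label, hit in checks.items() if hit]

def assign_path(d):
    if d.legacy_app_only:
        return "C"  # virtualize or publish the app
    if d.replace_triggers() and d.replacement_ready:
        return "A"  # replace now
    return "B"      # isolate and contain until it can be replaced

def triage(devices):
    """Unsupported devices only, most replace triggers first."""
    rows = [(d.name, assign_path(d), d.replace_triggers())
            for d in devices if not d.os_supported]
    return sorted(rows, key=lambda r: len(r[2]), reverse=True)

INVENTORY = [  # constructed sample
    Device("Scan Station by F&I", False, touches_customer_data=True,
           shared=True, replacement_ready=True),
    Device("Service Lane 2", False, touches_customer_data=True, has_email=True,
           logs_into_dms=True, shared=True),
    Device("Recon office PC", False, legacy_app_only=True),
    Device("Parts Counter", True, logs_into_dms=True),
]

if __name__ == "__main__":
    for name, path, triggers in triage(INVENTORY):
        print(f"Path {path}  {name}: {', '.join(triggers) or 'no triggers'}")
```

A Path B device with a long trigger list is the one to contain first and move to the front of the replacement queue.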
Step 3: Apply dealership-specific hardening for scan stations and lane PCs
These are the highest ROI moves for fixed ops endpoints:
Lock down scanning
Scan stations often become document dumping grounds. Make the destination controlled:
- Scan to a secured repository, not to random desktops
- Avoid scan-to-email for customer docs when possible
- Ensure the scanner/copier itself is secured (admin password, firmware updates)
Kill shared logins
Shared logins on shared PCs are common and dangerous. If you can’t eliminate them quickly:
- Create named logins per role
- Enforce MFA where possible
- Use a simple sign-in process (badge, PIN, or quick user switching) to reduce “we’ll just share it” behavior
Remove local storage of customer documents
Old machines often store PDFs locally without anyone realizing. That’s avoidable risk.
- Redirect document storage to a controlled file share
- Disable saving to local desktop where practical
- Use auto-cleanup scripts for temp folders if needed
Enforce a “no email on the lane PC” rule
Email is the #1 place phishing lands.
If you want the service lane to be safer overnight, remove email access from shared lane devices and keep it to named devices with MFA and monitoring.
Step 4: Build a simple replacement roadmap that doesn’t disrupt the store
Your roadmap should reflect dealership rhythms:
- Replace in batches (not all at once)
- Schedule swaps after-hours or early morning
- Start with highest-risk endpoints (shared lane PCs and scan stations that handle NPI, meaning nonpublic personal information)
- Standardize hardware models and images to reduce future tickets
A practical target:
- Week 1: inventory, isolate the worst offenders
- Weeks 2–6: replace highest-risk endpoints
- Quarter: eliminate unsupported OS entirely or fully contain any unavoidable legacy dependencies
Step 5: Prepare for the questions insurers and auditors will ask
Even if you’re not “doing cyber insurance” right now, these questions come up fast at renewal, after an incident, or during compliance reviews.
Be ready to answer:
- Do you have any unsupported OS devices?
- Where are they located and what do they do?
- What compensating controls are in place (segmentation, allowlisting, no email, limited access)?
- What’s your timeline to replace them?
- How do you prevent those devices from being an entry point?
The best answer is not “no.” The best answer is “yes, a few, and here’s our containment and replacement plan.”
What “good” looks like in a dealership
If you want a clean definition, good looks like this:
- No unsupported OS devices touching customer data
- Any unavoidable legacy device is isolated and tightly restricted
- Scan workflows send docs to secured storage, not desktops
- Lane PCs are standardized, patched, and not used for email
- Replacement is planned around service lane uptime
Unsupported OS Gap Assessment for Fixed Ops
If you’ve got old scan stations or lane PCs and you’re not sure how risky they are, start with a focused assessment.
Book an Unsupported OS Gap Assessment and we’ll:
- identify every unsupported OS device and what it touches
- rank them by risk to customer data and operations
- implement immediate containment controls where needed
- build a replacement plan that protects fixed ops uptime
