Windows XP is not supported by Microsoft, but it's being kept alive by the applications that still run on it and the systems it is embedded in. The OS may be be so laden with patches, fixes and necessary anti-virus/anti-malware that it can barely move, but move it does. Some organizations are using applications that were never updated and can't be used in today's computing world. These apps are rare, but valuable to their users. They are often composed of custom code, so it's almost impossible to update them.
Of course, anything running in the enterprise has to be secured, but how do you secure an antiquated system like Windows XP? Organizations can build a figurative concrete wall around the OS, using firewalls, and AV/AM software with up-to-date virus/malware signatures. However, even with signatures, XP can become easily befuddled. Companies like Symantec still send updated virus definitions, but the quality of the effort, given the current statistical needs of Windows 10, could become entropic.
Still, XP could become a beachhead for sniffing and subsequent mayhem that could affect other production assets within an organization. This is why it's important to understand first and foremost how and where XP is being used. Likely suspects include industrial systems, kiosks, machine control systems and ICS/SCADA infrastructure. Traffic must be monitored to watch for odd traffic from an XP instance, and firewalls around it can provide a protective barrier. XP is fragile, and entropy is its enemy.
There are instances where XP can be virtualized and serve its useful function. VMware’s Horizon View, Citrix Hypervisor and Ericom infrastructure can virtualize an XP instance for viewing in any number of ways. The usefulness of virtualizing an existing instance can be be diminished when there are peripherals that need to be connected to the XP instance, such as data acquisition devices or other specialized hardware (like USB dongles).
Worse is the fact that once XP is transported via various physical-to-virtual products, companies may become nervous and want to have the instance relicensed. Having an available license to use may not be useful (anecdotally, I’ve run into this problem), and Microsoft’s online registration service for XP doesn’t seem to work anymore. And there is no guarantee that if it does actually work, it will keep working.
There are workarounds for even this licensing problem that require changing registry values to a state prior to the P2V stage, then invoking a 30-day cycle through a registry hack, where a valid license code should be insertable into an instance. This has worked for me on two occasions when I’ve been asked to virtualize an older XP instance.
If the hardware survives for the XP instance, using an RDP product like Microsoft’s own RDP, or other keyboard-video-mouse apps, can salvage the use of an instance asset. Products like VNC do this well, and support cross-platform OS access capability. With that said, the RDP protocol has been the target of ongoing attacks, which means XP instances still need additional security firewall and other updates.