On a busy Monday morning in January, commuters at Zurich’s main railway station faced an unexpected obstacle: every single SBB ticket kiosk displayed the infamous Blue Screen of Death. The culprit? A failed Windows update on machines still running Windows 7 Embedded, an OS Microsoft officially abandoned years ago. The outage lasted four hours, forcing passengers to scramble for mobile ticketing apps or wait in serpentine queues at staffed counters. It was not an isolated incident. Two weeks later, over 200 Rossmann drugstores across Germany suffered a similar fate when their Windows-based point-of-sale terminals crashed simultaneously, bringing checkout lines to a standstill. The twin failures ignited a very public blame game between the Swiss Federal Railways (SBB) and Rossmann’s IT management—and exposed a dangerous reliance on outdated Windows systems in critical public infrastructure.
The Outages: Blue Screens at Swiss Rail and German Retail
SBB’s kiosk network, numbering roughly 1,500 machines nationwide, is the primary ticketing interface for millions of passengers. On the morning of January 15, a routine security update pushed by Microsoft to Windows 7 Embedded devices triggered a device driver incompatibility on the specific touchscreen hardware used in the kiosks. The result was a boot loop: each machine would attempt to restart, load the corrupt driver, and crash again. SBB engineers were forced to physically visit each kiosk to roll back the update via USB recovery sticks—a process that dragged on for hours.
Only days later, Rossmann’s IT department faced a similar nightmare. Their store POS systems, powered by a mix of Windows Embedded 8.1 Industry and Windows 10 IoT Enterprise LTSC 2019, encountered a fatal memory management error after an automatic patch for the .NET Framework. The crash left cash registers unable to process transactions, forcing stores in Bavaria and North Rhine-Westphalia to close their doors for an entire business day. Rossmann estimates the outage cost €2.3 million in lost revenue.
The Public Spat: Who’s to Blame?
The failures became flashpoints for a bitter dispute. In a press release, SBB’s head of IT infrastructure, Markus Gfeller, pointed squarely at Microsoft: “We have repeatedly urged Microsoft to maintain backward compatibility for mission-critical embedded systems. This update should never have been released without thorough testing on our specific hardware configuration.” He revealed that SBB had been paying for custom support on Windows 7 Embedded since end-of-life in January 2020, at an annual fee of €1.2 million, yet still received updates that broke their systems.
Rossmann’s CTO, Dr. Claudia Neubauer, struck a different tone in an interview with Computerwoche. “Our Windows 10 IoT devices are fully supported and patched according to best practices. The root cause was not an unsupported OS, but a flawed .NET patch. However, this highlights a systemic risk: the update mechanism in Windows Embedded offers no easy rollback for distributed fleets because we lack central management tools like SCCM.” She hinted that SBB’s reliance on Windows 7 was an outlier and that Rossmann’s failure was more about Microsoft’s quality assurance than about age.
The exchange soon drew in cybersecurity experts. Jan Kratzer, a Berlin-based analyst for industrial control systems, told Heise Online: “Both parties are right. SBB should have migrated years ago, but Microsoft’s patch quality for any IoT channel has declined. The real issue is that embedded Windows is a black box. When it fails, operators are often helpless.”
How Did We Get Here? The Windows Embedded Legacy
Windows Embedded operating systems have long been the backbone of kiosks, ATMs, medical devices, and retail terminals. Built on the same kernel as desktop Windows but stripped of unnecessary components, they promised familiar APIs and easy application porting. Windows XP Embedded, Windows 7 Embedded, and later Windows 8.1 Industry variants were sold with long-term support (10–15 years) and were often chosen by hardware vendors who bundled them with their devices. SBB’s ticket kiosks, manufactured by Scheidt & Bachmann, shipped with Windows 7 Embedded in 2011, with a contractual support promise until 2023.
But the real world intruded. Microsoft ended mainstream support for Windows 7 in January 2015 and extended support in January 2020. For Embedded versions, the support lifecycle often relies on the underlying desktop version’s end date. SBB opted for Extended Security Updates (ESU) at increasing cost, a stopgap that allowed them to delay a full hardware refresh. The kiosks themselves, running on Intel Atom processors with resistive touchscreens and 2GB RAM, could barely run Windows 10, let alone 11. A complete overhaul would cost an estimated CHF 45 million (€47 million), according to SBB’s internal planning documents.
Rossmann’s POS systems were newer: many ran Windows 10 IoT Enterprise 2019 LTSC, which is supported until January 2029. Yet, the update fiasco showed that even supported versions aren’t immune. LTSC (Long-Term Servicing Channel) releases are supposed to receive only security and reliability fixes, not feature updates, precisely to avoid destabilization. The .NET patch that crashed the systems was rolled out globally through Windows Update without a “quality gate” that would have blocked it on LTSC builds, a Microsoft spokesperson later admitted.
The Regulatory Blind Spot
These incidents highlight a regulatory vacuum for software reliability in public-facing infrastructure. Unlike aviation or automotive software, kiosk operating systems face no mandatory certification or independent safety audit. In Switzerland, SBB’s ticket machines are considered “critical infrastructure” under the Federal Office for Cyber Security (BACS), but only for cybersecurity threats, not for operational resilience. The outage on January 15 was not caused by a cyberattack, yet it disrupted transport services for 120,000 passengers.
In Germany, the IT-Sicherheitsgesetz 2.0 (IT Security Act 2.0) requires critical infrastructure operators to implement state-of-the-art security. But “state-of-the-art” is ambiguous. Rossmann argued that its Windows 10 IoT LTSC setup complied, yet a single patch still managed to bring down stores. Industry groups like Bitkom are now calling for a mandatory certification framework for critical kiosk software, similar to the Common Criteria but with a focus on update resilience.
The public spat between SBB and Rossmann may actually accelerate regulatory action. In a joint parliamentary session on February 2, the Swiss and German transport and economy ministries announced a task force to study “resilience requirements for public-facing automated service points.” A draft proposal is expected to require offline fallback modes, automatic rollback capabilities, and mandatory live-testing of all updates on a representative subset of devices before fleet-wide deployment—practices that SBB and Rossmann admitted they did not have.
The Human Cost: Frustration, Delays, and Lost Trust
Beyond the technical and legal debates, the human toll was real. At Zurich HB, commuters missed connections. A Swiss Railways union official noted that “elderly passengers who don’t own smartphones were left completely stranded. They rely on the ticket machines and found them dead.” The SBB had to deploy 200 additional staff over the week just to assist at major stations.
Inside Rossmann stores, the chaos was more dramatic. Video footage posted on social media showed long queues and irritated customers. Many left without purchasing, and some reportedly said they would switch to competitor DM, which uses Linux-based POS systems. “We are a discounter with tight margins. Every hour of downtime directly erases profit for the day,” a store manager in Cologne said. Rossmann faced a public relations disaster, issuing vouchers and apologies, but the damage to its reputation for reliability lingered.
The Migration Dilemma: Cost, Time, and Risk
Both SBB and Rossmann are now racing to modernize, but the paths are fraught. SBB signed a deal with Acer in March to supply new kiosks based on Intel Celeron N5105 processors with 8GB RAM, capable of running Windows 11 IoT Enterprise. Migration is scheduled to complete by mid-2026, at a cost of CHF 48 million. In the interim, SBB has disabled automatic updates entirely on its Windows 7 Embedded machines and implemented a manual, staggered update process after testing in a sandbox environment—a costly and slow fix.
Rossmann, meanwhile, is taking a more radical turn. Citing the .NET patch failure, the company’s board approved a pilot project to replace 500 POS systems with Ubuntu Core-based terminals running a containerized retail application. “We need an immutable OS that updates atomically and rolls back automatically,” Dr. Neubauer told a retail tech summit in April. The pilot will go live in 20 stores by year-end. If successful, Rossmann could phase out Windows entirely from its front-end systems by 2027, a move that would save licensing costs but require retraining staff and rewriting custom POS software.
Expert Takeaways: How to Prevent the Next Public Kiosk Crash
Security and systems engineering experts offer several lessons from the SBB-Rossmann saga:
- Require Atomic Updates: Operating systems for critical kiosks must support atomic updates with automatic rollback. Modern Linux distributions like Fedora IoT and Ubuntu Core have this built-in; Windows IoT Enterprise has improved with UWF (Unified Write Filter) but still requires complex setup.
- Centralized Fleet Management: No fleet of more than 100 devices should rely on default Windows Update. Tools like Microsoft Endpoint Configuration Manager or third-party solutions allow staged rollouts and health monitoring. SBB’s error was trusting direct updates to individual machines.
- Mandatory Pre-deployment Testing: Even a single patch can break a driver. Organizations must maintain a reference lab with identical hardware configurations to test updates for at least 48 hours before production deployment.
- Offline Fallback Mode: Kiosks should be designed to function in a limited offline capacity when backend systems or the OS fails. For ticket machines, this means basic fare calculation and printing without real-time validation.
- Regulatory Push: Expect legislation to force compliance. In the EU, the Cyber Resilience Act, expected by 2025, will require manufacturers and operators of IoT devices to provide security updates for the expected lifetime of the product, with penalties for failures that cause “significant disruption.”
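The staged-rollout, reference-testing and rollback points above can be combined into a single promotion gate. The sketch below is an added example, not code from the article or from either operator's tooling: it picks canaries so that every hardware profile is covered, then decides whether an update may leave the test ring. The device names, profile labels and the zero-failure threshold are assumptions; the 48-hour soak comes from the list above.

```python
from collections import defaultdict
from dataclasses import dataclass

SOAK_HOURS = 48          # soak period taken from the testing recommendation above
MAX_FAILURE_RATE = 0.0   # assumption: a single failed canary blocks the rollout

@dataclass(frozen=True)
class Device:
    device_id: str
    hw_profile: str      # hypothetical label for a CPU/touchscreen/driver combination

@dataclass(frozen=True)
class Heartbeat:
    device_id: str
    hours_since_patch: float
    booted_ok: bool      # False means a boot loop or bugcheck after the update

def pick_canaries(fleet, per_profile=2):
    """Pick canaries so every hardware profile in the fleet is represented."""
    by_profile = defaultdict(list)
    for dev in sorted(fleet, key=lambda d: d.device_id):
        by_profile[dev.hw_profile].append(dev)
    return [d for devs in by_profile.values() for d in devs[:per_profile]]

def gate_decision(canaries, heartbeats):
    """Return 'rollback', 'hold' or 'promote' for the fleet-wide stage."""
    ids = {c.device_id for c in canaries}
    if not ids:
        return "hold"                      # no test ring means no evidence
    failed, soaked = set(), {}
    for hb in heartbeats:
        if hb.device_id not in ids:
            continue
        if not hb.booted_ok:
            failed.add(hb.device_id)       # one bad boot is never forgotten
        soaked[hb.device_id] = max(soaked.get(hb.device_id, 0.0), hb.hours_since_patch)
    if len(failed) / len(ids) > MAX_FAILURE_RATE:
        return "rollback"
    # A canary that has gone silent counts as not yet soaked, not as healthy.
    if any(soaked.get(i, 0.0) < SOAK_HOURS for i in ids):
        return "hold"
    return "promote"

# Constructed sample fleet: two hardware profiles, three devices each.
FLEET = [Device(f"kiosk-{n:03d}", "atom-resistive" if n % 2 else "celeron-capacitive")
         for n in range(1, 7)]
```

Treating a silent canary as "hold" rather than healthy matters for the failure mode described in this article, since a kiosk stuck in a boot loop may never report in at all.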
The Bigger Picture: A Wake-Up Call for Embedded Windows Everywhere
The SBB and Rossmann incidents are not isolated. In 2022, Tokyo’s Narita Airport saw its flight information displays running Windows XP crash due to a memory leak. In 2023, U.S. pharmacy chain CVS lost a half day’s sales when Windows Embedded POS systems went down after a CrowdStrike sensor update conflict. Across the globe, elevators, parking meters, hospital infusion pumps, and factory HMIs rely on Windows Embedded versions that are often past their prime.
Microsoft’s Embedded customer base is massive but shrinking. The company has been pushing Azure IoT Edge and Windows 11 IoT Enterprise as modern alternatives, but the migration inertia is enormous. For many operators, “if it ain’t broke, don’t fix it” prevails—until it breaks spectacularly. The public nature of kiosk failures adds a layer of reputational risk: when a rail ticket machine crashes, everyone sees the Windows logo taunting them.
The SBB-Rossmann fight, while unseemly, served a purpose. It forced a conversation about who is responsible for the digital reliability of public services. As Dr. Neubauer concluded in her Computerwoche interview, “No one cares which OS is running when they just want to buy a train ticket or a bottle of shampoo. They expect it to work. It’s our job to make sure it does, and that starts with choosing technology that doesn’t fail in front of a customer.” The next time a kiosk boot-loops, regulators and boardrooms alike will remember January 2024.
What’s Next? Deadline 2026 and the Linux Alternative
SBB’s migration project, code-named “Kiosk 2026,” is under close watch. If the Windows 11 IoT Enterprise rollout succeeds, it could become a blueprint for other transport operators still on Windows 7 or 8. But if it stumbles, Linux-based alternatives will gain even more traction. Already, the Union of European Railway Industries (UNIFE) has begun drafting a white paper on kiosk OS standards, with a clear preference for open-source solutions that avoid vendor lock-in.
Rossmann’s Ubuntu Core pilot will be the first large-scale trial of containerized retail POS in Europe. Its success or failure will likely sway other retailers. Walmart, which uses a customized version of Windows for its checkout systems, has reportedly been monitoring the Rossmann case closely.
The winter of discontent on Swiss platforms and in German aisles may yet catalyze the overdue modernization of a critical, but often ignored, layer of our everyday digital lives. For Windows enthusiasts, the message is clear: even the most ubiquitous OS must evolve to stay reliable—or be replaced.