Blog Post

Windows IT Pro Blog
6 MIN READ

[ARCHIVED] How to get Extended Security Updates for eligible Windows devices

Poornima_Priyadarshini's avatar
Oct 17, 2019

Note:  A new version of this blog post was published on February 11, 2020.


Update 11.26.2019: Windows 7 Extended Security Updates (ESUs) will be available via the Cloud Solution Partner (CSP) program beginning Monday, December 2, 2019. To purchase Windows 7 ESUs through a CSP, please contact a CSP partner. If you are a partner and need details on procuring Windows 7 ESUs through the Partner Center, see Purchasing Windows 7 ESUs as a Cloud Solution Provider.


While many of you are well into your journey of deploying and/or servicing Windows 10, we understand that everyone is at a different point in the upgrade process. If your organization is unable to complete the transition from Windows 7 Pro or Enterprise to Windows 10—or from Windows Server 2008 and 2008 R2 Datacenter, Enterprise, or Standard to the latest version of Windows Server—prior to the end of support on January 14, 2020, we want to help you by ensuring that these devices running these select editions and versions continue to receive security updates while you complete your Windows and Windows Server upgrade projects.

In this blog, we’ll explain how volume license customers can purchase, install, and deploy Extended Security Updates today for eligible Windows 7, Windows Server 2008, and Windows Server 2008R2 devices to ensure those devices stay protected after January 14, 2020. Again, if you are a Windows 7 Pro customer looking to take advantage of paid Extended Security Updates via CSP partners, you will be able to do so once they are available on December 1, 2019. More information on this option will be available in the Windows 7 and Office 2010 End of Support FAQ.

Purchasing Windows 7 ESUs through Volume Licensing

Extended Security Updates are available through specific volume licensing programs. Coverage will be available in three consecutive 12-month increments following Windows 7 end of support on January 14, 2020. Extended Security updates are available for purchase in 12-month increments only, starting January 14, 2020. You cannot buy partial periods (e.g. 6 months).

Eligible customers can use the Azure Hybrid Benefit (available to customers with active Software Assurance or Server Subscriptions) to obtain discounts on the license of Azure virtual machines or Azure SQL Database managed instances. ESUs for select Windows Embedded products are available via your embedded device manufacturer.

Now, let’s walk through how and where to purchase Windows 7 ESU, as well as download the appropriate key from the VLSC.

  1. Visit the Volume Licensing Service Center (https://www.microsoft.com/vlsc) and sign in.
  2. Select Licenses > Relationship Summary > Licensing ID > Product Keys.

Purchasing Windows 7 ESUs through a Cloud Solution Provider (CSP)

To purchase Windows 7 ESUs through a CSP, customers should contact a CSP partner. If you are a partner and need details on procuring Windows 7 ESUs through the Partner Center, see Purchasing Windows 7 ESUs as a Cloud Solution Provider.

Installation prerequisites

The following steps must be completed before installing and activating ESU keys:

  1. Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU:

    Windows 7 SP1 and Windows Server 2008 R2 SP1:
    Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
    and
    SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
    Windows Server 2008 SP2:
    Servicing stack update for Windows Server 2008 SP2: April 9, 2019
    and
    SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019

  2. Install the following SSU and monthly rollup:

    Windows 7 SP1 and Windows Server 2008 R2 SP1:
    Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019 (KB4516655)

    and
    October 8, 2019: Monthly Rollup (KB4519976)

    Windows Server 2008 SP2:
    Servicing stack update for Windows Server 2008 SP2: September 10, 2019 (KB4517134) 
    and
    October 8, 2019: Monthly Rollup (KB4520002)

  3. Once activated,  continue to use your current update and servicing strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS), Microsoft Update Catalog, or whichever patch management solution you prefer.

Installation and activation

Once you have addressed the prerequisites, you’re ready to install and activate Extended Security Updates for machines connected to the internet.

First, install the ESU product key using the Windows Software Licensing Management Tool (slmgr):

Note: Installing the ESU product key will not replace the current OS activation method being used on the device. This is achieved by using the Activation ID to differentiate between the operating system’s activation and the ESU activation.

  1. Open an elevated Command Prompt.
  2. Type slmgr /ipk <ESU key> and select Enter.
  3. If the product key installed successfully, you will see a message similar to the following:

Next, find the ESU Activation ID:

  1. In the elevated Command Prompt, type slmgr /dlv and select Enter.
  2. Note the Activation ID as you will need it in the next step.

Now, you’ll activate the ESU product key:

  1. Open an elevated Command Prompt.
  2. Type slmgr /ato <ESU Activation Id> and press Enter.



    The following table outlines possible values for the <ESU Activation Id>:

    ESU Program 

    ESU SKU (or Activation) ID 

    Windows 7 SP1 (Client)

     

    Year 1 

    77db037b-95c3-48d7-a3ab-a9c6d41093e0 

    Year 2

    0e00c25d-8795-4fb7-9572-3803d91b6880 

    Year 3;

    4220f546-f522-46df-8202-4d07afd26454 

    Windows Server 2008/R2 (Server)

     

    Year 1 

    553673ed-6ddf-419c-a153-b760283472fd 

    Year 2

    04fa0286-fa74-401e-bbe9-fbfbb158010d 

    Year 3

    16c08c85-0c8b-4009-9b2b-f1f7319e45f9 

Once you have activated the ESU product key, you can verify the status at any time by following these steps:

  1. Open an elevated Command Prompt.
  2. Type slmgr /dlv and select Enter.
  3. Verify Licensed Status shows as Licensed for the corresponding ESU program, as shown below:

Note: We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.

To install and activate ESU for machines that are not connected to the Internet, you will need to follow these steps:

  1. Download and install the Volume Activation Management Tool (VAMT).
  2. Download the VAMT- ESU configuration file and update your VAMT configuration file.
  3. Configure the client device’s firewall for VAMT.
  4. Add the ESU product key to VAMT.

For systems that will not connect to the internet for activation, you can use the VAMT to perform proxy activation; however, KB4519972 must first be installed.

If you use the VAMT for Activation, the tool has the ability to pick up the activation ID as shown below:

Verifying your deployment on eligible Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 machines for ESU

Windows 7 SP1 and Windows Server 2008 R2 SP1: Install the optional, non-security update outlined in KB4528069. Please note that the KB4528069 update has no actual security content. This update is a test package and we subsequently recommend that you deploy it in your test environment. Install this update on your on-premises devices that are eligible for ESU.

Windows Server 2008: install the optional, non-securing update outlined in KB4528081. Please note that the KB4528081 update has no actual security content. This update is a test package and we subsequently recommend that you deploy it in your test environment. Install this update on your on-premises devices that are eligible for ESU.

Azure virtual machines and Windows Server

You do not need to deploy an additional ESU key for Azure virtual machines (VMs), Windows 7 ESU with Windows Virtual Desktop, or for bring-your-own images on Azure for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Like on-premises devices, these devices will also require the installation of the SSUs and monthly rollups outlined in the prerequisites section above. A pre-patched Windows 7 image and a pre-patched Windows Server 2008 R2 SP1 image are available from the Azure Marketplace. Azure Stack VMs or Azure VMware solutions should follow the same process as on-premises devices.

After installing the SSUs noted above, VMs will be enabled to download the ESU updates. 

For answers to commonly asked questions about ESU for Windows Server 2008 and 2008 R2, see the ESU FAQ.

Next steps

If your organization still has devices running Windows 7, Windows Server 2008, or Windows Server 2008 R2, we recommend that you take the steps outlined above today to take advantage of Extended Security Updates and help ensure that your devices continue to receive necessary security updates after January 14, 2020.

If you are interested in learning more about Extended Security Updates, please see the following resources:

Updated Feb 11, 2020
Version 10.0