Preparing to Deploy Extended Security Updates
Published Jan 30 2020 06:53 AM 24.3K Views
Microsoft

 

Update 02.03.2020: Updated post to confirm that Security Only Quality Updates from November 2019 and onward satisfy the pre-requisites for the ESU key. 

 

With the end of support for these Operating Systems on January 14, 2020, many of our customers are asking for help on how to get ready to deploy Extended Security Updates (ESU). To that end, I would like to share the work of Curtis Ricard, a Senior Premier Field Engineer, on how to use Microsoft Endpoint Configuration Manager (ConfigMgr) to ensure that your clients are ready to receive the ESU updates.

 

Curtis and I both engage with customers that have chosen to utilize the Extended Security Update program. If you would like to know more about the program, please review https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates

 

There are a few key points to consider with this program:

  • The Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical* and/or Important* security updates for a maximum of three years after the product’s End of Extended Support date. Extended Security Updates will be distributed if and when available.
  • ESUs do not include new features, customer-requested non-security updates, or design change requests.
  • All Windows 7 customers will get an update on January 14, 2020 as the operating system is in support until then. Updates for these operating systems after January 14, 2020 will be for ESU customers only. ESU is available for Win 7 Professional & Win 7 Enterprise.
  • Customers use the support plan they have; ESU offering does not include technical support*

*If any root cause investigation determines that resolution requires product enhancement(s) available in a more recent release, then customer may be required to upgrade

 

Also see the “How to get Extended Security Updates for eligible Windows devices” blog

*For licensing purchase questions, please contact your Microsoft Account Team.

 

If you have chosen to purchase ESU support, then there are some prerequisites for your on-premises device(s) that must be met to ensure that your systems will be able to install the ESU updates:

  • Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU update:
    • 4474419 SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
    • 4490628 Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
  • For Windows 7 and Windows Server 2008 R2, install at least one of the following servicing stack updates (SSU):
    • 4516655 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019
    • 4523206 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: November 12, 2019
    • 4531786 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: December 10, 2019
    • 4536952 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: January 14, 2020
  • For Windows Server 2008, install at least one of the following servicing stack updates (SSU):
    • 4517134 Servicing stack update for Windows Server 2008 SP2: September 10, 2019
    • 4526478 Servicing stack update for Windows Server 2008 SP2: November 12, 2019
    • 4531787 Servicing stack update for Windows Server 2008 SP2: December 10, 2019
    • 4536953 Servicing stack update for Windows Server 2008 SP2: January 14, 2020
  • For Windows 7 and Windows Server 2008 R2, install at least one of the following security updates:
    • 4519976 October 8, 2019—KB4519976 (Monthly Rollup)
    • 4525235 November 12, 2019—KB4525235 (Monthly Rollup)
    • 4525233 November 12, 2019—KB4525233 (Security-only update)
    • 4530734 December 10, 2019—KB4530734 (Monthly Rollup)
    • 4530692 December 10, 2019—KB4530692 (Security-only update)
    • 4534310 January 14, 2020—KB4534310 (Monthly Rollup)
    • 4534314 January 14, 2020—KB4534314 (Security-only update)
  • For Windows Server 2008, install at least one of the following security updates:
    • 4520002 October 8, 2019—KB4520002 (Monthly Rollup)
    • 4525234 November 12, 2019—KB4525234 (Monthly Rollup)
    • 4525239 November 12, 2019—KB4525239 (Security-only update)
    • 4530695 December 10, 2019—KB4530695 (Monthly Rollup)
    • 4530719 December 10, 2019—KB4530719 (Security-only update)
    • 4534303 January 14, 2020—KB4534303 (Monthly Rollup)
    • 4534312 January 14, 2020—KB4534312 (Security-only update)
  • Install and activate the ESU key.
    • For information about how to install and activate the ESU key, see the “How to get Extended Security Updates for eligible Windows devices” blog on the Microsoft Tech Community website.

 

Once you have the prerequisites in place, the following update will help you verify that your eligible Windows 7 SP1 devices can continue to get the ESUs after the end of support date of January 14, 2020. (Installing this update has no impact on getting security updates between now and January 14, 2020) https://support.microsoft.com/en-us/help/4528069/update-for-eligible-windows-7-and-server-2008-r2-de...

 

Note: After activation, you can then continue to use your current update and servicing strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS) or other update management solutions that you prefer.

 

Now that all of that is covered, you are faced with deploying the new keys to all the systems that you purchased support for. The keys for ESU are Multiple Activation Keys (MAK), and you cannot use KMS to auto-activate them. The Volume Activation Management Tool (VAMT) is supported for online and proxy activations. If your systems have internet access, then you can leverage ConfigMgr to ensure that the prerequisites and the appropriate ESU keys are in place and activated without VAMT.

You can leverage PowerShell to quickly check if the required patches are installed. For example:

    Get-HotFix -Id KB4474419

will quickly determine whether the SHA-2 code signing patch has been installed, and will error out just as quickly if it is not.

 

You can use that to create a compliance item to check all your systems to determine which have the required patches and which need to have them installed. An example of a compliance item script to check would be:

    Function lookuphotfix ($HotfixID)
    {
        # Returns $true when the named update is present on the local machine, $false otherwise.
        # HotFixID values look like "KB4474419"; -eq compares case-insensitively.
        $hotfixResult = Get-HotFix -ComputerName $env:COMPUTERNAME | Where-Object { $_.HotFixID -eq $HotfixID }
        if ($hotfixResult) { return $true }
        return $false
    }

    $strCompliant = "Non-Compliant"
    If ((lookuphotfix "KB4474419") -eq $true) { $strCompliant = "Compliant" }  # SHA-2 code signing update - REQUIRED
    # The compliance item evaluates the script's pipeline output, so emit the result with Write-Output
    Write-Output $strCompliant
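The script above only checks the SHA-2 update. The following is an added example (mine, not the post's own compliance script) that tests the whole prerequisite list from earlier in the post: it branches on the OS version and requires the SHA-2 update, at least one servicing stack update and at least one October 2019 or later security update, using the KB numbers the post gives. It assumes it is used as a script-based configuration item setting of data type String with a rule that the value must equal "Compliant", and, following the "or a later SSU update" wording, it accepts any of the September 2019 or later SSUs in place of KB4490628.

```powershell
# Added example, not the post's own compliance script: a ConfigMgr discovery script
# that checks the full ESU prerequisite list against the local machine and reports
# which group is missing. Assumes a script-based configuration item setting of data
# type String with a rule that the value must equal "Compliant".

function Test-AnyHotfix {
    # Returns $true when at least one of the given KB ids is installed.
    # Get-HotFix reports HotFixID values like "KB4474419"; -contains is case-insensitive.
    param([string[]] $KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -like "6.1.*") {
    # Windows 7 SP1 and Windows Server 2008 R2 SP1 share the same prerequisite KBs.
    # Any SSU from September 2019 onward also satisfies the March 2019 SSU (KB4490628).
    $ssuList = @("KB4516655", "KB4523206", "KB4531786", "KB4536952")
    $secList = @("KB4519976", "KB4525235", "KB4525233", "KB4530734", "KB4530692", "KB4534310", "KB4534314")
} elseif ($os.Version -like "6.0.*" -and $os.ProductType -ne 1) {
    # Windows Server 2008 SP2 (ProductType 1 on 6.0 would be Windows Vista, which this post does not cover)
    $ssuList = @("KB4517134", "KB4526478", "KB4531787", "KB4536953")
    $secList = @("KB4520002", "KB4525234", "KB4525239", "KB4530695", "KB4530719", "KB4534303", "KB4534312")
} else {
    Write-Output "Not-Applicable"
    exit 0
}

$missing = @()
if (-not (Test-AnyHotfix @("KB4474419"))) { $missing += "SHA-2 code signing update (KB4474419)" }
if (-not (Test-AnyHotfix $ssuList))       { $missing += "servicing stack update" }
if (-not (Test-AnyHotfix $secList))       { $missing += "October 2019 or later security update" }

if ($missing.Count -eq 0) {
    Write-Output "Compliant"
} else {
    # Any value other than "Compliant" fails the rule; the detail is visible as the
    # setting's current value in the compliance reports, which tells you what to deploy.
    Write-Output ("Non-Compliant (missing: " + ($missing -join ", ") + ")")
}
```

Reporting the missing group in the non-compliant string keeps a single rule ("equals Compliant") while still letting you build collections from the current value, for example to target only the systems that lack a servicing stack update.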
Once all the required prerequisites are in place, you can then use a compliance item to deploy the keys. Here are links to example PowerShell scripts that do that; simply add your ESU key to the appropriate $ESUKEY = "<INSERT-ESU-KEY-HERE>" line(s).

Detection Script

Remediation Script
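As an added example (mine, not the Detection and Remediation scripts linked above), the following shows one way to detect and remediate the ESU key state with the Software Licensing WMI classes, which are the same objects slmgr.vbs drives. The names Get-EsuKeyForThisHost, Get-EsuProduct, Test-EsuActivated and Install-EsuKey are mine. It assumes the ESU add-on appears in SoftwareLicensingProduct with "ESU" in its Name (confirm the exact name on a machine with slmgr.vbs /dlv all), that the placeholder keys are replaced with your MAKs, and that the device can reach Microsoft's online activation service, as the post requires for the ConfigMgr path. The per-OS key selection maps Win32_OperatingSystem.ProductType 1 to the client key and 2 or 3 to the server key; that mapping is my choice, not the post's.

```powershell
# Added example, not the post's linked scripts. Detection and remediation of the ESU
# key via the Software Licensing WMI classes (the same objects slmgr.vbs drives).
# Assumptions are noted inline; replace the placeholder keys before deploying.

$EsuKeys = @{
    Client = "<INSERT-WINDOWS-7-ESU-KEY-HERE>"       # placeholder, replace with your Windows 7 MAK
    Server = "<INSERT-SERVER-2008-ESU-KEY-HERE>"     # placeholder, replace with your Server 2008 / 2008 R2 MAK
}

function Get-EsuKeyForThisHost {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # Assumption (mine): domain controllers receive the server key like any other server.
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.ProductType -eq 1) { return $EsuKeys.Client }
    return $EsuKeys.Server
}

function Get-EsuProduct {
    # The ESU add-on is a separate entry in SoftwareLicensingProduct. Assumption: its
    # Name contains "ESU" (verify with: slmgr.vbs /dlv all). PartialProductKey is only
    # populated once a key has been installed for that product.
    Get-WmiObject SoftwareLicensingProduct |
        Where-Object { $_.Name -like "*ESU*" -and $_.PartialProductKey } |
        Select-Object -First 1
}

function Test-EsuActivated {
    # LicenseStatus 1 = Licensed. 0 = Unlicensed; other values are grace or notification
    # states, none of which should be reported as compliant.
    $p = Get-EsuProduct
    return ($p -ne $null -and $p.LicenseStatus -eq 1)
}

function Install-EsuKey {
    param([string] $ProductKey)
    $svc = Get-WmiObject SoftwareLicensingService
    [void] $svc.InstallProductKey($ProductKey)     # equivalent of: slmgr.vbs /ipk <key>
    [void] $svc.RefreshLicenseStatus()
    $p = Get-EsuProduct
    if ($p -eq $null) { throw "Key installed, but no ESU product with a partial key was found" }
    [void] $p.Activate()                           # online activation; equivalent of: slmgr.vbs /ato <activation id>
    [void] $svc.RefreshLicenseStatus()
    return (Test-EsuActivated)
}

# Discovery script body: the compliance rule expects the string "Compliant".
# For the remediation script, use this line instead of the one below:
#   if (-not (Test-EsuActivated)) { Install-EsuKey (Get-EsuKeyForThisHost) | Out-Null }
if (Test-EsuActivated) { Write-Output "Compliant" } else { Write-Output "Non-Compliant" }
```

Checking LicenseStatus rather than just the presence of a partial key matters: a key that was installed but never activated (for example, because the device could not reach the activation service) would otherwise be reported as compliant, and the ESU updates would still fail to install on it.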

 

In addition to the sample scripts, you can also utilize a set of sample configuration items and baselines available via my GitHub repository. They are available individually or as a zip file:

Zip file with all Baselines

Individual Baselines

 

Download the zip file and extract the contents so that you can import the baselines.


 

For each of the baselines you will be prompted that the publisher could not be verified, and asked to confirm that you want to import the files.

 


 

After confirming the selection for each of the files, you will see 4 cab files to be imported.


 

When you select next, you see the detailed list of the configuration baselines and configuration items that will be added.


 

Select Next and then Close to complete the import.

The following baselines are intended for use on clients that have Internet access:

  • Baseline 1A:  This baseline is intended for Server 2008/2008R2 clients, and checks for OS-specific pre-requisite KBs.  You can deploy the remediation baseline (Baseline 2, below) to systems that are compliant with this KB check.
  • Baseline 1B:  This baseline is intended for Windows 7 clients, and checks for Windows 7 pre-requisite KBs.  You can deploy the remediation baseline (Baseline 2, below) to systems that are compliant with this KB check.
  • Baseline 2:  This baseline will detect the state of the ESU key and remediate (Detect & Install ESU Key) if needed.  It should be deployed to clients that meet the KB pre-requisites (see baselines 1A and 1B), and it needs to be updated with your ESU keys before deployment.
  • Baseline 3:  This checks for an optional, non-security KB that we released.  If this update installs successfully, it indicates the client has an installed and activated ESU license.

 

Update the scripts to include your ESU key(s) and deploy to your systems.

 

One other item to note is that there are Asset Intelligence reports available that interact with the Software Licensing Service, allowing you to report on ESU keys.


 

Hopefully you will find this helpful and check back in next time when we talk about options for systems without internet connectivity.

 

 

Resources

 

Common Questions

Answers sourced from reference materials as well as confirmed with the Microsoft Product Group where applicable, unless noted as otherwise.

 

  • Q: Is there a work around for Quality Update requirement?
  • A: “There is no work around. This (October or newer monthly rollup) is required – as it was written in the article.” The November 2019 or a later security-only update package can be used as a substitute for the monthly rollup in the Installation prerequisites.

  • Q: Do we have to apply the Quality Update moving forward, or could we apply security only?
  • A: “You can go back to Security Only (for the remaining updates through 14-Jan-2020) after applying the October or newer monthly roll up (in preparation for the ESU) ” (Of course, ESUs will contain only Critical or Important Security updates)

  • Q: If we have never installed the Quality Update, do we know how much drive space that will take?
  • A: The October Security Monthly Quality Rollup (KB4519976) is 308 MB to download.  Applying the update will take a similar amount of space.

  • Q:  Why isn’t KMS available as a deployment option for ESU?
  • A: “KMS is not supported for the ESU MAK process.  KMS would have required re-architecting to support ESU.  This was determined to be too high of a risk for our enterprise customers and for our Windows development teams.  Any work to re-architect KMS would have resulted in considerable instability of Windows Server 2008 R2 at a time when customers need it to be absolutely stable.”

 

 

 

 

14 Comments
Steel Contributor
Security Only update for January 2020 (KB4534314) or December 2019 (KB4530692), both contain the needed prerequisite to install ESU keys, quality monthly rollup is not needed
Copper Contributor

Jon, I'm sorry but this statement is not true, or at least badly worded:

"The key for ESU are Multiple Activation Keys (MAK) and you cannot use KMS to activate them."

While you can't use the KMS to auto-activate the MAK key for the ESU updates, the manual activation of the key using your KMS (VAMT to be precise) is 100% supported and also intended. We opened a support case a few weeks ago about the specifics of the ESU activation and it was specifically confirmed to be the only supported ESU activation method for systems unable to reach the MS cloud activation servers.

Microsoft
@spucktier Thanks for pointing out the confusing statement. I am updating the post to clarify the use of VAMT. It is correct that VAMT is 100% supported and the intended method when systems are not internet connected. I do have a follow up post that will cover the use of VAMT.
Microsoft
@abbodi1406 I have confirmation that the November 2019 or a later security-only update package can be used as a substitute for the monthly rollup in the Installation prerequisites. The post has been updated to reflect all of the possible prerequisite patches.
Copper Contributor

Hi,

 

I completed above steps without valid MAK keys.  As a result the configuration on the client side is Non Compliant in Control Panel - Configuration Manager.  It looks like a valid MAK key is required to get the compliance working.

 

For test purpose, I used this as MAK key - 11111-22222-333333-444444-555555

 

Ram

Microsoft
@RamLan You are correct, the detection script verifies that the key is installed and activated.
Microsoft

This is very descriptive and informative. Thanks for putting this together! 

Copper Contributor

@Jon Warnken 

 

In the detection script, there is a part looking for product type:

    $OS = Get-WmiObject Win32_OperatingSystem
    foreach ($ObjItem in $OS) {
        $SystemRole = $ObjItem.ProductType
        Switch ($SystemRole) {
            1 { $Type = "Desktop" }
            2 { $Type = "UNSUPPORTED" }
            3 { $Type = "Server" }
        } #End Switch Statement
    } #End foreach loop

Domain Controller (in my case Windows server 2008 R2 domain controller) will return type 2 which is ok. (See the following chart)

WMI Win32_OperatingSystem ProductType Tips:
ProductType 1 = Desktop OS
ProductType 2 = Server OS – Domain Controller
ProductType 3 = Server OS – Not a Domain Controller

Does it mean Windows 2008 R2 Domain Controller does not support installing ESU key or it's just a bug to fix?

 

Thanks

Microsoft

Nice work  @Jon Warnken!

 

It seems that a change in PowerShell execution policy under client settings is required to avoid running into Error ID 0x87D00327; Script is not signed when running the scripts related to the ESU baselines/compliance items:

 


Copper Contributor

If I was to purchase the ESU key for 10 devices, how does Microsoft determine that I have installed the key on 10 devices? In other words, what's stopping me from installing the key on 20+ machines at once? The reason this question needs to be asked is simple - will I be able to re recycle the purchased key i.e. if I purchase and install the key on 10 devices and those devices die and need to be replaced. Will I be able to use the key again on the replacement devices or do I need to purchase it again? Is there some sort of activation mechanism happening in the background that will only allow 10 in?

Microsoft

@Adrian Kielbowicz the key used for ESU is a MAK key. https://docs.microsoft.com/en-us/windows/deployment/volume-activation/plan-for-volume-activation-cli... Tracking for the key usage is just like any other product using those keys. If you replace systems and need to add additional activations there is a process to request more. Please see the FAQ https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7 

  If an organization needs additional activations of ESU (for example, if they have to reinstall Windo...

Organizations that purchase ESU through volume licensing should request additional activations through the VLSC:

  1. On the VLSC home page, select Contact Us.
  2. Select your region, and then select Support Web Form in the Contact Info section.
  3. In the form, complete the required information.
Copper Contributor

@Jon Warnken Thanks a lot - that fully answers my question :)

Copper Contributor

Does the Asset Intelligence Synchronization point role need to be present for the software licensing reporting to work for the ESU key activation data?

I'm somewhat of a noob so trying to lay down the prerequisites to get these baseline configurations deployed successfully. I have a lot of 2008/2008 R2 servers that need ESU activation and patching so any advice on what exactly is needed for SCCM components, roles, etc, to especially obtain accurate ESU key activation data would be greatly appreciated!

Brass Contributor

Attempting to import the baselines results in an error stating an invalid reference to a CI. 

Are these files version specific to a release of configMgr?

Version history
Last update: Feb 02 2020 10:37 PM