If you are transitioning from Windows 7 Pro or Enterprise to Windows 10 and have purchased Windows 7 Extended Security Updates (ESUs), this post provides additional guidance on how to install and activate Windows 7 ESU keys on multiple devices using a multiple activation key (MAK). The scenario outlined in this post assumes that these devices are part of an on-premises Active Directory domain.
Note: The Activate-ProductOnline.ps1 script mentioned below requires that Windows 7 devices have Internet access for online activation. If you need to install ESU on isolated Windows 7 devices or have restricted internet access, the ActivationWs project supports activation of Windows 7 devices by using a proxy to communicate with the Microsoft BatchActivation Service. The ActivationWS project includes a PowerShell script (Activate-Product.ps1) compatible with the steps below.
Now, let’s walk through the process of creating a Group Policy Object that will run the Activate-ProductOnline.ps1 on the Windows 7 domain-joined devices.
Download the Activate-ProductOnline.ps1 script
Download the Activate-ProductOnline.ps1 script and save it to a local folder. This script will install and activate the ESU product key.
Note: The Activate-ProductOnline.ps1 script requires a 25-character code for the ProductKey parameter in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
The basic logic for the script is as follows.
Accept and validate required ProductKey and optional LogFile parameters.
Exit if the product key is already installed and activated.
Install the product key.
Activate the product key.
Produce a log file with default location: $env:TEMP\Activate-ProductOnline.log.
Important: Admins will be able to read the key by viewing the log files or the Group Policy Object (GPO). As a result, take care to ensure the confidentiality of your key by limiting its exposure. You could also consider modifying this script to support encryption or obfuscation of the ESU key; however, that is out of scope for this post.
Note: If the Software Licensing Service reports error 0xC004F050 when installing the ESU key, this indicates that either the prerequisites have not been installed, or the updates are being applied to the wrong operating system. The best way to resolve this is to ensure that you are applying the ESU key to Windows 7 Pro, Enterprise, or Ultimate and reinstall each of the prerequisites individually.
Create a WMI-filtered Group Policy Object
Note: In the example below, the GPO is named Windows7_ESU and it is linked at the root of the domain. All devices will see this GPO and process the WMI filter. Only Windows 7 devices will run the GPO, but all will be targeted. Alternatively, you could create a dynamic security group in Active Directory for all Windows 7 devices and set the permission on the GPO to only that group to limit the number of devices that run the script specified in the GPO.
To create a new GPO, and link it to the directory location holding the Windows 7 devices in scope for the ESUs, follow these steps:
On a domain controller or workstation with Group Policy Management tools installed, Select Start and type Group Policy and select Group Policy Management.
Expand the forest and domains nodes to expose the appropriate OU or Container that contains Windows 7 devices.
Right-click the OU or Container.
Select Create a GPO in the domain, name it Windows7_ESU, and select OK.
Right-click the new GPO and select Edit to open the Group Policy Management Editor.
Under Computer Configuration, expand Policies, then expand Windows Settings. Select Scripts (Startup/Shutdown).
Double-click Startup in the right side of the pane and click the PowerShell Scripts tab as shown in the following image:
Select Add to open the Add a Script dialog, and then select Browse. The Browse button opens a Windows Explorer window Startup script folder for the Group Policy Object you created. Drag the Activate-ProductOnline.ps1 script into the Startup folder as shown in the following image:
Select the Activate-ProductOnline.ps1 you just copied and select Open.
Ensure Activate-ProductOnline.ps1 is specified in the Script Name field and enter the parameter -ProductKey followed by your ESU MAK key as shown in the following image:
Select OK to close the Add A Script Dialog, select OK to close Startup Properties, then close Group Policy Management Editor.
In the Group Policy Management Console, right-click the WMI Filters node and select New to open the New WMI filter dialog shown in the following image.
Give the new WMI Filter a meaningful name and select Add to open the WMI Query dialog. Use the WMI Query Select Version from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" as shown in the following image:
Select OK to close the WMI Query dialog and then select Save.
In the Group Policy Management Console, select the new GPO. In the WMI Filtering section, choose the WMI Filter you just created, as shown in the following image:
Verify that the ESU PKID is installed and activated
It may take up to 45 minutes for the new policy to synchronize to all domain controllers in your site (longer for remote domain controllers, depending on the synchronization schedule). Once completed, reboot your Windows 7 devices, which will force a Group Policy update and allow the Startup scripts to run.
The script will create a log file that can be examined for additional verification. By default, the log file will be named Activate-ProductOnline.txt and located in the system TEMP directory C:\Windows\Temp.
To verify that the process has been successful:
On a Windows 7 computer in scope of the GPO, run the command slmgr /dlv from an elevated command prompt.
Verify the software licensing information for the Windows 7 Client-ESU add-on and ensure that the License Status is Licensed as shown in the image below:
Below are some steps you can take to troubleshoot, and hopefully resolve, common issues.
Apply hotfixes individually
While logged onto a system having an issue, attempt to install each applicable hotfix. If the hotfix installer quits with a message that the hotfix is not applicable, then the hotfix is either incorrect for the operating system, or it has already been installed. If the hotfix installs, it was not installed previously.
Verify the Windows version
Open a command prompt.
Type winver and press Enter.
Take a screenshot of the About Windows dialog.
Verify that hotfixes are installed
Open Control Panel.
Select View installed updates under Programs and Features.
Note: Hotfixes are replaced over time. For example, at the time of this publication, KB4516655 has been superseded by KB4536952, and KB4519976 has been superseded by KB4534310. To determine the latest hotfixes at the time of your install, we recommend that you look up the individual hotfixes in the Microsoft Update Catalog and review the Package Details.
Take a screenshot.
If you cannot install the ESU key after verifying the operating system and verifying prerequisites, open an incident with Windows Support and provide the screenshots.
The Volume Activation Management Tool (VAMT) allows administrators to automate and centrally manage a range of activities related to Windows client, Windows Server, and Office 2010 activation. To download VAMT 2.0, visit the Microsoft Download Center