If you are transitioning from Windows 7 Pro or Enterprise to Windows 10 and have purchased Windows 7 Extended Security Updates (ESUs), this post provides additional guidance on how to install and activate Windows 7 ESU keys on multiple devices using a multiple activation key (MAK). The scenario outlined in this post assumes that these devices are part of an on-premises Active Directory domain.
Note: The Activate-ProductOnline.ps1 script mentioned below requires that Windows 7 devices have Internet access for online activation. If you need to install ESU on isolated Windows 7 devices or have restricted Internet access, the ActivationWs project supports activation of Windows 7 devices by using a proxy to communicate with the Microsoft BatchActivation Service. The ActivationWs project includes a PowerShell script (Activate-Product.ps1) compatible with the steps below.
Now, let’s walk through the process of creating a Group Policy Object that will run the Activate-ProductOnline.ps1 script on the Windows 7 domain-joined devices.
Download the Activate-ProductOnline.ps1 script and save it to a local folder. This script will install and activate the ESU product key.
Note: The Activate-ProductOnline.ps1 script requires a 25-character code for the ProductKey parameter in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
The basic logic for the script is as follows.
Important: Admins will be able to read the key by viewing the log files or the Group Policy Object (GPO). As a result, take care to ensure the confidentiality of your key by limiting its exposure. You could also consider modifying this script to support encryption or obfuscation of the ESU key; however, that is out of scope for this post.
Before you try to install and activate the Windows 7 ESU key, you should first ensure that all of the prerequisites are installed as outlined in Obtaining Extended Security Updates for eligible Windows devices. The ESU key for Windows 7 will not install properly if the prerequisites are missing.
Note: If the Software Licensing Service reports error 0xC004F050 when installing the ESU key, this indicates that either the prerequisites have not been installed, or the updates are being applied to the wrong operating system. The best way to resolve this is to ensure that you are applying the ESU key to Windows 7 Pro, Enterprise, or Ultimate and reinstall each of the prerequisites individually.
Note: In the example below, the GPO is named Windows7_ESU and it is linked at the root of the domain. All devices will see this GPO and process the WMI filter. Only Windows 7 devices will run the GPO, but all will be targeted. Alternatively, you could create a dynamic security group in Active Directory for all Windows 7 devices and set the permission on the GPO to only that group to limit the number of devices that run the script specified in the GPO.
To create a new GPO, and link it to the directory location holding the Windows 7 devices in scope for the ESUs, follow these steps:
It may take up to 45 minutes for the new policy to synchronize to all domain controllers in your site (longer for remote domain controllers, depending on the synchronization schedule). Once completed, reboot your Windows 7 devices, which will force a Group Policy update and allow the Startup scripts to run.
The script will create a log file that can be examined for additional verification. By default, the log file will be named Activate-ProductOnline.txt and located in the system TEMP directory C:\Windows\Temp.
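One way to limit the key exposure described in the Important note above is to mask the key in the log once activation has been verified. The following is an added example, not part of Activate-ProductOnline.ps1 or the original post; it assumes the log records the key in the 25-character format the ProductKey parameter requires, and the function names are hypothetical.

```powershell
# Added example: mask ESU product keys left in the activation log.
# Assumption: the key appears in the XXXXX-XXXXX-XXXXX-XXXXX-XXXXX format.
param(
    # Default log location stated in the post.
    [string]$LogPath = 'C:\Windows\Temp\Activate-ProductOnline.txt'
)

# Five groups of five alphanumerics; only the last group is captured.
$KeyPattern = '\b(?:[A-Z0-9]{5}-){4}([A-Z0-9]{5})\b'

function Protect-ProductKeyText {
    param([string]$Text)
    # Mask the first four groups and keep the last one so the entry can
    # still be matched against the partial product key on the device.
    return ($Text -replace $KeyPattern, '*****-*****-*****-*****-$1')
}

function Protect-ProductKeyLog {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Log not found: $Path"
        return 0
    }
    $lines = @(Get-Content -LiteralPath $Path)
    # Masked lines no longer match, so a second run reports 0.
    $hits = @($lines | Where-Object { $_ -match $KeyPattern }).Count
    if ($hits -gt 0) {
        $clean = $lines | ForEach-Object { Protect-ProductKeyText $_ }
        # Set-Content rewrites the file using its default encoding.
        Set-Content -LiteralPath $Path -Value $clean
    }
    return $hits
}

# Constructed sample line (not a real key) to show the masking.
Protect-ProductKeyText 'Installing product key AAAAA-BBBBB-CCCCC-DDDDD-EEEEE'

$count = Protect-ProductKeyLog -Path $LogPath
Write-Output "Masked $count line(s) in $LogPath"
```

This only addresses the log file; the key passed as a script parameter remains readable in the GPO itself, so access to the GPO still needs to be restricted.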
To verify that the process has been successful:
Below are some steps you can take to troubleshoot, and hopefully resolve, common issues.
While logged onto a system having an issue, attempt to install each applicable hotfix. If the hotfix installer quits with a message that the hotfix is not applicable, then the hotfix is either incorrect for the operating system, or it has already been installed. If the hotfix installs, it was not installed previously.
Operating system | Hotfix
Windows 7 SP1 |
Windows 7 SP1 |
Windows 7 SP1 |
Windows 7 SP1 |
Note: Hotfixes are replaced over time. For example, at the time of this publication, KB4516655 has been superseded by KB4536952, and KB4519976 has been superseded by KB4534310. To determine the latest hotfixes at the time of your install, we recommend that you look up the individual hotfixes in the Microsoft Update Catalog and review the Package Details.
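Because a prerequisite can be satisfied by either the original hotfix or the update that superseded it, a check for a single KB number can report a false failure. The following added example (not from the original post) treats each prerequisite as a set of acceptable KB numbers; it lists only the two supersedence pairs named in the note above, and the function name and list layout are assumptions.

```powershell
# Added example: report ESU prerequisites that are not installed,
# accepting either the original hotfix or its superseding update.
# Only the two pairs named in the post are listed; add the remaining
# prerequisites from the ESU prerequisites article for your environment.
$Prerequisites = @(
    @{ Name = 'KB4516655 (or superseding update)'
       AcceptedKBs = @('KB4516655', 'KB4536952') },
    @{ Name = 'KB4519976 (or superseding update)'
       AcceptedKBs = @('KB4519976', 'KB4534310') }
)

function Test-EsuPrerequisite {
    param(
        [hashtable[]]$Prerequisites,
        [string[]]$InstalledKBs
    )
    foreach ($p in $Prerequisites) {
        # Any one accepted KB being installed satisfies the prerequisite.
        $found = @($p.AcceptedKBs | Where-Object { $InstalledKBs -contains $_ })
        New-Object PSObject -Property @{
            Prerequisite = $p.Name
            Satisfied    = ($found.Count -gt 0)
            InstalledKB  = ($found -join ', ')
        }
    }
}

# Get-HotFix reads Win32_QuickFixEngineering on the local device.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
$report = @(Test-EsuPrerequisite -Prerequisites $Prerequisites -InstalledKBs $installed)
$report | Format-Table Prerequisite, Satisfied, InstalledKB -AutoSize

# A non-zero exit code lets a deployment tool flag the device.
$missing = @($report | Where-Object { -not $_.Satisfied })
if ($missing.Count -gt 0) { exit 1 }
```

A newer update that is not in the AcceptedKBs list will show as missing, so refresh the list from the Microsoft Update Catalog before relying on the result.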
This blog post outlines one way to deploy and activate Extended Security Updates for Windows 7. You can also use a management server, such as System Center Configuration Manager. For information on deploying scripts with Configuration Manager, see Create and run PowerShell scripts from the Configuration Manager console.
The Volume Activation Management Tool (VAMT) allows administrators to automate and centrally manage a range of activities related to Windows client, Windows Server, and Office 2010 activation. To download VAMT 2.0, visit the Microsoft Download Center.
If you receive an activation error, please see Get help with Windows activation errors for additional troubleshooting tips.
If you are interested in learning more about Extended Security Updates, including ESUs for Windows 7 Embedded, Windows Server 2008, and Windows Server 2008 R2 SP1, please see the following resources: