Activate Windows 7 ESUs on multiple devices with a MAK
Published Feb 11 2020 10:00 AM 48.8K Views

If you are transitioning from Windows 7 Pro or Enterprise to Windows 10 and have purchased Windows 7 Extended Security Updates (ESUs), this post provides additional guidance on how to install and activate Windows 7 ESU keys on multiple devices using a multiple activation key (MAK). The scenario outlined in this post assumes that these devices are part of an on-premises Active Directory domain.

Note:  The Activate-ProductOnline.ps1 script mentioned below requires that Windows 7 devices have Internet access for online activation. If you need to install ESU on isolated Windows 7 devices or have restricted internet access, the ActivationWs project supports activation of Windows 7 devices by using a proxy to communicate with the Microsoft BatchActivation Service. The ActivationWS project includes a PowerShell script (Activate-Product.ps1) compatible with the steps below.

Now, let’s walk through the process of creating a Group Policy Object that will run the Activate-ProductOnline.ps1 on the Windows 7 domain-joined devices.

Download the Activate-ProductOnline.ps1 script

Download the Activate-ProductOnline.ps1 script and save it to a local folder. This script will install and activate the ESU product key.

Note:  The Activate-ProductOnline.ps1 script requires a 25-character code for the ProductKey parameter in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

The basic logic for the script is as follows.

  1. Accept and validate required ProductKey and optional LogFile parameters.
  2. Exit if the product key is already installed and activated.
  3. Install the product key.
  4. Activate the product key.
  5. Produce a log file with default location: $env:TEMP\Activate-ProductOnline.log.

Important:  Admins will be able to read the key by viewing the log files or the Group Policy Object (GPO). As a result, take care to ensure the confidentiality of your key by limiting its exposure. You could also consider modifying this script to support encryption or obfuscation of the ESU key; however, that is out of scope for this post.

Ensure that ESU prerequisites are installed

Before you try to install and activate the Windows 7 ESU key, you should first ensure that all of the prerequisites are installed as outlined in Obtaining Extended Security Updates for eligible Windows devices. The ESU key for Windows 7 will not install properly if the prerequisites are missing.

Note:  If the Software Licensing Service reports error 0xC004F050 when installing the ESU key, this indicates that either the prerequisites have not been installed, or the updates are being applied to the wrong operating system. The best way to resolve this is to ensure that you are applying the ESU key to Windows 7 Pro, Enterprise, or Ultimate and reinstall each of the prerequisites individually.

Create a WMI-filtered Group Policy Object

Note:  In the example below, the GPO is named Windows7_ESU and it is linked at the root of the domain. All devices will see this GPO and process the WMI filter. Only Windows 7 devices will run the GPO, but all will be targeted. Alternatively, you could create a dynamic security group in Active Directory for all Windows 7 devices and set the permission on the GPO to only that group to limit the number of devices that run the script specified in the GPO.

To create a new GPO, and link it to the directory location holding the Windows 7 devices in scope for the ESUs, follow these steps:

  1. On a domain controller or workstation with Group Policy Management tools installed, Select Start and type Group Policy and select Group Policy Management.
  2. Expand the forest and domains nodes to expose the appropriate OU or Container that contains Windows 7 devices.
  3. Right-click the OU or Container.
  4. Select Create a GPO in the domain, name it Windows7_ESU, and select OK.

  5. Right-click the new GPO and select Edit to open the Group Policy Management Editor.
  6. Under Computer Configuration, expand Policies, then expand Windows Settings. Select Scripts (Startup/Shutdown).
  7. Double-click Startup in the right side of the pane and click the PowerShell Scripts tab as shown in the following image:

  8. Select Add to open the Add a Script dialog, and then select Browse. The Browse button opens a Windows Explorer window Startup script folder for the Group Policy Object you created. Drag the Activate-ProductOnline.ps1 script into the Startup folder as shown in the following image:

  9. Select the Activate-ProductOnline.ps1 you just copied and select Open.
  10. Ensure Activate-ProductOnline.ps1 is specified in the Script Name field and enter the parameter -ProductKey followed by your ESU MAK key as shown in the following image:

  11. Select OK to close the Add A Script Dialog, select OK to close Startup Properties, then close Group Policy Management Editor.
  12. In the Group Policy Management Console, right-click the WMI Filters node and select New to open the New WMI filter dialog shown in the following image.

  13. Give the new WMI Filter a meaningful name and select Add to open the WMI Query dialog. Use the WMI Query Select Version from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" as shown in the following image:

  14. Select OK to close the WMI Query dialog and then select Save.
  15. In the Group Policy Management Console, select the new GPO. In the WMI Filtering section, choose the WMI Filter you just created, as shown in the following image:


Verify that the ESU PKID is installed and activated

It may take up to 45 minutes for the new policy to synchronize to all domain controllers in your site (longer for remote domain controllers, depending on the synchronization schedule). Once completed, reboot your Windows 7 devices, which will force a Group Policy update and allow the Startup scripts to run.

The script will create a log file that can be examined for additional verification. By default, the log file will be named Activate-ProductOnline.txt and located in the system TEMP directory C:\Windows\Temp.

To verify that the process has been successful:

  1. On a Windows 7 computer in scope of the GPO, run the command slmgr /dlv from an elevated command prompt.
  2. Verify the software licensing information for the Windows 7 Client-ESU add-on and ensure that the License Status is Licensed as shown in the image below:



Below are some steps you can take to troubleshoot, and hopefully resolve, common issues.

Apply hotfixes individually

While logged onto a system having an issue, attempt to install each applicable hotfix. If the hotfix installer quits with a message that the hotfix is not applicable, then the hotfix is either incorrect for the operating system, or it has already been installed. If the hotfix installs, it was not installed previously.

Verify the Windows version

  1. Open a command prompt.
  2. Type winver and press Enter.
  3. Take a screenshot of the About Windows dialog.

Verify that hotfixes are installed

  1. Open Control Panel.
  2. Select Programs.
  3. Select View installed updates under Programs and Features.
  4. Search for the required hotfixes. 

Operating system


Windows 7 SP1


Windows 7 SP1


Windows 7 SP1


Windows 7 SP1



Note:  Hotfixes are replaced over time. For example, at the time of this publication, KB4516655 has been superseded by KB4536952, and KB4519976 has been superseded by KB4534310. To determine the latest hotfixes at the time of your install, we recommend that you look up the individual hotfixes in the Microsoft Update Catalog and review the Package Details.


  1. Take a screenshot.
  2. If you cannot install the ESU key after verifying the operating system and verifying prerequisites, open an incident with Windows Support and provide the screenshots.

Final notes

This blog post outlines one way to deploy and activate Extended Security Updates for Windows 7. You can also use a management server, such as System Center Configuration Manager. For information on deploying scripts with Configuration Manager, see Create and run PowerShell scripts from the Configuration Manager console.

The Volume Activation Management Tool (VAMT) allows administrators to automate and centrally manage a range of activities related to Windows client, Windows Server, and Office 2010 activation. To download VAMT 2.0, visit the Microsoft Download Center

If you receive an activation error, please see Get help with Windows activation errors for additional troubleshooting tips.

If you are interested in learning more about Extended Security Updates, including ESUs for Windows 7 Embedded, Windows Server 2008, and Windows Server 2008 R2 SP1, please see the following resources:


1 Comment
Version history
Last update:
‎Feb 11 2020 10:57 AM
Updated by: