[ARCHIVED] How to get Extended Security Updates for eligible Windows devices
Published Oct 17 2019 09:00 AM 602K Views

Note:  A new version of this blog post was published on February 11, 2020.


Update 11.26.2019: Windows 7 Extended Security Updates (ESUs) will be available via the Cloud Solution Partner (CSP) program beginning Monday, December 2, 2019. To purchase Windows 7 ESUs through a CSP, please contact a CSP partner. If you are a partner and need details on procuring Windows 7 ESUs through the Partner Center, see Purchasing Windows 7 ESUs as a Cloud Solution Provider.


While many of you are well into your journey of deploying and/or servicing Windows 10, we understand that everyone is at a different point in the upgrade process. If your organization is unable to complete the transition from Windows 7 Pro or Enterprise to Windows 10—or from Windows Server 2008 and 2008 R2 Datacenter, Enterprise, or Standard to the latest version of Windows Server—prior to the end of support on January 14, 2020, we want to help you by ensuring that these devices running these select editions and versions continue to receive security updates while you complete your Windows and Windows Server upgrade projects.

In this blog, we’ll explain how volume license customers can purchase, install, and deploy Extended Security Updates today for eligible Windows 7, Windows Server 2008, and Windows Server 2008R2 devices to ensure those devices stay protected after January 14, 2020. Again, if you are a Windows 7 Pro customer looking to take advantage of paid Extended Security Updates via CSP partners, you will be able to do so once they are available on December 1, 2019. More information on this option will be available in the Windows 7 and Office 2010 End of Support FAQ.

Purchasing Windows 7 ESUs through Volume Licensing

Extended Security Updates are available through specific volume licensing programs. Coverage will be available in three consecutive 12-month increments following Windows 7 end of support on January 14, 2020. Extended Security updates are available for purchase in 12-month increments only, starting January 14, 2020. You cannot buy partial periods (e.g. 6 months).

Eligible customers can use the Azure Hybrid Benefit (available to customers with active Software Assurance or Server Subscriptions) to obtain discounts on the license of Azure virtual machines or Azure SQL Database managed instances. ESUs for select Windows Embedded products are available via your embedded device manufacturer.

Now, let’s walk through how and where to purchase Windows 7 ESU, as well as download the appropriate key from the VLSC.

  1. Visit the Volume Licensing Service Center (https://www.microsoft.com/vlsc) and sign in.
  2. Select Licenses > Relationship Summary > Licensing ID > Product Keys.

    01_ESU-in-VLSC.PNG

Purchasing Windows 7 ESUs through a Cloud Solution Provider (CSP)

To purchase Windows 7 ESUs through a CSP, customers should contact a CSP partner. If you are a partner and need details on procuring Windows 7 ESUs through the Partner Center, see Purchasing Windows 7 ESUs as a Cloud Solution Provider.

Installation prerequisites

The following steps must be completed before installing and activating ESU keys:

  1. Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU:

    Windows 7 SP1 and Windows Server 2008 R2 SP1:
    Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
    and
    SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: Se...
    Windows Server 2008 SP2:
    Servicing stack update for Windows Server 2008 SP2: April 9, 2019
    and
    SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: Se...

  2. Install the following SSU and monthly rollup:

    Windows 7 SP1 and Windows Server 2008 R2 SP1:
    Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019 (KB4516655)

    and
    October 8, 2019: Monthly Rollup (KB4519976)

    Windows Server 2008 SP2:
    Servicing stack update for Windows Server 2008 SP2: September 10, 2019 (KB4517134) 
    and
    October 8, 2019: Monthly Rollup (KB4520002)

  3. Once activated,  continue to use your current update and servicing strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS), Microsoft Update Catalog, or whichever patch management solution you prefer.

Installation and activation

Once you have addressed the prerequisites, you’re ready to install and activate Extended Security Updates for machines connected to the internet.

First, install the ESU product key using the Windows Software Licensing Management Tool (slmgr):

Note: Installing the ESU product key will not replace the current OS activation method being used on the device. This is achieved by using the Activation ID to differentiate between the operating system’s activation and the ESU activation.

  1. Open an elevated Command Prompt.
  2. Type slmgr /ipk <ESU key> and select Enter.
  3. If the product key installed successfully, you will see a message similar to the following:

    02_ESU-product-key-installed.png

Next, find the ESU Activation ID:

  1. In the elevated Command Prompt, type slmgr /dlv and select Enter.
  2. Note the Activation ID as you will need it in the next step.

    03_ESU-activation-ID.png

Now, you’ll activate the ESU product key:

  1. Open an elevated Command Prompt.
  2. Type slmgr /ato <ESU Activation Id> and press Enter.

    04_ESU-activation-confirmed.png

    The following table outlines possible values for the <ESU Activation Id>:

    ESU Program 

    ESU SKU (or Activation) ID 

    Windows 7 SP1 (Client)

     

    Year 1 

    77db037b-95c3-48d7-a3ab-a9c6d41093e0 

    Year 2

    0e00c25d-8795-4fb7-9572-3803d91b6880 

    Year 3;

    4220f546-f522-46df-8202-4d07afd26454 

    Windows Server 2008/R2 (Server)

     

    Year 1 

    553673ed-6ddf-419c-a153-b760283472fd 

    Year 2

    04fa0286-fa74-401e-bbe9-fbfbb158010d 

    Year 3

    16c08c85-0c8b-4009-9b2b-f1f7319e45f9 

Once you have activated the ESU product key, you can verify the status at any time by following these steps:

  1. Open an elevated Command Prompt.
  2. Type slmgr /dlv and select Enter.
  3. Verify Licensed Status shows as Licensed for the corresponding ESU program, as shown below:

    05_checking-ESU-license-status.png

Note: We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.

To install and activate ESU for machines that are not connected to the Internet, you will need to follow these steps:

  1. Download and install the Volume Activation Management Tool (VAMT).
  2. Download the VAMT- ESU configuration file and update your VAMT configuration file.
  3. Configure the client device’s firewall for VAMT.
  4. Add the ESU product key to VAMT.

For systems that will not connect to the internet for activation, you can use the VAMT to perform proxy activation; however, KB4519972 must first be installed.

If you use the VAMT for Activation, the tool has the ability to pick up the activation ID as shown below:

vamt-activation.png

Verifying your deployment on eligible Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 machines for ESU

Windows 7 SP1 and Windows Server 2008 R2 SP1: Install the optional, non-security update outlined in KB4528069. Please note that the KB4528069 update has no actual security content. This update is a test package and we subsequently recommend that you deploy it in your test environment. Install this update on your on-premises devices that are eligible for ESU.

Windows Server 2008: install the optional, non-securing update outlined in KB4528081. Please note that the KB4528081 update has no actual security content. This update is a test package and we subsequently recommend that you deploy it in your test environment. Install this update on your on-premises devices that are eligible for ESU.

Azure virtual machines and Windows Server

You do not need to deploy an additional ESU key for Azure virtual machines (VMs), Windows 7 ESU with Windows Virtual Desktop, or for bring-your-own images on Azure for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Like on-premises devices, these devices will also require the installation of the SSUs and monthly rollups outlined in the prerequisites section above. A pre-patched Windows 7 image and a pre-patched Windows Server 2008 R2 SP1 image are available from the Azure Marketplace. Azure Stack VMs or Azure VMware solutions should follow the same process as on-premises devices.

After installing the SSUs noted above, VMs will be enabled to download the ESU updates. 

For answers to commonly asked questions about ESU for Windows Server 2008 and 2008 R2, see the ESU FAQ.

Next steps

If your organization still has devices running Windows 7, Windows Server 2008, or Windows Server 2008 R2, we recommend that you take the steps outlined above today to take advantage of Extended Security Updates and help ensure that your devices continue to receive necessary security updates after January 14, 2020.

If you are interested in learning more about Extended Security Updates, please see the following resources:

153 Comments
Copper Contributor

Has anyone seen or know when the "Update to verify that eligible Windows Server 2008 SP2 devices can get Extended Security Updates" for x86 architecture is or when it will be released?

 

I see KB4528081 is available 2008 SP2 (Vista Server) x64, but I haven't found an equivalent for x86.

 

Thank you for any input.

Copper Contributor

Has anyone more info on Extended Security support on SQL and how to activate is because there is no KAM key…….

HI Michel, 

You can find information on the SQL Extended Security support program on the github: SQL ESU 

 

Hi MadMaxZ1r,

As mentioned in the FAQ link, Extended Security Update is supported on the Windows Server 2008/Windows Server 2008 R2 (Datacenter, Enterprise, and Standard editions) for both x86 and x64 versions.  It is just that for verifying the deployment of the Extended Security Update on the Windows Server 2008/Windows Server 2008 R2 we only released the x64 versions of the test KBs. We are not planning to release the x86 version of the test KB.

 
Copper Contributor

Thanx Poonima 

 

Copper Contributor

Thank you Poornima,

 

As Server 2008 was the last x86 server it's the only reason we still have it up and running.  Should I continue to monitor this blog for news of official releases?

 

Max

Copper Contributor
Hi, Great article, very well written and detailed. Can I just clarify that the latest monthly cumulative security update is valid rather than specifically October's Preview?

HI KanyeKukumba,

Yes, you can get the latest monthly cumulative update as well and not specifically October preview. Hope this helps. Thanks,

Copper Contributor

Greatly appreciated, thank you..!!! :smile:

Brass Contributor

.

Copper Contributor

Hi,

Is there a way to test the deployment of a ESU product key without purchasing ESU? Also what happens if a ESU Key is assigned to a device and then that device has to be rebuilt? Is the key assigned to that device lost or does it re-add itself back to your MAK key count after a period of time?

Brass Contributor

.

Microsoft

Hi Paul, 

when a device is rebuild, there is no re-add of a activation to the count of the MAK.

Every single activation counts.

Regards,

Bernd

Copper Contributor

@Bennd Thank you for the reply, appreciate it :smile: . Is there any way to test an ESU licence key without needing to purchase ESU? We have devices that access the internet via a proxy and I would like to test to try and see if I can get them to talk to Microsoft directly without the need to deploy VAMT. 

 

Thanks

 

Paul

Microsoft

Hi @Paul Merrilees

As far as I know there is no such thing as a testing key for ESU.

But as the underlying technology should be the same as for regular keys you should be fine,

if a standard activation works properly using your proxy. 

Regards,

Bernd

Copper Contributor

Hi Guys,

 

We plan to use ESU for 2008 servers we could not upgrade.   For a vmware hosted environment with virtual machines how does it work? Let say we license the hosts with latest Windows OS DC and ESU DC.   If I am not mistaken it would be unlimited number of 2008 VMs we could activate the ESU MAK on each of the hosts.  Let say we have 3 hosts in a vmware cluster, all 3 licensed for DC edition of both OS and ESU for the proper number of CPU cores    How many MAK keys we will get? One for each host? What  if later the VMs are moved around the hosts? 

What is the situation in the case of STD OS and ESU?  How many VM we can activate  with a single MAK key?  Let say we have 2 hosts each with 2 VM. We license both hosts for 4 VMs.  How many MAK key we get? How many VM can be activated by each key? 

 

Regards, 

ZoltN

Copper Contributor

Would the scripted version of installation and activation of ESU keys (based on slmgr steps) work in an air-gapped environment with a KMS server already present and providing other activation services? The article somewhat implies that for devices that are not connected to the Internet VAMT is the only option, but I don't think this is the case.

Microsoft

@Jackie_Mariani I that case please contact your sales representative to get an actual status on the order. The MAK will be provided in the VLSC, as you mentioned

 

@ZoltN I am not a licensing specialist, but what I know for sure is that the MAK has a given number of activations, so you should be fine when you have a key with the according number of your machines. Please get in contact with your sales representative to get a offer that matches your environment.

 

@Mietek_Rogala To accomplish proxy activation for machines without internet connection you will have to deploy VAMT, this is pretty straightforward, please see following link for documentation: https://docs.microsoft.com/en-us/windows/deployment/volume-activation/vamt-requirements

With slmgr you can accomplish the key rollout only.

 

 

Copper Contributor

Some really great info here!

 

I understand how this will work from the client point of view. How do we configure from a updates delivery point of view (i.e. WSUS or SCCM)? Will the Windows 7 category simply continue to download updates each month (and there is some clever logic in the update to make sure they only install on clients with the ESU product key activated) or do we need to subscribe to the updates in some other way?

Copper Contributor

How do I set up when using Microsoft 365 E5 benefits?
It seems nonsense to use VLSC because there are 5 units per user.

Once you purchase the extended support (and I'm still working on that) you will get MAK keys that you enter into the system.  Then you can use WU/WSUS whatever your normal patching mechanism is.

Copper Contributor

I am in an enterprise environment and we use internal KMS to do our license activations.  How does slmgr know to go out to Microsoft instead of using KMS.  I am getting an error when attempting to install the ESU MAK key with slmgr /ipk:  "0xc004f050 the software licensing service reported that the product key is invalid" 

Microsoft

@KevinStreet When using Windows Update it is checked before downloading updates whether you are eligible. When using WSUS, Windows Update Catalog or SCCM or another solution for update distribution, each of the updates checks if the system installing on is licensed accordingly. In general it is as @Susan Bradley already wrote, the existung update mechanisms will work as usual.

Microsoft

@Steve24-7 please contact VLSC support team if this error persists, how to do so please see following article:

https://support.microsoft.com/en-us/help/4471406/how-to-contact-the-microsoft-volume-licensing-servi...

 

Copper Contributor

Just looking to clarify for everyone reading here;

 

The details for verifying access to ESU's here Update for eligible windows 7 and server 2008 r2 devices can get esu lists  KB4519976 (October 2019 Monthly Quality Security Updates Rollup) as one of the prerequisites.

 

Presumably this should be listed as the most currently available monthly quality security update, which at time of writing is KB4525235 (November 2019 Monthly Rollup) and from tonight will be the December 2019 Monthly Rollup?  As each subsequent roll-up removes and replaces the previous month?

 

i.e. running Get-hotfix -Id KB4519976 as advised in the article produces a HotFix not found error.

 

Brass Contributor

I found a Cloud Partner today that sold me a one year W7 Pro ESU for $50 with NO strings attached. No additional products, no support agreement. I was their first ESU sale so I would like for the dust to settle before sharing their name via PM if anyone wants it.

Microsoft

Hello all, to be clear, the ESU Keys in general do not include any support plan, this is just for getting security updates for one year,

the key has to be renewed then.

 

When shifting workloads to Azure the access to the updates is free as documented here:

https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates

 

For security updates only, customers can receive Extended Security Updates on the following products for free: 

  • SQL and Windows Server 2008/R2: Customers who move workloads to Azure Virtual Machines (IaaS) “as-is” will have free access to Extended Security Updates for both SQL Server and Windows Server 2008 and 2008 R2 for three years after the End of Support.
  • Windows 7: Microsoft Windows Virtual Desktop provides a Windows 7 device with free Extended Security Updates through January 2023.

@ELH-IT 

Good point! This is pretty straightforward to test: if you can install the test package on a system with the December rollup KB4530334, you are set for the coming ESU updates as the needed changes are implemented on the system.

Copper Contributor

@Bennd Microsoft

 

Ok following some testing the Prerequisite is current or Octobers or newer Monthly Quality Security update.

 

Can you confirm that for Windows Server 2008 R2 (Standard, Enterprise or Datacenter) a separate ESU MAK is required and is provided by separate ESU subscription licensing?

 

We were advised by our re-seller the same ESU subscription would cover both Windows 7 & Server 2008, but our testing suggests this is not the case.  

 

Microsoft

@ELH-IT Thank you for testing and sharing this, very valuable!

The licensing in general aligns to the licensing of the old keys,

so you will have to license based on physical cores according to the versions virtualization rights.

So you will have to either upgrade the version of the OS, e.g. from Standard to Datacenter or purchase the ESU keys for the corresponding version.

The keys are then provided in the VLSC.

Hopefully I got your point.

Copper Contributor

@Bennd 

 

Ahh ok, so your saying when purchasing a ESU subscription for Windows 2008 Server you'll need to specify which server edition it is for (Standard/Ent/DC) so that you get the right ESU MAK that matches the OS activation key?

Microsoft

@ELH-IT I know there are different SKUs for Standard and Enterprise edition, so I am pretty sure the OS edition should align to the MAK.

But as stated before, I am not that deep into licensing, to be absolutely sure please contact licensing team via your distributor/partner.

Copper Contributor

We are in same situation as @Steve24-7 , we are getting error 0xc004f050 too, a support case was created.

Microsoft

@adegotkov_os33 Thank you very much for sharing, would be great if you could share the result from the case!

Copper Contributor

Hi,

Our customer has Windows 7 Ultimate on a couple of machines they'd like ESU applied to - will the MAK keys work for that version?

Brass Contributor

.

Copper Contributor

Poornima -

Thank you for the detailed article. I have searched for weeks to find out if Windows 7 Ultimate is included in the ESU program. If it is not, I implore Microsoft to add it, as thousands of small businesses paid extra for Ultimate, which adds BitLocker to Windows 7 Pro.

 

Microsoft itself seems to be confused on the topic. Most Windows 7 EOL articles and even recent KB articles mention only Windows 7 Pro and Windows 7 Enterprise as being eligible for ESUs.  However, if you click on the "Applies to" link at the top of the main Windows 7 ESU FAQ page (FAQ About Extended Security Updates for Windows 7), it says that the article applies to Windows 7 Ultimate ESU. Wow! In addition, Insight (a large reseller) sent me a supposedly Microsoft-published ESU training manual that says that Windows 7 Ultimate is included in the ESU program.

 

I am seeking the truth on this matter, but if the truth is that Microsoft is not including Ultimate in the ESU program, that truth needs to change. Why exclude the thousands of businesses who paid extra to buy the top-of-the-line version of Windows 7? Please respond soon, so that the small business community can act.

Copper Contributor

@BlakeTex Why not try placing an order for 1 ESU subscription for Windows 7 Ultimate? If your Microsoft re-seller can provide you with a SKU for Windows 7 Ultimate ESU, then this answers your question?

 

As Bennd advised they are not a licensing specialist, but has confirmed there are different SKU's for the different editions of Windows Server 2008, so the ESU MAK aligned with the original edition OS activation key.

 

So would think the same will be the case for Windows 7?

 

However as you've said all the FAQ's I've seen state "ESU are available for Windows 7 Professional and Windows 7 Enterprise"

 

 

Copper Contributor

 

In our environment we are running Citrix (VDI) and the desktops are registered via KMS. Is KMS also supported and if we purchase the support we will be provided with a KMS key for the Server / Client?

Will we get a new KMS key for the KMS Server and a GVLK key (Generic Volume License Key) for the client that will allow us to receive Windows 7 Updates, as we cannot activate the Gold image using MAK key.

 

Copper Contributor

@Poornima Priyadarshini : Request for your support on this one. 

 

In our environment we are running Citrix (VDI) and the desktops are registered via KMS. Is KMS also supported and if we purchase the support we will be provided with a KMS key for the Server / Client?

Will we get a new KMS key for the KMS Server and a GVLK key (Generic Volume License Key) for the client that will allow us to receive Windows 7 Updates, as we cannot activate the Gold image using MAK key.

Copper Contributor

@ELH-IT -

 

I have tried to purchase ESUs for Windows 7 Ultimate through 3 resellers, all Microsoft partners. They are totally confused. Microsoft’s mixed messaging and the complete illogic of omitting the top business version of Windows 7 (if it has been omitted, but who knows) from the ESU program have confused the IT world. No one knows what the truth is, including Microsoft, whose communications contradict themselves. 

https://www.zdnet.com/article/so-you-want-to-keep-running-windows-7-good-luck-with-that-small-busine...  I'm in the same boat.  I started two weeks ago trying to purchase a license and haven't found that the distributors know what's going on.

Copper Contributor

Anyone understand how to deploy through sccm as recommended? We are a KMS shop. Ok I totally get the manual MAK activation, but the part with the Activation ID trips me up. How could i account for that in a script? I am assuming the activation ID will be different for every system. Or am i mistaken?

Copper Contributor

@reduakm so i think it would work like this...

slmgr /ipk product key (product key from mvls for extended support)
slmgr /ato activation key (from the table above which corresponds to the number of years extended support you have bought)

 

I would look to use a task sequence in SCCM using the run command line step for each slmgr command, you will need to make sure that either the machine has internet access or the account running the task sequence step has internet access to Microsoft online licensing services otherwise it won’t register the key

 

hope that helps you out

 

Paul

 

 

Copper Contributor

@Paul Merrilees thanks for confirming where the activation ID comes from. I doublechecked on a couple systems and the activation ID is in fact the same. So I will be all set for SCCM.

Copper Contributor

Hi Bennd,

I'm trying to apply Extended Security Updates (ESU) to Machines without internet connections,
in the comment you mention "we have to deploy VAMT, but I wondering does bellow option is still available to activate ESU for the computer without internet.

1.click START (gets you to the tiles)4-no-change-product-key-link-missing-dns-error-0x8007232b-dns-error-activate
2.type RUN
3.type slui 3 and press ENTER 1.yes, SLUI: which stands for SOFTWARE LICENSING USER INTERFACE 1.SLUI 1 brings up the activation status window
2.SLUI 2 brings up the activation window
3.SLUI 3 brings up the CHANGE PRODUCT KEY window
4.SLUI 4 brings up the CALL MICROSOFT & MANUALLY ACTIVATE window.

 

I think I send you a msg too, but not sure if it went through.

Looking forward to hear from you soon.

 

thank you,

Copper Contributor

@786Nadmin I am not so sure this would work because it's an additional MAK. I am in a KMS environment so i could be wrong. When i do an slmgr /dli I see my new ESU MAK in addition to my KMS info in a separate section.

Copper Contributor

Poornima -

 

This is your blog, but it has turned into a forum of abandoned Microsoft customers desperately seeking help from each other. Please respond to my 12/14/2019 post about ESUs for Windows 7 Ultimate. Time is of the essence.

Copper Contributor

Reduakm,

According to MS "MAK key is independent of the Windows 7 activation key and can work in parallel together with a KMS activation deployment"

I'm going to install and activate in one of our Win7 Machine. let you know what the process is, if i get a chance today.

 

thank you,

Copper Contributor

ESU MAK Phone activation was recently added as an option for non Internet connected devices.

 

Has anyone heard of using the Phone Activation Method with slmgr.vbs for devices that CANNOT connect to the Internet or the MVLAS instead of using VAMT method? I've tried calling the Microsoft Volume Activation Center to obtain the Confirmation ID (CID) but they are not aware of this method yet.

The Phone Activation Method with slmgr.vbs will allow you to activate multiple machines with one CID using slmgr.vbs / atp <CID> command

Version history
Last update:
‎Feb 11 2020 11:06 AM
Updated by: