Obtaining Extended Security Updates for eligible Windows devices
Published Feb 11 2020 10:00 AM 591K Views

 

Update 3.14.2023: We have added a new table with ESU SKU IDs for Windows Server 2008/2008 R2.

Update 1.31.2023: For organizations that need additional time to upgrade and modernize their Windows Server 2008 and 2008 R2 environments on Azure, we will now offer one additional year of Extended Security Updates (ESU) for Azure environments only. These ESU will be available beginning on February 14, 2023 and ending on January 9, 2024. This also applies to Azure Stack HCI, Azure Stack Hub, and other Azure products. For more details, see Procedure to continue receiving security updates after extended support ends on January 10, 2023.

Update 11.5.2021: For more information, see Update: Extended Security Updates for Windows 7 and Windows Server 2008.

Update 1.12.2021: For more information, see Year two: Extended Security Updates for Windows 7 and Windows Server 2008.

Update 3.10.2020: Before installing and activating ESU keys, please ensure that you have installed all of the prerequisites outlined under Installation prerequisites below. Installing the latest servicing stack updates (SSUs) helps ensures that security updates will continue to land on the devices in your environment. The Installation prerequisites section of this post has been updated to include the current required SSUs, and will continue to be updated as needed.

We understand that everyone is at a different point in the process of deploying and servicing Windows. If your organization was unable to complete the transition from Windows 7 Pro or Enterprise to Windows 10—or from Windows Server 2008 and 2008 R2 Datacenter, Enterprise, or Standard to the latest version of Windows Server—prior to the end of support on January 14, 2020, myself and my fellow members on the ESU team want to help you keep these devices protected while you complete your Windows and Windows Server upgrade projects.

Windows Server 2008 and 2008 R2 Extended Security Updates third and final year of ESU ended on January 10, 2023. Many customers are taking advantage of Azure's commitment to security and compliance and have moved to Azure to protect their 2008 and R2 workloads with free Extended Security Updates.

For those customers who need additional time to upgrade and modernize their Windows Server 2008 and 2008 R2 on Azure, we will now provide one additional year of Extended Security Updates only on Azure available beginning on February 14, 2023, ending on January 9, 2024. This also applies to Azure Stack HCI, Azure Stack Hub, and other Azure products.

Note: Eligible customers with active Software Assurance or Windows Server Subscriptions can use the Azure Hybrid Benefit to obtain discounts on Azure virtual machine licenses or Azure SQL Database managed instances. Extended Security Updates for select Windows Embedded products are available via your embedded device manufacturer.

Purchasing Extended Security Updates through Volume Licensing

Now, let's walk through where to purchase Windows Server 2008 SP2 and Windows Server 2008 R2, and how to find the appropriate key on the Volume Licensing Service Center.

Extended Security Updates are available through specific Microsoft Volume Licensing programs. Coverage is available in three consecutive 12-month increments beginning January 14, 2020. Extended Security updates are available for purchase in 12-month increments only. You cannot buy partial periods (e.g. 6 months of updates).

  1. Visit the Volume Licensing Service Center and sign in using your company's credentials.
  2. Select Licenses > Relationship Summary > Licensing ID > Product Keys > Filter by Product and select Windows Server 2008 R2 Extended Security Year 4 MAK. (Note: You must be a VLSC Administrator or VLSC Product Key Viewer for the relevant agreement to view the MAK keys.)

    ESU-year-2-in-VLSC.png

Installation prerequisites

Note: The prerequisites listed in this section will be updated as needed.

The following steps must be completed before installing and activating ESU keys:

  1. Install the following SHA-2 code signing support update and the following servicing stack update (SSU):

    Windows Server 2008 R2 SP1:
    Servicing stack update for Windows Server 2008 R2 SP1: March 12, 2019 (KB4490628)
    and
    SHA-2 code signing support update for Windows Server 2008 R2 and Windows Server 2008: September 23, 2019 (KB4474419)

    Windows Server 2008 Service Pack 2 (SP2):
    Servicing stack update for Windows Server 2008 SP2: April 9, 2019 (KB4493730)
    and
    SHA-2 code signing support update for Windows Server 2008 R2, Windows Server 2008: September 23, 2019 (KB4474419)

  2. Install the SSU listed below (or a later SSU) and the ESU licensing preparation package:

    Windows Server 2008 R2 SP1:
    Servicing stack update for Server 2008 R2 SP1: September 13, 2022, (KB5017397) or later
    and
    Extended Security Updates (ESU) Licensing Preparation Package August 8, 2022 (KB5016892)

    Windows Server 2008 SP2:
    Servicing stack update for Windows Server 2008 SP2: July 12, 2022 (KB5016129) or later
    and
    Extended Security Updates (ESU) Licensing Preparation Package August 8, 2022 (KB5016891)

    Note: For Windows 7 SP1 Embedded Products (WES 7 and POS 7) we recommend taking the latest SSU (KB5017397) or later. As well as Extended Security Updates (ESU) Licensing Preparation Package July 29, 2020 (KB4575903) or later.

Note: Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine. For more information, see Servicing stack updates.

 

Note: Classified as a Security-only package, the ESU licensing preparation package is available via Windows Server Update Services (WSUS) or the Microsoft Update Catalog. The ESU licensing preparation package is not currently available via Windows Update.

Installation and activation

Once you have installed the prerequisites listed above, you're ready to install and activate the ESU license key.

Note: Installing the ESU product key will not replace the existing Windows OS product key on the device.

First, install the ESU product key using the Windows Software Licensing Management Tool (slmgr). Then:

  1. Open an elevated Command Prompt.
  2. Type slmgr /ipk <ESU key> and select Enter.
  3. If the product key is installed successfully, you will see a message similar to the following:
     

    obtain2.png

Note: If you see the Error:0xC004F050 while trying to install the product key on Windows Server 2008 SP2, your device may require an additional reboot.

Next, find the ESU Activation ID:

  1. In the elevated Command Prompt, type slmgr /dlv and select Enter.
  2. Note the Activation ID as you will need it in the next step.

    obtain3.png

Once the ESU key is activated, continue to use your current update and servicing strategy to deploy ESUs through Windows Update, WSUS, the Microsoft Update Catalog, or whichever patch management solution you prefer. Extended Security Updates will have the Security-only update classification.

Note: Windows Update offline scan files (WSUSScn2.cab) will continue to be available for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2. If you have devices running one of these operating systems, but don't have ESUs, those devices will show up as non-compliant in your patch management and compliance toolsets.

Configure firewall allow lists for activation

If you are using a proxy firewall, you may need to allow list the activation endpoints for ESU key activation to succeed.

For online activation (i.e. local key deployment), you will need to allow list all the following URLs:

Windows 7 SP1 and Windows Server 2008 R2 SP1

https://go.microsoft.com/fwlink/?linkid=88338

https://activation.sls.microsoft.com/slspc/SLActivate.asmx

https://go.microsoft.com/fwlink/?linkid=88339

https://activation.sls.microsoft.com/slrac/SLCertify.asmx

https://go.microsoft.com/fwlink/?linkid=88340

https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx

https://go.microsoft.com/fwlink/?linkid=88341

https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx

 

Windows Server 2008 SP2

https://go.microsoft.com/fwlink/?linkid=48189

https://activation.sls.microsoft.com/slspc/SLActivate.asmx

https://go.microsoft.com/fwlink/?linkid=48190

https://activation.sls.microsoft.com/slrac/SLCertify.asmx

https://go.microsoft.com/fwlink/?linkid=48191

https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx

https://go.microsoft.com/fwlink/?linkid=48192

https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx

For proxy activation using the Volume Activation Management Tool (VAMT), allow list the following URLs:

Once you have completed your allow lists, you are ready to activate the ESU product key:

  1. Open an elevated Command Prompt.
  2. Type slmgr /ato <ESU Activation Id> and select Enter.

You should now see a message stating that you have activated the key successfully:

obtain4.png

The following tables outlines possible values for <ESU Activation Id>. The activation IDs are the same across all eligible Windows ESU editions and all devices enrolled for that program.

ESU program

ESU SKU (or Activation) ID

Windows 7 SP1 (Client)

Year 1

77db037b-95c3-48d7-a3ab-a9c6d41093e0

Year 2

0e00c25d-8795-4fb7-9572-3803d91b6880

Year 3

4220f546-f522-46df-8202-4d07afd26454

 

ESU program

ESU SKU (or Activation) ID

Windows Server 2008/2008 R2

Year 1

553673ed-6ddf-419c-a153-b760283472fd

Year 2

04fa0286-fa74-401e-bbe9-fbfbb158010d

Year 3

16c08c85-0c8b-400909b2b-f1f7319e45f9

Year 4

32163ff8-e96d-40b1-973c-44b9bf096d83

 

Important: Activation via Control Panel > System and Security > System > Activate Windows cannot be used to activate ESU keys. It activates the Windows operating system only.

Once you have activated the ESU product key, you can verify the status at any time by following these steps:

Windows 7 SP1 and Windows Server 2008 R2 SP1:

  1. Open an elevated Command Prompt.
  2. Type slmgr /dlv and select Enter.

Windows Server 2008 SP2:

  1. Open an elevated Command Prompt.
  2. Type slmgr /dlv <Activation ID> or slmgr /dlv all and select Enter.

The License Status will show as Licensed for the corresponding ESU program, as shown below:

obtain5.png

 

Note: We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.

To install and activate ESU for devices that are not connected to the Internet, you can use the VAMT or phone activation.

Volume Activation Management Tool configuration

You can use the VAMT for online and/or proxy activation. To install and activate ESU keys using the VAMT, follow these steps:

  1. Download and install the Volume Activation Management Tool.
  2. Download the VAMT- ESU configuration file and update your VAMT configuration file.
  3. Configure the client device's firewall for the VAMT.
  4. Add the ESU product key to the VAMT.
  5. Select the product, right-click, select Activate, then select your activation method, as shown below:

    obtain6.png
     

Note: For systems that cannot connect to the Internet for activation, you can use the VAMT to perform proxy activation.

For additional guidance on how to install and activate Windows 7 ESU keys on multiple devices using a multiple activation key (MAK), see this post.

Activating ESU keys via phone

To activate ESU keys via phone, use the slmgr command options - /dti and /atp. To activate ESU keys via phone, follow these steps:

  1. Open an elevated Command Prompt.
  2. Type slmgr.vbs /ipk <ESU MAK Key> and select Enter. to install the product key.
  3. Get the Installation ID for the ESU Key using the corresponding ESU Activation ID (see the table of ESU Activation IDs for each program listed earlier in the blog post). For example:
     

    obtain7.png

  4. Once you have the Installation ID, call the Microsoft Licensing Activation Center for your region; they will walk you through the steps to get the Confirmation ID. Make a note of your Confirmation ID.
  5. Type slmgr /atp <Confirmation ID> <ESU Activation ID> to activate the ESU SKU using the Confirmation Id obtained in the above step.
     

    obtain8.png

  6. Type slmgr /dlv <Activation ID> or slmgr /dlv all and select Enter to verify that the License Status shows as Licensed.

Azure virtual machines

You do not need to deploy an additional ESU key for Azure virtual machines (VMs), Azure Stack HCI version 21H2 and later.

For other Azure products such as Azure VMWare, Azure Nutanix solution Azure Stack (Hub, Edge), or for bring-your-own images on Azure for Windows Server 2008 SP2, and Windows Server 2008 R2 SP1 you do need to deploy the ESU key. The steps to install, activate, and deploy ESUs are the same for fourth year of ESU coverage

Like on-premises devices, you will need to install the appropriate SSUs as outlined in the article Obtaining Extended Security Updates for eligible Windows devices - Microsoft Community Hub Installation prerequisites section. After installing the SSUs noted above, VMs will be enabled to download the ESU updates.

A pre-patched Windows Server 2008 R2 SP1 image are available from the Azure Marketplace.

For answers to commonly asked questions about ESU for Windows Server 2008 and 2008 R2 SP1, see Extended Security Updates frequently asked questions.
To learn more about ESU, please watch our Microsoft Ignite 2019 session on How to manage Windows 7 Extended Security Updates (ESU) for on-premises and cloud environments

Next steps

If your organization still has devices running Windows Server 2008, or Windows Server 2008 R2 SP1, we recommend that you take the steps outlined above today and take advantage of Extended Security Updates to help ensure that your devices continue to receive necessary security updates

If you are interested in learning more about Extended Security Updates, please see the following resources:

 

75 Comments
Version history
Last update:
‎Nov 29 2023 11:01 AM