Year two: Extended Security Updates for Windows 7 and Windows Server 2008

Published 11-10-2020 09:00 AM 46.6K Views

The Extended Security Update (ESU) program is a last resort for customers who need to run certain legacy Microsoft products past the end of support. Support for the following versions of Windows and Windows Server ended on January 14, 2020:

  • Windows 7 SP1
  • Windows 7 Professional for Embedded Systems
  • Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1 for Embedded Systems and Windows Server 2008 SP2 for Embedded Systems

If your organization has been unable to update devices running the versions of Windows listed above to a currently supported version before January 12, 2021, ESU can provide security updates to those devices through January 11, 2022—helping protect those devices while you complete your Windows and Windows Server upgrade projects.

Many organizations have made the transition to the latest version of Windows 10 or Windows Server. Those who deployed Windows 10 benefit from strong protection against threats plus the latest security and manageability features such as Microsoft Defender Antivirus, richer device management policies, and Windows Autopilot. Other organizations running legacy applications shifted their Windows 7 devices to Windows Virtual Desktop, which includes ESU for Windows 7 virtual desktops at no additional cost, enabling you to continue running critical line-of-business apps while you continue your migration to Windows 10. As a last resort, however, a number of organizations purchased, installed, and activated their first year of ESU to receive security updates for eligible devices through January 12, 2021.

What you need to know about year two coverage for ESU

Because ESU are available as separate SKUs for each of the years in which they are offered (2020, 2021, and 2022)—and because ESU can only be purchased in specific 12-month periods—you will need to purchase the second year of ESU coverage separately and activate a new key on each applicable device in order for your devices to continue receiving security updates in 2021. If your organization did not purchase the first year of ESU coverage, you will need to purchase both Year 1 and Year 2 ESU for your applicable Windows 7 or Windows Server devices before installing and activating the Year 2 MAK keys to receive updates.

The steps to install, activate, and deploy ESUs are the same for first and second year coverage. For more information, see Obtaining Extended Security Updates for eligible Windows devices for the Volume Licensing process and Purchasing Windows 7 ESUs as a Cloud Solution Provider for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM).

We recommend that you prepare now to install and activate the second year of ESU coverage for the devices in your organization that require it. To learn more about ESU, please watch our Microsoft Ignite 2019 session on How to manage Windows 7 Extended Security Updates (ESU) for on-premises and cloud environments.

We're here to help

We understand that everyone is at a different point in the upgrade process, which is why we offer assistance with tools like Desktop Analytics and services like Microsoft App Assure—as well as monthly Office Hours to help you deploy and stay current with Windows 10 across your organization. More information on ESU for Windows 7 and Windows Server 2008 and 2008 R2 is available in the Windows 7 end of support FAQ and Windows Server 2008 and 2008 R2 FAQ.

Frequent Contributor

Hi everyone, 

Thank you for your new Heads up @

Please consider to download the lastest ADK and install VAMT 3.1 (if still needed the ESU Patch for it)

To manage your ESU licenses centrally and easy for all devices (Domain-joined or workgroup).


I left some helpful comments in the linked article how to deploy ESU. 


Can you please check why this article seems to be deleted @Poornima Priyadarshini. Thank you very much!

Frequent Contributor

On top of that it would be extremely helpful if companies could buy ESU for Server 2008 R2 the same way via CSP or OEM as they can do for Windows 7. Having an Enterprise Agreement is a very high stake, even more as not all Microsoft partners are allowed to offer these. 

Occasional Visitor

Hi @Poornima Priyadarshini @K_Wester-Ebbinghaus  - do you know if the 2021 Windows 7 ESU keys are available for download yet?  Having some issues where we've purchased them and they're not showing up so wasn't sure when they'd be released.  Thanks!

Valued Contributor

I personally recommend and helping users to upgrade to supported version of Windows.

However due to COVID-19 some companies and people having issue with upgrade and this is good decision.


I prefer updating to the supported versions

Occasional Visitor

Can you please let me know when the CSP price list will be updated with the pricing for year 3 of the Windows 7 Extended Security Updates?

Regular Visitor

Are the ESU years able to overlap? For example, we're still in Year 1, but the keys for Year 2 are available now. Can we install the Year 2 now (in advance of Jan. 2021) and they will still work for Year 1 updates on devices that may not have Dec. updates yet? 

Occasional Visitor

Hi All

So if your on ESU Year1 only, and it expires on 14th Jan 2021, does this mean i still get January 2021 patches? Or is December 2020 patch the last one that i am getting?


Frequent Contributor

Easy answer. 

If the 2nd Tuesday is the 14th or before (Week A) then they're in. @MoonUnits


Frequent Contributor

@BrVal raised an interesting question imho.

Dear @Poornima Priyadarshini @Aria Carley 

Do you know the answer? 


@K_Wester-Ebbinghaus I just wanted to confirm that my customer will be able to use the available patches for Jan as long as they are available/received before the expiry of Year 1 ESUs.  They haven't decided whether or not to purchase Year 2, so they want to confirm that they are able to download the patches and apply them with Year 1 keys even if they aren't able to apply before the expiry.   Is the date of receipt the key?


Frequent Contributor

I have no insights but I am pretty sure the date is the factor, not the purchase date or receipt of the key. Latter would become an unmanageable mess for admins and MSFT alike.

Regular Visitor

In addition to my previous (unanswered) question,  . . . can Year 2 be installed on a computer that missed Year 1? e.g. Someone leaves a "spare" laptop in a drawer and decides to connect it. It doesn't have Year 1 ESU and we're deploying Year 2. Can Year 2 be applied directly without installing Year 1 first?


I know you can't "purchase" Year 2 unless you purchased Year 1, but if already purchased, does applying Year 2 directly affect the installation in any way if Year 1 wasn't installed?

Regular Visitor

Well . . . I answered at least one of my own questions. 

Year 2 can be installed without Year 1 having been previously installed. Still installing updates to see whether everything will apply. I'll edit this entry once I know.


Edit: I confirmed today that installing ESU Year 2 only on a newly imaged machine does indeed install all the Year 1 patches. So it should be good to go on existing and newly imaged machines for anything in 2020 and 2021.

Occasional Visitor

Can Visual Studio (Annual) subscribers get ESU? We get all other Windows versions for dev/test use.

Frequent Visitor

Is there a 'test' update like there was for Year 1 to verify eligibility for Year 2 updates ? 

Frequent Contributor

@JerryM81 I am not aware about this. 


To answer some of these questions:

  • Year 2 can be installed without Year 1 being installed (but due to the nature of cumulative updates, we require you purchase both Year 2 & Year 1 for any device receiving Year 2 updates)
  • Year 2 can be installed early - and Year 1 updates will install
  • Year 1 ESU includes those updates released on January 12, 2021. Likewise Year 2 updates will include the updates released on Patch Tuesday 2022
  • There is no test key for Year 2
  • Visual Studio subscribers do not get an ESU key for testing. However, you can use your ESU key for testing in a test environment. If you run out of activations because of the test devices, you can request more activations at no charge

Hope this helps. Sorry for being so late, its not my blog so I hadn't been checking for comments.

Regular Visitor

Hi everyone, I would like to know is there any ESU for Window Server 2012R2 ?  

Know that the end of extended support date for Window Server 2012 is Oct 2023, 

is it need to purchase Premium Assurance (PA) instead of ESU ?


HI @Mandy2021 thanks for reaching out. It's too early to know if we'll be offering ESU for Server 2012 R2. Keep an eye on this blog space as we'll update it with any news. Also here is the ESU docs page: Windows Server 2008 and 2008 R2 extended security updates | Microsoft Docs


I know you are planning right now, but we likely won't have an answer on Server 2012 R2 until mid-late 2022.

Regular Visitor

Thanks @Joe Lurie . so for Window Server 2012 R2, I have to buy Premium Assurance for extended product support? 


Don’t get confused between Extended Security Updates and Extended Product Support. Server 2012 R2 is currently in extended support, till October 2023, and will receive support and security updates till that date.

After that date, in order to get security updates you’ll need ESU. In order to receive support (call support and open a ticket) you’ll need both: a support contract *and* ESU. But again it’s too early for me to say whether or not ESU will be an option for Server 2012 R2 as those discussions haven’t happened yet. But this is the way it works today with Server 2008/R2.

Regular Visitor

Thanks Joe, but I got a bit confused. 


I do some research before and found that:


There is a product called "Premium Assurance" for Window Server. In the article shows that after purchase Premium Assurance for Window Server 2012, 

it provides security updates and bulletins rated "critical" and "important". Is this product still valid for Window Server 2012?


Please correct me if I misunderstood. 


@Mandy2021 Windows Server 2012 R2 is still in support. Today you will receive security and critical updates for Server 2012 R2. If you want additional hotfixes you may need Premium Assurance (I'm not in support or sales so I can't say exactly when PA is needed). But if you look at our lifecycle pages, Server 2012 R2 is included in the fixed lifecycle of 10 yrs support: 5 years mainstream support + 5 years extended support. Its still in the final years of extended support, meaning we still produce and publish security and critical updates.

Lifecycle page:

Fixed support:

Frequent Contributor

End of Support is not always the end of security updates. We had some for XP years ago, or this month for Exchange 2010. It seems to depend on CVE score and severity. 

As working for a MS Gold Partner I can share more details:

For Extended Support as @Joe Lurie you guessed a (quite expensive) support contract.

It is also only break and fix, so you need to provide evidence it was caused by an security update - as there are no other changes in LTSC or previous Windows Server.
Plus there is no guarantuee they will provide a private fix of issues as long they are not security related.
There is a MS doc describing the mainstream and extended support differences but don't have it at hand but read it about 3 months ago. 
The said Premium Assurance is not needed for public security fixes you will still receive until EOS of Server 2012 and Server 2012 R2.


for all public 

Regular Visitor

Thanks @K_Wester-Ebbinghaus  and @Joe Lurie

As know that EOS of Windows server 2012R2 will be on Oct 2023, and would like to get security update and product support until end of 2025. Therefore I would like to know:

1. If Premium Assurance for Windows Server 2012R2 still available or not ?

2. Is it need to purchase both Software Assurance (SA) and Premium Assurance (PA)?

3. Should the end date of SA and PA be the same?  

4. Is there any doc/article about technical procedures of how to enable PA on a Windows machine?


@Mandy2021 Again its too early to know what will be needed to keep updates going till 12/2025 since we haven't started those conversations internally yet. Re: support contracts, I'm not an expert in that area so I can't give any advice.

Senior Member

Do we have to uninstall or remove the year one key before activating the key for year two? I activated the year two key on a machine and notice it now has 3 keys listed when using slmgr /dlv (the original, year one, and year two), is this going to cause any issues?


@Matthew Erb This will not cause any issues. The Year 1 key does not need to be removed. If you are more comfortable removing it, you may, but its not necessary.

The original ESU had a 'test' KB for installing which proved that it was working and was easy to build a scripted "this definitely works now" approach.  The KB was KB4528069


Is there a test KB for year 2?  I don't see that so far.


@Christopher Higham No, we didn't create a test package for Year 2 ESU.

Frequent Contributor

@Christopher Higham you can use VAMT from ADK 2004 or later to test if the activation worked in a broad scale. (Also to deploy the keys and activation)

Version history
Last update:
‎Nov 10 2020 02:49 PM
Updated by: