Update: Extended Security Updates for Windows 7 and Windows Server 2008
Published Nov 10 2020 09:00 AM

Update 1.31.2023:  For organizations that need additional time to upgrade and modernize their Windows Server 2008 and 2008 R2 environments on Azure, we will now offer one additional year of Extended Security Updates (ESU) for Azure environments only. These ESU will be available beginning on February 14, 2023 and ending on January 9, 2024. This also applies to Azure Stack HCI, Azure Stack Hub, and other Azure products. For more details, see Procedure to continue receiving security updates after extended support ends on January 10, 2023.

Update 11.5.2021:  For Windows 7 SP1 and Windows 7 Professional for Embedded Systems, the Extended Security Update (ESU) Program will be entering its third and final year of providing security updates beginning on January 12, 2022 and ending on January 10, 2023. 

For Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2008 R2 SP1 for Embedded Systems and Windows Server 2008 SP2 for Embedded Systems if running on Microsoft Azure, ESU will have one additional year of extended support available beginning on February 14, 2023, ending on January 9, 2024.

The steps to install, activate, and deploy ESUs are the same for first, second, and third year coverage.  This post has been updated accordingly.


The Extended Security Update (ESU) program is a last resort for customers who need to run certain legacy Microsoft products past the end of support. Support for the following versions of Windows and Windows Server ended on January 14, 2020:

  • Windows 7 SP1
  • Windows 7 Professional for Embedded Systems
  • Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1 for Embedded Systems and Windows Server 2008 SP2 for Embedded Systems

If your organization has been unable to update devices running the versions of Windows listed above to a currently supported version before January 11, 2022, ESU can provide security updates to those devices through January 10, 2023—helping protect those devices while you complete your Windows and Windows Server upgrade projects.

Many organizations have made the transition to the latest version of Windows 10 or Windows Server. Those who deployed Windows 10 benefit from strong protection against threats plus the latest security and manageability features such as Microsoft Defender Antivirus, richer device management policies, and Windows Autopilot. Other organizations running legacy applications shifted their Windows 7 devices to Windows Virtual Desktop, which includes ESU for Windows 7 virtual desktops at no additional cost, enabling you to continue running critical line-of-business apps while you continue your migration to Windows 10. As a last resort, however, a number of organizations purchased, installed, and activated their second year of ESU to receive security updates for eligible devices through January 11, 2022.

What you need to know about year two and year three coverage for ESU

Because ESU are available as separate SKUs for each of the years in which they are offered (2020, 2021, and 2022)—and because ESU can only be purchased in specific 12-month periods—you will need to purchase the third year of ESU coverage separately and activate a new key on each applicable device in order for your devices to continue receiving security updates in 2022. If your organization did not purchase the first, second, and third year of ESU coverage, you will need to purchase Year 1, Year 2, and Year 3 ESU for your applicable Windows 7 or Windows Server devices before installing and activating the Year 3 MAK keys to receive updates.

The steps to install, activate, and deploy ESUs are the same for first-, second-, and third-year coverage. For more information, see Obtaining Extended Security Updates for eligible Windows devices for the Volume Licensing process and Purchasing Windows 7 ESUs as a Cloud Solution Provider for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM).

We recommend that you prepare now to install and activate the third year of ESU coverage for the devices in your organization that require it. To learn more about ESU, please watch our Microsoft Ignite 2019 session on How to manage Windows 7 Extended Security Updates (ESU) for on-premises and cloud environments.

We're here to help

We understand that everyone is at a different point in the upgrade process, which is why we offer assistance with tools like Desktop Analytics and services like Microsoft App Assure—as well as monthly Office Hours to help you deploy and stay current with Windows 10 across your organization. More information on ESU for Windows 7 and Windows Server 2008 and 2008 R2 is available in the Windows 7 end of support FAQ and Windows Server 2008 and 2008 R2 FAQ.

 

61 Comments

Hi everyone, 

Thank you for your new Heads up @

Please consider downloading the latest ADK and installing VAMT 3.1 (and, if still needed, the ESU patch for it) to manage your ESU licenses centrally and easily for all devices (domain-joined or workgroup).

 

I left some helpful comments in the linked article on how to deploy ESU.

 

Can you please check why this article seems to be deleted @Poornima Priyadarshini. Thank you very much! 

 

https://techcommunity.microsoft.com/t5/microsoft-ignite-content-2019/how-to-manage-windows-7-extende...

On top of that it would be extremely helpful if companies could buy ESU for Server 2008 R2 the same way via CSP or OEM as they can do for Windows 7. Having an Enterprise Agreement is a very high stake, even more as not all Microsoft partners are allowed to offer these. 

Copper Contributor

Hi @Poornima Priyadarshini @Karl_Wester-Ebbinghaus  - do you know if the 2021 Windows 7 ESU keys are available for download yet?  Having some issues where we've purchased them and they're not showing up so wasn't sure when they'd be released.  Thanks!

Bronze Contributor

I personally recommend, and am helping users, to upgrade to a supported version of Windows.

However, due to COVID-19, some companies and people are having issues with upgrading, and this is a good decision.

Copper Contributor

I prefer updating to the supported versions

Copper Contributor

Can you please let me know when the CSP price list will be updated with the pricing for year 3 of the Windows 7 Extended Security Updates?

Copper Contributor

Are the ESU years able to overlap? For example, we're still in Year 1, but the keys for Year 2 are available now. Can we install the Year 2 now (in advance of Jan. 2021) and they will still work for Year 1 updates on devices that may not have Dec. updates yet? 

Copper Contributor

Hi All

So if you're on ESU Year 1 only, and it expires on 14th Jan 2021, does this mean I still get the January 2021 patches? Or is the December 2020 patch the last one that I am getting?

Thanks.

Easy answer. 

If the 2nd Tuesday is the 14th or before (Week A) then they're in. @MoonUnits

 

@BrVal raised an interesting question imho.

Dear @Poornima Priyadarshini @Aria Carley 

Do you know the answer? 

Microsoft

@Karl_Wester-Ebbinghaus I just wanted to confirm that my customer will be able to use the available patches for Jan as long as they are available/received before the expiry of Year 1 ESUs.  They haven't decided whether or not to purchase Year 2, so they want to confirm that they are able to download the patches and apply them with Year 1 keys even if they aren't able to apply before the expiry.   Is the date of receipt the key?

 

I have no insights but I am pretty sure the date is the factor, not the purchase date or receipt of the key. The latter would become an unmanageable mess for admins and MSFT alike.

Copper Contributor

In addition to my previous (unanswered) question,  . . . can Year 2 be installed on a computer that missed Year 1? e.g. Someone leaves a "spare" laptop in a drawer and decides to connect it. It doesn't have Year 1 ESU and we're deploying Year 2. Can Year 2 be applied directly without installing Year 1 first?

 

I know you can't "purchase" Year 2 unless you purchased Year 1, but if already purchased, does applying Year 2 directly affect the installation in any way if Year 1 wasn't installed?

Copper Contributor

Well . . . I answered at least one of my own questions. 

Year 2 can be installed without Year 1 having been previously installed. Still installing updates to see whether everything will apply. I'll edit this entry once I know.

 

Edit: I confirmed today that installing ESU Year 2 only on a newly imaged machine does indeed install all the Year 1 patches. So it should be good to go on existing and newly imaged machines for anything in 2020 and 2021.

Copper Contributor

Can Visual Studio (Annual) subscribers get ESU? We get all other Windows versions for dev/test use.

Copper Contributor

Is there a 'test' update like there was for Year 1 https://support.microsoft.com/en-gb/help/4528069/update-for-eligible-windows-7-and-server-2008-r2-de... to verify eligibility for Year 2 updates ? 

@JerryM81 I am not aware of this.

Microsoft

To answer some of these questions:

  • Year 2 can be installed without Year 1 being installed (but due to the nature of cumulative updates, we require you purchase both Year 2 & Year 1 for any device receiving Year 2 updates)
  • Year 2 can be installed early - and Year 1 updates will install
  • Year 1 ESU includes those updates released on January 12, 2021. Likewise Year 2 updates will include the updates released on Patch Tuesday 2022
  • There is no test key for Year 2
  • Visual Studio subscribers do not get an ESU key for testing. However, you can use your ESU key for testing in a test environment. If you run out of activations because of the test devices, you can request more activations at no charge

Hope this helps. Sorry for being so late, it's not my blog so I hadn't been checking for comments.

Copper Contributor

Hi everyone, I would like to know: is there any ESU for Windows Server 2012R2?

I know that the end of extended support date for Windows Server 2012 is Oct 2023. Is it necessary to purchase Premium Assurance (PA) instead of ESU?

Microsoft

Hi @Mandy2021, thanks for reaching out. It's too early to know if we'll be offering ESU for Server 2012 R2. Keep an eye on this blog space as we'll update it with any news. Also, here is the ESU docs page: Windows Server 2008 and 2008 R2 extended security updates | Microsoft Docs

 

I know you are planning right now, but we likely won't have an answer on Server 2012 R2 until mid-late 2022.

Copper Contributor

Thanks @Joe Lurie. So for Windows Server 2012 R2, I have to buy Premium Assurance for extended product support?

Microsoft

Don’t get confused between Extended Security Updates and Extended Product Support. Server 2012 R2 is currently in extended support, till October 2023, and will receive support and security updates till that date.

After that date, in order to get security updates you’ll need ESU. In order to receive support (call support and open a ticket) you’ll need both: a support contract *and* ESU. But again it’s too early for me to say whether or not ESU will be an option for Server 2012 R2 as those discussions haven’t happened yet. But this is the way it works today with Server 2008/R2.

Copper Contributor

Thanks Joe, but I got a bit confused. 

 

I did some research before and found this:

https://imageframe.co.uk/premium-assurance-for-windows-and-sql-server/

 

There is a product called "Premium Assurance" for Windows Server. The article shows that after purchasing Premium Assurance for Windows Server 2012, it provides security updates and bulletins rated "critical" and "important". Is this product still valid for Windows Server 2012?

 

Please correct me if I misunderstood. 

Microsoft

@Mandy2021 Windows Server 2012 R2 is still in support. Today you will receive security and critical updates for Server 2012 R2. If you want additional hotfixes you may need Premium Assurance (I'm not in support or sales so I can't say exactly when PA is needed). But if you look at our lifecycle pages, Server 2012 R2 is included in the fixed lifecycle of 10 yrs support: 5 years mainstream support + 5 years extended support. It's still in the final years of extended support, meaning we still produce and publish security and critical updates.

Lifecycle page: https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2

Fixed support: https://docs.microsoft.com/en-us/lifecycle/policies/fixed

End of Support is not always the end of security updates. We had some for XP years ago, or this month for Exchange 2010. It seems to depend on CVE score and severity. 

As working for a MS Gold Partner I can share more details:

For Extended Support as @Joe Lurie you guessed a (quite expensive) support contract.

It is also only break and fix, so you need to provide evidence it was caused by a security update - as there are no other changes in LTSC or previous Windows Server.
Plus there is no guarantee they will provide a private fix of issues as long as they are not security related.
There is a MS doc describing the mainstream and extended support differences but don't have it at hand but read it about 3 months ago. 
The said Premium Assurance is not needed for public security fixes you will still receive until EOS of Server 2012 and Server 2012 R2.


 

for all public 

Copper Contributor

Thanks @Karl_Wester-Ebbinghaus  and @Joe Lurie

As I know that EOS of Windows Server 2012R2 will be in Oct 2023, I would like to get security updates and product support until the end of 2025. Therefore I would like to know:

1. Is Premium Assurance for Windows Server 2012R2 still available or not?

2. Is it necessary to purchase both Software Assurance (SA) and Premium Assurance (PA)?

3. Should the end date of SA and PA be the same?  

4. Is there any doc/article about technical procedures of how to enable PA on a Windows machine?

Microsoft

@Mandy2021 Again, it's too early to know what will be needed to keep updates going till 12/2025 since we haven't started those conversations internally yet. Re: support contracts, I'm not an expert in that area so I can't give any advice.

Copper Contributor

Do we have to uninstall or remove the year one key before activating the key for year two? I activated the year two key on a machine and notice it now has 3 keys listed when using slmgr /dlv (the original, year one, and year two), is this going to cause any issues?

Microsoft

@Matthew Erb This will not cause any issues. The Year 1 key does not need to be removed. If you are more comfortable removing it, you may, but it's not necessary.

Copper Contributor

The original ESU had a 'test' KB for installing which proved that it was working and was easy to build a scripted "this definitely works now" approach.  The KB was KB4528069

 

Is there a test KB for year 2?  I don't see that so far.

Microsoft

@Christopher Higham No, we didn't create a test package for Year 2 ESU.

@Christopher Higham you can use VAMT from ADK 2004 or later to test if the activation worked in a broad scale. (Also to deploy the keys and activation)

Copper Contributor

Hi

Is ESU covering Microsoft Edge (chromium) ? I would like to keep it on the remaining Windows 7 I have.

 

Thanks

Copper Contributor

Yes, Edge Chromium is supported. We're still on W7 with Edge-C and both WSUS and Edge updates independently are applying.

Microsoft

@tamia when you say "supported" what exactly are you asking? With Windows 7 ESU, you get security updates only. You also need a support contract to get support on Windows 7 or any of the Windows components - ESU alone will not be enough for a support ticket.

But, if you have Windows 7 ESU *and* support contract, then yes, @BrVal is correct, Edge Chromium is one of the components that you can open a ticket for.

Copper Contributor

Yes, I was assuming anyone on this blog is already using (or intending to use) Year 2 - ESU. :smile:

Microsoft

My point was the support contract, not the ESU. I was also assuming ESU was already in play :)

Copper Contributor

@Joe Lurie Thanks for the quick answer.

 

I'm making reference to this statement :

** We will continue to support Microsoft Edge on Windows 7 and Windows Server 2008 R2 until January 15, 2022.

From the doc here

 

So it means that the ESU year 2 will not cover Edge-C ? My main goal is to maintain a "modern" browser for web app like O365.

 

The text in reference talks about security updates for IE and IE mode in Edge. With ESU, IE mode will be safe but not Edge?

Microsoft

from @tamia  >>So it means that the ESU year 2 will not cover Edge-C ? My main goal is to maintain a "modern" browser for web app like O365.

 

++adding @MissyQ to see if she can answer or redirect to someone else that can answer.

Microsoft

Thanks for the tag, @Joe Lurie! I checked in with the team to follow up on this. Microsoft is committed to support Edge through Jan 15th, 2022. After that Edge will continue to run, but may not receive security or other updates, including issues that may affect the security or reliability of IE Mode. It's important to note that IE will be updated independently of Edge and can continue to be used as a separate browser. @tamia, I hope this answers what you are looking for. Happy to take any feedback back to the team if you have any! :)

 

Missy Quarry (she/her/hers)
Community Manager - Microsoft Edge

Copper Contributor

@MissyQ thanks for the confirmation. I still secretly wish the team would extend the support of Edge for another year but eh. Another reason to add to accelerate the W7 -> W10 migration.

 

By the way, the vertical tab bar is awesome. :)

 

Merci

Copper Contributor

Hello.

We have 114 virtual machines with windows 2008R2, all with the first year license active. In March we activated the second year license on all 2008R2 servers.

They all update through WSUS but there are 4 servers with an active second-year ESU license that do not update. The error is the same in all four. The error is 0x80070661.

All other 2008R2 servers update successfully.

I have uninstalled and reinstalled the ESU 2nd year license but the problem persists. I do not see what the problem is.

Thank you

@Francueto 
can you confirm that the ones that fail have received Y1 ESU successfully? If not:

- check all prerequisites again, esp. SSU and CU and the other prerequisites

- servers that didn't have Y1 ESU need Y1 ESU and Y2 ESU on top. It is not possible to install and activate just Y2 ESU.

sidenote: do you have an (in-place) upgrade strategy for these?

That's a whole amount. Have you checked whether buying and paying for a certified on-premises Azure Stack HCI Cluster (2-node) wasn't cheaper / or letting them run in Azure, compared to buying so many ESUs? The ESU is included for both scenarios.


Copper Contributor

@Karl_Wester-Ebbinghaus, thanks for the quick answer

 

I confirm that all servers have been properly licensed with 1Y ESU and continue to have it active. It has not been eliminated.

I have checked the prerequisites and they are OK. The 4 servers indicate that the 2Y ESU is properly licensed and activated.

 

regards

@Francueto do you use manual Installation and activation or considering the amount hopefully the VAMT 3.1 from the Windows 10 2004 ADK? 

Copper Contributor

@K_Wester-Ebbinghaus, hi, all servers are licensed with vamt.  Servers are licensed active and vamt detects active license on each server...

I manually installed the license on the 4 problem servers, but it did not solve the problem.

 

thanks

Copper Contributor

I have a number of devices with year 1 installed and activated, when I bought and then installed the year 2 key it accepts that but will not activate year 2, it still shows as year 1, how do I fix this?

Microsoft

Hi @mwedor2 I can't troubleshoot here, but it should accept the Year 2 key, assuming the right command is being entered. The Year 1 key will still be on the device so that shouldn't be a factor, but feel free to remove it (this is an unnecessary step). You can call Support for this as you have ESU, so they can help troubleshoot the activation issue.

Copper Contributor

it just shows the year 1 licensed using the new key code, is it supposed to indicate year2 at the top like it did year1?

Microsoft

If it activated properly it will show up. If it didn't, it won't. That's why I recommended going through support. But note that the existence of the Year 1 key and activation should not be the cause of the error.

Version history
Last update: Jan 31 2023 11:40 AM