This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
While many of you are well into your journey of deploying and/or servicing Windows 10, we understand that everyone is at a different point in the upgrade process. If your organization is unable to complete the transition from Windows 7 Pro or Enterprise to Windows 10—or from Windows Server 2008 and 2008 R2 Datacenter, Enterprise, or Standard to the latest version of Windows Server—prior to the end of support on January 14, 2020, we want to help you by ensuring that these devices running these select editions and versions continue to receive security updates while you complete your Windows and Windows Server upgrade projects.
In this blog, we’ll explain how volume license customers can purchase, install, and deploy Extended Security Updates today for eligible Windows 7, Windows Server 2008, and Windows Server 2008R2 devices to ensure those devices stay protected after January 14, 2020. Again, if you are a Windows 7 Pro customer looking to take advantage of paid Extended Security Updates via CSP partners, you will be able to do so once they are available on December 1, 2019. More information on this option will be available in the Windows 7 and Office 2010 End of Support FAQ.
Purchasing Windows 7 ESU through Volume Licensing
Extended Security Updates are available through specific volume licensing programs. Coverage will be available in three consecutive 12-month increments following Windows 7 end of support on January 14, 2020. Extended Security updates are available for purchase in 12-month increments only, starting January 14, 2020. You cannot buy partial periods (e.g. 6 months).
Eligible customers can use the Azure Hybrid Benefit (available to customers with active Software Assurance or Server Subscriptions) to obtain discounts on the license of Azure virtual machines or Azure SQL Database managed instances. ESUs for select Windows Embedded products are available via your embedded device manufacturer.
Now, let’s walk through how and where to purchase Windows 7 ESU, as well as download the appropriate key from the VLSC.
- Visit the Volume Licensing Service Center (https://www.microsoft.com/vlsc) and sign in.
- Select Licenses > Relationship Summary > Licensing ID > Product Keys.
Installation prerequisites
The following steps must be completed before installing and activating ESU keys:
- For on-premises devices, once you have purchased ESU and downloaded the key, you must first install the Servicing Stack Updates (SSU) outlined in KB4516033 and KB4519972 (or any later SSUs/rollups) before deploying and activating the ESU key on your applicable machines.
- Once activated, you can then continue to use your current update and servicing strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS), or whichever patch management solution you prefer.
Installation and activation
Once you have addressed the prerequisites, you’re ready to install and activate Extended Security Updates for machines connected to the internet.
First, install the ESU product key using the Windows Software Licensing Management Tool (slmgr):
- Open an elevated Command Prompt.
- Type slmgr /ipk <ESU key> and select Enter.
- If the product key installed successfully, you will see a message similar to the following:
Next, find the ESU Activation ID:
- In the elevated Command Prompt, type slmgr /dlv and select Enter.
- Note the Activation ID as you will need it in the next step.
Now, you’ll activate the ESU product key:
- Open an elevated Command Prompt.
- Type slmgr /ato <ESU Activation Id> and press Enter.
Once you have activated the ESU product key, you can verify the status at any time by following these steps:
- Open an elevated Command Prompt.
- Type slmgr /dlv and select Enter.
- Verify Licensed Status shows as Licensed for the corresponding ESU program, as shown below:
Note: We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.
To install and activate ESU for machines that are not connected to the Internet, you will need to follow these steps:
- Download and install the Volume Activation Management Tool (VAMT).
- Configure the client device’s firewall for VAMT.
- Add the ESU product key to VAMT.
For systems that will not connect to the internet for activation, you can use the VAMT to perform proxy activation; however, KB4519972 must first be installed.
Note: We will be providing instructions on purchasing, installing, and activating Windows 7 ESU purchased through CSPs at a later date.
Azure virtual machines and Windows Server
You do not need to deploy an additional ESU key for Azure virtual machines (VMs), Windows 7 ESU with Windows Virtual Desktop, or for bring-your-own images on Azure for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Like on-premises devices, these devices will also require the installation of the SSUs detailed in KB4516033 and KB4519972, or later SSUs/rollups. A pre-patched Windows 7 image and a pre-patched Windows Server 2008 R2 SP1 image are available from the Azure Marketplace. Azure Stack VMs or Azure VMware solutions should follow the same process as on-premises devices.
After installing the SSUs noted above, VMs will be enabled to download the ESU updates.
For answers to commonly asked questions about ESU for Windows Server 2008 and 2008 R2, see the ESU FAQ.
Next steps
If your organization still has devices running Windows 7, Windows Server 2008, or Windows Server 2008 R2, we recommend that you take the steps outlined above today to take advantage of Extended Security Updates and help ensure that your devices continue to receive necessary security updates after January 14, 2020.
If you are interested in learning more about Extended Security Updates, please see the following resources: