This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
We understand that everyone is at a different point in the process of deploying and servicing Windows. If your organization was unable to complete the transition from Windows 7 Pro or Enterprise to Windows 10—or from Windows Server 2008 and 2008 R2 Datacenter, Enterprise, or Standard to the latest version of Windows Server—prior to the end of support on January 14, 2020, my fellow members of the ESU team and I want to help you keep these devices protected while you complete your Windows and Windows Server upgrade projects.
In this blog, we'll explain how Volume Licensing customers can purchase, install, and deploy Extended Security Updates (ESUs) for eligible Windows 7, Windows Server 2008, and Windows Server 2008 R2 devices to ensure those devices continue to receive security updates after January 14, 2020.
Note: Eligible customers with active Software Assurance or Windows Server Subscriptions can use the Azure Hybrid Benefit to obtain discounts on Azure virtual machine licenses or Azure SQL Database managed instances. Extended Security Updates for select Windows Embedded products are available via your embedded device manufacturer.
Purchasing Extended Security Updates through Volume Licensing
Now, let’s walk through where to purchase Windows 7 ESUs, and how to find the appropriate key on the Volume Licensing Service Center.
Extended Security Updates are available through specific Microsoft Volume Licensing programs. Coverage is available in three consecutive 12-month increments beginning January 14, 2020. Extended Security Updates are available for purchase in 12-month increments only. You cannot buy partial periods (e.g. 6 months of updates).
- Visit the Volume Licensing Service Center and sign in using your company’s credentials.
- Select Licenses > Relationship Summary > Licensing ID > Product Keys.
Purchasing Windows 7 ESUs through a Cloud Solution Provider (CSP)
Windows 7 ESUs are also available via the Cloud Solution Partner (CSP) program. To purchase Windows 7 ESUs through a CSP, contact one of the CSP partners listed in the Microsoft solution provider database. If you are a partner and need details on procuring Windows 7 ESUs through the Partner Center, see Purchasing Windows 7 ESUs as a Cloud Solution Provider.
Installation prerequisites
The following steps must be completed before installing and activating ESU keys:
- Install the following SHA-2 code signing support update and the following servicing stack update (SSU):
  - Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1:
    - Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019 (KB4490628), and
    - SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019 (KB4474419)
  - Windows Server 2008 Service Pack 2 (SP2):
    - Servicing stack update for Windows Server 2008 SP2: April 9, 2019 (KB4493730), and
    - SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019 (KB4474419)
- Install the SSU listed below (or a later SSU) and the ESU licensing preparation package:
  - Windows 7 SP1 and Windows Server 2008 R2 SP1:
    - Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: January 14, 2020 (KB4536952), and
    - Extended Security Updates (ESU) Licensing Preparation Package (KB4538483)
  - Windows Server 2008 SP2:
    - Servicing stack update for Windows Server 2008 SP2: January 14, 2020 (KB4536953), and
    - Extended Security Updates (ESU) Licensing Preparation Package (KB4538484)
Note: Classified as a Security-only package, the ESU licensing preparation package is available via Windows Server Update Services (WSUS) or the Microsoft Update Catalog. The ESU licensing preparation package is not currently available via Windows Update.
Installation and activation
Once you have installed the prerequisites listed above, you’re ready to install and activate the ESU license key.
Note: Installing the ESU product key will not replace the existing Windows OS product key on the device.
First, install the ESU product key using the Windows Software Licensing Management Tool (slmgr):
- Open an elevated Command Prompt.
- Type slmgr /ipk <ESU key> and select Enter.
- If the product key is installed successfully, you will see a message similar to the following:
Note: If you see Error: 0xC004F050 while trying to install the product key on Windows Server 2008 SP2, your device may require an additional reboot.
Next, find the ESU Activation ID:
- In the elevated Command Prompt, type slmgr /dlv and select Enter.
- Note the Activation ID as you will need it in the next step.
Once the ESU key is activated, continue to use your current update and servicing strategy to deploy ESUs through Windows Update, WSUS, the Microsoft Update Catalog, or whichever patch management solution you prefer. Extended Security Updates will have the Security-only update classification.
Note: Windows Update offline scan files (WSUSScn2.cab) will continue to be available for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2. If you have devices running one of these operating systems, but don’t have ESUs, those devices will show up as non-compliant in your patch management and compliance toolsets.
Configure firewall whitelists for activation
If you are using a proxy firewall, you may need to whitelist the activation endpoints for ESU key activation to succeed.
For online activation (i.e. local key deployment), you will need to whitelist all the following URLs:
Windows 7 SP1 and Windows Server 2008 R2 SP1:
- https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx
- https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx
Windows Server 2008 SP2:
- https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx
- https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx
For proxy activation using the Volume Activation Management Tool (VAMT), whitelist the following URLs:
- https://activation.sls.microsoft.com/BatchActivation/BatchActivation.asmx
- http://go.microsoft.com/fwlink/?LinkId=82160 (This FWLink redirects to the above URL.)
Once you have completed your whitelists, you are ready to activate the ESU product key:
- Open an elevated Command Prompt.
- Type slmgr /ato <ESU Activation Id> and select Enter.
You should now see a message stating that you have activated the key successfully:
The following table outlines possible values for <ESU Activation Id>. The activation IDs are the same across all eligible Windows ESU editions and all devices enrolled for that program.

| ESU program | Year | ESU SKU (or Activation) ID |
|---|---|---|
| Windows 7 SP1 (Client) | Year 1 | 77db037b-95c3-48d7-a3ab-a9c6d41093e0 |
| Windows 7 SP1 (Client) | Year 2 | 0e00c25d-8795-4fb7-9572-3803d91b6880 |
| Windows 7 SP1 (Client) | Year 3 | 4220f546-f522-46df-8202-4d07afd26454 |
| Windows Server 2008 R2 SP1 and Windows Server 2008 (Server) | Year 1 | 553673ed-6ddf-419c-a153-b760283472fd |
| Windows Server 2008 R2 SP1 and Windows Server 2008 (Server) | Year 2 | 04fa0286-fa74-401e-bbe9-fbfbb158010d |
| Windows Server 2008 R2 SP1 and Windows Server 2008 (Server) | Year 3 | 16c08c85-0c8b-4009-9b2b-f1f7319e45f9 |

Important: Activation via Control Panel > System and Security > System > Activate Windows cannot be used to activate ESU keys. It activates the Windows operating system only.
Once you have activated the ESU product key, you can verify the status at any time by following these steps:
Windows 7 SP1 and Windows Server 2008 R2 SP1:
- Open an elevated Command Prompt.
- Type slmgr /dlv and select Enter.
Windows Server 2008 SP2:
- Open an elevated Command Prompt.
- Type slmgr /dlv <Activation ID> or slmgr /dlv all and select Enter.
The License Status will show as Licensed for the corresponding ESU program, as shown below:
Note: We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.
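The install, activate, and verify steps above can be combined into one script that a management tool pushes to each device. The following is an added example, not a script from Microsoft or from the original post; the parameter names, the Invoke-Slmgr helper, the use of Get-HotFix for the prerequisite check, and the matching on English slmgr output are assumptions. It assumes PowerShell 2.0 or later and an elevated session.

```powershell
# Added example (not Microsoft's script). Run elevated on the target device.
param(
    [Parameter(Mandatory = $true)][string]$EsuKey,       # ESU product key from the VLSC
    [Parameter(Mandatory = $true)][string]$ActivationId  # ID for your program and year, from the table above
)
$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'

# Prerequisite KBs from this post, keyed by OS version
# (6.1 = Windows 7 SP1 / Server 2008 R2 SP1, 6.0 = Server 2008 SP2).
$prereqs = @{
    '6.1' = @{ Required = @('KB4490628', 'KB4474419', 'KB4538483'); Ssu = 'KB4536952' }
    '6.0' = @{ Required = @('KB4493730', 'KB4474419', 'KB4538484'); Ssu = 'KB4536953' }
}
$os  = [Environment]::OSVersion.Version
$set = $prereqs["$($os.Major).$($os.Minor)"]
if (-not $set) { throw "OS version $os is not covered by this procedure." }

# Assumption: Get-HotFix reports these packages on the device.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
$missing   = @($set.Required | Where-Object { $installed -notcontains $_ })
if ($missing.Count -gt 0) { throw "Missing prerequisite update(s): $($missing -join ', ')" }
if ($installed -notcontains $set.Ssu) {
    # The post allows a later SSU in place of this one, so warn instead of failing.
    Write-Warning "$($set.Ssu) not found; confirm that a later SSU is installed."
}

# Hypothetical helper: runs slmgr through cscript so output goes to the console, not a dialog.
function Invoke-Slmgr([string]$Step, [string[]]$SlmgrArgs) {
    $out = (& cscript.exe //nologo $slmgr $SlmgrArgs | Out-String)
    # Assumption: failures contain "Error:" as in the 0xC004F050 message mentioned in this post.
    # The arguments are not added to the message, so the product key is not repeated in logs.
    if ($out -match 'Error:') { throw "slmgr step '$Step' failed:`n$out" }
    return $out
}

Invoke-Slmgr 'install key' @('/ipk', $EsuKey) | Out-Null
Invoke-Slmgr 'activate'    @('/ato', $ActivationId) | Out-Null
$status = Invoke-Slmgr 'verify' @('/dlv', $ActivationId)

# Assumption: English-language slmgr output.
if ($status -notmatch 'License Status:\s*Licensed') {
    throw "ESU license $ActivationId is not in the Licensed state:`n$status"
}
Write-Output "ESU license $ActivationId is Licensed."
```

Because the script throws on any failed step, the deployment tool can use its exit status to report devices that still need prerequisites, a reboot, or firewall changes.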
To install and activate ESU for devices that are not connected to the Internet, you can use the VAMT or phone activation.
Volume Activation Management Tool configuration
You can use the VAMT for online and/or proxy activation. To install and activate ESU keys using the VAMT, follow these steps:
- Download and install the Volume Activation Management Tool.
- Download the VAMT- ESU configuration file and update your VAMT configuration file.
- Configure the client device’s firewall for the VAMT.
- Add the ESU product key to the VAMT.
- Select the product, right-click, select Activate, then select your activation method, as shown below:
Note: For systems that cannot connect to the Internet for activation, you can use the VAMT to perform proxy activation.
For additional guidance on how to install and activate Windows 7 ESU keys on multiple devices using a multiple activation key (MAK), see this post.
Activating ESU keys via phone
To activate ESU keys via phone, use the slmgr command options /dti and /atp and follow these steps:
- Open an elevated Command Prompt.
- Type slmgr.vbs /ipk <ESU MAK Key> and select Enter to install the product key.
- Get the Installation ID for the ESU Key using the corresponding ESU Activation ID (see the table of ESU Activation IDs for each program listed earlier in the blog post). For example:
- Once you have the Installation ID, call the Microsoft Licensing Activation Center for your region; they will walk you through the steps to get the Confirmation ID. Make a note of your Confirmation ID.
- Type slmgr /atp <Confirmation ID> <ESU Activation ID> to activate the ESU SKU using the Confirmation ID obtained in the above step.
- Type slmgr /dlv <Activation ID> or slmgr /dlv all and select Enter to verify that the License Status shows as Licensed.
Azure virtual machines
You do not need to deploy an additional ESU key for Azure virtual machines (VMs), Windows 7 ESU with Windows Virtual Desktop, or for bring-your-own images on Azure for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Like on-premises devices, you will need to install the appropriate SSUs as outlined in the Installation prerequisites section above on your VMs. After installing the SSUs noted above, VMs will be enabled to download the ESU updates.
A pre-patched Windows 7 image and a pre-patched Windows Server 2008 R2 SP1 image are available from the Azure Marketplace. Azure Stack VMs or Azure VMware solutions should follow the same process as on-premises devices.
For answers to commonly asked questions about ESU for Windows Server 2008 and 2008 R2 SP1, see Extended Security Updates frequently asked questions.
Next steps
If your organization still has devices running Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2 SP1, we recommend that you take the steps outlined above today and take advantage of Extended Security Updates to help ensure that your devices continue to receive necessary security updates.
If you are interested in learning more about Extended Security Updates, please see the following resources:
- Announcement: Availability of ESU for purchase
- Prepare for Windows Server 2008 end of support
- Extended Security Updates FAQ
- Windows 7 end of support information for enterprises
- Windows 7 end of support FAQ