Obtaining Extended Security Updates for eligible Windows devices

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

We understand that everyone is at a different point in the process of deploying and servicing Windows. If your organization was unable to complete the transition from Windows 7 Pro or Enterprise to Windows 10—or from Windows Server 2008 and 2008 R2 Datacenter, Enterprise, or Standard to the latest version of Windows Server—prior to the end of support on January 14, 2020, myself and my fellow members on the ESU team want to help you keep these devices protected while you complete your Windows and Windows Server upgrade projects.

In this blog, we'll explain how Volume Licensing customers can purchase, install, and deploy Extended Security Updates (ESUs) for eligible Windows 7, Windows Server 2008, and Windows Server 2008 R2 devices to ensure those devices continue to receive security updates after January 14, 2020.

Note:  Eligible customers with active Software Assurance or Windows Server Subscriptions can use the Azure Hybrid Benefit to obtain discounts on Azure virtual machine licenses or Azure SQL Database managed instances. Extended Security Updates for select Windows Embedded products are available via your embedded device manufacturer.

Purchasing Extended Security Updates through Volume Licensing

Now, let’s walk through where to purchase Windows 7 ESUs, and how to find the appropriate key on the Volume Licensing Service Center.

Extended Security Updates are available through specific Microsoft Volume Licensing programs. Coverage is available in three consecutive 12-month increments beginning January 14, 2020. Extended Security updates are available for purchase in 12-month increments only. You cannot buy partial periods (e.g. 6 months of updates).

  1. Visit the Volume Licensing Service Center and sign in using your company’s credentials.
  2. Select Licenses > Relationship Summary > Licensing ID > Product Keys.

    obtain1.png

Purchasing Windows 7 ESUs through a Cloud Solution Provider (CSP)

Windows 7 ESUs are also available via the Cloud Solution Partner (CSP) program. To purchase Windows 7 ESUs through a CSP, contact one of the CSP partners listed in the Microsoft solution provider database. If you are a partner and need details on procuring Windows 7 ESUs through the Partner Center, see Purchasing Windows 7 ESUs as a Cloud Solution Provider.

Installation prerequisites

The following steps must be completed before installing and activating ESU keys:

  1. Install the following SHA-2 code signing support update and the following servicing stack update (SSU):

    Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1:
    Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019 (KB4490628)
    and
    SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019 (KB4474419)

    Windows Server 2008 Service Pack 2 (SP2):
    Servicing stack update for Windows Server 2008 SP2: April 9, 2019 (KB4493730)
    and
    SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019 (KB4474419)

  2. Install the SSU listed below (or a later SSU) and the ESU licensing preparation package:

    Windows 7 SP1 and Windows Server 2008 R2 SP1
    Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: January 14, 2020 (KB4536952)
    and
    Extended Security Updates (ESU) Licensing Preparation Package (KB4538483)

    Windows Server 2008 SP2:
    Servicing stack update for Windows Server 2008 SP2: January 14, 2020 (KB4536953)
    and
    Extended Security Updates (ESU) Licensing Preparation Package (KB4538484)

Note:  Classified as a Security-only package, the ESU licensing preparation package is available via Windows Server Update Services (WSUS) or the Microsoft Update Catalog. The ESU licensing preparation package is not currently available via Windows Update.

Installation and activation

Once you have installed the prerequisites listed above, you’re ready to install and activate the ESU license key.

Note:  Installing the ESU product key will not replace the existing Windows OS product key on the device.

First, install the ESU product key using the Windows Software Licensing Management Tool (slmgr). Then:

  1. Open an elevated Command Prompt.
  2. Type slmgr /ipk <ESU key> and select Enter.
  3. If the product key is installed successfully, you will see a message similar to the following:
     

    obtain2.png

Note:  If you see the Error:0xC004F050 while trying to install the product key on Windows Server 2008 SP2, your device may require an additional reboot.

Next, find the ESU Activation ID:

  1. In the elevated Command Prompt, type slmgr /dlv and select Enter.
  2. Note the Activation ID as you will need it in the next step.

    obtain3.png

Once the ESU key is activated, continue to use your current update and servicing strategy to deploy ESUs through Windows Update, WSUS, the Microsoft Update Catalog, or whichever patch management solution you prefer. Extended Security Updates will have the Security-only update classification.

Note:  Windows Update offline scan files (WSUSScn2.cab) will continue to be available for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2. If you have devices running one of these operating systems, but don’t have ESUs, those devices will show up as non-compliant in your patch management and compliance toolsets.

Configure firewall whitelists for activation

If you are using a proxy firewall, you may need to whitelist the activation endpoints for ESU key activation to succeed.

For online activation (i.e. local key deployment), you will need to whitelist all the following URLs:

Windows 7 SP1 and Windows Server 2008 R2 SP1

https://go.microsoft.com/fwlink/?linkid=88338

https://activation.sls.microsoft.com/slspc/SLActivate.asmx

https://go.microsoft.com/fwlink/?linkid=88339

https://activation.sls.microsoft.com/slrac/SLCertify.asmx

https://go.microsoft.com/fwlink/?linkid=88340

https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx

https://go.microsoft.com/fwlink/?linkid=88341

https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx

 

Windows Server 2008 SP2

https://go.microsoft.com/fwlink/?linkid=48189

https://activation.sls.microsoft.com/slspc/SLActivate.asmx

https://go.microsoft.com/fwlink/?linkid=48190

https://activation.sls.microsoft.com/slrac/SLCertify.asmx

https://go.microsoft.com/fwlink/?linkid=48191

https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx

https://go.microsoft.com/fwlink/?linkid=48192

https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx

For proxy activation using the Volume Activation Management Tool (VAMT), whitelist the following URLs:

Once you have completed your whitelists, you are ready to activate the ESU product key:

  1. Open an elevated Command Prompt.
  2. Type slmgr /ato <ESU Activation Id> and select Enter.

You should now see a message stating that you have activated the key successfully:

obtain4.png

The following table outlines possible values for <ESU Activation Id>. The activation IDs are the same across all eligible Windows ESU editions and all devices enrolled for that program

ESU program

ESU SKU (or Activation) ID

Windows 7 SP1 (Client)

Year 1 

77db037b-95c3-48d7-a3ab-a9c6d41093e0 

Year 2

0e00c25d-8795-4fb7-9572-3803d91b6880 

Year 3

4220f546-f522-46df-8202-4d07afd26454 

Windows Server 2008 R2 SP1 and Windows Server 2008 (Server)

Year 1 

553673ed-6ddf-419c-a153-b760283472fd 

Year 2

04fa0286-fa74-401e-bbe9-fbfbb158010d 

Year 3

16c08c85-0c8b-4009-9b2b-f1f7319e45f9 

 

Important:  Activation via Control Panel > System and Security > System > Activate Windows cannot be used to activate ESU keys. It activates the Windows operating system only.

Once you have activated the ESU product key, you can verify the status at any time by following these steps:

Windows 7 SP1 and Windows Server 2008 R2 SP1:

  1. Open an elevated Command Prompt.
  2. Type slmgr /dlv and select Enter.

Windows Server 2008 SP2:

  1. Open an elevated Command Prompt.
  2. Type slmgr /dlv <Activation ID> or slmgr /dlv all and select Enter.

The License Status will show as Licensed for the corresponding ESU program, as shown below:

obtain5.png

 

Note:  We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.

To install and activate ESU for devices that are not connected to the Internet, you can use the VAMT or phone activation.

Volume Activation Management Tool configuration

You can use the VAMT for online and/or proxy activation. To install and activate ESU keys using the VAMT, follow these steps:

  1. Download and install the Volume Activation Management Tool.
  2. Download the VAMT- ESU configuration file and update your VAMT configuration file.
  3. Configure the client device’s firewall for the VAMT.
  4. Add the ESU product key to the VAMT.
  5. Select the product, right-click, select Activate, then select your activation method, as shown below:

    obtain6.png
     

Note:  For systems that cannot connect to the Internet for activation, you can use the VAMT to perform proxy activation.

For additional guidance on how to install and activate Windows 7 ESU keys on multiple devices using a multiple activation key (MAK), see this post.

Activating ESU keys via phone

To activate ESU keys via phone, use the slmgr command options - /dti and /atp. To activate ESU keys via phone, follow these steps:

  1. Open an elevated Command Prompt.
  2. Type slmgr.vbs /ipk <ESU MAK Key> and select Enter. to install the product key.
  3. Get the Installation ID for the ESU Key using the corresponding ESU Activation ID (see the table of ESU Activation IDs for each program listed earlier in the blog post). For example:
     

    obtain7.png

  4. Once you have the Installation ID, call the Microsoft Licensing Activation Center for your region; they will walk you through the steps to get the Confirmation ID. Make a note of your Confirmation ID.
  5. Type slmgr /atp <Confirmation ID> <ESU Activation ID> to activate the ESU SKU using the Confirmation Id obtained in the above step.
     

    obtain8.png

  6. Type slmgr /dlv <Activation ID> or slmgr /dlv all and select Enter to verify that the License Status shows as Licensed.

Azure virtual machines

You do not need to deploy an additional ESU key for Azure virtual machines (VMs), Windows 7 ESU with Windows Virtual Desktop, or for bring-your-own images on Azure for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Like on-premises devices, you will need to install the appropriate SSUs as outlined in the Installation prerequisites section above on your VMs. After installing the SSUs noted above, VMs will be enabled to download the ESU updates. 

A pre-patched Windows 7 image and a pre-patched Windows Server 2008 R2 SP1 image are available from the Azure Marketplace. Azure Stack VMs or Azure VMware solutions should follow the same process as on-premises devices

For answers to commonly asked questions about ESU for Windows Server 2008 and 2008 R2 SP1, see Extended Security Updates frequently asked questions.

Next steps

If your organization still has devices running Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2 SP1, we recommend that you take the steps outlined above today and take advantage of Extended Security Updates to help ensure that your devices continue to receive necessary security updates

If you are interested in learning more about Extended Security Updates, please see the following resources:

 

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.