Windows 7 Extended Security Updates

The time has finally arrived! On January 14, Microsoft formally announced the end of support for Windows 7. If you haven’t made any updates in a while, now might be the time to get the final Windows updates available to you.

I’ve had a few customers ask about the delivery and activation mechanism for Extended Security Updates (ESUs). In this post, I will cover what Windows 7 end of support means for you and how you can get Windows ESUs for eligible devices.

Windows 7 End of Support

What does it actually mean now that Windows 7 has reached end of support? For Windows 7, Microsoft will not fix any security issues, even if they are openly reported. If you are planning to use Windows 7 without Internet access, then you may not have any issues – if not, you should proceed with caution. Malware creators and unethical hackers have been waiting for this date and will be ready to exploit unsecure systems. Not only will they try to steal data from unsecured computers, but you could be at greater risk of a ransomware attack or these devices being used to spread viruses on your network. There is significant risk in the ‘do nothing’ approach.

Windows 7 Extended Security Updates

Microsoft is offering one last chance to those who are serious about moving to Windows 10, through the ESU subscription plan. With this you can pay per user, per computer on a yearly basis, to get access to fixes for any new vulnerability that is found or reported. It is the best option for anyone that needs to keep using the Internet for their business and applications.

ESUs are available through specific volume licensing programs and coverage is available in three consecutive 12-month increments from January 14, 2020.

How to Install Windows 7 or the Extended Security Updates

Prerequisites

The following must be completed before installing and activating ESU keys:

1. Install the following SHA-2 code-signing support update and servicing stack update and servicing stack update (or later):
   Windows 7 SP1
   • Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
   • SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008

2. Install the following SSU and monthly rollup:
   Windows 7 SP1 and
   • Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019 (KB4516655)
   • October 8, 2019: Monthly Rollup (KB4519976)

3. Once activated, continue to use your current update and servicing strategy to deploy ESU

Installation and Activation

First, install the ESU product key using the Windows Software Licensing Management Tool (slmgr):

Note: Installing the ESU product key will not replace the current OS activation method being used on the device. This is achieved by using the Activation ID to differentiate between the operating system’s activation and the ESU activation.

1. Open an elevated command prompt
2. Type slmgr /ipk <esu key> and hit Enter
3. A dialog box will notify you if the product key was installed successfully

Next, find the ESU Activation ID:

4. In the elevated Command Prompt, type slmgr /dlv and select Enter
5. Note the Activation ID as you will need it in the next step

Activate the ESU product key:

6. Open an elevated command prompt
7. Type slmgr /ato <ESU Activation Id> and press Enter

Once you have activated the ESU product key, you can verify the status at any time by following these steps:

8. Open an elevated Command Prompt
9. Type slmgr /dlv and select Enter
10. Verify Licensed Status shows as Licensed for the corresponding ESU program

We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.

Get in touch if you need assistance with the procurement of the ESU licenses or activation and deployment of ESUs within your organisation.