Table of Contents
Introduction
As announced in Microsoft’sย blog postย on March 12, on January 14, 2020, Windows 7 and Windows Server 2008/2008 R2 will go out of support, and soon after that,ย Office 2010.
Out of support means that there will no longer be any further development or security patches released for your workstations or servers.
If you still want security patches, you will need to sign up for these through the Extended Security Updates (ESU) program.
In this blog post, I cover the extended security updates for Windows 7, the cost, how you can purchase them, and how to deploy the licenses.
When do I need to purchase the Windows 7 ESUs?
You have three options as of this writing to receive further security updates for your Windows 7 machines:
- Purchase Extended Security Updates for Windows 7
- Purchase E5 licenses, as mentioned below
- Use Windows Virtual Desktop
Refer to Microsoft’s website for comparing the different Microsoft 365 Enterprise plans.
How do I purchase the Windows 7 ESU product keys?
The Windows 7 and Windows Server 2008/2008 R2 extended security updates are purchased through the Extended Security Update (ESU) program and are available through volume licensing programs.
Previously, the extended security updates were only available to enterprise customers in Volume Licensing.
It has been possible to purchase the Extended Security Updates for Windows 7 starting on December 1, 2019, through the Cloud Solution Provider (CSP) program.
You purchase Extended Security Updates for full 12-month periods. According to Microsoft, it will not be possible to buy partial periods, such as six months.
There will only be one MAK license key that you will need to apply to all your machines.
Windows 7 ESU Cost
The cost is per device and per year, with the cost doubling for every year until 2023.
Here is a pricing list from my other blog post
Year 1โJanuary 2020โJanuary 2021
$25 per device/year for Windows 7 Enterprise, $50 for Windows 7 Professional
Year 2โJanuary 2021โJanuary 2022
$50 per device/year for Windows 7 Enterprise, $100 for Windows 7 Professional
Year 3โJanuary 2022โJanuary 2023
$100 per device/year for Windows 7 Enterprise, $200 for Windows 7 Professional
Cloud Solution Providers (CSPs) can go to the Partner Center to learn more.
How to prepare for the Windows 7 ESU Purchase
Before purchasing the Windows 7 ESUs, you can apply the following patch:
The Windows 7 ESU MAK key
Once you have purchased licenses for extended security updates for Windows 7, you will receive a Windows 7 MAK key, which you will need to apply to your devices.
When you have deployed the Windows 7 MAK key, the Windows 7 device will look for updates.
All devices missing this registry value will not receive any further security updates, following January 14th, 2020.
The Windows 7 ESU Activation ID
The Activation IDs are provided by Microsoft on: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807
Year 1 | 77db037b-95c3-48d7-a3ab-a9c6d41093e0 |
Year 2 | 0e00c25d-8795-4fb7-9572-3803d91b6880 |
Year 3 | 4220f546-f522-46df-8202-4d07afd26454 |
How to activate the Windows 7 ESU keys
After you have purchased the Windows 7 Extended Security Updates, you will receive a MAK key.
This MAK is unique to your organization, but not unique for each device, meaning you will use the same MAK key to activate all your devices.
This MAK key is activated by running the following command:
cscript c:\windows\system32\slmgr.vbs /ipk <key>
Once the MAK key has been activated, also activate the Activation Key using:
cscript c:\windows\system32\slmgr.vbs /ato <activation ID>
How to deploy the Windows 7 ESU keys using MEMCM (SCCM)
If you want to deploy the Windows 7 ESU MAK key, a good way of doing this is through Microsoft Endpoint Configuration Manager (SCCM).
Prerequisites for deploying the Windows 7 ESUs
To deploy the Windows 7 ESU you will need the following prerequisites on your clients:
- Install the Servicing Stack Update (KB4490628), released on March 12, 2019
- Install the latest SHA-2 update, released on September 23, 2019 (KB4474419)
- Install the latest Servicing Stack Update, released on September 10, 2019 (KB4516655)
- Monthly rollup, released on October 8, 2019 (KB4519976)
How to deploy the Windows 7 ESUs using MEMCM (SCCM)
When you have met the prerequisites:
- Create a script for activating the MAK & Activation Key
- Create a package
- Deploy
Once the prerequisites are met, create a package and a script that activates the MAK and Activation key in sequence.
I will soon update this blog post with a Powershell script for accomplishing this.
For more information about applying the license to devices, refer to Microsoft’s blog post.
Conclusion
With the end of support for Windows 7, it’s important that your organization has a strategy for Windows 7.
How will you handle Windows 7? Will you purchase Windows 7 Extended Security Updates, E5 licenses or try Windows Virtual Desktop for the remaining Windows 7 machines?
Please leave a comment below!
References
- Microsoft Partner Center – Announcing Paid Windows 7 Extended Security Updates
- Microsoft Docs – Windows 7 end of support and Office 365 ProPlus
- Microsoft Blogs – Making the transition to Windows 10 and Office 365
- Windows 7 and Office 2010 End of Support FAQ
- How to get Extended Security Updates for eligible Windows devices
Regarding using SCCM to deploy the MAK, how are you capturing the application license and then activating it?
Sorry, this was not added to original post, but I have updated it now :). I will also create a Powershell script the upcoming days to accomplish this.
/Daniel
Thank you for your article, but what about Activation ID ?
Is this article : https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807
We have to activate the key ith the activation ID.
Any idea if the activation IDs will be the same for everyone ? (like
77db037b-95c3-48d7-a3ab-a9c6d41093e0 for the first year for W7) ? It’s hard to understand, if you have the answer, it’s welcome ๐ Thanks
Hi,
Sorry for the late reply! The activation ID will be the same for everyone but will differ depending on which year it is. I have updated the blog post to incorporate this information.
Thanks for the feedback!
/Daniel
Hi,
Thanks for great blog..
is that power-shell script is ready to push from SCCM.
Hi Zubair,
I am aiming on publishing the Powershell script tomorrow ๐
/Daniel
Hi Daniel,
sorry to asking again and again for power shell script. is that ready now.
Hi Zubair,
Unfortunately, I have been in the midst of an employment change, which has caused some delay in many of my obligations, including this one. I will provide it next week, I hope you can bear with me.
any update on the instruction
Hi Adnan,
Sorry, I have not been able to update the instruction, since I’ve been sick for the whole of February. I will work on it this week though ๐
Hi – Any update on the SCCM script
Hi,
I am aiming on publishing the Powershell script tomorrow ๐
/Daniel
Thank you Daniel
Hi,
If the activation ID is always the same, the script to deploy the ESU licences just need to contain two lines, am I right ?
The first one is :
cscript c:\windows\system32\slmgr.vbs /ipk
Where must be replaced with my MAK licence
And the second one is :
cscript c:\windows\system32\slmgr.vbs /ato
Where equals to this specific value “77db037b-95c3-48d7-a3ab-a9c6d41093e0” which seems to be the same value for everyone, every computer, every company.
I had the feeling that it would be more difficult, but not really, am I right ?
Why everybody here is waiting for your script if this is all it needs to be done ?
Thank you for your answer !
Ben
It seems that some words have been deleted from my previous message.
I am trying again..
Hi,
If the activation ID is always the same, the script to deploy the ESU licences just need to contain two lines, am I right ?
The first one is :
cscript c:\windows\system32\slmgr.vbs /ipk “Your_Licence_KEY”
Where “Your_Licence_KEY” must be replaced with your MAK licence
And the second one is :
cscript c:\windows\system32\slmgr.vbs /ato “Activation_ID”
Where “Activation_ID” equals to this specific value โ77db037b-95c3-48d7-a3ab-a9c6d41093e0โ which seems to be the same value for everyone, every computer, every company, everyone.
I had the feeling that it would be more difficult, but not really, am I right ?
Why everybody here is waiting for your script if this is all it needs to be done ?
Thank you for your answer !
Ben
Hi Ben,
Yes, you are correct! ๐
/Daniel
And ho, I forgot, thank you for your great post !
Just a thing.
You talked about making a powershell script to deploy the MAK licence and activate it on the computers. But maybe the script should, in addition, check if the commands have successfully been executed or not (I do not know how because I s*ck with powershell scripting, but it should be possible)
Great Blog post!
just a heads up. In your instructions it says to activate via
cscript c:\windows\system32\slmgr.vbs /ato (activation key)
but i could only get it to work by doing:
cscript c:\windows\system32\slmgr.vbs /ato (activation id)
doing so with the activation key resulted in โproduct not foundโ
Hi!
You are correct, I have updated the blog post ๐
Thanks!
/Daniel
Hi Daniel,
Thanks for the post. I followed the
cscript c:\windows\system32\slmgr.vbs /ipk [key]
cscript c:\windows\system32\slmgr.vbs /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0
And i’m getting an “Error: product not found.”
I’ve also seen “Activating windows (r) 7, Enterprise edition (9ab….) on a computer running Microsoft windows non-core edition, run ‘slui.exe 0x2a 0x80072EE7 to display error text.
any help is appreciated.
Same Issue Here… anyone find a solution?
*bump* any solution?
Thanks for the post!
I do have a question though – The /ato command needs the machine to have a live Internet connection, which means proxy access is required in a locked down/fire-walled environment. Standard Users (non-local-admin) have that access, but cannot apply the change without elevated rights. SCCM provides elevated rights via the SYSTEM account, but that account does not have any proxy rights, so the command fails – is there another work-around for this other than using VAMT?
Hi Bill,
Unfortunately, I haven’t heard any other solution for that scenario either. I will keep you posted if I hear something new.
Bill I have situation with proxy access. Create task sequence with two run command line steps. First step cscript.exe //Nologo slmgr.vbs /ipk (your key).
Second step cscript.exe //Nologo slmgr.vbs /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0
and select Run this step as the following account. Insert one of the domain accounts. We use dedicated domain service account, which is also local admin on all PCs.
You’re pricing is wrong. That may have been for the volume license customers, but for CSP customers (win7 pro), pricing is $61 for the first year.
Thanks a lot Daniel for the blog .
I have been struggling so sharing for other – I decided to use vbscript as I am not sure powershell is properly setup everywhere on my Windows 7 machines.
This is AS-IS right and does not have any sort of error handling which is very bad .
One of my issue being to double-check programmatically after activation that it was indeed activated and store that information for later scan and central reporting on another tool than SCCM.
REM Connect to WMI to get win7esu activation status then create a reg Key to be parsed later by any scanning tool
Dim objShell
Set objShell = WScript.CreateObject(“WScript.Shell”)
objShell.Run “cscript //B “”%windir%\system32\slmgr.vbs”” /ipk “,0,True
objShell.Run “cscript //B “”%windir%\system32\slmgr.vbs”” /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0″,0,True
Set objLocator = CreateObject(“WbemScripting.SWbemLocator”)
Set objService = objLocator.ConnectServer(“.”, “root\cimv2”)
objService.Security_.ImpersonationLevel = 3
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = “.”
Set objRegistry = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strComputer & “\root\default:StdRegProv”)
strKeyPath = “SOFTWARE\”
objRegistry.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strValueName = “Win7ESULicense”
Set colProducts = objService.ExecQuery(“SELECT ID,ApplicationID,Name,LicenseStatus FROM SoftwareLicensingProduct where ID = ’77db037b-95c3-48d7-a3ab-a9c6d41093e0′”)
For each objProduct in colProducts
wscript.echo objProduct.ID & “:” & objProduct.Name & “:” & objProduct.LicenseStatus
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, objProduct.LicenseStatus
Next
Nice article, Is there ant report in SCCM we can use to check the activation after the deployment?
For your collection of Windows 7 machines, how can you tell which have been activated with the ESU enabling MAK and which have not? We use PDQ for deployment of the prereqs and will use it to mass activate them, but have not been able to figure out what changes in a legitimate install so as to differentiate a completed one and one yet to be completed. Trying to avoid re-activating workstations that have already been done.
We installed the ESU key on our Win 7 machine in early January, but have not yet received any updates. Is there anyone at Microsoft we can contact about this?
On Feb, Microsoft posted updated pre-requisite packages that you have to install. Try this.
Is there a query that can be ran in SCCM to get a report of all computers that are now ESU activated and ready to go?
If you deploy the MAK activation as a package – you can follow progress in SCCM here:
\Monitoring\Overview\Reporting\Reports\Software Distribution – Package and Program Deployment\All deployments for a specified package and program
I have tested this, and it seems to work just fine ๐
For Windows Server 2008 R2 MAK activation,
1. Should we perform above steps on KMS server?
2. Is using VAMT mandatory for activation [servers do not have internet]
3. Is internet mandatory for activation/can phone activation possible?
How do I get updates without internet connection after the activation?
I understand you have to have an internet connection for the activation. Is there any way around this? I ask because our systems are in a secure env and the sccm/admin privileges don’t have internet access. (regular users have internet access)
Hi @Sam ,By any chance did you find a way to fix this issue. Even we are facing similar issue
In the command line in the sccm package what would go there for Server 2008 R2?
how do we implement if the windows 7 client are in isolated network. Do we have manual download and installation option available?
Thanks Daniel for a great post. Here is my powershell script for ESU year 3 if anyone interested. You’ll need to replace with your own year 3 ESU key.
##########
$LogBackup = ‘C:\Windows\Debug\ExtendSecurityUpdatesForWindows7_3.0.log.backup’
$Log = ‘C:\Windows\Debug\ExtendSecurityUpdatesForWindows7_3.0.log’
$Path = “C:\Windows\System32\slmgr.vbs”
#Create C:\Windows\Debug folder if not exist
$Debug = “C:\Windows\Debug”
If(!(test-path $Debug))
{
New-Item -ItemType Directory -Force -Path $Debug
}
#Remove Log backup file if exist.
if (Test-Path $LogBackup)
{
Remove-Item $LogBackup
}
#Keep previous log file.
if (Test-Path $Log)
{
Copy-Item $Log -Destination $LogBackup
}
#Add Windows 7 ESU MAK key
cscript.exe //Nologo $Path /ipk {add your Win7 ESU MAK key here} > $Log
#Activate Windows 7 ESU with Year 3 Activation ID
cscript.exe //Nologo $Path /ato 4220f546-f522-46df-8202-4d07afd26454 >> $Log
#Updates Evaluation Cycle
([wmiclass]’ROOT\ccm:SMS_Client’).TriggerSchedule(‘{00000000-0000-0000-0000-000000000113}’)
([wmiclass]’ROOT\ccm:SMS_Client’).TriggerSchedule(‘{00000000-0000-0000-0000-000000000108}’)
Thanks for the script Tu!
/Daniel
Thanks for this, but seams that exist many opened questions about win 7.