Introduction

As announced in Microsoft’sย blog postย on March 12, on January 14, 2020, Windows 7 and Windows Server 2008/2008 R2 will go out of support, and soon after that,ย Office 2010.

Out of support means that there will no longer be any further development or security patches released for your workstations or servers.

If you still want security patches, you will need to sign up for these through the Extended Security Updates (ESU) program.

In this blog post, I cover the extended security updates for Windows 7, the cost, how you can purchase them, and how to deploy the licenses.

When do I need to purchase the Windows 7 ESUs?

You have three options as of this writing to receive further security updates for your Windows 7 machines:

  • Purchase Extended Security Updates for Windows 7
  • Purchase E5 licenses, as mentioned below
  • Use Windows Virtual Desktop

Refer to Microsoft’s website for comparing the different Microsoft 365 Enterprise plans.

How do I purchase the Windows 7 ESU product keys?

windows 7 extended security updates
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807

The Windows 7 and Windows Server 2008/2008 R2 extended security updates are purchased through the Extended Security Update (ESU) program and are available through volume licensing programs.

Previously, the extended security updates were only available to enterprise customers in Volume Licensing.

It has been possible to purchase the Extended Security Updates for Windows 7 starting on December 1, 2019, through the Cloud Solution Provider (CSP) program.

You purchase Extended Security Updates for full 12-month periods. According to Microsoft, it will not be possible to buy partial periods, such as six months.

There will only be one MAK license key that you will need to apply to all your machines.

Windows 7 ESU Cost

The cost is per device and per year, with the cost doubling for every year until 2023.

Here is a pricing list from my other blog post

Year 1โ€“January 2020โ€“January 2021
$25 per device/year for Windows 7 Enterprise, $50 for Windows 7 Professional
Year 2โ€“January 2021โ€“January 2022

$50 per device/year for Windows 7 Enterprise, $100 for Windows 7 Professional
Year 3โ€“January 2022โ€“January 2023

$100 per device/year for Windows 7 Enterprise, $200 for Windows 7 Professional

Cloud Solution Providers (CSPs) can go to the Partner Center to learn more.

How to prepare for the Windows 7 ESU Purchase

Before purchasing the Windows 7 ESUs, you can apply the following patch:

https://support.microsoft.com/en-us/help/4528069/update-for-eligible-windows-7-and-server-2008-r2-devices-can-get-esu

The Windows 7 ESU MAK key

Once you have purchased licenses for extended security updates for Windows 7, you will receive a Windows 7 MAK key, which you will need to apply to your devices.

When you have deployed the Windows 7 MAK key, the Windows 7 device will look for updates.

All devices missing this registry value will not receive any further security updates, following January 14th, 2020.

The Windows 7 ESU Activation ID

The Activation IDs are provided by Microsoft on: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807

Year 1 77db037b-95c3-48d7-a3ab-a9c6d41093e0 
Year 20e00c25d-8795-4fb7-9572-3803d91b6880 
Year 34220f546-f522-46df-8202-4d07afd26454 

How to activate the Windows 7 ESU keys

After you have purchased the Windows 7 Extended Security Updates, you will receive a MAK key.

This MAK is unique to your organization, but not unique for each device, meaning you will use the same MAK key to activate all your devices.

This MAK key is activated by running the following command:

cscript c:\windows\system32\slmgr.vbs /ipk <key>

Once the MAK key has been activated, also activate the Activation Key using:

cscript c:\windows\system32\slmgr.vbs /ato <activation ID>

How to deploy the Windows 7 ESU keys using MEMCM (SCCM)

If you want to deploy the Windows 7 ESU MAK key, a good way of doing this is through Microsoft Endpoint Configuration Manager (SCCM).

Prerequisites for deploying the Windows 7 ESUs

To deploy the Windows 7 ESU you will need the following prerequisites on your clients:

  1. Install the Servicing Stack Update (KB4490628), released on March 12, 2019
  2. Install the latest SHA-2 update, released on September 23, 2019 (KB4474419)
  3. Install the latest Servicing Stack Update, released on September 10, 2019 (KB4516655)
  4. Monthly rollup, released on October 8, 2019 (KB4519976)

How to deploy the Windows 7 ESUs using MEMCM (SCCM)

When you have met the prerequisites:

  1. Create a script for activating the MAK & Activation Key
  2. Create a package
  3. Deploy

Once the prerequisites are met, create a package and a script that activates the MAK and Activation key in sequence.

I will soon update this blog post with a Powershell script for accomplishing this.

For more information about applying the license to devices, refer to Microsoft’s blog post.

Conclusion

With the end of support for Windows 7, it’s important that your organization has a strategy for Windows 7.

How will you handle Windows 7? Will you purchase Windows 7 Extended Security Updates, E5 licenses or try Windows Virtual Desktop for the remaining Windows 7 machines?

Please leave a comment below!

References

Related posts

42 COMMENTS

  1. Thank you for your article, but what about Activation ID ?

    Is this article : https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807

    We have to activate the key ith the activation ID.

    Any idea if the activation IDs will be the same for everyone ? (like

    77db037b-95c3-48d7-a3ab-a9c6d41093e0 for the first year for W7) ? It’s hard to understand, if you have the answer, it’s welcome ๐Ÿ™‚ Thanks

    • Hi,
      Sorry for the late reply! The activation ID will be the same for everyone but will differ depending on which year it is. I have updated the blog post to incorporate this information.

      Thanks for the feedback!

      /Daniel

  2. Hi,
    If the activation ID is always the same, the script to deploy the ESU licences just need to contain two lines, am I right ?
    The first one is :
    cscript c:\windows\system32\slmgr.vbs /ipk
    Where must be replaced with my MAK licence
    And the second one is :
    cscript c:\windows\system32\slmgr.vbs /ato
    Where equals to this specific value “77db037b-95c3-48d7-a3ab-a9c6d41093e0” which seems to be the same value for everyone, every computer, every company.
    I had the feeling that it would be more difficult, but not really, am I right ?
    Why everybody here is waiting for your script if this is all it needs to be done ?

    Thank you for your answer !
    Ben

    • It seems that some words have been deleted from my previous message.
      I am trying again..

      Hi,
      If the activation ID is always the same, the script to deploy the ESU licences just need to contain two lines, am I right ?
      The first one is :
      cscript c:\windows\system32\slmgr.vbs /ipk “Your_Licence_KEY”
      Where “Your_Licence_KEY” must be replaced with your MAK licence
      And the second one is :
      cscript c:\windows\system32\slmgr.vbs /ato “Activation_ID”
      Where “Activation_ID” equals to this specific value โ€œ77db037b-95c3-48d7-a3ab-a9c6d41093e0โ€ which seems to be the same value for everyone, every computer, every company, everyone.
      I had the feeling that it would be more difficult, but not really, am I right ?
      Why everybody here is waiting for your script if this is all it needs to be done ?

      Thank you for your answer !
      Ben

        • And ho, I forgot, thank you for your great post !
          Just a thing.
          You talked about making a powershell script to deploy the MAK licence and activate it on the computers. But maybe the script should, in addition, check if the commands have successfully been executed or not (I do not know how because I s*ck with powershell scripting, but it should be possible)

  3. Great Blog post!

    just a heads up. In your instructions it says to activate via
    cscript c:\windows\system32\slmgr.vbs /ato (activation key)

    but i could only get it to work by doing:

    cscript c:\windows\system32\slmgr.vbs /ato (activation id)

    doing so with the activation key resulted in โ€œproduct not foundโ€

  4. Hi Daniel,
    Thanks for the post. I followed the
    cscript c:\windows\system32\slmgr.vbs /ipk [key]
    cscript c:\windows\system32\slmgr.vbs /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0

    And i’m getting an “Error: product not found.”
    I’ve also seen “Activating windows (r) 7, Enterprise edition (9ab….) on a computer running Microsoft windows non-core edition, run ‘slui.exe 0x2a 0x80072EE7 to display error text.

    any help is appreciated.

  5. Thanks for the post!

    I do have a question though – The /ato command needs the machine to have a live Internet connection, which means proxy access is required in a locked down/fire-walled environment. Standard Users (non-local-admin) have that access, but cannot apply the change without elevated rights. SCCM provides elevated rights via the SYSTEM account, but that account does not have any proxy rights, so the command fails – is there another work-around for this other than using VAMT?

    • Bill I have situation with proxy access. Create task sequence with two run command line steps. First step cscript.exe //Nologo slmgr.vbs /ipk (your key).
      Second step cscript.exe //Nologo slmgr.vbs /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0
      and select Run this step as the following account. Insert one of the domain accounts. We use dedicated domain service account, which is also local admin on all PCs.

  6. Thanks a lot Daniel for the blog .

    I have been struggling so sharing for other – I decided to use vbscript as I am not sure powershell is properly setup everywhere on my Windows 7 machines.
    This is AS-IS right and does not have any sort of error handling which is very bad .

    One of my issue being to double-check programmatically after activation that it was indeed activated and store that information for later scan and central reporting on another tool than SCCM.

    REM Connect to WMI to get win7esu activation status then create a reg Key to be parsed later by any scanning tool

    Dim objShell
    Set objShell = WScript.CreateObject(“WScript.Shell”)
    objShell.Run “cscript //B “”%windir%\system32\slmgr.vbs”” /ipk “,0,True
    objShell.Run “cscript //B “”%windir%\system32\slmgr.vbs”” /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0″,0,True

    Set objLocator = CreateObject(“WbemScripting.SWbemLocator”)
    Set objService = objLocator.ConnectServer(“.”, “root\cimv2”)
    objService.Security_.ImpersonationLevel = 3

    Const HKEY_LOCAL_MACHINE = &H80000002
    strComputer = “.”
    Set objRegistry = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strComputer & “\root\default:StdRegProv”)
    strKeyPath = “SOFTWARE\”
    objRegistry.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
    strValueName = “Win7ESULicense”

    Set colProducts = objService.ExecQuery(“SELECT ID,ApplicationID,Name,LicenseStatus FROM SoftwareLicensingProduct where ID = ’77db037b-95c3-48d7-a3ab-a9c6d41093e0′”)

    For each objProduct in colProducts
    wscript.echo objProduct.ID & “:” & objProduct.Name & “:” & objProduct.LicenseStatus
    objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, objProduct.LicenseStatus

    Next

  7. For your collection of Windows 7 machines, how can you tell which have been activated with the ESU enabling MAK and which have not? We use PDQ for deployment of the prereqs and will use it to mass activate them, but have not been able to figure out what changes in a legitimate install so as to differentiate a completed one and one yet to be completed. Trying to avoid re-activating workstations that have already been done.

  8. We installed the ESU key on our Win 7 machine in early January, but have not yet received any updates. Is there anyone at Microsoft we can contact about this?

  9. Is there a query that can be ran in SCCM to get a report of all computers that are now ESU activated and ready to go?

  10. If you deploy the MAK activation as a package – you can follow progress in SCCM here:

    \Monitoring\Overview\Reporting\Reports\Software Distribution – Package and Program Deployment\All deployments for a specified package and program

    I have tested this, and it seems to work just fine ๐Ÿ˜‰

  11. For Windows Server 2008 R2 MAK activation,
    1. Should we perform above steps on KMS server?
    2. Is using VAMT mandatory for activation [servers do not have internet]
    3. Is internet mandatory for activation/can phone activation possible?

  12. I understand you have to have an internet connection for the activation. Is there any way around this? I ask because our systems are in a secure env and the sccm/admin privileges don’t have internet access. (regular users have internet access)

  13. how do we implement if the windows 7 client are in isolated network. Do we have manual download and installation option available?

  14. Thanks Daniel for a great post. Here is my powershell script for ESU year 3 if anyone interested. You’ll need to replace with your own year 3 ESU key.

    ##########
    $LogBackup = ‘C:\Windows\Debug\ExtendSecurityUpdatesForWindows7_3.0.log.backup’
    $Log = ‘C:\Windows\Debug\ExtendSecurityUpdatesForWindows7_3.0.log’
    $Path = “C:\Windows\System32\slmgr.vbs”

    #Create C:\Windows\Debug folder if not exist
    $Debug = “C:\Windows\Debug”
    If(!(test-path $Debug))
    {
    New-Item -ItemType Directory -Force -Path $Debug
    }

    #Remove Log backup file if exist.
    if (Test-Path $LogBackup)
    {
    Remove-Item $LogBackup
    }

    #Keep previous log file.
    if (Test-Path $Log)
    {
    Copy-Item $Log -Destination $LogBackup
    }

    #Add Windows 7 ESU MAK key
    cscript.exe //Nologo $Path /ipk {add your Win7 ESU MAK key here} > $Log

    #Activate Windows 7 ESU with Year 3 Activation ID
    cscript.exe //Nologo $Path /ato 4220f546-f522-46df-8202-4d07afd26454 >> $Log

    #Updates Evaluation Cycle
    ([wmiclass]’ROOT\ccm:SMS_Client’).TriggerSchedule(‘{00000000-0000-0000-0000-000000000113}’)
    ([wmiclass]’ROOT\ccm:SMS_Client’).TriggerSchedule(‘{00000000-0000-0000-0000-000000000108}’)

LEAVE A REPLY

Please enter your comment!
Please enter your name here