How To Handle Windows 7 ESU Keys Using SCCM

Regarding using SCCM to deploy the MAK, how are you capturing the application license and then activating it?

Thank you for your article, but what about Activation ID ?

Is this article : https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807

We have to activate the key ith the activation ID.

Any idea if the activation IDs will be the same for everyone ? (like

77db037b-95c3-48d7-a3ab-a9c6d41093e0 for the first year for W7) ? It’s hard to understand, if you have the answer, it’s welcome 🙂 Thanks

Hi,
Thanks for great blog..

is that power-shell script is ready to push from SCCM.

Hi – Any update on the SCCM script

Hi,
If the activation ID is always the same, the script to deploy the ESU licences just need to contain two lines, am I right ?
The first one is :
cscript c:\windows\system32\slmgr.vbs /ipk
Where must be replaced with my MAK licence
And the second one is :
cscript c:\windows\system32\slmgr.vbs /ato
Where equals to this specific value “77db037b-95c3-48d7-a3ab-a9c6d41093e0” which seems to be the same value for everyone, every computer, every company.
I had the feeling that it would be more difficult, but not really, am I right ?
Why everybody here is waiting for your script if this is all it needs to be done ?

Thank you for your answer !
Ben

Great Blog post!

just a heads up. In your instructions it says to activate via
cscript c:\windows\system32\slmgr.vbs /ato (activation key)

but i could only get it to work by doing:

cscript c:\windows\system32\slmgr.vbs /ato (activation id)

doing so with the activation key resulted in “product not found”

Hi Daniel,
Thanks for the post. I followed the
cscript c:\windows\system32\slmgr.vbs /ipk [key]
cscript c:\windows\system32\slmgr.vbs /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0

And i’m getting an “Error: product not found.”
I’ve also seen “Activating windows (r) 7, Enterprise edition (9ab….) on a computer running Microsoft windows non-core edition, run ‘slui.exe 0x2a 0x80072EE7 to display error text.

any help is appreciated.

Thanks for the post!

I do have a question though – The /ato command needs the machine to have a live Internet connection, which means proxy access is required in a locked down/fire-walled environment. Standard Users (non-local-admin) have that access, but cannot apply the change without elevated rights. SCCM provides elevated rights via the SYSTEM account, but that account does not have any proxy rights, so the command fails – is there another work-around for this other than using VAMT?

You’re pricing is wrong. That may have been for the volume license customers, but for CSP customers (win7 pro), pricing is $61 for the first year.

Thanks a lot Daniel for the blog .

I have been struggling so sharing for other – I decided to use vbscript as I am not sure powershell is properly setup everywhere on my Windows 7 machines.
This is AS-IS right and does not have any sort of error handling which is very bad .

One of my issue being to double-check programmatically after activation that it was indeed activated and store that information for later scan and central reporting on another tool than SCCM.

REM Connect to WMI to get win7esu activation status then create a reg Key to be parsed later by any scanning tool

Dim objShell
Set objShell = WScript.CreateObject(“WScript.Shell”)
objShell.Run “cscript //B “”%windir%\system32\slmgr.vbs”” /ipk “,0,True
objShell.Run “cscript //B “”%windir%\system32\slmgr.vbs”” /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0″,0,True

Set objLocator = CreateObject(“WbemScripting.SWbemLocator”)
Set objService = objLocator.ConnectServer(“.”, “root\cimv2”)
objService.Security_.ImpersonationLevel = 3

Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = “.”
Set objRegistry = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strComputer & “\root\default:StdRegProv”)
strKeyPath = “SOFTWARE\”
objRegistry.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strValueName = “Win7ESULicense”

Set colProducts = objService.ExecQuery(“SELECT ID,ApplicationID,Name,LicenseStatus FROM SoftwareLicensingProduct where ID = ’77db037b-95c3-48d7-a3ab-a9c6d41093e0′”)

For each objProduct in colProducts
wscript.echo objProduct.ID & “:” & objProduct.Name & “:” & objProduct.LicenseStatus
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, objProduct.LicenseStatus

Next

Nice article, Is there ant report in SCCM we can use to check the activation after the deployment?

For your collection of Windows 7 machines, how can you tell which have been activated with the ESU enabling MAK and which have not? We use PDQ for deployment of the prereqs and will use it to mass activate them, but have not been able to figure out what changes in a legitimate install so as to differentiate a completed one and one yet to be completed. Trying to avoid re-activating workstations that have already been done.

We installed the ESU key on our Win 7 machine in early January, but have not yet received any updates. Is there anyone at Microsoft we can contact about this?

Is there a query that can be ran in SCCM to get a report of all computers that are now ESU activated and ready to go?

If you deploy the MAK activation as a package – you can follow progress in SCCM here:

\Monitoring\Overview\Reporting\Reports\Software Distribution – Package and Program Deployment\All deployments for a specified package and program

I have tested this, and it seems to work just fine 😉

For Windows Server 2008 R2 MAK activation,
1. Should we perform above steps on KMS server?
2. Is using VAMT mandatory for activation [servers do not have internet]
3. Is internet mandatory for activation/can phone activation possible?

How do I get updates without internet connection after the activation?

I understand you have to have an internet connection for the activation. Is there any way around this? I ask because our systems are in a secure env and the sccm/admin privileges don’t have internet access. (regular users have internet access)

In the command line in the sccm package what would go there for Server 2008 R2?

how do we implement if the windows 7 client are in isolated network. Do we have manual download and installation option available?

Thanks Daniel for a great post. Here is my powershell script for ESU year 3 if anyone interested. You’ll need to replace with your own year 3 ESU key.

##########
$LogBackup = ‘C:\Windows\Debug\ExtendSecurityUpdatesForWindows7_3.0.log.backup’
$Log = ‘C:\Windows\Debug\ExtendSecurityUpdatesForWindows7_3.0.log’
$Path = “C:\Windows\System32\slmgr.vbs”

#Create C:\Windows\Debug folder if not exist
$Debug = “C:\Windows\Debug”
If(!(test-path $Debug))
{
New-Item -ItemType Directory -Force -Path $Debug
}

#Remove Log backup file if exist.
if (Test-Path $LogBackup)
{
Remove-Item $LogBackup
}

#Keep previous log file.
if (Test-Path $Log)
{
Copy-Item $Log -Destination $LogBackup
}

#Add Windows 7 ESU MAK key
cscript.exe //Nologo $Path /ipk {add your Win7 ESU MAK key here} > $Log

#Activate Windows 7 ESU with Year 3 Activation ID
cscript.exe //Nologo $Path /ato 4220f546-f522-46df-8202-4d07afd26454 >> $Log

#Updates Evaluation Cycle
([wmiclass]’ROOT\ccm:SMS_Client’).TriggerSchedule(‘{00000000-0000-0000-0000-000000000113}’)
([wmiclass]’ROOT\ccm:SMS_Client’).TriggerSchedule(‘{00000000-0000-0000-0000-000000000108}’)

Thanks for this, but seams that exist many opened questions about win 7.