Out of support means that there will no longer be any further development or security patches released for your workstations or servers.
If you still want security patches, you will need to sign up for these through the Extended Security Updates (ESU) program.
In this blog post, I cover what the extended security updates for Windows 7 are, the cost, how you can purchase them, and how to deploy the licenses.
For more information about the topic, refer to my other blog post about why you need to move to Windows 10 in 2019.
When do I need to purchase the Windows 7 ESUs?
You have three options as of this writing to receive further security updates for your Windows 7 machines:
- Purchase Extended Security Updates for Windows 7
- Purchase E5 licenses, as mentioned below
- Use Windows Virtual Desktop
Refer to Microsoft’s website for comparing the different Microsoft 365 Enterprise plans.
How do I purchase the Windows 7 ESUs?
Previously, the extended security updates were only available to enterprise customers in Volume Licensing.
It has been possible to purchase the Extended Security Updates for Windows 7 starting on December 1, 2019, through the Cloud Solution Provider (CSP) program.
You purchase Extended Security Updates for full 12-month periods. According to Microsoft, it will not be possible to purchase partial periods, such as for 6 months.
There will only be one MAK license key that you will need to apply to all your machines.
Windows 7 ESU Cost
The cost is per device and per year, with the cost doubling for every year until 2023.
Here is a pricing list from my other blog post
Year 1–January 2020–January 2021
$25 per device/year for Windows 7 Enterprise, $50 for Windows 7 Professional
Year 2–January 2021–January 2022
$50 per device/year for Windows 7 Enterprise, $100 for Windows 7 Professional
Year 3–January 2022–January 2023
$100 per device/year for Windows 7 Enterprise, $200 for Windows 7 Professional
Cloud Solution Providers (CSPs) can go to the Partner Center to learn more.
How to prepare for the Windows 7 ESU Purchase
Before purchasing the Windows 7 ESUs, you can apply the following patch:
The Windows 7 ESU MAK key
Once you have purchased licenses for extended security updates for Windows 7, you will receive a Windows 7 MAK key, which you will need to apply to your devices.
When you have deployed the Windows 7 MAK key, the Windows 7 device will look for updates.
All devices missing this registry value will not receive any further security updates, following January 14th, 2020.
The Windows 7 ESU Activation ID
The Activation IDs are provided by Microsoft on: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807
How to activate the Windows 7 ESU keys
After you have purchased the Windows 7 Extended Security Updates, you will receive a MAK key.
This MAK is unique to your organization, but not unique for each device, meaning you will use the same MAK key to activate all your devices.
This MAK key is activated by running the following command:
cscript c:\windows\system32\slmgr.vbs /ipk <key>
Once the MAK key has been activated, also activate the Activation Key using:
cscript c:\windows\system32\slmgr.vbs /ato <activation ID>
How to deploy the Windows 7 ESU keys using MEMCM (SCCM)
If you want to deploy the Windows 7 ESU MAK key, a good way of doing this is through Microsoft Endpoint Configuration Manager (SCCM).
Prerequisites for deploying the Windows 7 ESUs
To deploy the Windows 7 ESU you will need the following prerequisites on your clients:
- Install the Servicing Stack Update (KB4490628), released on March 12, 2019
- Install the latest SHA-2 update, released on September 23, 2019 (KB4474419)
- Install the latest Servicing Stack Update, released on September 10, 2019 (KB4516655)
- Monthly rollup, released on October 8, 2019 (KB4519976)
How to deploy the Windows 7 ESUs using MEMCM (SCCM)
When you have met the prerequisites:
- Create a script for activating the MAK & Activation Key
- Create a package
Once the prerequisites are met, create a package and a script that activates the MAK and Activation key in sequence.
I will soon update this blog post with a Powershell script for accomplishing this.
For more information about applying the license to devices, refer to Microsoft’s blog post.
With the end of support for Windows 7, it’s important that your organization has a strategy for Windows 7.
How will you handle Windows 7? Will you purchase Windows 7 Extended Security Updates, E5 licenses or try Windows Virtual Desktop for the remaining Windows 7 machines?
Please leave a comment below!
- Microsoft Partner Center – Announcing Paid Windows 7 Extended Security Updates
- Microsoft Docs – Windows 7 end of support and Office 365 ProPlus
- Microsoft Blogs – Making the transition to Windows 10 and Office 365
- Windows 7 and Office 2010 End of Support FAQ
- How to get Extended Security Updates for eligible Windows devices