WINDOWS 7 END OF LIFE (PART II) – Installing Extended Security Updates (ESU)

Last Call

Today, January 14, 2020, marks the day that Microsoft will cease technical support for Windows 7, and will not update its security features again.

However, any size business running Windows 7 Professional or Enterprise can still purchase Windows 7 Extended Security Updates (ESU) through January 14, 2023.

Pre-Installation

1. Install the SHA-2 code signing support update and SSU (servicing stack update)

   • SHA-2 code signing support update
   • Servicing stack update (March 12, 2019)

2. Install the Monthly Rollup and SSU:

   • October 8, 2019: Monthly Rollup (KB4519976)
   • Servicing stack update (September 10, 2019 (KB4516655))
3. Once activated, continue use of current update and servicing strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS), Microsoft Update Catalog, or other patch management solution.

Installation and Activation

Install the ESU product key using the Windows Software Licensing Management Tool (slmgr). ESU product key installation does not replace current OS activation method utilized on the device. Use the Activation ID to differentiate between the OS activation and ESU activation.

1. Open an elevated Command Prompt.
2. Type slmgr /ipk <ESU key> and press Enter.
3. If the product key installed successfully, you will see a message similar to the following:

Find the ESU Activation ID:

1. In the elevated Command Prompt, type slmgr /dlv and press Enter.
2. Note the Activation ID as you will need it in the next step.

Activate the ESU product key:

1. Open an elevated Command Prompt.
2. Type slmgr /ato <ESU Activation Id> and press Enter.

The following table outlines possible values for the <ESU Activation ID>:

Once the ESU product key is activated, verify the status:

1. Open an elevated Command Prompt.
2. Type slmgr /dlv and press Enter.
3. Verify Licensed Status shows as Licensed for the corresponding ESU program.
4. Use a management tool (e.g., System Center Configuration Manager) to send slmgr scripts to enterprise devices.

Install and activate ESU for machines unconnected to the Internet:

1. Download and install the Volume Activation Management Tool (VAMT).
2. Download the VAMT- ESU configuration file and update your VAMT configuration file.
3. Configure the client device’s firewall for VAMT.
4. Add the ESU product key to VAMT.
5. Install KB4519972 prior to using VAMT to perform proxy activation, which will pick up the activation ID:

Verify Deployment

• Install optional, non-security update outlined in KB4528069. This test package has no security content. It is suitable for test environment deployment, and should be installed on on-premises devices eligible for ESU.