Got Questions about ESU patches? We got answers

Topic

New Reply

If you have questions about buying Windows 7 Extended support patches, we have answers!  Ask them here!

Susan Bradley Patch Lady/Prudent patcher

8 users thanked author for this post.

jburk07, wEarwOlf505cole, Nibbled To Death By Ducks, AJNorth, ve2mrx, abbodi86, rontpxz81, LHiggins

Reply | Quote

Replies

What is the process to purchase?  Will your step-by-step article be published soon?

Reply | Quote

Yes.  Look for it soon. The hardest part is finding a vendor to sell it to you.  Fortunately Amy Babinchak will help on that step.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

Nibbled To Death By Ducks, LHiggins

Reply | Quote

“Yes. Look for it soon. The hardest part is finding a vendor to sell it to you. Fortunately Amy Babinchak will help on that step.”

Susan, we’re rooting for you and Amy!! Can’t wait for the Step-By-Step! Thanks so much!

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

And still no relenting on patches for Win 7 Home users? I’m sure there are many Home users who would continue to pay for them.

5 users thanked author for this post.

jburk07, rontpxz81, bassmanzam, Cybertooth, SueW

Reply | Quote

That will invalidate Microsoft efforts to make Windows 7 less popular

4 users thanked author for this post.

FakeNinja, OscarCP, Nibbled To Death By Ducks, Kranium

Reply | Quote

If it’s really that important to you to stay on Windows 7, and you’re willing to pay, then upgrade to Windows 7 Pro.

 

3 users thanked author for this post.

Microfix, ch100, Susan Bradley

Reply | Quote

So, for the moment Microsft tells us that the only two editions of Windows 7 that will be eligible for ESU are: (I) Professional; (II) Enterprise.

https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7

I apologies for this post, but I’m insisting on this because i.m.o. the fact that Professional qualifies for ESU has not been said loud enough.

Frangar non flectar

Reply | Quote

Please go to the main (“Home”) page here at Askwoody (www.askwoody.com) and read the post titled “Microsoft says it’ll sell Win7 Extended Security Updates to Ultimate users“. Pay particular attention to the entire third bullet point under the heading. It’s the one that starts with “ESU is available for Windows 7 Ultimate edition, and has been since ESU was first being sold…”. That will tell you why the word hasn’t been put out so well to folks.

The discrepancy you point out in the link above to KB4527878 will probably be addressed by Microsoft, but it will probably take a few days for them to fix it this time of year.

Reply | Quote

warrenrumak wrote:

If it’s really that important to you to stay on Windows 7, and you’re willing to pay, then upgrade to Windows 7 Pro.

 

Not exactly possible when the upgrade paths/products no longer exist.

No matter where you go, there you are.

1 user thanked author for this post.

jburk07

Reply | Quote

Yup.
Clicking on: Control Panel > Windows Anytime Upgrade
{ or (Control Panel > System and Security > Windows Anytime Upgrade) if one uses the Category display }
leads to the notation

1 user thanked author for this post.

Cybertooth

Reply | Quote

That is definitely a setback. However, what about using an ISO and in-place upgrade? Does that still work? If so, can you still find Win7 Pro license keys for sale, even if not directly from Microsoft?

Reply | Quote

using the Win7 ISO method of doing in-place upgrade from Win7 Home to Win7 Pro still works
but Win7’s anytime upgrade feature does it faster. I know from experience

Reply | Quote

Hi,

Wouldn’t Windows 10 Pro downgrade rights work? Or has MS messed that path? They won’t provide you the media and key, but the licence would be valid?

Martin

Reply | Quote

Hi,

In an article of Office-Watch I read:
Windows 7 running with Office 365 ProPlus will continue to get security updates, see below.
Some Windows 7 machines will still get security patches for three more years.
Any organizations running Office 365 ProPlus or Office 365 Business on Windows 7 SP1 devices will receive Win7 security-only updates through January 2023.
But my CSP states that only Office 365 Business will get security patches on Windows 7 machines after the support for Win7 is ended.
If I want Win7-patches I have to buy the ESU packet for each year.
As you can imagine I’m rather confused by that. Anybody got a clear answer and/or a link to an article about this?
Tia,

Sjors

Reply | Quote

Misinterpreted

Office 365 itself will get security updates (for free) until 2023
Windows 7 will need ESU to get Windows security updates

1 user thanked author for this post.

SvdH

Reply | Quote

I’m just calling Microsoft Partners until they stop behaving like I’m speaking a foreign language.

So far, no luck. The amount of time and money I’m losing from this EOL is terrible; I wish I could sue Microsoft for this terribly unnecessary problem.

Reply | Quote

As a courtesy to the community, we are facilitating the sale of Windows 7 ESU. To begin the process please fill out this form.

https://forms.office.com/Pages/ResponsePage.aspx?id=CEtIRBCvwEyPI4AgwsgbpPcTYf1jGDxMoOAm3rKwHJVUOTg0M1JXSUJKQjREMElWODdXQ1FVS0tDVy4u

2 users thanked author for this post.

CBA, jburk07

Reply | Quote

hello All,

does anyone know why after installing/activating ESU on air-gapped machines license status shows unlicensed, when you check ESU status by running below commend.  slmgr /dlv  looking forward to hear from you all.

thank you,
Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste

Reply | Quote

I expect the ESU needs to be validated and that requires an internet connection, or a license manager server on site.

cheers, Paul

Reply | Quote

Are you going to share contact information for a vendor that understands ESUs and can sell them?  Thanks!

Reply | Quote

Does anyone happen to know whether after an ESU key is installed whether one’s set Window Update preferences or the like remain the same (in our case, “never check for updates” so that we have full control, and nothing is automatically checked or downloaded or installed), or whether our preferences will be overridden or changed (perhaps even without our knowledge and/or perhaps akin to a Windows 10 schema)?  We definitely want to maintain as much control as possible!  Thanks for your assistance!

Reply | Quote

There will be no change on Windows Update experience

simply, when WU scan is initiated, it check if current edition is supported, then it check if ESU key is installed and activated

if both rules are true, then the ESU update will be offered (most likely will be a Monthly Rollup)

2 users thanked author for this post.

jeanettef, Microfix

Reply | Quote

Good morning,

abbodi86 wrote:

There will be no change on Windows Update experience

simply, when WU scan is initiated, it check if current edition is supported, then it check if ESU key is installed and activated

if both rules are true, then the ESU update will be offered (most likely will be a Monthly Rollup)

After installing and Phone activating ESU MAK key on DMZ/ air gapped machines, which I also received a ” Activation Was Successful” message after activation. but when I check the E-S-U Activation status by running below commend. it says

slmgr.vbs /dlv All         or            slmgr /dlv
License Status :  Unlicensed

Is this because they are not connected to internet or I have to take a different route to get license status show licensed.
or if anyone had the some issue what you guys  did to fix it?
looking forward to hear from you all soon.
thank you,

Reply | Quote

Are you the same person in the technet venue asking this question?  I’m not sure honestly myself, let me see if we can get any answers for you.  Hang loose.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

1. Once you have the Installation ID, call the <u>Microsoft Licensing Activation Center for your region</u>; they will walk you through the steps to get the Confirmation ID, note down the Confirmation ID.

1. Use the Slmgr /atp <Confirmation ID> <ESU Activation ID> to activate the ESU SKU using the Confirmation Id obtained in the above step.

 

1. After this step, ESU License is activated successfully (slmgr /dlv <Esu Activation Id> should show Licensed).

Did you get a confirmation ID from the licensing center?

Reply | Quote

Thanks to this community, as of today, ESUs are installed and activated, but not licensed as discussed above.  Saved screen-shots of the confirmations.

Does the presence of ESU show up elsewhere, such as control panel, programs, etc?  Just wondered if there is another way to verify.  Otherwise, will wait to see if I get notifications for any February patches.  Thank You.

Reply | Quote

Dear All,

I have browsed this forum in an attempt to find an answer to my question but so far, I have not seen the topic addressed.  So, here is my situation.  I apologize in advance if that message is a little long but I want to make sure i give you enough info at once to avoid too many back and forth.

The Facts

1. I have a client with 90+ Windows 7 machines deployed in stores and being used as points of sales (POS)
2. The Windows 7 OS built-in “Automatic Download & install Windows updates” has been purposely deactivated in each of these machines following the recommendation of the client IT department to avoid any potential and unforeseen interference that a windows update could create with the various programs installed on the POS.  Since these machines must be running like clock-work every day when the stores are operational, we can reasonably understand the rationale behind this decision to de-activate the “Automatic Windows Updates”
3. No precaution/suggestion nor manual maintenance routine on how to regularly apply Windows and Security updates on these machines have been made by the client IT department.  Therefore, since some of these machines (more than 50% of them) have been deployed in mid-2017, none of them have, as of today, received any Windows Updates nor security updates since 2017
4. Since the the client is not ready to upgrade its machines to Windows 10, they have decided to invest in the purchase of the Windows 7 ESU licenses that will need to be deployed on the 90+ machines

 

My rationale and suggestion to the client and its IT department regarding the ESU deployment

1. If you go to the expense of purchasing Windows 7 ESU licenses for 90+ machines, it is mainly to make sure that you keep receiving the new Windows Security patches/updates when they are released by Microsoft
2. Since your machines have not been updated as they should have been for the last 2.5 years, your first step before even considering deploying the Windows 7 ESU should be to apply, if not all available Windows updates, at the very least all available Windows 7 security updates.  Doing so would plug any security hole that currently exist in your machines
3. Failing to proceed with above step 2) not only potentially weakens the security shield of your POS machines but also defeats the purpose of buying the Windows 7 ESU licenses

 

The position of the Client IT Department

1. You should only install the pre-requisite Microsoft KBs and not bother with anything else

Why do I face an endless debate with the client IT department

1. The origin of this debate is mainly due to the sheer number of machines on which the Windows 7 ESU must be deployed and activated (90+)
2. If we follow my suggestion, the simple fact of catching up with 2.5 years of missing windows security updates certainly represents a substantial increase of the necessary time/cost to spend on each machine
3. I suspect that following my suggestion to apply all missing Security updates for the last 2.5 years puts the client IT department in a tough spot as they would need to explain the client executives why, if the Automatic Windows Updates mechanism has been purposely deactivated, a manual and controlled update process  has not been done on regular basis.  Doing so, would not only have better protected the machines but would also have minimized the cost of deploying the Windows 7 ESU today

My simple questions to you

1. Would you know if the ESU pre-requisite Microsoft KBs (4474419 SHA-2, 4490628, 4516655, 4519976) are enough to plug any and all security holes that have been left opened in machines not updated for the last 2.5 years? In other words, regardless of the windows security update status of any Windows 7 machine, whether it is a Win7 machine that has been regularly updated or not, should we consider the 4 pre-requisites Microsoft KBs as necessary and enough to protect the machines and keep them protected as new security patches are deployed or; should we consider these 4 Microsoft KBs only necessary to receive the future security updates but not enough to plug any past missing security holes in a machine if any?
2. What would be your recommendation and/or best practice in this situation?

Thanks in advance for your guided and educated feedback

Reply | Quote

I believe one of the requirements for being eligible for the ESU is that the machines have to be up to date as of the final Cumulative update released before EOS/EOL. Unless I’m wrong, your clients do not qualify for ESU unless they are updated.

1 user thanked author for this post.

Microfix

Reply | Quote

I’d also imagine everything IMPORTANT, SHA2, SSU’s and relevant Security patches will need to be satisfied prior to ESU authorization. Don’t want any holes in there now..

If debian is good enough for NASA...

Reply | Quote

Thanks PCKano,

I was afraid you would say this.  What if  I download from the Microsoft Update Catalog all the security updates for the last 2.5 years and apply them manually to the machines.  Would these machines be then ready to accept ESU?

But, at this point, my question becomes then, does this mean that the only way for these machines to be ready for ESU is by pluging in all security holes that have been discovered before?  Which would mean that the 4 Microsoft pre-requisite KBs are not enough.

The only thing that I am trying to find out is: Do these 4 Microsoft pre-requisite KBs contain all security patches published by Microsoft in the last 2/5 years?

Reply | Quote

The only thing I can say is take ONE machine, make a FULL DISK IMAGE BACKUP, apply those four patches, then apply for the ESU for that machine.

If I thought one Cumulative Update, a SHA-2 patch and a couple of SSUs were sufficient to bring a Win7 computer up to date, I would not have steered these two posters through the process to update that I did. As an example, you might look through the processes in this thread and this thread. I pretty much gave reasons for why in each case.

Reply | Quote

Thanks Very Much PkCano,

 

I did look at your posts and they do make a lot of sense.  I also felt that the 4 Microsoft KBs were not enough to bring the machines up to date but I have learned that sometimes intuitions, especially in the IT world can mislead you big time!!

So, this is the reason why I have decided to ask experts what their thoughts were.

I believe that you have been given me more than enough info to answer my question and I thank you dearly for that.

Reply | Quote

Is it safe to assume all of these PCs have Internet access of some sort?

If so, are they all behind incredibly-secure layers of protection?

If the answers are “yes” and “no” respectively, I’d operate from the assumption that the devices are already compromised.

Reply | Quote

I take it that you are a consultant to this company because you refer to them as client. In that case, whom do you really work for? If it is the business, then I would say that you are doing a disservice to the business to not expose the IT departments lack of patching management. While there can be some edge cases in which patches cause problems those are quickly resolved and patches should always be applied in the end.

That the ESU requires patches be current is just a fact of life. Your concern shouldn’t be whether you’ll make the IT department uncomfortable but rather that the IT department has left the business vulnerable.

I take a hard line on this as a consultant myself. I have a motto that we work by, “IT has no other purpose than to make a business great” Knowingly leaving vulnerabilities unpatched doesn’t meet that standard.

Reply | Quote

Most Windows 7 patches are cumulative.  So, installing them once does fix all of the previous security holes.  It is above my pay grade to say if those patches are necessary and enough.

If they do not plan to ever install any future update, by logic, it is useless to buy and deploy the ESU.  However, a business does not have to operate on logic.  The person or people spending or deciding how to spend the money get to pick what they want, and they usually cannot be convinced, especially not by someone under them.

If a customer or a regulator asks this business – what are you doing about the end of support – if they spend this money they can say “we have bought ESU.”  The cheapest option for the business is probably to buy it and never install it – that gives them the fig leaf to pretend they are covered, but none of the work.

If there have not been major security breaches in the past in your own company, caused by not having installed the patches, there may be major resistance to spending on protecting against something that has never happened.

The best practice going forward, if the will and team to properly deploy patches is not there, in my opinion is something like this.  Obviously automatic update doesn’t work because there would be complaints if there were reboots during the workday.  But it is easy to schedule updates to occur at night or close of business.  That would cost almost nothing.  There even may be cheap ways to update, but with a delay, the way Windows 10 now works.

The question though that is hard to answer is – what is higher risk- being unpatched, or allowing a nightly update or weekly even, perhaps even monthly.  There are arguments for both sides, and in the end it really is a very important decision – pretending that you are doing a third option, manually updating, when you are not is just lying to yourself.  Someone very important in the company should understand the two paths, and pick one, and this is important – that person must be responsible for that choice.  Should it prove that they were wrong, it should be known who made that choice.  Or, if the third choice of doing manual updates is really preferred, someone will have to find the budget and the will to make sure it is done, and someone to verify that it is being done and people to be held to account if it is not.

Also, even if you are using ESU, a plan needs to be made for what happens when that ends – even three more years can go by quickly.

Reply | Quote

Thanks very much for this long and thoughtful answer.  Indeed, I agree on all counts with the overall meaning of our answer.

Some more info to keep in mind and without disclosing too much info on the client identity.

The client is a fairly prominent retailer and as such, we can reasonably say that this company is certainly more exposed and/or at risk than the average small retailer with a one store operation.

I agree with you that on paper, they could show the proof that they purchased the ESU licenses to show a gesture of good faith.  However, should there be a security breach in the retailer’s system and should that retailer face a legal pursuit, the simple fact of saying “I have bought the ESU licenses” would not go very far in any court, if one can show that they never bothered installing these ESU licenses.  Indeed, it would be judged the same way than someone, who operates a current Windows OS like Windows 10, as opposed to an EOL one, like Win 7, was to purposely not bother installing the Security patches when they are released.

I do not want to digress into other potential issues that retailers need to face as well as rules that they need to comply with since their retail systems do interact with payment platforms but, if there is at least one critical thing that they do need to comply with it the payment Card Industry security guidelines.

A simple outdated OS could simply make them fail the PCI compliance test which, in case of a security breach, exposes them to steep fines, potential heavy damage reparation fees and possibly the shut down of their business.

I do realize that we are now well off the subject, since my original intent was mainly to know if the 4 Microsoft KBs  (4474419 SHA-2, 4490628, 4516655, 4519976) do contain all Windows Security patches that have been ever released prior the date of their own release but, I felt to give you a little more background info so that you can better understand what is at stake and what I am dealing with.

As an advisor of the client, I strive to make careful and educated recommendations and this is the reason why before, strongly suggesting the client to go through the extra expense to deploy all security updates release for the last 2.5 years, I want to make sure that I am not telling them something which is not necessary.

Thanks again for your very appreciated input.

Reply | Quote

XMan in NYC wrote:

A simple outdated OS could simply make them fail the PCI compliance test which, in case of a security breach, exposes them to steep fines, potential heavy damage reparation fees and possibly the shut down of their business.

And never updating would not ??

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

If I were designing their system I would have the internal network isolated from the internet and disable external devices to prevent files being brought onto the machines, then unpatched machines are not an issue.

Having a blanket, no patch policy only makes sense in a tightly controlled environment.

cheers, Paul

Reply | Quote

We’ve successfully purchased and activated first-year ESU licenses for our Windows 7 laptops. Thank you Susan, et.al.!

(Please forgive us if the following doesn’t neatly fall within the current thread.) We might or might not continue with second-year and third-year ESU licenses, and at some point we’ll probably be upgrading to Windows 10 regardless. We understand that Windows 10 licenses can still be obtained for free. It would be nice to obtain licensed copies of Windows 10 for free at present and put them in our back pockets for future use, instead of possibly paying for Windows 10 down the road when we actually want to use it (if Microsoft charges for it at that time).

Does anyone have experience proceeding, via Windows 7, through https://www.microsoft.com/en-us/software-download/windows10 or otherwise, and creating Windows 10 installation media for future use (instead of actually upgrading at present)? Does this involve or allow one to actually obtain and lock-in free Windows 10 licenses (or does this only create generic Windows 10 copies)? Most importantly, will creating installation media and obtaining Windows 10 licenses at present in any way possibly affect or mess-up our continuing Windows 7 (or ESU) uses, settings, etc.? Since we’re dealing with Microsoft, anything seems possible and it seems better trying to be safe rather than sorry.

Thank you all for you assistance!

Reply | Quote

If you click the correct options to only download the media without installing it, that only gives you that file, and does nothing to activate your computer or change the status of your license.  Most seem to predict that they will not take away the ability to use your 7 license to activate windows 10.  If this prediction is wrong, the only thing that would have saved you is actually installing windows 10, at least temporarily, before that change.

If you want to hedge your bets, all you can do is make an image backup of your current computer and a backup restore disk or flash drive, upgrade to 10, make sure it is online and activated.  Optionally, you can also connect your license to a Microsoft account which may make it more durable.  Search for a tutorial on this.  Then you can test and see if you want to keep 10, or if you want to go back to 7 you can restore your backup.  This is quite a bit of work, and you need to have a large enough external drive for the backups.

Note that when attempting to download the media with the Microsoft link, if you click on the wrong things, you might install Windows 10.  Looking for a small print “download for another computer” button may be the way around this.

Reminder – downloading the installer alone does nothing to ensure that your Windows 7 license will be honored for 10.  There is no written guarantee that it should work now or will work later.

Reply | Quote

Thank you for your reply; we greatly appreciate your assistance.

We agree that actually going through the rigmarole of installing Windows 10 (and then reverting back to Windows 7) in order to obtain and stockpile a Windows 10 license is a huge undertaking (which might also carry at least a modicum of risk, in that even with care stuff can happen). FYI, one of our other laptops came pre-installed with Windows 10, which we subsequently downgraded to Windows 7; but through the initial Windows 10 set-up process we now have a specific Microsoft account and related Windows 10 product ID (license) for future use.

While it might be true that Microsoft might not charge for Windows 7 to Windows 10 conversions in the future, it might; and we are trying to have our cake and eat it too. Ergo, does anyone have experience or information with obtaining a free Windows 10 license akin to the present circumstances without having to actually install Windows 10? Thanks again!

Reply | Quote

As a computer consultant, can I buy individual ESU licenses for individuals,

as long as they are running Microsoft Windows 7 Pro?

Reply | Quote

Of course. It’s the OS version that is the requirement. You are free to sell to whomever you choose.

Reply | Quote

Thanks for the comeback so soon. Not sure why I’m showing up as anonymous, even though I’m a Woody Plus member, guess it’s cause I didn’t login first.

Can I buy 3 years worth of licenses initially, or do I have to buy them year by year?

Reply | Quote

Windows 7 ESUs are sold on a per-device basis and are available for purchase in 12-month increments only. As a result, you cannot purchase ESUs for partial periods (e.g. six months). Coverage will be available in three consecutive 12-month increments following Windows 7 end of support on January 14, 2020, and the price will increase each year.

Reply | Quote

To make sure, if you buy ESU in june, it will only last until January 2021 (6 months or so), correct?

Reply | Quote

With the ESUs, is this ONLY for businesses? I’m a home user, but running W7 Ultimate.

However I’m not a business, I’m just a dude with a PC. Looking at the form it’s asking for my company name. Is there no way for just individuals to get extended updates? (Other than unofficially through 0patch, which I’ll have to consider if there’s no alternative).

Reply | Quote

There is no requirement to be a genuine company, there are plenty of one person companies.
Invent a company name and you should be fine.

My question is, why bother? For personal use a regular backup and up to date AV seems more than enough.

cheers, Paul

Reply | Quote

According to SB’s newsletter,  updates to be installed before activating an ESU key:

KB 4490628, a servicing-stack update released March 12, 2019;
KB 4474419, an SHA-2 code-signing support update released September 23, 2019;
KB 4516655, a servicing-stack update released September 10, 2019;
KB 4519976, the October monthly rollup.

Presumably this should be listed as the most currently available monthly quality security update, as each subsequent roll-up removes and replaces the previous month?  If so, is this true also for the 09/2019 servicing stack update?

I checked on my W7 Pro (fully patched “A”) laptop and the first two ones are installed, but, the KB 4516655 and KB 4519976 are not.  I downloaded them from MS Update Catalog and tried to install them in sequence (..55 and then ..76).  However, I was told that these updates are not applicable to my computer.  What gives?

 

Reply | Quote

The advice is to have your machine fully updated. If Windows thinks your machine is up to date you should be OK.

cheers, Paul

1 user thanked author for this post.

CBA

Reply | Quote

Paul T wrote:

The advice is to have your machine fully updated. If Windows thinks your machine is up to date you should be OK.

cheers, Paul

Thanks.  I’ll soon find out .. once I get the stuff from Harbor.

Reply | Quote

[EP]

CBA wrote:

Paul T wrote:

The advice is to have your machine fully updated. If Windows thinks your machine is up to date you should be OK.

cheers, Paul

Thanks.  I’ll soon find out .. once I get the stuff from Harbor.

@CBA

you may have certain Win7 updates newer than KB4516655 installed (this one is superseded or replaced by the following updates > KB4523206, KB4531786 or KB4536952)
for KB4519976 rollup, that is superseded or replaced by the following newer rollup updates > KB4525235, KB4530734 & KB4534310

that’s why some updates like KB4516655 and KB4519976 are “not applicable” because you have newer updates installed and you don’t need these older ones

Edit – I did not need the KB4516655 and KB4519976 updates on an old Win7 Pro computer because I have both the KB4536952 & KB4534310 updates installed

• This reply was modified 5 years, 1 month ago by EP.
• This reply was modified 5 years, 1 month ago by EP.
• This reply was modified 5 years, 1 month ago by EP.

1 user thanked author for this post.

CBA

Reply | Quote

Edit – I did not need the KB4516655 and KB4519976 updates on an old Win7 Pro computer because I have both the KB4536952 & KB4534310 updates installed

Thanks EP, a most useful reply!  I checked my W7 laptop and found that both the KB4536952 and KB4534310 updates are installed.  So I should be ready to go once I get the ESU license from Harbor.  I sent the ESU form in and paid my dues 1 1/2 days ago.  So, far nothing from Harbor.  Is this normal @amybabinchak ?

Reply | Quote

Update: per Harbor, the person in charge of ESU licenses is unavailable this week.  Action can be expected by early next week.  FYI.

Reply | Quote

Final Update: I just got the ESU license key and installed it.  All good = Licensed.  Thanks to all and in particular to Harbor for making this feasible (in a simple way).

PS: Still not sure what to do with (the purpose of)  the admin@xxxESU. onmicrosoft.com user account.  Probably just forget it.

Reply | Quote

ESU FAQ for Server 2008/R2 (and SQL)
https://support.microsoft.com/en-us/help/4539036/faq-about-esu-for-windows-server-and-sql-server-2008-2008-r2

it contain more detailed and technical info that also apply to Windows 7

specially this part:

Is offline servicing available for operating system images that are covered by ESU?
No. The ESU for Windows 7 and Windows Server 2008 require online servicing (using audit mode to modify images).

ESU updates are not supported in offline servicing mode. Applying ESU in offline servicing mode generates an error, and updates fail.

How are ESU distributed?
ESU are available through all usual channels: Windows Update, Windows Server Update Service, and Microsoft Update Catalog. The Wsusscn2.cab also includes ESU, and it is available during the ESU period.

1 user thanked author for this post.

woody

Reply | Quote

Yup ignore the @onmicrosoft.com alias.  There is secret sauce under the hood to ensure that people with actual ESU licenses are the only ones who get the updates.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

CBA

Reply | Quote

Before this new update came to light I installed and activated ESU using this guide:

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/archived-how-to-get-extended-security-updates-for-eligible/ba-p/917807/page/3

Each machine now looks something like this:

With the new update, from here:
https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates
I’ve done steps 1 and 2, but I’m a bit confused with 3.

Download the ESU MAK add-on key from the VLSC portal and deploy and activate the ESU MAK add-on key. If you use the Volume Activation Management Tool (VAMT) to deploy and activate keys, follow the instructions here.

I have a feeling I’ve done this using the first guide. Have you come across this or do you have any thoughts? I haven’t used VLSC or VAMT. I just got the key from our software asset manager.

Thanks in advance

Reply | Quote

Apologies some content is missing from my original post. When I run slmgr /dlv the machines show as licensed. I’ve installed 4538483 no problem.

The only thing I’m confused about is:

Download the ESU MAK add-on key from the VLSC portal and deploy and activate the ESU MAK add-on key. If you use the Volume Activation Management Tool (VAMT) to deploy and activate keys, follow the instructions here.

If the machines are showing as licenced, can I ignore this step?

Thanks,
Alex

Reply | Quote

Susan:   Please correct me if I’m wrong about anything I’m about to say,  because I’m not as experienced as most of the users on the askwoody.com website,  but I’d like to post some additional information that might be helpful to those people who are still in the process of installing prerequisites for the Windows 7 ESU,  and also I’d like to ask your advice regarding whether my conclusion is valid.  You said the following  in your Dec 17, 2019 posting on the askwoody.com website (posted at https://www.askwoody.com/2019/patch-lady-yes-the-windows-7-esu-keys-work-on-ultimate/  ):  “One thing to keep in mind — if you are a security-only  patcher, you will need to flip over to the update rollup model to get this key on your machine.”   You also said in the AskWoodyPlus Newsletter of Dec 23, 2019  the following:  “Note: If you’ve installed only the “security-only” updates,  you’ll still need to install that October rollup — yes, the one that includes telemetry patches.”      However,  as noted by AskWoody MVP Member EP in his February 4 posting above (#post-2134981), “I did not need the KB4516655 and KB4519976 updates on an old Win7 Pro computer because I have both the KB4536952 & KB4534310 updates installed”.   So essentially what EP is saying there is that he didn’t need the October Rollup and the September SSU because he already had the January 2020 Rollup and SSU.  However, I’d like to expand on what EP said by saying that based on my research,  it appears that there is no longer a prerequisite for any monthly rollup (because recent “security-only” updates can be used instead),  and therefore I think that what you said in your Dec 17, 2019 posting and in the Dec 23, 2019  AskWoodyPlus Newsletter may have been true at the time that you said those things in December,  but they don’t appear to be true in February 2020,  due to changes issued by Microsoft.  Microsoft issued a posting by Jon Warnken on Feb 3, 2020  at  https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/preparing-to-deploy-extended-security-updates/ba-p/1139851  in which he says the following:    “Update 02.03.2020: Updated post to confirm that Security Only Quality Updates from November 2019 and onward satisfy the pre-requisites for the ESU key”.   If you read further on in the body of that posting,  it indicates that any of the “security-only” updates from Nov 2019 – Jan 2020 can be used instead of the monthly rollups.   I believe your December 2019 postings were probably based on an Oct 17, 2019 blog posting by Microsoft,  which did indicate that the Oct 2019 monthly rollup was a prerequisite;   but since that time, that blog posting has been archived by Microsoft and replaced by a revised blog posting dated Feb 11, 2020  at https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091  and I don’t see anything in that Feb 11,2020 blog posting about  a requirement for the Oct 2019 monthly rollup.   However I do see a new requirement for the “ESU licensing preparation package”,  which you yourself have noted is a new requirement,  as you’ve discussed elsewhere on this website.   So Susan,  in view of the fact I’ve been a member of “Group B” in the askwoody.com community for a number of years,  and I’ve been installing those “security-only” updates instead of the monthly rollups for all those years,   I plan to skip your advice on installing the October rollup as one of the  prerequisites for obtaining the ESU license.   Is this OK with you?

1 user thanked author for this post.

Kranium

Reply | Quote