Applying your Extended Security Updates (ESU) MAK to Windows 7 with SCCM

Over the last couple of years, the main focus of IT within many medium to large organisations has been migrating their users from Windows 7 to Windows 10. As of January 14th, 2020, Windows 7 is no longer receiving the monthly security updates it has been receiving since it was released 10 years ago. This means that any organisation with Windows 7 clients still in use is at an ever-increasing risk of attackers using this weaker link to compromise their network.

For organisations willing to pay, Microsoft is offering an additional 3 years of support for Windows 7 through their Extended Security Updates (ESU) program. If you are enrolled in this program you will be provided a MAK to install on the Windows 7 clients that you wish to continue receiving updates on (good for as many seats as you have paid for). Part 1 of this guide will go through the process of verifying the key you have is working by manually installing it on a Windows 7 device and installing the ESU test update Microsoft published. Part 2 will go through the process of deploying the key using SCCM.

A few other notes about this:

The ESU MAK you receive will be good for Windows 7 Professional, Enterprise and Ultimate (there are no separate SKUs for each edition of Windows). It will also work on both x86 and x64 versions of Windows 7.

Your existing Windows 7 updating mechanism will continue to work once you have activated the ESU MAK on the client. Whether you use SCCM, WSUS or simply allow devices to go out directly to the internet for updates, you do not need to make any changes. The updates will continue to be downloaded post January 2020 and will appear in Software Center or in the Windows Update control panel applet if the ESU MAK has been applied to that device.

This guide will be assuming your clients will be internet connected when you activate the ESU MAK. If that is not the case you may need to use the Volume Activation Management Tool as detailed in Microsoft’s blog post on this subject.

Part 1 – Manually installing your ESU MAK on a Windows 7 device
Before you start deploying this to every Windows 7 device still in use, you may want to install it on one device to prove that it is valid, and to test that your update delivery mechanism is working. Microsoft published a test update that doesn’t do anything to the device but does use the same logic to detect whether or not a valid ESU MAK has been installed. You can use this to test the end-to-end process before the first real patches come out in February. This update is KB4528069.

To start, check for new updates on your Windows 7 device and verify that you do not see KB4528069 in the list of available updates:

List Of Updates Available Pre-ESU MAK Key Installation

Open an administrative CMD prompt and type slmgr.vbs /dlv. This will bring up a window that shows your current licensing situation, and it is likely to look something like this:

Next you need to install your ESU MAK. To do this, enter the command slmgr.vbs /ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY, replacing this made-up key with your key. You should get a success message that looks like this:

If you do not get a success message, it may be because Windows 7 does not recognise the key. This is because support for these ESU MAK keys was only introduced in the September 2019 and October 2019 monthly updates for Windows 7 (which in turn require the SHA-2 code signing support update released in March 2019). If you have an issue installing your key, ensure that these are installed and try again.

Once you have successfully installed the key you can verify that Windows has accepted it by once again using the command slmgr.vbs /dlv. This time you should see this:

As you can see it has not yet been activated. To activate it, you will need the Activation ID for the ESU SKU, which you can see here is “77db037b-95c3-48d7-a3ab-a9c6d41093e0”. In fact, Microsoft has already published what these will be for all 3 years of the ESU program, because they will be the same for everyone:

ESU Program                        ESU SKU (or Activation) ID
Windows 7 SP1 (Client)
  Year 1                           77db037b-95c3-48d7-a3ab-a9c6d41093e0
  Year 2                           0e00c25d-8795-4fb7-9572-3803d91b6880
  Year 3                           4220f546-f522-46df-8202-4d07afd26454
Windows Server 2008/R2 (Server)
  Year 1                           553673ed-6ddf-419c-a153-b760283472fd
  Year 2                           04fa0286-fa74-401e-bbe9-fbfbb158010d
  Year 3                           16c08c85-0c8b-4009-9b2b-f1f7319e45f9

Table taken from https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807

To activate the key, use the command slmgr.vbs -ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0. You should get a window pop up to tell you the activation has been successful.

ESU MAK Key Activating Success

Now you can run slmgr.vbs /dlv one last time to see the final state of your licensing:

This time the License Status shows as Licensed!

Now it is time to test that KB4528069 will appear and install on this device. Start another scan for patches and allow some time for the scan to complete. After a while, open Software Center or Windows Update and you should see the following:

Install it and confirm that your ESU updates are working as expected.

Part 2 – Deploying your Windows 7 ESU MAK to multiple devices using SCCM
Once you have confirmed your key is working, you no doubt want to install it on all remaining Windows 7 devices in your estate. The easiest way to do this is with a simple batch script deployed via SCCM.

First of all, if you do not already have one, create a collection that contains the Windows 7 devices you wish to install the ESU MAK on. If you simply want to create a collection that automatically contains any Windows 7 device connected to your SCCM, you can use the following query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from sms_r_system where OperatingSystemNameandVersion like '%Workstation 6.1%' ORDER BY SMS_R_SYSTEM.ResourceID

Next create a batch script containing the following commands:

@echo off
rem Install the ESU MAK (replace the made-up key with yours), then activate the Windows 7
rem ESU Year 1 SKU by its Activation ID. //B runs cscript in batch mode so no pop-ups appear.
cscript //B "%windir%\system32\slmgr.vbs" /ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY
cscript //B "%windir%\system32\slmgr.vbs" /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0

Once again replace the made-up key here with your ESU MAK.

Copy this script to a network location that is accessible by SCCM.

In the SCCM console, go to Software Library > Packages and in the ribbon click Create Package. Fill in fields such as Name, Description and tick “This package contains source files” and enter the network location where you put the batch script.

ESU MAK Package Creation

On the next screen select “Standard program”, and on the next screen give the Program a name. The command line should be cmd /c activate_windows7esu.cmd and in the Run drop down menu you should select Hidden. This will ensure that when this runs on the client, the user does not see the CMD box appear (however briefly). Make sure the name of the script matches what you called it.

You can complete the rest of the wizard by clicking Next and Finish. Once created, distribute this package to your Distribution Points, and finally deploy it to the collection containing Windows 7 devices. When deploying, ensure you make it a Required deployment, set the Assignment schedule to “As soon as possible” and in the User Experience section make sure that Software installation is allowed outside of maintenance windows. This will allow the script to run as soon as possible on your Windows 7 devices.
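As an added example that is not part of the original post, the PowerShell script below covers the same /ipk and /ato steps as the batch script (and the verification done by hand in Part 1), but it also reads the ESU SKU's license status back from the SoftwareLicensingProduct WMI class, the same data slmgr.vbs /dlv displays, and exits non-zero unless the SKU ends up Licensed, so the SCCM deployment status reflects what actually happened on the client. The script file name, the parameter names, the -VerifyOnly switch and the placeholder key are assumptions; deploy it with a program command line such as powershell.exe -ExecutionPolicy Bypass -File activate_windows7esu.ps1, or run it with -VerifyOnly as a compliance check.

```powershell
# Added example, not code from the original post: install/activate the Windows 7 ESU MAK and
# verify it via WMI so SCCM gets a meaningful exit code. Targets PowerShell 2.0 (Windows 7
# default), hence Get-WmiObject rather than the CIM cmdlets.
param(
    [string]$EsuKey = 'ABCDE-FGHIJ-KLMNO-PQRST-UVWXY',                # placeholder, use your MAK
    [string]$ActivationId = '77db037b-95c3-48d7-a3ab-a9c6d41093e0',  # Windows 7 ESU Year 1 SKU
    [switch]$VerifyOnly                                               # report only, change nothing
)

$slmgr = Join-Path $env:windir 'system32\slmgr.vbs'

# LicenseStatus of SoftwareLicensingProduct: 0 = Unlicensed, 1 = Licensed, 2-6 = grace/notification.
# Returns -1 when the ESU SKU is not present at all, which means the September/October 2019
# monthly updates (and the SHA-2 update) that introduced ESU support are missing.
function Get-EsuLicenseStatus([string]$Id) {
    $product = Get-WmiObject -Class SoftwareLicensingProduct -Filter "ID = '$Id'"
    if ($product -eq $null) { return -1 }
    return [int]$product.LicenseStatus
}

# Run slmgr.vbs under cscript and stop on a non-zero exit code instead of silently continuing.
function Invoke-Slmgr([string[]]$Arguments) {
    $argList = @('//Nologo', "`"$slmgr`"") + $Arguments
    $proc = Start-Process -FilePath 'cscript.exe' -ArgumentList $argList -Wait -PassThru -WindowStyle Hidden
    if ($proc.ExitCode -ne 0) {
        Write-Host "slmgr.vbs $($Arguments -join ' ') failed with exit code $($proc.ExitCode)"
        exit $proc.ExitCode
    }
}

$status = Get-EsuLicenseStatus $ActivationId
if ($VerifyOnly) {
    if ($status -eq 1) { Write-Host 'Compliant: ESU is Licensed'; exit 0 }
    Write-Host "NonCompliant: LicenseStatus=$status"; exit 1
}
if ($status -eq 1) { Write-Host 'ESU already Licensed, nothing to do'; exit 0 }

Invoke-Slmgr @('/ipk', $EsuKey)
Invoke-Slmgr @('/ato', $ActivationId)

# Re-read WMI: this is the authoritative check, equivalent to "License Status: Licensed" in /dlv.
$status = Get-EsuLicenseStatus $ActivationId
if ($status -eq 1) { Write-Host 'ESU activated: License Status = Licensed'; exit 0 }
Write-Host "Activation did not complete (LicenseStatus=$status); the SYSTEM account may lack internet/proxy access"
exit 1
```

A -1 result before activation is the symptom described earlier in the post (Windows 7 not recognising the key), so the script reports it rather than attempting /ipk on a device that cannot accept it.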

Hopefully this will get you well on your way to continuing to receive Windows 7 updates over the next few months, and fingers crossed you’re not far from eliminating Windows 7 from your estate completely!

Bonus fun: What happens if you try to install the test update, KB4528069, on a Windows 7 device that you have not activated your ESU MAK on? It simply fails to install:

KB4528069 Fails to Install

15 thoughts on “Applying your Extended Security Updates (ESU) MAK to Windows 7 with SCCM”

  1. We only have about 50 devices left on Windows 7 right now in our environment. Do we really need to install the Win7 ESU key if we are installing the Windows 7 updates manually (manual download and install from the Microsoft Update Catalog website)?

    1. Hey,
      You will need to if you try to install any updates that have been released after January 2020. These updates are coded to check for the existence of an ESU licensed machine and they will fail to install if the machine hasn’t got the ESU license installed. This is true even if you manually download them.

      1. Hello, How do you verify the licenses are correctly applied?
        Any log? Any Event to check?
        Thanks,
        Dom

  2. Hello,
    I did the process but I am getting an error during the deployment for half of the machines:
    Message ID 10006
    Status Type: Error
    Description: – 2147012866

    Others seems working fine Message ID 10008
    Any idea on the error?
    Thanks,
    Dom

  3. Hello,
    It seems my file is incorrect as it never returns… it remains as started!!!
    @echo off
    cscript //B "%windir%\system32\slmgr.vbs" /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

    cscript //B "%windir%\system32\slmgr.vbs" /ato 553673ed-6ddf-419c-a153-b760283472fd
    what is wrong ?
    Thanks,
    Dom

  4. Hi, A quick one
    If your machine is not connected to the internet, can I use the “%windir%\system32\slmgr.vbs” /ato command to activate and change the status from “Unlicensed” to “Licensed”?

    1. The machine must have some way to validate the key. The machine being connected to the Internet is the simplest way to make sure this can happen. I’m afraid I am not sure if it’s possible to configure an on-prem KMS server to give out the key to clients.

      1. Thanks Kevin for your response.
        I am trying to deploy Windows updates via SCCM on a machine which is not connected to the internet; however, it does have the ESU keys deployed with the license status as “Unlicensed”. I used to deploy Windows updates on the same machine using SCCM but after updating the ESU keys, I am unable to deploy the updates at all. My question is: does SCCM validate that the license status is “Licensed” before scanning and deploying the patches, or does it not matter?

      2. I’m pretty sure that doesn’t matter. The actual logic that checks if the update should install (assuming it’s an ESU update) is done when the patch attempts to install. The ESU updates won’t work until you get that status to Licensed.

        If you’re seeing non-ESU updates failing to install now as well, I’m not too sure what would be causing that.

  5. I have successfully extended my security updates for Windows 7. I ran slmgr.vbs /dlv and I can see the correct license status, and I installed KB4474419, KB4490628 and KB4536952. But I don’t see any updates in SCCM.

    1. Windows 7 updates will continue to sync in SCCM as long as you have the Windows 7 category set in WSUS and have an ADR to publish the updates. If you were updating Windows 7 every month before January 2020 using SCCM you don’t need to change anything there.

  6. Hi Kevin,
    Thanks for the great write-up.
    Any pointers on performing this on machines that sit behind a proxy?
    Given SCCM runs the program in the SYSTEM context I believe the system account would need access out to the internet.
