How to verify if your Windows 7 can get Extended Security Updates (ESUs)

Microsoft has announced Extended Security Updates for Windows 7 for those who are ready to pay per computer subscription. Windows 7 support is ending on January 14, 2020, and hence it’s essential to verify if your Windows 7 can get Extended Security Updates (ESUs).  In this post, we will share details of how you can check the eligibility of your Windows 7 system. We have also included details for Windows Server 2008 R2 SP1.

Verify if Windows 7 can get Extended Security Updates

Here is the list of minimum requirements, and installation processes to verify for EUSs. If you have Windows 7 VM hosted on Azure, you will receive free ESU updates.

1. Minimum OS Requirement
2. SHA-2, Servicing Stack update, and monthly rollups
3. Activation using the ESU key
4. Installing KB updates for final verification.

If the KB update is unsuccessful, follow the troubleshooting methods.

1] Minimum OS Requirement

The first criterion to get the ESUs is that you should have updated your copy to Windows 7 Service Pack 1 (SP1) and Server 2008 R2 SP1 or Windows Server 2008.

2] SHA-2, Servicing Stack update, and monthly rollups

Next, you need to install SHA-2 code signing support update, servicing stack update, and monthly rollups. Here are the details offered by Microsoft:

1. Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU update:
   • 4474419 SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
   • 4490628 Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
2. Install the following servicing stack update (SSU) and monthly rollup:
   • 4516655 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019
   • 4519976 October 8, 2019—KB4519976 (Monthly Rollup)

3] Activation using the ESU key

Once you have them, you can then install and activate your Windows using the ESU key, which you have received from your Cloud Solution Provider or Microsoft 365 Admin Center. These are MAK keys, and you will need them to receive the security updates for the whole year.

Follow these three steps to activate and verify the status of your ESU key. Though Microsoft suggests using System Center Configuration Manager to send scripts to your enterprise devices. All of these should be performed on an elevated Command Prompt. We will use SLMGR to activate and verify.

Find the ESU Activation ID

• Type slmgr /ipk <ESU key> and select Enter.
• If the product key installed successfully, you will see a message— Installed product key <key> successfully.

Activate the ESU product key

• Type slmgr /dlv, and select Enter.
• Note the ESU Activation ID.
• Type slmgr /ato <ESU Activation Id> and press Enter.

Verify the status 

• Type slmgr /dlv and select Enter.
• Verify Licensed Status shows as Licensed for the corresponding ESU program

You will have to repeat this process every year. You will get a new MAK key every year, which should be activated to keep getting the ESUs updates.

Since your copy of Windows is already activated, you might wonder if the second key overwrites it. That is not the case. The ESU MAK key will be installed side-by-side with another activation key. It will not affect that other activation key.

4] Installing KB updates for final verification

After the activation is successful, you need to install KB4528069 for Windows 7 SP1 and Windows Server 20008 R2 SP1. If you are doing this on Windows Server 2008, then install KB4528069. You can get this update from Microsoft Update Catalog or Windows Server Update Services (WSUS).

It is a non-security update that is not available from Windows Update or Microsoft Update. It will help you verify if you are to get Extended Security Updates (ESUs).

If the computer cannot connect online, then you need to follow a different method:

The first is to download install KB4519972 via USB or any other means. Then you need to use the Volume Activation Management Tool to perform proxy activation.

You will need to download and install the Volume Activation Management Tool, update the configuration file, configure settings for client firewall for VAMT, and then add the ESU product key to VAMT.

ESUs updates will always look for the MAK keys, and if it is missing, you will not receive the updates. Since MAK keys are one time keys, you make sure to have a clear discussion of how you will manage if the machine needs a reinstall.

Troubleshooting Extended Security Updates (ESUs) Issues

1. Make sure that all the prerequisites have been fulfilled.
2. Restart if there are any pending updates are asking you to do so.
3. Make sure that you are installing this update on the ESU eligible edition and supported architecture.
4. If you have issues with the keys, ask from the cloud partner to verify if the keys given to you are valid.
5. You can always call the Microsoft customer support number 1-800-Microsoft (642-7676).

Microsoft is also supporting Embedded, POS Ready, Enterprise, Standard, Datacenter, Web, Workgroup versions of Windows 7, and Windows 2008.

You should consider upgrading Windows 7 to Windows 10, as otherwise, it will be difficult to secure Widows 7 after End Of Support. There are risks involved, in staying with Windows 7 after End Of Life!