News

Microsoft Details Ins and Outs of Windows Extended Security Updates

• By Kurt Mackie
• 01/31/2020

A Thursday announcement by Microsoft lays out the technical details of its Extended Security Updates (ESUs) program for Windows 7 and Windows Server 2008 systems.

Both of those client and server products fell out of support earlier this month, which means that free patch support from Microsoft has ended, including the delivery of security updates. Microsoft's ESU program carves out an exception, though, for organizations willing to pay for the extra support.

The ESU program adds up to three years of patch support, but organizations must pay a year in advance for one year of support. They'll need to renew the ESU licensing each year if support is still needed, but the costs are said to double each year.

The ESU program is also somewhat tiered in terms of purchasing. Volume licensing customers are supposed to buy ESUs keys from their "Account Team CE," while smaller organizations and everyone else need to find a Microsoft Cloud Solution Provider (CSP) partner to buy ESU keys, which can be done using this search portal.

ESU Deployment
ESU deployment and activation is nuanced. Microsoft's best description, perhaps, can be found in this Oct. 17 Windows IT Pro blog post.

Microsoft's latest technical advice on ESUs is derived from the Microsoft Premier Support team. The advice more clearly specifies the system prerequisites to use ESUs. There's apparently new information about needing to have a Secure Hash Algorithm 2 (SHA-2) update installed and having the Oct. 8, 2019, monthly rollup installed before using ESUs.

ESU System Requirements
Here's what needs to be installed to use ESUs, according to the Thursday announcement:

• Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU update:
• 4474419 SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
• 4490628 Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
• Install the following servicing stack update (SSU) and monthly rollup:
• 4516655 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019
• 4519976 October 8, 2019—KB4519976 (Monthly Rollup)
• Install and activate the ESU key.
• For information about how to install and activate the ESU key, see the "How to get Extended Security Updates for eligible Windows devices" blog on the Microsoft Tech Community website.

KMS Activation Details
Another confusing point about using the Key Management Service (KMS) to activate ESUs was somewhat clarified in Microsoft's announcement.

Organizations that can't connect, or that don't want to connect, their PCs to Microsoft's content delivery network may want to use KMS to activate the ESUs. KMS is used to activate software using an organization's local network infrastructure, and may be used by some volume licensing customers.

However, Microsoft distributes ESUs via Multiple Activation Keys (MAKs), so KMS can't be used to automatically activate ESUs. Instead, organizations need to use Microsoft's Volume Activation Management Tool (VAMT) to manually activate the ESU keys.

The announcement promised to further describe ESU "options for systems without internet connectivity" in some future post.

Microsoft didn't streamline ESU activation via KMS because it would have required rearchitecting KMS, which was deemed too risky for enterprise customers, the announcement explained.