ESU for Windows 7 and Windows 2008/R2 – Part I – Prepare the Infra

Hello World,

By now, you should be fully aware that Windows 7, Windows 2008 SP2, Windows 2008 R2 and SQL Server 2008 R2 products have reached end of extended support. Officially, these products reached end of support on January 14, 2020. This means that no more free updates and patches will be made available for these operating systems and products. Microsoft provided enough time and early notifications to bring awareness about the discontinuation of these products. However, it seems that there is still a large number of organizations running these legacy operating systems.

This situation has “obliged” Microsoft to come up with a new support program for organizations willing to pay for the extra support. The Extended Security Updates (ESU) program will ensure that entitled customers (i.e. those paying for the support) will still receive critical and important security updates for these legacy products. The ESU program will run for a maximum of three years and no more support will be available after 2023. More specifically, organizations will need to subscribe to or renew the ESU program every year if support is needed. The price will increase through the years.

Since February 2020, we have seen an increase in requests either to implement the Extended Security Updates (ESU) program or to perform very quick migrations to newer products still supported by Microsoft. Our recommendation would be to migrate to newer products so that there is no need to maintain and pay for legacy operating systems. However, in some really specific cases, a quick migration is not possible (specific applications that need to be rewritten).

This post will provide some (technical) information about the ESU and what you would need to do if you need to obtain this extra support for your organization. This post will not explain how to obtain the ESU key nor the pricing model used. This post will quickly go through what needs to be done in order to prepare your environment and make it ready to receive these Extended Security Updates.

So, let’s move forward!

Overview

The ESU program is really the last resort option available to organizations willing to pay for extra support on legacy operating systems and products such as Windows 7, Windows 2008, Windows 2008 R2 and SQL 2008 R2. After identifying the number of ESU licenses you would need for your machines running Windows 7 and Windows 2008/R2, you can purchase the Extended Security Updates program for a 12-month period. In practice, this means that you will receive a MAK ESU licensing key. This key will be unique to your organization. However, the same key will be used to activate all devices that need to receive the extended support.

This MAK ESU license key will not be recognized by the legacy operating system if you do not prepare your infrastructure. A series of specific Windows updates needs to be deployed and installed on machines running these legacy products. After installing these updates, you will basically need to distribute and activate the (ESU) MAK key. Once the key is activated, and when Microsoft releases hot fixes and patches, the supported machine will be able to download and install the patches through the same patching process you are currently using (i.e. WSUS or SCCM or any other third party solution).

To deploy and activate the ESU MAK key through your network, Microsoft recommends using the VAMT tool, also known as the Volume Activation Management Tool. The Volume Activation Management Tool (VAMT) offers a centralized tool and GUI interface that can simplify and automate the ESU key deployment process through the network. The VAMT tool does not seem to be widely used by sysadmins and few people know about it. The VAMT tool can be used in combination with the KMS server and provides an easy way to track licensing usage through your organization. The VAMT tool is totally free. To obtain it, you will need to first download the latest version of ADK Windows 10 1903. You can download the ADK Windows 10 1903 at this location

Note:

Other options might be used to deploy and activate the ESU MAK key (like manual activation, scripted install, third party tool) and, if time permits, we might want to investigate these options later on.

Preparing the infrastructure

Obtain and Deploy ESU Updates for Windows 7, Windows 2008/R2

The following link provides the latest information about which updates are needed for ESU support (please check this, https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates).

Before being able to benefit from the ESU program, your organization will need to obtain the required updates and install them accordingly. Based on your infrastructure, you will be able to deploy these additional and required patches through WSUS, SCCM or any other patch management solution you are currently using. You will have to approve these patches and deploy them to targeted computers running Windows 2008R2 or Windows 7.

Download and install the following Windows updates on target computers in the specified order:

  1. KB4474419 (SHA2-Update)
  2. KB4490628 (Service Update Stacks)
  3. KB4536952 (Service Update Stacks)

Then download and install the Extended Security Updates (ESU) Licensing Preparation package, which is:

  • KB4538483 (for Windows 2008R2 and Windows 7 SP1)

Note:

If you are running Windows 2008 SP1, we recommend upgrading to Windows 2008 R2 or later if possible.
If this is not an option, you can still benefit from the ESU program if you install the following Windows updates:

  • KB4474419 (SHA2-Update)
  • KB4490628 (Service Update Stacks)
  • KB4536952 (Service Update Stacks)
  • KB4538484 (Licensing preparation tool for Windows 2008 SP2)

After installing these patches, target computers will need to be restarted!!! So, you might need to plan the deployment of these patches. To deploy these patches, you can use a manual approach, use some scripts or use your standard patch management infrastructure (WSUS, SCCM,…).
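Before moving on to key activation, it helps to confirm which machines actually have the prerequisites. The following is an added example, not part of the original post: a PowerShell 2.0 compatible function (the name `Test-EsuPrerequisite` and the host names are hypothetical) that compares the KB lists above with what `Get-HotFix` reports and returns the missing updates in the required installation order.

```powershell
# Added example: Test-EsuPrerequisite is a hypothetical name, not a Microsoft cmdlet.
# Written for PowerShell 2.0, the version shipped with Windows 7 / Windows 2008 R2.
function Test-EsuPrerequisite {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # KB lists taken from this post, in the required installation order.
    $common = 'KB4474419', 'KB4490628', 'KB4536952'
    $prepKb = @{
        '6.1' = 'KB4538483'   # Windows 7 SP1 / Windows 2008 R2
        '6.0' = 'KB4538484'   # Windows 2008 SP2
    }

    foreach ($computer in $ComputerName) {
        $os = $null; $missing = @()
        try {
            $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $key = ($os.Version -split '\.')[0..1] -join '.'
            if (-not $prepKb.ContainsKey($key)) {
                # Not an OS covered by the lists above (for example Windows 10).
                $status = 'NotApplicable'
            } else {
                $required  = $common + $prepKb[$key]
                $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                               ForEach-Object { $_.HotFixID })
                # Keep the post's order so the result doubles as an install plan.
                $missing = @($required | Where-Object { $installed -notcontains $_ })
                $status  = if ($missing.Count -eq 0) { 'Ready' } else { 'MissingUpdates' }
            }
        } catch {
            $status = "Unreachable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            ComputerName = $computer
            OS           = if ($os) { $os.Caption } else { $null }
            Status       = $status
            MissingKB    = $missing -join ', '
        }
    }
}

# Constructed host names; replace them with your own inventory.
Test-EsuPrerequisite -ComputerName 'WIN7-PC01', 'SRV2008R2-01' |
    Select-Object ComputerName, OS, Status, MissingKB | Format-Table -AutoSize
```

The check is an exact match on KB IDs, so verify any machine flagged as `MissingUpdates` against the Microsoft article linked above before redeploying.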

Download the VAMT Tool

When your Windows 7 SP1, Windows 2008 SP2 and Windows 2008R2 machines have received the needed patches mentioned above, we are ready to deploy and activate the MAK ESU key. Microsoft recommends using the Volume Activation Management Tool (VAMT), which is part of the ADK (Automated Deployment Kit). This tool has been around for some time but was not really extensively used by sysadmins.

Volume Activation Management Tool (VAMT) offers a centralized tool and GUI interface that can simplify and automate the ESU Key deployment process through the network. The VAMT tool is totally free. To obtain it, you will need to first download the latest version of ADK Windows 10 1903 (at this location).

Based on your infrastructure and your internet connectivity, you can decide to install the VAMT tool directly on the target machine, or you can decide to download the ADK offline source files and perform the installation even if you do not have internet connectivity.

When you have access to the VAMT source files, you will need to perform the installation. VAMT needs to connect to a SQL database, which can be locally hosted (i.e. SQL Express) or can be located on a centralized database infrastructure that might be available on your network.

When your VAMT server is installed and operational, you will need to create queries to identify your Windows 7 and Windows 2008/R2 computers and you will be ready to deploy the ESU Key through your network.

Note: In a coming post, we will describe how to perform the VAMT installation and configuration…

ESU Key Activation – Online or Proxy Activation 

The ESU key activation process has also been a little bit confusing for people (based on our experience and feedback received). Usually, organizations are not directly connected to the Internet to perform activation. Instead, the majority of organizations we are working with are using the KMS (Key Management server) infrastructure, which allows “offline” activation through your organization. Initially, a lot of people thought that the ESU key would get activated through the KMS infrastructure. This is a wrong assumption, as ESU keys are MAK (Multiple Activation Keys) based. This means that computers getting the ESU MAK key need direct access to the Internet so that activation can be performed directly with Microsoft. This is referred to as Online Activation.

For organizations not connected or not willing to grant direct access to Microsoft Activation services, a Proxy Activation process exists as well, and it is based on the VAMT tool. Proxy Activation assumes that you have a VAMT installed on the “disconnected” network. Another VAMT infrastructure (or server), connected to the Internet, is then also needed. The VAMT infrastructure on the disconnected network will collect the information needed for the activation process. The information can be exported to a file and moved to the VAMT that is connected to the Internet. When the activation process is completed, you can then import the resulting file back into the disconnected network infrastructure, which will ensure that your machines get activated.

Final Notes

This concludes the first part of this series about the ESU key, VAMT and activation. We have just provided a quick overview of the process that needs to be used in order to obtain extra support for your Windows 7 and Windows 2008/R2 operating systems. Based on the feedback from our customers and colleagues, the ESU process was initially quite confusing, as Microsoft had changed the updates and the information that was needed to benefit from this program.

We would recommend initiating projects to move away from these legacy Windows 7 and Windows 2008 R2 systems instead of paying for extra support for legacy operating systems. We understand that some software might not be compatible yet with newer operating systems. For these specific cases, you could decide to benefit from the ESU program, but we would also recommend working on upgrading this legacy software whenever possible.

In the next post, we will focus more on how to install the VAMT software.   

Till next time 

See ya