PART VII – Extended Support Updates (ESU) and VDI infrastructure

Hello World,

In our previous posts, we discussed the ESU (Extended Security Updates) program, which helps organizations still running legacy operating systems like Windows 7 and Windows 2008/R2 to obtain paid critical security hotfixes. To benefit from the program, you need to deploy the mandatory updates, install the VAMT tool, and deploy and activate the ESU MAK keys; you are then good to go to receive these new critical patches (when released by Microsoft). We have explained the ESU program deployment process in quite some detail in the following posts.

We thought that we had covered most of the topic through these posts. However, a lot of customers and organizations came back to us with a rather valid question about VDI infrastructure. How do we manage a VDI infrastructure based on the Windows 7 operating system? Microsoft does not really seem to provide a formal and definitive answer about this specific scenario.

So, let’s have a look at the concerns and a possible workaround that can be used when deploying the ESU MAK key in a VDI scenario.

Problem Explained

There are actually two problems that have been mentioned when using the ESU MAK key in conjunction with a VDI infrastructure (non-persistent desktops). These problems are:

  • Activation process and support
  • License depletion in VDI Infrastructure

Let’s have a quick look at these issues

MAK Activation not supported in VDI Infrastructure

In a VDI infrastructure, a master image (containing all the latest Windows updates) is created, and every new VDI instance created by the system uses this master image to create the needed virtual machines across your network. When a new update is released by Microsoft, the master image is updated and sealed back so it can be deployed through the VDI infrastructure, ensuring that all VDI instances are up to date.

Usually, the master image contains the KMS keys and is configured to perform the activation process against the KMS server available on the network. This approach ensures that all VDI instances get activated against the KMS server. However, when integrating the ESU program, the ESU keys delivered by Microsoft are MAK based. This is where problems start to pop up! VDI vendors only support KMS activation and not MAK activation (check out this VMware doc link).

To benefit from the ESU program, you need to install and activate MAK keys, but your VDI vendor is telling you that you have to use KMS activation. So, how do you integrate the ESU program and a VDI infrastructure? Keep reading, we will offer a possible workaround!

MAK Keys Licenses Depletion

The other problem that has been raised by customers is about license consumption in a VDI scenario. In a non-persistent VDI infrastructure, the VDI instances are created and deleted as needed by the VDI platform. This means that each time a new VDI instance is generated, the activation process is triggered. Imagine that you have included the ESU MAK key in your master image and that it is kind of working with your VDI infrastructure (i.e. MAK key activation). In such a situation, each time a VDI instance is created, a new MAK is consumed. In the end, you will have issued all your MAK keys to non-persistent VDI machines, and when you really need to obtain the ESU critical patches, you are out of valid licenses.

Possible Workaround

We have seen that using the ESU MAK keys in a VDI infrastructure can be challenging and can basically cost you more money if you do not use the appropriate method to activate your systems with the ESU MAK key. Funny enough, it seems that Microsoft has not really thought about these possible issues, as no official procedure has been published (yet?) about ESU and VDI infrastructure.

Initially, some customers thought that, since the ESU MAK key is an add-on to the KMS key, it would not be a problem to activate the ESU MAK on the master image. However, as described above, the side effect was depletion of the available license keys. So, how do you integrate ESU MAK keys and a VDI infrastructure? You have to slightly adapt your master image creation process. You would need to perform the following actions:

  • Step 1 –  Go on your master image and make it ready for changes
  • Step 2 – Activate the master image using the ESU MAK Key you have received
  • Step 3 – Download any new ESU Critical patches that might have been made available by Microsoft
  • Step 4 – Remove the ESU MAK Key from your Master image (using this command slmgr.vbs -upk <Activation Id>)
  • Step 5 –  Seal your up to date master image
  • Step 6 – Deploy it through your VDI

Because there is no ESU MAK key in the master image, you have overcome both problems mentioned above. You will still be using KMS activation and there will be no depletion of your ESU MAK key licenses. Most importantly, your VDI instances will be running with all the latest Windows updates, including the extra ones you paid for when you enrolled in the ESU program.
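
A check you can run between step 4 and step 5 to confirm that the ESU MAK key is really gone before sealing. This is an added example, not a script from this post or from Microsoft; the -Remove switch is this example's own, and the three activation IDs are the ones listed under Final Notes below. It assumes an elevated PowerShell 2.0 (or later) session on the master image.

```powershell
# Added example: gate for step 5 (sealing), run elevated on the master image.
# Written for the PowerShell 2.0 that ships with Windows 7.
param([switch]$Remove)   # -Remove also uninstalls any ESU key that is found

# Activation IDs as listed in the Final Notes of this post.
$EsuIds = @{
    '77db037b-95c3-48d7-a3ab-a9c6d41093e0' = 'ESU Year 1'
    '0e00c25d-8795-4fb7-9572-3803d91b6880' = 'ESU Year 2'
    '4220f546-f522-46df-8202-4d07afd26454' = 'ESU Year 3'
}

function Get-InstalledEsuKey {
    # SoftwareLicensingProduct has one row per licence SKU; only rows with a
    # PartialProductKey have a product key installed on this machine.
    Get-WmiObject -Class SoftwareLicensingProduct `
                  -Filter 'PartialProductKey IS NOT NULL' |
        Where-Object { $EsuIds.ContainsKey($_.ID.ToLower()) }
}

$found = @(Get-InstalledEsuKey)
foreach ($sku in $found) {
    $year = $EsuIds[$sku.ID.ToLower()]
    Write-Warning ("{0} key ending in {1} is installed (LicenseStatus {2})" -f `
        $year, $sku.PartialProductKey, $sku.LicenseStatus)
    if ($Remove) {
        # Same command as step 4: uninstall the key for this activation ID.
        & cscript.exe //nologo "$env:windir\System32\slmgr.vbs" /upk $sku.ID
    }
}

# Re-query so the exit code reflects the state after any removal.
$left = @(Get-InstalledEsuKey)
if ($left.Count -gt 0) {
    Write-Error "ESU MAK key still present: do not seal this image."
    exit 1
}
Write-Output "No ESU MAK key installed: image can be sealed."
exit 0
```

A non-zero exit code lets an image build job stop before the sealing step instead of shipping a master image that would consume a MAK activation for every new VDI instance.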

Final Notes

In a VDI infrastructure, some people have also been asking if it would make sense to deploy a VAMT server in order to activate a handful of master images (between 1 and 5 based on our experience). It might seem like a lot of effort for only a few machines. If your master image can have a direct internet connection, you might want to perform the installation and activation actions manually. You would need to perform the following actions.

To install the ESU MAK key, you will need to issue the following command in a command prompt

slmgr /ipk <ESU-MAK-KEY>

To activate the system where the MAK Key has been installed, you have to issue the following command

slmgr /ato <activation ID>

Where Activation ID is one of the following:

Year 1  77db037b-95c3-48d7-a3ab-a9c6d41093e0
Year 2  0e00c25d-8795-4fb7-9572-3803d91b6880
Year 3  4220f546-f522-46df-8202-4d07afd26454

Note:
Apparently, there is also a script that has been developed to perform online activation directly over the internet; please have a look at this location. Use this script at your own risk: we didn’t use it and we do not know if it’s working as expected.

Finally, when you are ready to seal your master image, do not forget to remove the ESU MAK key by issuing the following command

slmgr /upk <activation ID>

If you are working with an isolated network, VAMT seems to be the way to go even if you do not have many machines to activate. You could also avoid installing two VAMT instances (one connected to the internet and one in the isolated network) by using an alternative solution called ActivateWs (see source and documentation here). The solution seems to be a good alternative to VAMT. Through a web interface, you can retrieve the confirmation ID and then perform manual activation by using the following command

slmgr /atp <ConfirmationID> <activation ID>

If we have time, we might still explore these alternative options (the manual approach and the ActivateWs web service), but for now it seems that we have covered the subject quite extensively. We hope that this info will be useful to others. If you still have issues, you can still hire us and we can provide you with the necessary support 🙂

Till next time
See ya

