Around this same time last year, we started receiving the ESU phone call. IT Professionals from SMBs to Enterprise levels were asking "Where can I get Windows 7 Extended Security Updates (ESU)? I need it now!" This year, the ESU phone calls have been flooding in as well with customers wondering how to continue support for Windows 7 in year two of three of ESU. While many of those customers are settled in already with ESU for 2021 safely secured, you might still be wondering if the Windows 7 ESUs are right for you and if so, what to do. So, here is everything you need to know about Windows 7 ESU: What it is, why you need it, how to get it and how to install it (plus, a few ways to jump to Windows 10).
ESU for Microsoft Windows 7
Why Do I Need Windows 7 ESU in 2021?
How Long Does Windows 7 ESU Last?
Windows 7 ESU Year 2: What You Need to Know
Windows 7 ESU: Year 2 Options
How to Install and Activate Windows 7 Extended Security Updates
FAQ about Extended Security Updates for Windows 7
Recap
If you're reading this, you probably know that Microsoft ended mainstream support for Windows 7 in January of this year. Thus, Extended Security Updates (ESU) was the answer to the question of "What do we do when mainstream support runs out?". ESU began January 14th, 2020 and will continue with an annual update for three years (until 2022). OK, so ESU is the follow-up to mainstream support and it's continuing into 2021 but...why purchase these updates in the first place?
Here's a few reasons why you'll want to consider ESU if you're remaining on Windows 7:
Without the updates your business no longer receives security vulnerability updates, making you instantly at higher risk of being hacked.
Without updates, your business becomes instantly non-compliant, which, if compliance is part of your job or you are working in a regulated industry sector where you are expected to prevent avoidable cyber security incidents, you could be in a less than enviable situation.
Overall, without updates, your Windows 7 security and quality will suffer.
But...is security that big of a deal? YES. Register below for our upcoming webinar to learn how to secure your company 👇
The short answer? 3 years. How does it work? Microsoft, take it away! "Organizations can purchase ESU at any time during the three years that the offer is available (2020, 2021, and 2022). If an organization waits and purchases ESU for the first time in year two or year three, they'll also have to pay for the preceding years." This is because the security updates are cumulative. If you don't have Year 1 before you tack on Year 2 in 2021, your Year 2 simply won't work (see the next section for more details).
"Although organizations can purchase ESU at any time, they should be aware that without ESU, they won't have received bug fixes or security updates since January 14, 2020. Additionally, Microsoft Support no longer provides any form of support for these customers," says Microsoft. Basically, if you didn't get ESU in January, it's time to start 2021 off right with the updates.
If you already bought ESU in January, you might be wondering if it automatically renews? The short answer? No. Microsoft explains that "Windows 7 ESU will be made available as a separate SKU for each of the years in which it's offered (2020, 2021, and 2022). To continue ESU coverage, customers will have to separately purchase the SKU and activate a new key for each year." The table below highlights coverage dates for ESU SKUs:
| Coverage Dates for ESU SKUs | Start Date | End Date |
| Windows 7 ESU Year 1 | January 14, 2020 | January 12, 2021 |
| Windows 7 ESU Year 2 | January 13, 2021 | January 11, 2022 |
| Windows 7 ESU Year 3 | January 12, 2022 | January 10, 2023 |
Going into Year 2 of the Windows 7 ESU program there are a few things everyone should know. As a prerequisite, you must first have the Year 1 ESU updates installed on devices you are looking to install the Year 2 updates to. Like I mentioned earlier, Windows update packages are installed on devices in a particular order. So if the Year 1 update packages are not installed on the device prior to the install attempt of Year 2, the installation will likely fail, or worse lead to the good old BSOD (or commonly known in the IT world as the Blue Screen Of Death). 😱
Microsoft has not included the Year 1 update packages in Year 2. Many assumed that the increased pricing for each year meant the prior was included, but that isn't the case. Pricing is likely increased to offset the engineering work required to continue to support and secure an operating system that is more than 10 years old in order to meet the technical security demands of today.
It could also be said with the pricing model that Microsoft is likely incentivizing customers to make the move to upgrade to Windows 10 sooner rather than later. Microsoft has made huge commitments to making Windows 10 the most secure version of Windows ever in existence while also being easy to use and interact across Microsoft's entire ecosystem and they want to move customers in that direction.
NOTE: Windows 7 ESU are only for devices running Windows 7 Pro NOT Windows 7 Home. If you are on Windows 7 Home, your only option is to purchase Windows 10 Pro or purchase a new device. 👉 If you already have Windows 10 Home, you can upgrade to Windows 10 Pro here for $60.
Thankfully, after our Windows 7 End of Life blog post back in July 2019, Microsoft began offering options for what to do to either move from Windows 7 or maintain a secure Windows 7 until a move can be made to Windows 10. Here are all of the options you can explore if you're running Windows 7, plus a couple of options specifically for those who did not purchase during Year 1.
This is likely the most straightforward option, especially if you have aging hardware and you're aren't running legacy line-of-business apps that still require Windows 7.
If you go this path, you won't have to spend time upgrading your machine and will have a brand new PC or laptop. Make sure you are buying a computer with Windows 10 Pro, not Home or Student. Bottom line, this will cost you the price of a new PC.
This is a viable option if you expect you can get a few more years out of your hardware running Windows 7 Pro and assumes that you are not running legacy line-of-business apps that still require Windows 7. Be ready to fork over about $200 per device 💵
If you are on Office 365 or are thinking about moving from an Office 365 plan to a Microsoft 365 plan, then subscribing to Microsoft 365 Business Premium (formerly known as Microsoft 365 Business) might be the answer. Microsoft 365 Business Premium offers great value and includes upgrade rights to Windows 10 Pro from Windows 7/8.1 Pro licenses. Two birds, one stone.
For more information on which plan is right for you, read our other blog posts: What is Microsoft 365? and Microsoft 365 vs Office 365.
Windows Virtual Desktop (WVD) was officially launched in the fall of 2019. In a nutshell, it is something you can call "Remote Desktop as-a-Service" or Virtual Desktop Infrastructure (VDI)-as-a-Service. WVD is a great option if you are running your business on an aging RDH or VDI farm and are thinking about transforming your business with a modern approach to thin-client enabling more security and simplified device management.
When you sign up for WVD, Windows 7 ESU is included at no extra cost. How much will WVD will cost you will all depends on your situation. If you build it on your own, you will have to factor in the cost of your Azure resources and Microsoft 365 licenses along with the time and effort you put to set it up and to maintain it.
With that in mind and based on our experience with WVD, BEMO has pre-packaged 3 WVD multi-session offers. Here is a sneak preview of what it looks like:
| BEMO WVD Kiosk | BEMO WVD Business | BEMO WVD E5 | |
| pricing per seat/month | $89 | $125 | $159 |
| for... | first-line & field workers w/ web apps only |
Business < 300 employees w/ web and desktop apps |
Enterprise grade with the full Microsoft security stack |
| with | Microsoft 365 F3 | Microsoft 365 Business Premium | Microsoft 365 E5 |
Visit our site for more information or start a chat with our BEMO team in the lower right-hand corner of your screen.
Windows 7 ESU is available via a few specific Volume Licensing programs. That is an option that is catered to businesses with a Microsoft Enterprise Agreement and is not available to most SMBs.
This is the newest way to get Windows 7 ESU and addresses the needs of customers who do not qualify for the Volume Licensing deal or are not considering any of the aforementioned options.
The process is quite straightforward. All you need to do is purchase Windows 7 ESU directly from BEMO Online Store. It costs $140 for Year 2 and is licensed per device.
If you have not purchased Windows 7 ESU Year 1 yet or if you find you're in need of updates for an additional device, you will need to purchase Year 1 prior to purchasing Year 2. This can also be done at the BEMO Online Store. Just like Year 2, Year 1 is licensed per device at a cost of $70.
Once your order has been received, we will deliver your product key and all you have left to do will be to install and activate the ESU on each of your devices as per these instructions summarized below.
Questions? Reach out to us using the chat in the lower right-hand corner of your screen.
Here are the step-by-step instruction recently updated and based on an excerpt from a great blog published originally by Poornima Priyadarshini at Microsoft (steps to install, activate, and deploy ESUs are the same for first and second-year coverage) on how to install and activate Windows 7 ESU purchased via the CSP Program. More comprehensive instructions which also cover Windows Server 2008 ESU are available here also.
As per this Microsoft publication, the following steps must be completed before installing and activating ESU keys for Windows 7.
Important note: You must restart your device after installing all the required updates and before installing any monthly roll-up, Security-only update, or Preview of Monthly Rollup
Important You must restart your device after you install these required updates.
Download and install the Extended Security Updates (ESU) Licensing Preparation Package. For more information, see the following articles in the Microsoft Knowledge Base:
4538483 Extended Security Updates (ESU) Licensing Preparation Package for Windows 7 SP1 and Windows Server 2008 R2 SP1
Download the ESU MAK add-on key from the VLSC portal and deploy and activate the ESU MAK add-on key. If you use the Volume Activation Management Tool (VAMT) to deploy and activate keys, follow the instructions here.
Note After you successfully complete this procedure, you can continue to download the monthly updates via the usual channels of Windows Update, WSUS and Microsoft Update Catalog. You can continue to deploy the updates using your preferred update management solution.
Once you have addressed the prerequisites, you’re ready to install and activate Extended Security Updates for machines connected to the internet.
The steps to install, activate and deploy the ESUs are essentially the same for the first and second year besides that you will use the year 2 Activation key along with year 2 product key (MAK)
First, install the ESU product key using the Windows Software Licensing Management Tool.
Note: Installing the ESU product key will not replace the current OS activation method being used on the device. This is achieved by using the Activation ID to differentiate between the operating system’s activation and the ESU activation.
Next, find the ESU Activation ID:
Now, you’ll activate the ESU product key:
|
ESU Program |
ESU SKU (or Activation) ID |
|
Windows 7 SP1 (Client) |
|
|
Year 1 |
77db037b-95c3-48d7-a3ab-a9c6d41093e0 |
|
Year 2 |
0e00c25d-8795-4fb7-9572-3803d91b6880 |
|
Year 3; |
4220f546-f522-46df-8202-4d07afd26454 |
Once you have activated the ESU product key, you can verify the status at any time by following these steps:
Note: We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.
Windows 7 SP1: Install the optional, non-security update outlined in KB4528069. Please note that the KB4528069 update has no actual security content. This update is a test package and we subsequently recommend that you deploy it in your test environment. Install this update on your on-premises devices that are eligible for ESU.
If you are interested in learning more about Extended Security Updates, please see the following resources:
7. More troubleshooting here with cross-reference to error codes and for VAMT
To activate ESU keys via phone, use the slmgr command options - /dti and /atp. To activate ESU keys via phone, follow these steps:
Well, there you have it! Everything you need to know about Windows 7 ESU from how to buy it to how to install it! I hope this has been helpful. Please let us know in the comments below.
Curious how your cybersecurity stacks up? Take our 5-minute quiz by clicking on the button below:
Need a little more information? Schedule a free consultation here:
Laura Arce Fonseca : May 31, 2023
In the fast-paced business world, villains lurk in the shadows, ready to steal your company data through any method they can -- it's up to you to be...
-1.png?width=30&name=Untitled%20design%20(2)-1.png){kind=small}
Joseph Candelario : May 26, 2023
On May 24, Microsoft announced an alarming cybersecurity threat by the name of Volt Typhoon and provided important defense recommendations based on...
Suzanne Phillips : May 25, 2023
Zero Trust has become a buzzword in recent years, and no, not because dating in 2023 is next to impossible (or so I hear… I’m happily married).
Leave us a comment!