Around this same time last year, we started receiving the ESU phone call. IT Professionals from SMBs to Enterprise levels were asking "Where can I get Windows 7 Extended Security Updates (ESU)? I need it now!" This year, the ESU phone calls have been flooding in as well with customers wondering how to continue support for Windows 7 in year two of three of ESU. While many of those customers are settled in already with ESU for 2021 safely secured, you might still be wondering if the Windows 7 ESUs are right for you and if so, what to do. So, here is everything you need to know about Windows 7 ESU: What it is, why you need it, how to get it and how to install it (plus, a few ways to jump to Windows 10).
If you're reading this, you probably know that Microsoft ended mainstream support for Windows 7 in January of this year. Thus, Extended Security Updates (ESU) was the answer to the question of "What do we do when mainstream support runs out?" ESU began January 14th, 2020 and will continue with an annual update for three years (until 2022). OK, so ESU is the follow-up to mainstream support and it's continuing into 2021 but...why purchase these updates in the first place?
Why Do I Need Windows 7 ESU in 2021?
Here are a few reasons why you'll want to consider ESU if you're remaining on Windows 7:
Without the updates your business no longer receives security vulnerability updates, making you instantly at higher risk of being hacked.
Without updates, your business becomes instantly non-compliant. If compliance is part of your job, or you work in a regulated industry sector where you are expected to prevent avoidable cyber security incidents, you could be in a less than enviable situation.
Overall, without updates, your Windows 7 security and quality will suffer.
But...is security that big of a deal? YES.
How Long Does Windows 7 ESU Last?
The short answer? 3 years. How does it work? Microsoft, take it away! "Organizations can purchase ESU at any time during the three years that the offer is available (2020, 2021, and 2022). If an organization waits and purchases ESU for the first time in year two or year three, they'll also have to pay for the preceding years." This is because the security updates are cumulative. If you don't have Year 1 before you tack on Year 2 in 2021, your Year 2 simply won't work (see the next section for more details).
"Although organizations can purchase ESU at any time, they should be aware that without ESU, they won't have received bug fixes or security updates since January 14, 2020. Additionally, Microsoft Support no longer provides any form of support for these customers," says Microsoft. Basically, if you didn't get ESU in January, it's time to start 2021 off right with the updates.
If you already bought ESU in January, you might be wondering if it automatically renews? The short answer? No. Microsoft explains that "Windows 7 ESU will be made available as a separate SKU for each of the years in which it's offered (2020, 2021, and 2022). To continue ESU coverage, customers will have to separately purchase the SKU and activate a new key for each year." The table below highlights coverage dates for ESU SKUs:
Coverage Dates for ESU SKUs
Windows 7 ESU Year 1: January 14, 2020 to January 12, 2021
Windows 7 ESU Year 2: January 13, 2021 to January 11, 2022
Windows 7 ESU Year 3: January 12, 2022 to January 10, 2023
Windows 7 ESU Year 2: What You Need to Know
Going into Year 2 of the Windows 7 ESU program, there are a few things everyone should know. As a prerequisite, you must first have the Year 1 ESU updates installed on the devices where you plan to install the Year 2 updates. Like I mentioned earlier, Windows update packages are installed on devices in a particular order. So if the Year 1 update packages are not installed on the device before you attempt to install Year 2, the installation will likely fail, or worse, lead to the good old BSOD (commonly known in the IT world as the Blue Screen Of Death). 😱
Microsoft has not included the Year 1 update packages in Year 2. Many assumed that the increased pricing for each year meant the prior was included, but that isn't the case. Pricing is likely increased to offset the engineering work required to continue to support and secure an operating system that is more than 10 years old in order to meet the technical security demands of today.
It could also be said with the pricing model that Microsoft is likely incentivizing customers to make the move to upgrade to Windows 10 sooner rather than later. Microsoft has made huge commitments to making Windows 10 the most secure version of Windows ever in existence while also being easy to use and interact across Microsoft's entire ecosystem and they want to move customers in that direction.
NOTE: Windows 7 ESU are only for devices running Windows 7 Pro NOT Windows 7 Home. If you are on Windows 7 Home, your only option is to purchase Windows 10 Pro or purchase a new device. 👉 If you already have Windows 10 Home, you can upgrade to Windows 10 Pro here for $60.
Windows 7 ESU: Year 2 Options
Thankfully, after our Windows 7 End of Life blog post back in July 2019, Microsoft began offering options for what to do to either move from Windows 7 or maintain a secure Windows 7 until a move can be made to Windows 10. Here are all of the options you can explore if you're running Windows 7, plus a couple of options specifically for those who did not purchase during Year 1.
Option 1 - Buy a new computer with Windows 10 Pro
This is likely the most straightforward option, especially if you have aging hardware and you aren't running legacy line-of-business apps that still require Windows 7.
If you go this path, you won't have to spend time upgrading your machine and will have a brand new PC or laptop. Make sure you are buying a computer with Windows 10 Pro, not Home or Student. Bottom line, this will cost you the price of a new PC.
Option 2 - Upgrade to Windows 10 Pro by purchasing Windows 10 Pro
This is a viable option if you expect you can get a few more years out of your hardware running Windows 7 Pro and assumes that you are not running legacy line-of-business apps that still require Windows 7. Be ready to fork over about $200 per device 💵
Option 3 - Upgrade to Windows 10 Pro by purchasing Microsoft 365 Business Premium
If you are on Office 365 or are thinking about moving from an Office 365 plan to a Microsoft 365 plan, then subscribing to Microsoft 365 Business Premium (formerly known as Microsoft 365 Business) might be the answer. Microsoft 365 Business Premium offers great value and includes upgrade rights to Windows 10 Pro from Windows 7/8.1 Pro licenses. Two birds, one stone.
Option 4 - Subscribe to Windows Virtual Desktop offering
Windows Virtual Desktop (WVD) was officially launched in the fall of 2019. In a nutshell, it is something you can call "Remote Desktop as-a-Service" or Virtual Desktop Infrastructure (VDI)-as-a-Service. WVD is a great option if you are running your business on an aging RDH or VDI farm and are thinking about transforming your business with a modern approach to thin-client enabling more security and simplified device management.
When you sign up for WVD, Windows 7 ESU is included at no extra cost. How much WVD will cost you depends on your situation. If you build it on your own, you will have to factor in the cost of your Azure resources and Microsoft 365 licenses along with the time and effort you put in to set it up and maintain it.
With that in mind and based on our experience with WVD, BEMO has pre-packaged 3 WVD multi-session offers. Here is a sneak preview of what it looks like:
BEMO WVD Kiosk: first-line & field workers w/ web apps only
BEMO WVD Business: Business < 300 employees w/ web and desktop apps
BEMO WVD E5: Enterprise grade with the full Microsoft security stack
Pricing is per seat/month.
If you have not purchased Windows 7 ESU Year 1 yet or if you find you're in need of updates for an additional device, you will need to purchase Year 1 prior to purchasing Year 2. This can also be done at the BEMO Online Store. Just like Year 2, Year 1 is licensed per device at a cost of $70.
Once your order has been received, we will deliver your product key and all you have left to do will be to install and activate the ESU on each of your devices as per these instructions summarized below.
How to Install and Activate Windows 7 Extended Security Updates
Here are the step-by-step instructions on how to install and activate Windows 7 ESU purchased via the CSP Program. They were recently updated and are based on an excerpt from a great blog originally published by Poornima Priyadarshini at Microsoft (the steps to install, activate, and deploy ESUs are the same for first and second-year coverage). More comprehensive instructions, which also cover Windows Server 2008 ESU, are available as well.
As per this Microsoft publication, the following steps must be completed before installing and activating ESU keys for Windows 7.
Important note: You must restart your device after installing all the required updates and before installing any Monthly Rollup, Security-only update, or Preview of Monthly Rollup.
You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. If you use Windows Update, the latest SHA-2 update will be offered to you automatically. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
Note After you successfully complete this procedure, you can continue to download the monthly updates via the usual channels of Windows Update, WSUS and Microsoft Update Catalog. You can continue to deploy the updates using your preferred update management solution.
Installation and activation
Once you have addressed the prerequisites, you’re ready to install and activate Extended Security Updates for machines connected to the internet.
The steps to install, activate and deploy the ESUs are essentially the same for the first and second year, except that for year 2 you will use the year 2 Activation ID along with the year 2 product key (MAK).
First, install the ESU product key using the Windows Software Licensing Management Tool.
Note: Installing the ESU product key will not replace the current OS activation method being used on the device. This is achieved by using the Activation ID to differentiate between the operating system’s activation and the ESU activation.
Open an elevated Command Prompt. "Elevated" means running as an administrator. To do that, press the Windows key, type in "command", right-click the result and select "Run as administrator".
Type slmgr /ipk <ESU key> and select Enter. (Replace "<ESU key>" with the product key that was provided to you. Do not type the angle brackets <>.)
If the product key installed successfully, you will see a message like the following:
Next, find the ESU Activation ID:
In the elevated Command Prompt, type slmgr /dlv and select Enter.
Note the Activation ID as you will need it in the next step.
Now, you’ll activate the ESU product key:
Open an elevated Command Prompt.
Type slmgr /ato <ESU Activation Id> and press Enter. (Replace "<ESU Activation Id>" with the ID shown on your PC. Do not type the angle brackets <>.)
The following table outlines possible values for the <ESU Activation Id>:
ESU SKU (or Activation) ID
Windows 7 SP1 (Client)
Once you have activated the ESU product key, you can verify the status at any time by following these steps:
Open an elevated Command Prompt.
Type slmgr /dlv and select Enter.
Verify Licensed Status shows as Licensed for the corresponding ESU program, as shown below:
Note: We recommend using a management tool, such as System Center Configuration Manager, to send the slmgr scripts to your enterprise devices.
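The four steps above combined into one script that a management tool could push, as an added example (not from the original post or from Microsoft). It is written for PowerShell 2.0 as shipped with Windows 7 and assumes the ESU license entry can be recognized by "ESU" in its name; the EsuKey parameter and the Get-EsuLicense helper are hypothetical names.

```powershell
# Added example: install, activate and verify a Windows 7 ESU key in one pass.
# Run elevated on Windows 7 SP1. Syntax is kept PowerShell 2.0 compatible.
param(
    [Parameter(Mandatory = $true)]
    [string]$EsuKey   # hypothetical parameter: the ESU product key (MAK) for the year purchased
)

$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'

# Returns license entries that have a key installed and look like ESU add-ons.
# Assumption: the ESU entry's Name contains "ESU", as in the slmgr /dlv listing.
function Get-EsuLicense {
    Get-WmiObject -Class SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
        Where-Object { $_.Name -like '*ESU*' }
}

# Prerequisite named on this page: the SHA-2 update (KB4474419).
# This confirms the KB is present, not which revision of it is installed.
if (-not (Get-HotFix -Id 'KB4474419' -ErrorAction SilentlyContinue)) {
    throw 'KB4474419 (SHA-2 support) is not installed. Install it and restart first.'
}

# Step 1: install the ESU key (same as: slmgr /ipk <ESU key>).
cscript.exe //NoLogo $slmgr /ipk $EsuKey

# Step 2: read the Activation ID(s); WMI exposes it as the ID property.
$entries = @(Get-EsuLicense)
if ($entries.Count -eq 0) {
    throw 'No ESU license entry found after /ipk. Check the key and the prerequisites.'
}

# Step 3: activate every ESU entry found (same as: slmgr /ato <ESU Activation Id>),
# rather than assuming there is only one.
foreach ($entry in $entries) {
    cscript.exe //NoLogo $slmgr /ato $entry.ID
}

# Step 4: verify. LicenseStatus 1 means "Licensed".
$result = @(Get-EsuLicense | Select-Object Name, Description, ID, LicenseStatus)
$result | Format-List
$failed = @($result | Where-Object { $_.LicenseStatus -ne 1 })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) ESU license entry/entries are not in the Licensed state."
    exit 1
}
```

The key is passed on the command line, so it can appear in process and deployment logs; restrict access to those logs. A non-zero exit code lets the management tool flag devices where activation did not reach the Licensed state.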
Verifying your deployment on eligible Windows 7 SP1
Windows 7 SP1: Install the optional, non-security update outlined in KB4528069. Please note that the KB4528069 update has no actual security content. This update is a test package and we subsequently recommend that you deploy it in your test environment. Install this update on your on-premises devices that are eligible for ESU.
If you are interested in learning more about Extended Security Updates, please see the following resources:
1. Please run the verification instructions first and if it does not look right, please run the entire instruction set again.
2. When you run the elevated command prompt, make sure you right-clicked on the Command app and selected "run as administrator"
3. Also, it is not good enough to just run the automated windows update. Look for the install history and make sure all the needed patches were first installed successfully. Install them one at a time as needed.
4. If you are using a proxy firewall, you may need to whitelist the activation endpoints for ESU key activation to succeed.
5. If you have Windows 7 Pro OEM, note that there are two separate Activation IDs, one for the OEM_SLP channel and one for the VOLUME_MAK channel, and they both have to be activated.
6. OEM licensed users: If you keep getting a product key invalid error using slmgr, try the following.
Change the original activated product key in the Control Panel, under the computer's system information in the Windows activation section. This helps Windows reach the licensing servers.
Install the key and activate both OEM_SLP and VOLUME_MAK without any further steps using slmgr.