Verify if Windows 7 can get Extended Security Updates

Here is the list of minimum requirements and installation steps to verify for ESUs. If you have a Windows 7 VM hosted on Azure, you will receive free ESU updates. If the KB update is unsuccessful, follow the troubleshooting methods.

1] Minimum OS Requirement

The first criterion to get the ESUs is that you should have updated your copy to Windows 7 Service Pack 1 (SP1) and Server 2008 R2 SP1 or Windows Server 2008.

2] SHA-2, Servicing Stack update, and monthly rollups

Next, you need to install the SHA-2 code signing support update, the servicing stack update, and the monthly rollups. Here are the details offered by Microsoft:

3] Activation using the ESU key

Once you have them, you can install and activate your Windows using the ESU key, which you have received from your Cloud Solution Provider or Microsoft 365 Admin Center. These are MAK keys, and you will need them to receive the security updates for the whole year. Follow these three steps to activate and verify the status of your ESU key, though Microsoft suggests using System Center Configuration Manager to send scripts to your enterprise devices. All of these should be performed in an elevated Command Prompt. We will use SLMGR to activate and verify.

Find the ESU Activation ID

Type slmgr /ipk <ESU key> and select Enter. If the product key installed successfully, you will see a message: Installed product key successfully.

Activate the ESU product key

Type slmgr /dlv, and select Enter. Note the ESU Activation ID. Type slmgr /ato <ESU Activation ID> and press Enter.

Verify the status 

Type slmgr /dlv and select Enter. Verify that Licensed Status shows as Licensed for the corresponding ESU program.

You will have to repeat this process every year. You will get a new MAK key every year, which should be activated to keep getting the ESU updates. Since your copy of Windows is already activated, you might wonder if the second key overwrites it. That is not the case. The ESU MAK key will be installed side-by-side with the other activation key and will not affect it.

4] Installing KB updates for final verification

After the activation is successful, you need to install KB4528069 for Windows 7 SP1 and Windows Server 2008 R2 SP1. If you are doing this on Windows Server 2008, then install KB4528069. You can get this update from Microsoft Update Catalog or Windows Server Update Services (WSUS). It is a non-security update that is not available from Windows Update or Microsoft Update. It will help you verify whether you are set to get Extended Security Updates (ESUs).

If the computer cannot connect online, then you need to follow a different method. The first step is to download and install KB4519972 via USB or any other means. Then you need to use the Volume Activation Management Tool (VAMT) to perform proxy activation. You will need to download and install the Volume Activation Management Tool, update the configuration file, configure the client firewall settings for VAMT, and then add the ESU product key to VAMT.

ESU updates will always look for the MAK key, and if it is missing, you will not receive the updates. Since MAK keys are one-time keys, make sure to have a clear discussion of how you will manage if the machine needs a reinstall.
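
A read-only check covering steps 1, 3 and 4 above, as an added example that is not part of the original article or Microsoft's guidance. It assumes PowerShell 2.0 or later on the machine being checked and that the ESU add-on license carries "ESU" in its name.

```powershell
# Added example: read-only ESU readiness check for the local machine.
# Uses only cmdlets available in PowerShell 2.0 (the Windows 7 default).

# Step 1: OS version and service pack level.
$os = Get-WmiObject -Class Win32_OperatingSystem
$osOk = ($os.Version -like '6.1.*' -and $os.ServicePackMajorVersion -ge 1) -or
        ($os.Version -like '6.0.*')   # 6.0 = Windows Server 2008

# Step 3: licenses with a key installed, from the WMI class slmgr.vbs reads.
# Assumption: the ESU add-on license has "ESU" in its Name.
$statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace';
                  4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
$esu = @(Get-WmiObject -Query ('SELECT ID, Name, LicenseStatus FROM ' +
        'SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL') |
    Where-Object { $_.Name -like '*ESU*' })
$esuLicensed = @($esu | Where-Object { $_.LicenseStatus -eq 1 })

# Step 4: the verification update named in the article.
$kb = Get-HotFix -Id 'KB4528069' -ErrorAction SilentlyContinue

# One line per ESU license found, so an expired or unactivated key is visible.
foreach ($lic in $esu) {
    '{0}  {1}  {2}' -f $lic.ID, $statusNames[[int]$lic.LicenseStatus], $lic.Name
}

$result = New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    OsVersion     = $os.Version
    ServicePack   = $os.ServicePackMajorVersion
    OsRequirement = $osOk
    EsuKeysFound  = $esu.Count
    EsuLicensed   = ($esuLicensed.Count -gt 0)
    KB4528069     = [bool]$kb
}
$result

# Non-zero exit code lets a management tool flag machines that need attention.
if (-not ($osOk -and $result.EsuLicensed -and $result.KB4528069)) { exit 1 }
```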

Troubleshooting Extended Security Updates (ESUs) Issues

Microsoft is also supporting the Embedded, POS Ready, Enterprise, Standard, Datacenter, Web, and Workgroup versions of Windows 7 and Windows 2008. You should consider upgrading Windows 7 to Windows 10, as otherwise it will be difficult to secure Windows 7 after End Of Support. There are risks involved in staying with Windows 7 after End Of Life!