Managing Extended Security Updates for Windows 7 using Microsoft Endpoint Manager


Next month, on January 14, 2020, Microsoft ends the “extended support” for Windows 7 and they will stop releasing security updates. At least if you don’t pay extra for it… Microsoft has an “Extended Security Updates” (ESU) program that can keep you Windows 7 clients secure for another 3 years.

Many enterprise customers have access to these updates as part of their Microsoft E5 licenses or volume licensing (VL). They just need to enable it.

This blog post will explain how setup the Extended Security Updates for Windows 7, if using volume licensing (VL) to manage on-premises deployments of Windows 7.

In order to deploy the ESU, Microsoft provides an “extra” Multiple Activation Key (MAK) key in the VLSC. This MAK key is independent of the Windows 7 activation key and can work in parallel together with a KMS activation deployment.

To access the key within VLSC, the organization’s administrator can select Licenses > Relationship Summary > [Licensing ID] > Product Keys.



The following updates are required on the Windows 7 clients and the client should also be connected to the internet.

  • KB4519976 (Licensing Update – October)
  • KB4516655 (Servicing stack update)

Don’t worry too much about the specific updates. You might see other KB numbers as they get updated each month. Just make sure the Windows 7 clients are fully updated. The required updates should be deploy using Microsoft Endpoint Manager as required to all Windows 7 clients.


Deploying the MAK Key

To manually install the ESU Add-on product key, you should use the Windows Software Licensing Management Tool (slmgr). This is ok for testing on a few clients:

Run the following 3 commands:

1. cscript.exe slmgr.vbs /ipk <ESU Product Key Here>


2. cscript.exe slmgr.vbs /dlv ()


3. cscript.exe slmgr.vbs /ato <Activation ID Here>

If you have more than 10 clients, and don’t want to visit every single PC, you should consider using a script and automate the process. The following PowerShell script can be deployed using Microsoft Endpoint Manager:


cscript.exe slmgr.vbs /ipk AAAAA-BBBBB-CCCCC-DDDDD-EEEEE 
$Path = Get-Command slmgr.vbs | Select-Object -ExpandProperty Source 
$Data = cscript.exe //Nologo $Path /dlv
$Data = $Data | select-string -Pattern “Activation ID: “| select -expand line 
$Data=$Data -split “: ” | select -first 1 -skip 1
cscript.exe //Nologo $Path /ato $Data


Microsoft has released an update that will help customer verify if clients are ready to get the Extended Security Updates (ESUs) after the end of support date of January 14, 2020.

This update has no actual security content. This update is a test package we recommend that you deploy in your test environment. Install this update on your on-premise devices that are eligible for ESU.

Before adding the MAK key, no clients need the update:


But if you scan a client with the required updates and the MAK key activated, the client should now be ready to get security updates after January 2020.


That’s it… Happy patching


About Author

My name is Ronni Pedersen and I'm currently working as a Cloud Architect at APENTO in Denmark. My primary focus is Enterprise Client Management solutions, based on technologies like AzureAD, Intune, EMS and System Center Configuration Manager. I'm is also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility.


  1. Thanks for this post. This will be a lifesaver if we can get it to work. We support multiple environments which would take forever to run this manually on each system. I tried the script on a patched Windows 7 system. The first powershell command worked find but the following returned the error below. I confirmed that I was calling the command while in the C:\windows\system32 folder where the slmgr.vbs script reside.

    $Path = Get-Command slmgr.vbs | Select-Object -ExpandProperty Source

    Select-Object : Property “Source” cannot be found.

    • I had the same issue. I think it may be a powershell version issue of Get-Command. It does not have the “Source” Property. I fixed it by hard coding a variable instead of querying it for the path. Hope that helps.

      cscript.exe slmgr.vbs /ipk AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
      $Path = “C:\WINDOWS\system32\slmgr.vbs”
      $Data = cscript.exe //Nologo $Path /dlv
      $Data = $Data | select-string -Pattern “Activation ID: “| select -expand line
      $Data=$Data -split “: ” | select -first 1 -skip 1
      cscript.exe //Nologo $Path /ato $Data

  2. Thank you for your blog post on ESU. Do you know if there’s any other fingeringprinting done to determine which machines already have the ESU license installed? (i.e. registry, file, etc.)

  3. John Philipson on

    Hi Ronni, How are the updates actually deployed to the ESU enabled clients – do they have to have direct access to the Internet or can the be downloaded and deployed through WSUS ?

  4. This is the best article out right now that explains the process, thank you!

    Added to your script for validation:
    $Path = Get-Command slmgr.vbs | Select-Object -ExpandProperty Source
    cscript.exe //Nologo $Path /ipk AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
    $Data = cscript.exe //Nologo $Path /dlv
    $Data = $Data | select-string -Pattern “Activation ID: “| select -expand line
    $Data=$Data -split “: ” | select -first 1 -skip 1
    cscript.exe //Nologo $Path /ato $Data
    $Validation = cscript.exe //Nologo $Path /dlv
    $Validation = $Validation | select-string -Pattern “License Status: “| select -expand line
    $Validation = $Validation -split “: ” | select -first 1 -skip 1
    If ($Validation -eq “Licensed”){
    Else {

Leave A Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.