Managing Extended Security Updates for Windows 7 using Microsoft Endpoint Manager


Next month, on January 14, 2020, Microsoft ends the “extended support” for Windows 7 and will stop releasing security updates. At least if you don’t pay extra for it… Microsoft has an “Extended Security Updates” (ESU) program that can keep your Windows 7 clients secure for another 3 years.

Many enterprise customers have access to these updates as part of their Microsoft E5 licenses or volume licensing (VL). They just need to enable it.

This blog post explains how to set up the Extended Security Updates for Windows 7 if you use volume licensing (VL) to manage on-premises deployments of Windows 7.

In order to deploy the ESU, Microsoft provides an “extra” Multiple Activation Key (MAK) key in the VLSC. This MAK key is independent of the Windows 7 activation key and can work in parallel together with a KMS activation deployment.

To access the key within VLSC, the organization’s administrator can select Licenses > Relationship Summary > [Licensing ID] > Product Keys.



The following updates are required on the Windows 7 clients and the client should also be connected to the internet.

  • KB4519976 (Licensing Update – October)
  • KB4516655 (Servicing stack update)

Don’t worry too much about the specific updates. You might see other KB numbers as they get updated each month. Just make sure the Windows 7 clients are fully updated. The required updates should be deployed using Microsoft Endpoint Manager as required to all Windows 7 clients.


Deploying the MAK Key

To manually install the ESU Add-on product key, you should use the Windows Software Licensing Management Tool (slmgr). This is ok for testing on a few clients:

Run the following 3 commands:

1. cscript.exe slmgr.vbs /ipk <ESU Product Key Here>


2. cscript.exe slmgr.vbs /dlv


3. cscript.exe slmgr.vbs /ato <Activation ID Here>

If you have more than 10 clients, and don’t want to visit every single PC, you should consider using a script and automate the process. The following PowerShell script can be deployed using Microsoft Endpoint Manager:


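# Resolve the full path to slmgr.vbs so every call works regardless of the working directory
$Path = Get-Command slmgr.vbs | Select-Object -ExpandProperty Source
# Install the ESU MAK key (replace the placeholder with your key from the VLSC)
cscript.exe //Nologo $Path /ipk AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
# Read the detailed license information and extract the first Activation ID
$Data = cscript.exe //Nologo $Path /dlv
$Data = $Data | Select-String -Pattern "Activation ID: " | Select-Object -ExpandProperty Line
$Data = $Data -split ": " | Select-Object -First 1 -Skip 1
# Activate the ESU key using that Activation ID
cscript.exe //Nologo $Path /ato $Data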
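
To confirm after deployment that the ESU key is both installed and activated, the slmgr output can be parsed per license block instead of taking the first Activation ID. The following is an added example, not part of the original script; the function name, the sample output and the assumption that the ESU license has "ESU" in its Name field are illustrative.

```powershell
# Parse "slmgr.vbs /dlv" style output into one object per license block, so the
# ESU entry is selected by name instead of by position. Works on PowerShell 2.0.
function ConvertFrom-SlmgrDlv {
    param([string[]]$Lines)
    $blocks = @(); $current = $null
    foreach ($line in $Lines) {
        # Each license block starts with a "Name:" line
        if ($line -match '^\s*Name:\s*(.+)$') {
            if ($current) { $blocks += $current }
            $current = New-Object PSObject -Property @{
                Name = $Matches[1].Trim(); ActivationId = $null; LicenseStatus = $null
            }
        }
        elseif ($current -and $line -match '^\s*Activation ID:\s*(\S+)') {
            $current.ActivationId = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*License Status:\s*(.+)$') {
            $current.LicenseStatus = $Matches[1].Trim()
        }
    }
    if ($current) { $blocks += $current }
    return $blocks
}

# Constructed sample output (not captured from a real client); names and IDs are placeholders.
$sample = @(
    'Name: Windows(R) 7, Enterprise edition'
    'Activation ID: 00000000-0000-0000-0000-000000000001'
    'License Status: Licensed'
    ''
    'Name: Windows(R) 7, Client-ESU-Year1 add-on (constructed name)'
    'Activation ID: 00000000-0000-0000-0000-000000000002'
    'License Status: Unlicensed'
)

# On a real client, replace $sample with the live output:
#   $Path = Get-Command slmgr.vbs | Select-Object -ExpandProperty Source
#   $sample = cscript.exe //Nologo $Path /dlv all
# Assumption: the ESU add-on license has "ESU" in its Name field.
$esu = @(ConvertFrom-SlmgrDlv $sample | Where-Object { $_.Name -match 'ESU' })
if ($esu.Count -eq 0) { Write-Output 'ESU key not installed' }
foreach ($e in $esu) {
    $state = if ($e.LicenseStatus -eq 'Licensed') { 'ACTIVATED' } else { 'NOT ACTIVATED' }
    Write-Output ('{0} [{1}] -> {2}' -f $e.Name, $e.ActivationId, $state)
}
```

Clients that report the key as missing or not activated will not be offered updates after the end-of-support date, so the result is worth collecting centrally before January 14, 2020.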


Microsoft has released an update that will help customers verify whether clients are ready to get the Extended Security Updates (ESUs) after the end of support date of January 14, 2020.

This update has no actual security content. This update is a test package we recommend that you deploy in your test environment. Install this update on your on-premises devices that are eligible for ESU.

Before adding the MAK key, no clients need the update:


But if you scan a client with the required updates and the MAK key activated, the client should now be ready to get security updates after January 2020.


That’s it… Happy patching


About Author

My name is Ronni Pedersen and I'm currently working as a Cloud Architect at APENTO in Denmark. My primary focus is Enterprise Client Management solutions, based on technologies like AzureAD, Intune, EMS and System Center Configuration Manager. I'm also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility.
