Does your environment still have out-of-support operating systems like Windows 7 or Windows Server 2008? If yes, then one of the ways to keep supporting them with Security Updates is through the Extended Security Updates (ESU) program. This program kicks in after the Extended Support for an OS is over, and unlike Extended Support, the ESU program only deals with the support for Security Updates.
ESU is a yearly license that you need to renew (for a max of 3* years) if you want to keep getting security updates. For example, I activate the Year 1 license. By the time that license expires, if I still have not migrated all my old devices to a newer OS, I will need to purchase the Year 2 license. Otherwise, I’ll lose the support for Security Updates. This post is going to help you in installing and activating your ESU license.
If you want to know more about ESU and the lifecycle details for your OS, I would suggest you to go through the following pages:
Product Lifecycle FAQ – Extended Security Updates | Microsoft Docs
Search Product and Services Lifecycle Information – Microsoft Lifecycle | Microsoft Docs
Problem
So if you don’t install and activate the ESU license, what exactly is going to happen?
The following things can happen:
Fatal Errors
While trying to install updates manually, they will fail with the dreaded 0x80070643 error code that translates into a generic “Fatal Error”. And digging deeper will lead to the following result.
No Updates
If you’re using MEMCM to deploy the updates, they are not even going to show up in the Software Center.
Inventory
How do you get the info about all the devices that do require ESU or those that already got the license? We have a few methods :
1. Collection
Limit this collection to your custom collection that only contains windows 7 and Server 2008 machines. The value inside the Value section is going to change depending on what Year license you’re trying to look for:
Server 2008 SP2 and Server 2008 R2 SP1
No License – 00000000-0000-0000-0000-000000000000
Year 1 – 553673ed-6ddf-419c-a153-b760283472fd
Year 2 – 04fa0286-fa74-401e-bbe9-fbfbb158010d
Year 3 – 16c08c85-0c8b-4009-9b2b-f1f7319e45f9
Windows 7
No License – 00000000-0000-0000-0000-000000000000
Year 1 – 77db037b-95c3-48d7-a3ab-a9c6d41093e0
Year 2 – 0e00c25d-8795-4fb7-9572-3803d91b6880
Year 3 – 4220f546-f522-46df-8202-4d07afd26454
2. SQL
Another way to get the details is directly querying the database.
SELECT vrs.Netbios_Name0 AS 'Server',vrs.ESUValue
FROM v_R_System AS vrs
JOIN v_FullCollectionMembership AS cm ON cm.ResourceID=vrs.ResourceID
WHERE cm.CollectionID='CollectionID'
--and vrs.ESUValue=''
--Collection ID of the custom collection that contains Server 2008 or Windows 7 machines
Solution
In simplest terms, this is just a two-step process involving the following commands:
- License Installation – slmgr /ipk <ESU Product Key>
- License Activation – slmgr /ato <ESU Activation Key>
ESU Product Key is what you’ll purchase from Microsoft. ESU Activation Key is ESU Year GUID that we discussed in the previous section.
But the solution here will depend on whether it’s the first time you’re trying to activate the license, or you have done it before and reactivating the next years’ license.
Scenario 1 – First Time
In this case, you will have to be mindful of the pre-requisite updates that need to be installed. If they’re already present, you’re good to go. If not, then you’re in for a real treat as these updates require a mandatory reboot. Good luck trying to get the servers rebooted. 🙂
As of writing, these are the pre-requisite updates for Server 2008 R2 SP1 and Server 2008 SP2.
| Server 2008 R2 SP1 | Server 2008 SP2 |
| KB4474419 | KB4474419 |
| KB4490628 | KB4493730 |
| KB4580970 | KB5010452 |
| KB4575903 | KB4575904 |
I tackled this situation by creating packages for these updates and bundling them into a Task Sequence. Once you have installed the pre-requisites and rebooted the machines, you can move on to the Configuration Baseline step ahead.
Scenario 2 – Reactivation
As I mentioned previously, you may have to renew your license every year. So if you already have a previous years’ license installed and activated, you’re in luck. The Configuration Baseline is all you need.
Configuration Item and Baseline
Create a Configuration Item with Setting type as Script and Data type as String
The details for the Discovery script and the Remediation script can be found below. Don’t forget to replace the values for Product Key and Activation Key.
Discovery Script
Here, we are checking for the ESU key that is currently installed by querying WMI. If the key is not present, the result is going to be False.
Dim objWMIService, colItems, strComputer
strComputer = "."
Set objWMIService = GetObject("winmgmts:\" & strComputer & "\root\ccm\invagt")
Set colItems = objWMIService.ExecQuery(_
"SELECT ESUValue FROM CCM_ESUValue")
For Each item in colItems
if item.ESUValue = "<ESU Activation Key>" Then
WScript.Echo("True")
WSCript.Quit
Else
WScript.Echo("False")
End If
Next
WSCript.Quit
Remediation Script
Here we are just running the installation and activation commands mentioned previously and initiating the Hardware Inventory scan post that. That’s an optional step.
Set oShell = CreateObject ("WScript.Shell")
oShell.run "cscript C:\Windows\System32\slmgr.vbs /ipk <ESU Product Key>",1,True
oShell.run "cscript C:\Windows\System32\slmgr.vbs /ato <ESU Activation Key> ",1,True
oShell.run "WMIC /namespace:\root\ccm path sms_client CALL TriggerSchedule '{00000000-0000-0000-0000-000000000001}' /NOINTERACTIVE ",1,True
For Compliance Rules, keep the following settings:
The remediation script should run if the discovery script is returning the value of False (a.k.a. the key is not present)
After creating the Configuration Item, you’ll need to create a Configuration Baseline. For the Configuration Baseline deployment, don’t forget to check these checkboxes:
If you want to verify whether it worked or not, you can run the following command:
slmgr /dlv <ESU Activation Key>
Caveats
A few caveats that I would like to mention:
- You need to have your OS on the latest Service pack. For Windows Server 2008 and 2008 R2, the Build number should be one of 6002, 6003 and 7601.
- For Windows Server 2008 SP2, the pre-requisite binaries are different for x86 and x64 platforms.
- If the installation command works, but activation command is failing, it is most likely a firewall issue. ESU activation requires the following URL’s to be accessible:
https://activation.sls.microsoft.com/slspc/SLActivate.asmx
https://activation.sls.microsoft.com/slrac/SLCertify.asmx
https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx
https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx
