This article describes the frequently asked questions about the extended security updates for Windows 7.
This article is intended for use by IT professionals. If you're looking for information for home users, see Windows 7 support ended on January 14, 2020.
Applies to: Windows 7 Service Pack 1
Original KB number: 4527878
Windows 7 Extended Security Updates (ESU) include security updates for critical and important issues as defined by Microsoft Security Response Center (MSRC) for a maximum of three years after January 14, 2020. After January 14, 2020, if your PC is running Windows 7, and you haven't purchased Extended Security Updates, the computer will no longer receive security updates.
Note
There won't be an ESU offering or an extension of support for Office 2010.
ESU is available for Windows 7 Professional and Windows 7 Enterprise.
ESU has been available in the Volume Licensing Service Center (VLSC) since April 1, 2019, and from Cloud Solution Providers (CSPs) since Monday, December 2, 2019.
The process for purchasing and installing ESU in Year 2 is identical to the process for Year 1. For more information, see Year two of Extended Security Updates for Windows 7 and Windows Server 2008.
To obtain Windows 7 ESU for Windows 7 Embedded products, you have to have an Ecosystem Partner Servicing Offering (EPSO) support contract. You can't purchase Embedded ESU through Volume Licensing. Extended Support end dates for Windows 7 Embedded vary by edition. For more information, go to the following websites:
Direct requests for ESU for Windows Server 2008 R2 for Embedded Systems and SQL Server 2008 R2 for Embedded Systems to the original manufacturer (OEM) of the device.
Organizations can purchase ESU at any time during the three years that the offer is available (2020, 2021, and 2022). If an organization waits and purchases ESU for the first time in year two or year three, they'll also have to pay for the preceding years. It's because the security updates that are offered under the ESU program are cumulative.
Although organizations can purchase ESU at any time, they won't have received bug fixes or security updates since January 14, 2020 without ESU. Additionally, Microsoft Support no longer provides any form of support for these customers.
If an organization waits and purchases ESU for the first time in Year 2 or Year 3, do they have to purchase licenses for the preceding year(s) as well?
Yes. Because the updates are cumulative, organizations must pay for the preceding years if they purchase Windows 7 ESU for the first time in year two or year three. That is, customers must have purchased coverage for year 1 of ESU in order to buy year 2, and coverage for year 2 in order to buy year 3. Customers may buy coverage for previous years at the same time they buy coverage for a current period. It's unnecessary to buy a certain period of coverage within that coverage period.
CSP Partners can find Windows 7 ESU offerings in the Partner Center purchase experience, on the subscription software price list under Software. For specific instructions to purchase ESU through Partner Center, see Purchasing Windows 7 ESU through a Cloud Solution Provider.
If a customer purchases Windows 7 ESU 2021 through CSP and changes their mind about the ESU purchase, are there any limitations on returns?
Yes. Windows 7 ESU 2021 returns through CSP can only be processed after the Year 2 coverage period starts on January 13, 2021. After January 13, 2021, CSP partners can request refunds for ESU purchases.
Customers who own Windows 7 for Education (EDU) can purchase the commercial ESU offering from CSPs.
VL customers: Contact your Account Team CE for pricing and ordering information that is tailored to specific customer scenarios.
Customers who are interested in purchasing Windows 7 ESU in CSP should reach out to a CSP partner. You can find a qualified partner at this site.
The "Windows 7 Extended Security Updates 2020" SKU is available on the CSP price list.
No. Windows 7 ESU will be made available as a separate SKU for each of the years in which it's offered (2020, 2021, and 2022). To continue ESU coverage, customers will have to separately purchase the SKU for each year.
Additional, in order to install Year two SKU, customers must purchase the Year one SKU. Installation and activation of the Year one SKU is not required.
- Windows 7 Extended Security Updates 2020: January 14, 2020 - January 12, 2021
- Windows 7 Extended Security Updates 2021: January 13, 2021 - January 11, 2022
- Windows 7 Extended Security Updates 2022: January 12, 2022 - January 10, 2023
For more information, see Lifecycle FAQ-Extended Security Updates.
No. There are no minimum purchase requirements for Windows 7 ESU.
No. However, VL customers who have subscription licenses for Windows Enterprise SA or Windows Enterprise E3 receive advantageous pricing.
Are there any plans to release a separate Windows 7 ESU SKU for CSP customers who have active Software Assurance?
No.
ESU is licensed per device. For traditional on-premises or dedicated Virtual Desktop Infrastructure (VDI), each endpoint that accesses a VM that runs Windows 7 ESU must have an ESU license. In other words, it's not the VMs that must be counted, but the terminals. If the customer moves to Azure Virtual Desktop (AVD), ESU is covered for no extra cost for the full three-year coverage period.
No. ESU is available to purchase only through VL and CSP.
No. ESU is out-of-scope for MPSA.
I purchased Windows 7 ESU and this purchase isn't on the invoice for the same calendar month. Why dose it happen?
If you purchase Windows 7 ESU before the monthly invoice generation date, the purchase will be shown on the previous month's invoice. It won't be shown on the current calendar month's invoice.
For example, in March, if CSP purchased ESU before March 6, the purchase would show on February's invoice.
Windows XP and Windows Vista support has already ended, and no further support is available. Customers are encouraged to move to Windows 10 to take advantage of the latest in security and reliability.
Yes. Windows 7 ESU will include support for the .NET Framework 4.5.2-4.8 releases (as of January 2020) and .NET Framework 3.5 Service Pack 1 (SP1). .NET Framework 4.5.2, 4.6, and 4.6.1 will reach end of support on April 26, 2022. After this date, Windows 7 ESU will include .NET Framework 4.6.2 through 4.8 and .NET Framework 3.5 SP1 only.
Yes, there's an ESU program specifically for embedded devices. For more information, see ESU for Windows 7 Embedded.
Yes.
ESU for Windows 7 VMs on Azure is delivered by using the same methods as for on-premises clients. For more information, see the ESU deployment section in this article.
Microsoft Security Essentials (MSE) will continue to receive signature updates after January 14, 2020. However, the MSE platform will no longer be updated. Learn more about MSE.
SCEP definition and engine updates will continue for Windows 7 regardless of ESU status, according to the respective lifecycle policy for the listed SCEP versions.
- All in-support versions of SCEP offer anti-spyware and anti-virus updates on version 4.10.209.
- SCEP Current Branch will be the only EndPoint Protection product that will offer AV updates (until January 2023) after the 2012 version reaches its end of support in July 2022.
No. Customers that purchase directly from Microsoft (for example, VL customers or CSP direct Partners) can use an active support contract, such as Software Assurance or Premier or Unified Support, to request assistance for Windows 7. Partners can also use their Partner Support Plans to request assistance for Windows 7.
Technical support for ESU is limited to the following issues:
- Deployment and installation of ESU keys and/or ESU updates.
- Servicing requests for code flaws as the result of the update.
Note
No other support services will be provided.
Can customers get technical support on-premises for Windows 7 after the end-of-support date if they do not purchase ESU?
No. If customers have Windows 7 and don't purchase ESU, they can't log support tickets for Windows 7, even if they have support plans.
Can an organization that purchases ESU use its Unified or Premier Support agreements to submit support incidents?
Yes. Organizations that use VL to purchase ESU can submit support incidents by using any Microsoft Support offering, including Unified and Premier Support.
Can customers use their Premier/Unified contracts to contact support if they have purchased ESU from a CSP Partner?
No. CSP customers should use their partners for technical support or purchase a pay-per-incident plan through Microsoft Professional support.
Yes. CSP direct Partners can use their existing Partner Support plans to request assistance for Windows 7 ESU if the customer has purchased ESU. Resellers should work together with their CSP indirect Partners to request assistance for Windows 7 questions regarding devices that are covered by ESU.
To locate your Tenant ID, sign in to admin.microsoft.com
by using your organization administrator account. In the upper-left corner of the portal, select the app-launcher icon, and then select Admin. If you don't see the Admin tile, you don't have the correct permissions to access the admin center for your organization. Typically, your organization's network administrator or IT administrator have these permissions.
How are ESU customers entitled for support? Can they submit tickets online by using Microsoft Support or Services Hub?
All ESU customers must call Microsoft Support in order to place a request for a technical support incident. Premier and Unified customers can find the correct number to call within Services Hub. Non-Premier and Unified customers can find the correct number to call on the Global Customer Service phone numbers page.
We continue to work to fully automate the validation process. If a customer purchased ESU as part of their Enterprise Agreement, an agent can verify the purchase by asking for the customer's Enterprise Agreement number or for the full customer name. To locate their Agreement Number, a customer can sign in to Volume License Service Center, and go to Licenses > License Summary. Typically, the License Summary displays recently purchased licenses within 24 hours after Microsoft receives a customer order from a Microsoft Partner.
What type of response should customers expect if they encounter an issue that requires a new feature?
No new product enhancements will be made for Windows 7. ESU helps keep Windows 7 devices secure for a limited time, and assist customers during the transition to a supported version of Windows. If an investigation into a customer issue determines that a product enhancement in a recent release (such as Windows 10) resolves the issue, Microsoft Support will recommend that the customers upgrade to the most recent release.
After customers purchase ESU, will Microsoft help troubleshoot issues that aren't related to an extended security update?
Because Windows 7 support has ended, Microsoft is committed to helping customers upgrade to a supported version of Windows or migrate to the cloud. We'll provide best-effort support to troubleshoot issues for customers who purchase Windows 7 ESU.
What type of response should customers expect when they request support for a product that is covered by ESU?
For VL customers and CSP direct partners who have Premier Support plans, the expectations are as follows.
Yes. Internet Explorer 11 will receive security updates as necessary through Windows 7 ESU.
Security updates for Windows 7 will be released to ESU customers on the second Tuesday of every month. If there are no Critical or Important updates for Windows 7 in any given month (as prescribed by the Microsoft Security Response Center), there will be no ESU updates in that update cycle. If an off-cycle security update is considered necessary, Windows 7 ESU customers will receive the update outside the regular monthly cadence.
No. There's no advance notification of security updates for Windows 7 ESU at this time. However, you can view details of past updates at Windows 7 SP1 and Windows Server 2008 R2 SP1 update history.
A full list of updates to Windows 7 SP1, including ESU updates, is available at Windows 7 SP1 and Windows Server 2008 R2 SP1 update history.
Yes. Before a customer deploys ESU, they should read Obtaining Extended Security Updates for eligible Windows devices. That post provides detailed explanations of all prerequisites and detailed instructions for deployment.
For instructions to install and activate the Windows 7 ESU Multiple Activation Key (MAK), and more information about purchasing, see Obtaining Extended Security Updates for eligible Windows devices.
For more information about how to install and activate Windows 7 ESU MAK keys on multiple devices in an on-premises Active Directory domain, see the following article:
Activate Windows 7 ESUs on multiple devices with a MAK.
Note
Installing MAK keys adds the ability to receive ESU. It doesn't replace the current product activation key (for example, OEM, KMS), nor does it reactivate the system. Organizations will have to install a new MAK key for every year that they deploy ESU.
No. Nothing needs to be done to the Year 1 key to install the Year 2 key. The installation process for Year 2 is identical to Year 1 (see previous question, above).
Can Windows 7 ESU Year 1 updates be applied to a device after January 12, 2021 if the Year 1 key is installed on the device?
Yes, updates can be installed at any time. That allows you to maintain your existing patch rollout process when the Year 1 key is installed and activated on a device. The same applies for Year 2 and Year 3. For more information, see What are the coverage dates for the three Windows 7 ESU SKUs.
The Extended Security Updates (ESU) License Preparation Packages (Extended Security Updates (ESU) Licensing Preparation Package for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2008 SP2) address activation experience requirements that we identified while testing and evaluating by using a large population of preview customers. We introduced the ESU License Preparation Packages on February 11, 2020 to:
- provide a consistent user experience going forward
- minimize the number of package installations
- reduce overall customer disruption
An organization that uses volume licensing (VL) to manage on-premises deployments can use VL to deploy ESU to the covered devices. When an organization purchases Windows 7 ESU, Microsoft provides a MAK key in the VLSC. This MAK key is independent of the Windows 7 activation key and won't interfere with the existing Key Management Server (KMS) operating system activation deployment.
Administrators can access the key within VLSC by selecting Licenses > Relationship Summary > [Licensing ID] > Product Keys.
Note
In this path, [Licensing ID] refers to the licensing ID of the organization.
The product key list will include the ESU key, which is named Windows 7 Ext Security Year 1 MAK. Organizations can deploy the new MAK key and any prerequisite servicing stack updates to the applicable devices, then continue their typical update and servicing strategy to deploy ESU by using Windows Update, Windows Server Update Services (WSUS), or whatever update management solution the organization prefers. It is also the process that organizations have to follow to update Azure Stack. For more information about how to use MAK for VL customers, see the VLSC Product Keys FAQ.
Yes. Organizations have to purchase, install, and activate new keys for each of the three years.
The yearly ESU MAK keys don't expire. However, they don't enable the device to install updates beyond their designated time frame. For example, a device with only a Year 1 ESU MAK key can continue to install updates made available during Year 1 even after the Year 1 time frame ends. But it won't receive any further updates in Year 2.
If an organization has to reinstall Windows 7, how will the additional activation of ESU be managed?
- Organizations that purchase ESU through a Partner should go to the Partner to receive additional activations.
- Organizations that purchased ESU through VLSC should open a VLSC support case to make this request.
ESU is delivered through all the usual update delivery channels, including:
- Configuration Manager (current branch, version 1910 or later)
- Windows Update (WU)
- Windows Server Update Service (WSUS)
- Microsoft Update Catalog
The update is programmed to look for the MAK activation on the endpoint, and will install only on those systems together with the MAK key. Learn more about Extended Security Updates and Configuration Manager.
Note
The ESU License Preparation Packages (Extended Security Updates (ESU) Licensing Preparation Package for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2008 SP2) are available through all of the previously mentioned channels except Windows Update.
No. The ESU for Windows 7 and Windows Server 2008 require online servicing (using audit mode to modify images).
ESU updates aren't supported in offline servicing mode. Applying ESU in offline servicing mode generates an error, and updates fail.
Customers can determine the remaining activations on an MAK key by using the Volume Activation Management Tool (VAMT):
- Start the VAMT.
- In the navigation pane, select the Product Keys node.
- In the center pane, find the "ESU Add-on MAK" key. The remaining activation count is displayed in the Remaining Activation Count column.
Yes.
If VAMT is run on a virtual client for Windows 7 ESU deployment, does the VAMT host VM have to remain running after activating all the Windows 7 clients, or can it be decommissioned?
The VAMT host VM can be decommissioned after it activates all the Windows 7 ESU clients.
Yes. The number of activations that are available will depend on the number of licenses that the customer has purchased and also the terms of that customer's specific licensing agreement.
The number of activations shown in VLSC is less than the number that our organization purchased. How can I request the correct number?
- On the VLSC home page, select Contact Us.
- Select your region, and then select Support Web Form in the Contact Info section.
- In the form, fill out the required information.
If an organization needs additional activations of ESU (for example, if they have to reinstall Windows 7 or reimage a device), how will those additional activations be managed?
Organizations that purchase ESU through volume licensing should request additional activations through the VLSC:
- On the VLSC home page, select Contact Us.
- Select your region, and then select Support Web Form in the Contact Info section.
- In the form, complete the required information.
Most organizations that purchase ESU through CSP shouldn't have to request additional activations. For exceptional scenarios in which additional activations are required, Partners should use Partner Center to open a support request.
Yes. For detailed instructions, see Obtaining Extended Security Updates for eligible Windows devices.
Yes, there is an ESU program specifically for embedded devices. This program includes:
The ESU for Windows 7 Embedded also includes Windows Server 2008 R2 for Embedded Systems and Microsoft SQL Server 2008 R2 for Embedded Systems. Direct all embedded ESU requests to the original equipment manufacturer (OEM) of the device.
Contact your OEM for all Windows 7 Embedded ESU questions.
Windows Embedded Standard 7 is an embedded-only OS and is exclusively available from OEMs.
Contact your OEM for ESU pricing.
Will my customer’s devices running Windows Embedded Standard 7 be unprotected after October 13, 2020?
When security updates are available, Microsoft releases these monthly – on the second Tuesday of each month. If there are no critical or important updates released between October 14, 2020 and November 9, 2020, those devices will have the most current security updates from Microsoft. However, when the November 10, 2020 security updates are released, devices running WES will be unprotected and a security risk.
Visit by the Microsoft Security Response Center (MSRC) for more information on security update ratings: https://aka.ms/msrc_ratings.