Windows 7 Extended Security Updates Confusion: A Microsoft CSP Explains

Microsoft Cloud Solution Provider (CSP) MessageOps recently tried to answer some of the most pressing questions facing organizations concerning the Windows 7 Extended Security Updates (ESUs) program.

Microsoft will stop issuing free patches for the Windows 7 operating system on Jan. 14, 2020, which is the end-of-support date for that OS. However, Microsoft's ESU program offers a way to extend the delivery of "Critical" and "Important" Windows 7 patches for organizations having trouble moving off Windows 7. It's done by buying ESU keys -- that is, organizations get a so-called "multiple activation key" (MAK) that will work with a Key Management Service (KMS). This key is used to update the license and continue to get security patches.

The ESU program permits patch extensions for a maximum of three years, but organizations must renew each year, and the cost doubles each year. Originally, the ESU program kicked off on April 1 just for volume licensing customers, but Microsoft later dropped the volume licensing requirement. In addition, Windows 7 ESU sales by Microsoft's CSP partners began on Dec. 1 (later changed to Dec. 2), opening up ESU purchases to organizations of all sizes.

Microsoft directs volume licensing customers to their "Account Team CE" to get Windows 7 ESU keys, while other organizations "should reach out to a CSP partner" at this site, according to Microsoft's Windows 7 ESU FAQ.

Buying ESUs
Various reports have suggested that it's actually somewhat difficult to buy ESUs, especially for smaller organizations. For instance, one attempt to locate CSPs willing to sell ESUs in Germany found just one partner offering them, according to this Born's Tech and Windows World post. An attempt to locate CSPs willing to sell ESUs in Northern California by Susan Bradley, a Microsoft Most Valuable Professional supporting small businesses, found few local vendors offering ESUs. Bradley had used the recommended approach of searching Microsoft's CSP partner portal.

"Most of those vendors are probably not interested in handling one or a few Win7 ESU purchases," Bradley wrote. "They're typically geared toward large businesses."

One CSP that's not shy about selling Windows 7 ESUs, even to smaller organizations, is MessageOps. It's a wholly owned subsidiary of Champion Solutions Group, based in Boca Raton, Fla., and serves as the cloud division for the group, offering Azure and Office 365 services support, including ESUs for Windows 7.

"As of today, we've migrated north of 8 million accounts up into Office 365, you name the flavor," explained Jim Canfield, director of online services at MessageOps, in a Tuesday phone call.

Does Size Matter?
Canfield answered some Windows 7 ESU questions, including whether organizational size matters in buying them. He described having one customer with 750 Windows 7 devices that recently purchased ESUs. Another client with 250 seats had just one Windows 7 PC that it couldn't move, "so we put in an order for one ESU," he said.

"You name the size, we'll handle it if we can," Canfield said. "It's pretty straightforward. The only thing that's unique at all [about the ESUs] is that it's for one year -- they have to pay a year in advance."

He also clarified that there's no partial-year reimbursement if an organization stops needing ESU support partway through the year.

ESU Price Increase
Microsoft actually increased the costs for ESUs after it launched the program.

"It was interesting because on December first they came out at fifty bucks a user a year, and they raised the price 10 days later to $62," Canfield said. One of MessageOps' customers didn't act quickly enough and got stuck with the extra costs, he added.

The old $50 per device price for Windows 7 ESUs had been previously disclosed by veteran Microsoft reporter Mary Jo Foley in this ZDNet article.

Organizations need to be using the Windows 7 Pro edition or higher editions to qualify to use an ESU, Canfield noted. That rule of thumb also appears to include the Windows 7 Ultimate edition. For instance, Bradley recently noted in a blog post that the Ultimate edition qualifies under the Windows 7 ESU program.

There's a misimpression that buying a Windows 7 ESU requires having an Enterprise Agreement with Microsoft. When asked if it was required, Canfield said, "No."

Keys and Annual Renewals
Organizations buy a MAK key from a CSP as part of the ESU program.

"There's a Microsoft MAK key that's issued through the ESU," Canfield explained. "The ESU key is then installed on the workstation and it works side-by-side with the existing license, and basically at the end of the day this MAK key enables the device to continue to receive updates."

He added that this MAK key will work with a KMS activation deployment.

When asked what's most confusing for customers about buying an ESU license, Canfield pointed to its one-year limit.

"Everybody wants to be able to buy it [an ESU license] for three years and not have to think about it," he said. "I understand Microsoft not wanting to do it, but they've made the decision that they don't want to do it except for one year at a time."

There are some steps to enable the MAK key that Microsoft has described in this blog post. Those steps typically get carried out by the customer, though.

"Most clients that I know handle it on their own, but as part of the ESU, we'll make sure they understand the steps," Canfield commented.

If an organization still hasn't gotten off Windows 7 after Year 1 of the Windows 7 ESU program, it's just a matter of renewing the key for the next year, according to Canfield.

Canfield said that security updates arriving via the Windows 7 ESU program are delivered the same way as under the current monthly cumulative update process, including for organizations that opt to use just the monthly "security-only" updates.

Microsoft Security Essentials Support
Microsoft's documents have warned that Microsoft Security Essentials, the free anti-malware solution for Windows 7, will no longer get anti-malware signature updates after Jan. 14. Canfield affirmed that's the case even for Windows 7 ESU program participants, according to documentation.

However, in a late-breaking change, Microsoft is now saying that it will continue to issue anti-virus signatures after Jan. 14, 2020, but it won't update the Microsoft Security Essentials application itself. Microsoft's sudden change in plans was noted in this Dec. 18 Computerworld article.

ESUs for Windows Server 2008
Microsoft also has an ESU program for Windows Server 2008 and SQL Server 2008. It turns out, though, that Microsoft's CSP partners aren't empowered to sell those ESUs.

"We don't serve ESUs for Windows Server 2008 and SQL Server 2008," Canfield said. MessageOps can help organizations with Azure migrations, though, he added.

Canfield's understanding is that only Microsoft Large Account Resellers (LARs) can sell ESUs for Windows Server 2008 and SQL Server 2008.

