sbradley
Contributing Writer

How to implement Windows 7, Server 2008 security updates after end-of-life

How-To
Jan 22, 2020 · 5 mins
Security, Small and Medium Business, Windows

Microsoft has ended support for Windows 7 and Windows Server 2008, but you can purchase extended security updates. Here's what you need to do to implement them.

January 14, 2020 was the official end of the road for public updates for Windows 7, Windows Server 2008 R2 and Windows Server 2008 SP2. The many organizations that continue to use them will need to find a way to service them.

In May I urged people to isolate Windows 7 and air gap it from their networks if they didn’t plan to maintain it and patch it. Since then Microsoft has expanded the Extended Security Update (ESU) program to allow any business to obtain updates for Windows 7 after January 14 through the Cloud Service Provider program. Anyone with Windows 7 Pro, Ultimate or Enterprise can purchase and activate a key that licenses you for security updates. You must purchase these extended updates starting at $61 the first year. The cost will increase over the next three years.

Installing ESU keys

To install the ESU key, the machines must meet several prerequisites, as noted in the Windows IT Pro blog. The following patches must be installed before installing and activating ESU keys:

  • KB 4490628: Servicing stack update (SSU) for Windows 7 SP1 and Windows Server 2008 R2 SP1 (March 12, 2019, or later SSU).
  • KB 4474419: SHA-2 code signing support update for Windows Server 2008 R2, Windows 7 and Windows Server 2008.
  • KB 4493730: SSU for Windows Server 2008 SP2 (April 9, 2019, or later SSU).
  • KB 4474419: SHA-2 code signing support update for Windows Server 2008 R2, Windows 7 and Windows Server 2008.

Install SSUs and rollups

Next, ensure the following SSUs and monthly rollups are installed for Windows 7 SP1 and Windows Server 2008 R2 SP1:

  • KB 4516655: SSU for Windows 7 SP1 and Server 2008 R2 SP1 (September 10, 2019, or later).
  • KB 4519976: October 8, 2019, monthly rollup or later.

And for Windows Server 2008 SP2:

  • KB 4517134: SSU for Windows Server 2008 SP2 (September 10, 2019, or later).
  • KB 4520002: October 8, 2019, monthly rollup or later.
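A prerequisite check for the two lists above, as an added example that is not part of the original article. It assumes the KBs show up in Get-HotFix; the OS-version mapping and the status wording are this example's own.

```powershell
# Added example, not from the article. KB numbers are the ones the article lists.
# Written for PowerShell 2.0, which ships with Windows 7 and Server 2008 R2.
$required = @{
    '6.1' = @(  # Windows 7 SP1 / Windows Server 2008 R2 SP1
        @{ KB = 'KB4490628'; Role = 'SSU (March 12, 2019)';             OrLater = $true  },
        @{ KB = 'KB4474419'; Role = 'SHA-2 code signing support';       OrLater = $false },
        @{ KB = 'KB4516655'; Role = 'SSU (September 10, 2019)';         OrLater = $true  },
        @{ KB = 'KB4519976'; Role = 'Monthly rollup (October 8, 2019)'; OrLater = $true  }
    )
    '6.0' = @(  # Windows Server 2008 SP2
        @{ KB = 'KB4493730'; Role = 'SSU (April 9, 2019)';              OrLater = $true  },
        @{ KB = 'KB4474419'; Role = 'SHA-2 code signing support';       OrLater = $false },
        @{ KB = 'KB4517134'; Role = 'SSU (September 10, 2019)';         OrLater = $true  },
        @{ KB = 'KB4520002'; Role = 'Monthly rollup (October 8, 2019)'; OrLater = $true  }
    )
}

# Win32_OperatingSystem.Version looks like "6.1.7601"; keep major.minor only.
$os = Get-WmiObject -Class Win32_OperatingSystem
$family = ($os.Version -split '\.')[0..1] -join '.'
if (-not $required.ContainsKey($family)) {
    Write-Warning "OS version $($os.Version) is not covered by this check."
    return
}

# Get-HotFix reads Win32_QuickFixEngineering; collect the installed KB ids once.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

$report = foreach ($item in $required[$family]) {
    if ($installed -contains $item.KB) {
        $status = 'Installed'
    } elseif ($item.OrLater) {
        # "Or later" items may be satisfied by a newer SSU or rollup with a different KB id.
        $status = 'Not found: confirm a later superseding update'
    } else {
        $status = 'MISSING'
    }
    New-Object PSObject -Property @{ KB = $item.KB; Role = $item.Role; Status = $status }
}
$report | Select-Object KB, Role, Status | Format-Table -AutoSize

# Anything other than "Installed" needs review before the ESU key is added.
if ($report | Where-Object { $_.Status -ne 'Installed' }) {
    Write-Warning 'Prerequisites not confirmed; resolve them before installing the ESU key.'
}
```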

Install and activate Windows 7 security patches

Then you can install the ESU product key and enable the workstation to receive Windows 7 security patches after January.

For computers that have internet access, follow this Windows IT Pro blog post to activate your machines. If your computers do not have direct access to the internet, use the following process to activate the product keys.

On Windows 7 or Server 2008 R2, you can use phone activation via the slmgr command options. First enter slmgr.vbs /ipk to install the product key. Get the installation ID for the ESU key using the corresponding ESU activation ID. (ESU Activation IDs for each program are listed in the above-mentioned blog post.)

Once you have the installation ID, call the Microsoft Licensing Activation Center for your region. They will walk you through the steps to get the confirmation ID. Use slmgr /atp to activate the ESU SKU using the confirmation ID obtained in the above step.

Post-activation update and servicing strategy

After this step, the ESU License is activated. (slmgr /dlv should show “licensed”.) Once activated, you can continue to use your current update and servicing strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS), Microsoft Update Catalog, or whichever patch management solution you prefer.
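The offline (phone) activation sequence described above, as an added example that is not part of the original article. The angle-bracket values are placeholders to replace, /dti is slmgr's switch for displaying the installation ID (the article does not name it), and the final check assumes English-language slmgr output.

```powershell
# Added example, not from the article. Replace the placeholders before running
# from an elevated prompt; avoid saving the real product key in a script file.
$EsuKey         = '<ESU-PRODUCT-KEY>'     # placeholder: the purchased ESU MAK key
$ActivationId   = '<ESU-ACTIVATION-ID>'   # placeholder: from the Windows IT Pro blog post
$ConfirmationId = ''                      # leave empty until the phone call is done

function Invoke-Slmgr {
    param([string[]]$Arguments)
    $script = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    # cscript keeps the output on the console instead of in pop-up dialogs.
    $out = & cscript.exe //nologo $script $Arguments 2>&1
    # Report only the switch on failure so the product key is never echoed.
    if ($LASTEXITCODE -ne 0) { throw "slmgr $($Arguments[0]) failed: $out" }
    return $out
}

if (-not $ConfirmationId) {
    # Stage 1: install the key, then show the installation ID to read out by phone.
    Invoke-Slmgr '/ipk', $EsuKey | Out-Null
    Invoke-Slmgr '/dti', $ActivationId
    'Give this installation ID to the Microsoft Licensing Activation Center,'
    'then set $ConfirmationId and run the script again.'
    return
}

# Stage 2: apply the confirmation ID to the ESU SKU, then verify the result.
Invoke-Slmgr '/atp', $ConfirmationId, $ActivationId | Out-Null
$details = Invoke-Slmgr '/dlv', $ActivationId

if ($details -match 'License Status:\s*Licensed') {
    'ESU license is activated.'
} else {
    Write-Warning 'ESU license is not reported as Licensed; review the /dlv output:'
    $details
}
```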

Windows E5 and Microsoft 365 E5 customers with volume license agreements are also eligible for Windows 7 keys. Log into the Volume Licensing Service Center (VLSC) portal and go to the “License” tab. Then go to “Select Licenses”, then to “Relationship Summary”, then to “Licensing ID”, and look for the “Product Keys”. Remember these are multiple activation keys (MAK), not Key Management Service (KMS) keys, so you can do the above process using System Center Configuration Manager (SCCM).

For servers, however, you must be under an Enterprise agreement with Software Assurance to purchase extended Windows Server support patches. Once upon a time in-place upgrades from older server operating systems to newer operating systems were not recommended. Often the process of in-place upgrades would leave behind file and access-control list (ACL) permissions based on the older operating system that were carried over to the newer platform. Microsoft has improved the in-place upgrade process.

Keep in mind that you can’t go from Server 2008 R2 to Server 2019 directly but must upgrade from Windows Server 2008 R2 to Windows Server 2012 R2 and then from Windows Server 2012 R2 to Windows Server 2019. Don’t overlook the need for backups during any upgrade or migration process.  

During the migration process you might find data migration issues. You’ll first need to identify the data stored in the various servers and ensure that anyone who is in contact with data migration is authorized to do so and that you maintain the security and integrity of the data during the migration process. If data is mandated to be encrypted, ensure that it maintains its security posture during the migration process and isn’t inadvertently exposed.

Be aware of the impact of long file names when you migrate. Older platforms do not support long file names and paths, whereas Server 2019 fully supports more than 260 characters. If you are migrating from on-premises servers to the cloud, you may hit this issue as well.

There are several ways around this issue, from changing the mapped drive location to a shorter nested length, to third-party solutions. You may need to review access and security permissions settings to allow administrators to be able to migrate files and folders appropriately. Be prepared to review exceptions and allow for change management during migration processes.

Finally, with any migration process, determine the best time for your organization to migrate. A week before the end of life of Windows 7 is probably not the time to begin a migration to Windows 10. Nor is waiting until January of 2020 to migrate off Windows Server 2008 R2 and Windows Server 2008 SP2. If you are in this position, take the time now to review future end-of-life platforms. Start planning now for the end of life of Server 2012 R2. There are only three more years of support left for that platform, ending January 10, 2023.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
