What are Windows Extended Security Updates?

After 10 years since its release, Windows 7 and Server 2008/R2 (extended) support will be finally coming to an end on January 14, 2020. This means that routine security and optional updates will no longer be provided for the operating system, leaving many with unaddressed vulnerabilities and potentially no support from hardware manufacturers.

In January, these devices will receive their last updates. and will not receive any after that, unless administrators decide to opt-in (and pay) for Extended Security Updates (ESU) from Microsoft. These updates are designed as a stopgap and will become more expensive every year since Microsoft wants businesses and organizations to migrate to the newest versions of Windows. This means that consumers (home devices) cannot purchase these updates since they’re only available for organizations.

How are Extended Security Updates Obtained?

Once Windows 7 and Server 2008/R2 reaches End of Support, the operating system will no longer receive updates and will require new licensing to continue receiving updates.

Extended Security Updates can be purchased in 12-month increments (customers cannot purchase any shorter terms than 12-months). The updates are available to businesses and organizations of any size; however, the pricing will be different between volume licensed and non-volume licensed organizations.

Also, although end of support is January 14, 2020, organizations can purchase ESU at any time during the three years that the offer is available; however, if an organization waits and purchases ESU for the first time in year two or year three, they will have to pay for the preceding years also. This is because the security updates that are offered under the ESU program are cumulative.

Microsoft has also not published any limits on licensing, so technically an organization can purchase updates for just one device.

Once Extended Security Updates are purchased through Microsoft, or a Cloud Solution Provider (CSP), the organization will receive new activation details so that the unsupported devices can still receive new security updates throughout the year. Again, updates are purchased annually in 12-month terms, up to 3 years until Extended Security Updates is no longer offered (January 10, 2023).

An organization that uses volume licensing to manage on-premises deployments can use it to deploy ESU to the covered devices. When an organization purchases Windows 7 ESU, Microsoft provides a Multiple Activation Key (MAK) in the VLSC. This MAK key is independent of the Windows 7 activation key and can work in parallel together with a KMS activation deployment.

Is Technical Support Included with ESU?

No. Customers that purchase directly from Microsoft (for example, volume licensed customers or CSP-direct Partners) can use an active support contract such as Software Assurance or Premier/Unified Support to request assistance with Windows 7. Partners can also use their Partner Support Plans to request assistance with Windows 7.

What Other Products/Services are Affected on January 14, 2020?

Not just Windows 7 and Windows Server 2008/R2 are affected on January 14, 2020. Many Windows 7 users rely on Microsoft Security Essentials as a security application and at this time, there is no extended support planned for this product.

What if the Windows 7 or 2008/R2 Licenses Aren’t Extended?

Post-December 2019 Patch Tuesday (after KB4530734 has been deployed), Microsoft is planning to push a full-screen notification after January 15, 2020, to those still running the operating systems, making it clear that the devices are indeed out of support (this notification will not appear on domain-joined devices or devices in kiosk mode).

Other than this notification, nothing else will occur for these unsupported devices and they will remain vulnerable. The remaining options are clear:

• Extend support for Windows 7 or 2008/R2 devices by paying extra each year for each device
• Retire the instance of the operating system and move to the supported Windows 10 or newer versions of Windows Server

Manage and Secure Your Environment

Syxsense offers patch management for Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012. Rest assured that as new OS’s are released, your older desktops, laptops and servers will not be security loopholes for hackers.