Patch Lady – Windows 7 ESU last minute requirement

Topic

New Reply

Microsoft has thrown a wrench into the last minute Windows 7 ESU updates. Now even though you’ve installed the ESU key and everything “was” ready to g
[See the full post at: Patch Lady – Windows 7 ESU last minute requirement]

Susan Bradley Patch Lady/Prudent patcher

10 users thanked author for this post.

BarryHenley, Nibbled To Death By Ducks, FakeNinja, AmbularD, lawrenceB, Zathras, abbodi86, CBA, GreatAndPowerfulTech, AJNorth

Reply | Quote

Replies

It showed up on WSUS this morning, too, along with all the other 2020/02 updates (but they show as “not needed” for machines without the ESU patch.

No matter where you go, there you are.

1 user thanked author for this post.

BarryHenley

Reply | Quote

Susan Bradley wrote:

To anyone who has purchased updates through any ESU program, as a shareholder of Microsoft I want to apologize for this really not well done, not automatic process. I personally will be calling several businesses that I assisted to obtain these extended security patches and will apologize for having to bother them to get their machines in a condition to get additional updates when I thought I already had them ready to go.

It’s very noble that you are apologizing, Susan; but in fact, it isn’t your fault. Even though you are a Microsoft shareholder, you weren’t in on any decisions at Microsoft as to how to implement this process.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

1 user thanked author for this post.

WildBill

Reply | Quote

Well maybe one of those big institutional MS investors will step up to complain and the big retirement funds and or even the small investors banding together to have more influence.

Personally I think that MS is missing out on some ESU revenue channels by not making 7’s ESU for a price available to a wider population of Windows 7 end users. But I guess that it’s not easy for anyone at any time past or present to deal with MS and licensing related issues as well as KB’s that appear with no logical notice and instructions or update dependency notifications.

 

1 user thanked author for this post.

Geo

Reply | Quote

Not your fault at all, Susan, but thanks for addressing that.  Can we treat this one as being under DEFCON-2 with the rest until we get the all clear?

i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

Reply | Quote

to make Windows update show you updates for both any Windows 7 post ESU security updates *AS WELL AS* the Office updates.

does this mean, without paying for extended support, i won’t even see any office 2010 updates although office 2010 is still supported until later this year (october or something)?

PC: Windows 7 Ultimate, 64bit, Group B
Notebook: Windows 8.1, 64bit, Group B

2 users thanked author for this post.

SueW, GreatAndPowerfulTech

Reply | Quote

I have a machine without ESU but with Office 2010. On that machine Windows Update does show the Office updates.

ASRock Beebox J3160 - Win7 Ultimate x64
Asus VivoPC VC62B - Win7 Ultimate x64
Dell Latitude E6430 - Win7 Ultimate x64, Win10 Pro 22H2 x64 (multiboot)
Dell Latitude XT3 - Win7 Ultimate x86
Asus H170 Pro Gaming - Win10 Pro 22H2 x64

1 user thanked author for this post.

SueW

Reply | Quote

I installed (late to the market) KB4538483 on my already ESU licensed W7 Pro x64 laptop. No problem.

I checked for updates, via WU, and found Rollup KB4537820 and MRT KB890830. Installed both, rebooted and no problems.

Finally, checked for updates again and found SSU KB4537829. Installed, no issues.

I gather this proves that my ESU license works.

2 users thanked author for this post.

rick41, b

Reply | Quote

Thank you Susan for this. I had installed ESU and it said it active. It downloaded a rollup below so thought its all done

2020-01 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4539601)

Installation date: ‎08/‎02/‎2020 20:00

And now thanks you your link its downloaded

Security Update for Windows (KB4538483)

Installation date: ‎12/‎02/‎2020 10:42

Fix for KB4538483

2 mins after doing this 4 (2 windows 7 x64 KB4537820 & KB890830 and 2 office 10 KB4484267 & KB4484163 ) security updates appeared on updates available to install

 

 

Reply | Quote

Another one gone through, 2020-02 Servicing Stack Update for Windows 7 for x64-based Systems (KB4537829)

 

Reply | Quote

this new KB4537829 SSU enforces new updates like KB4537820 to check for a valid ESU license and whether or not KB4538483 is installed and KB4537820 will fail to install with “Failure to configure Windows updates. Reverting Changes.” message unless all conditions are met.

2 users thanked author for this post.

rick41, geekdom

Reply | Quote

No surprise whatsoever with this last minute requirement.  Microsoft can’t even get regular monthly patching for Windows done correctly.  Why should the ESU licenses be any different…  grrrr

Time to go back thru a few dozen machines when I thought the ESU licenses were all set.

Thanks for the heads up!

 

Reply | Quote

Has anyone confirmed they will not update without this patch?

1 user thanked author for this post.

BarryHenley

Reply | Quote

I didn’t get the needed Windows 7 updates without this additional patch.  If you haven’t opted into the ESU program then you’ll probably still get the Office updates.

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

BarryHenley, woody, JCCWsusser

Reply | Quote

I confirm that I did receive the Office 2010 updates without the ESU patch.

I really don’t understand how Microsoft can have overlooked this business opportunity here.

Did they really think they would make that much more money out of users who didn’t upgrade yet by not making it easy to stay on 7 a bit more, hoping they would hop on 10?

They could have pushed a Windows update that, in addition to warn users about the end of Windows 7 support, would have offered a very simple way to just click a link and input your credit card to receive one more year of security updates. I bet they would have made a ton of money on ageing hardware, then the same the next year, and another and then for the license on the new PC that would eventually been bought if the old Win 7 PC would have lasted that long.

I guess bragging about how many people are on 10 or the ability to have a large enough captive audience to crank up the monetization strategy without people having acceptable alternatives was too high, or they are just a bit clueless about everything. The way they offered ESU seems ridiculous and improvised.

Reply | Quote

An interesting tweet from Bryan Dam:

Near as I can tell KB4538483, KB4538484, and the ESU updates will appear in WSUS just fine. The clients just need to install one of the first two before they will detect the ESU updates as applicable. Both of those KBs are listed as distributed via WSUS.

So everything should be automatic, it’s just going to take two patching cycles: the first to get KB4538483/4 (again, via WSUS) and after then another to detect that the ESUs are applicable. Essentially the same scenario as when they make a SSU a pre-req for that month’s CU.

Does that sound right?

Reply | Quote

That’s been my experience so far, Woody.

Though, contrary to the KB4538483 article, I did not have to reboot after installing it to be offered the Feb OS rollup and Office security updates (all of which installed successfully.)

All from WSUS FWIW. Tested 3 machines so far.

Reply | Quote

i have a windows 7 professional 64 bit desktop and purchased ESU. Windows Update is not offering me any security patches even after i installed the new update patch today. the only updates it is offering are microsoft security essentials, the malicious clean up tool and excel and outlook 2010 patches. Anyone have any advice?

Reply | Quote

The fact we have to install a last-minute patch to get the ESU patches is concerning.

Any reports of KB4538483 causing issues?

Reply | Quote

It’s just install required ESU support licenses, perfectly safe

Reply | Quote

Reporting in:

Installed KB4538483, checked WU, and was offered (and declined) the regular Feb. Glockenspiel, i.e. 2020-02 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4537820) as well as the MSRT Windows Malicious Software Removal Tool x64 – February 2020 (KB890830)

No ill effects seen yet, running FF 73.

Was NOT offered the 2020-02 Servicing Stack Update for Windows 7 (KB4537829) , the SSU patch per Woody’s article, and it’s not installed on my system, nor has it been previously offered, I’m pretty sure. Maybe it will appear AFTER the Feb patches have been installed…and I’m definitely waiting for Defcon 3 or better to do that!

Hey, Redmond, you got us again! (Pulls arrow out of body.) Ow! That was NOT from Cupid!

Susan, my heart goes out to you; I feel yours and every Sysadmin’s pain on this one. Thanks for the Alert!!

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

Reply | Quote

Ghacks: It appears that the Windows 7 ESU Bypass is indeed working

A bypass to use ESU-only patches on Home machines — basically any machine that has not joined the program officially — was discovered and published in December 2019. The bypass worked with the test ESU patch that Microsoft released but it was not clear back then if it would also work with “real” patches.

Now that the first post-Windows 7 support patch has been released, confirmations are coming in that the bypass is indeed working…

https://www.ghacks.net/2020/02/13/it-appears-that-the-windows-7-esu-bypass-is-indeed-working/

1 user thanked author for this post.

AlexEiffel

Reply | Quote

[magic]

Quick one to say that KB4538483 showed up in WSUS, and was automatically approved and deployed by SCCM for our environment. No manual deployment necessary.

• This reply was modified 3 years, 9 months ago by magic.

1 user thanked author for this post.

BarryHenley

Reply | Quote

Thank you for the confirmation. Microsoft is making the process really painful for no good reason. They are also putting us at risk with the last minute decision to add new requirements in for the patches to work.

Also, we now have to deploy the patches manually as they will not download any longer with our current patch management tool.

Reply | Quote

anonymous wrote:

they will not download any longer with our current patch management tool.

What is your management tool?

cheers, Paul

Reply | Quote

[EP]

I’ve been thinking, Susan

once Win7 users paid for the ESU licenses, manually downloaded & installed the KB4538483 update and have successfully installed the Feb. 2020 updates, do they need to remove KB4538483 afterwards or should they keep the KB4538483 update installed in order to receive new updates in the upcoming months beyond this month?

that is something to think about

• This reply was modified 3 years, 9 months ago by EP.
• This reply was modified 3 years, 9 months ago by EP.
• This reply was modified 3 years, 9 months ago by EP.

Reply | Quote

KB4538383 is now like the SHA2 support updates (KB4490628 & KB4474419), it’s baseline to get further updates through WU

Windows Update ESU Prerequisite Hierarchy

Winmgmt service not disabled
|
supported ESU editions
|
ESU key activated
|
ESU Preparation update KB4538483 installed
|
January SSU KB4536952 or later installed

2 users thanked author for this post.

BarryHenley, Kranium

Reply | Quote

thanks abbodi86.

perhaps Susan should explicitly state that Win7 users should manually download & install the KB4538483 update AND to not remove it

1 user thanked author for this post.

BarryHenley

Reply | Quote

Opatch has it’s first Windows 7 micropatch- page with instructions-

https://blog.0patch.com/2020/02/our-first-weeks-of-securing-windows-7.html

1 user thanked author for this post.

LHiggins

Reply | Quote

Has anyone tried Opatch for Win 7- many of us have Win 7 Home Premium with no ESU available?

https://blog.0patch.com/2020/02/our-first-weeks-of-securing-windows-7.html

Reply | Quote

How do I update security patches without internet connection, or without WSUS?

Reply | Quote

Update from what? When did you last update the machine?

You could try the WSUSOffline update that still supports W7 (version 11.9).

cheers, Paul

Reply | Quote