News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – Windows 7 ESU last minute requirement

    Posted on Susan Bradley Comment on the AskWoody Lounge

    Home Forums AskWoody blog Patch Lady – Windows 7 ESU last minute requirement

    • This topic has 30 replies, 22 voices, and was last updated 1 week ago by Paul T.
    Viewing 20 reply threads
    • Author
      Posts
      • #2138979 Reply
        Susan Bradley
        AskWoody MVP

        Microsoft has thrown a wrench into the last minute Windows 7 ESU updates. Now even though you’ve installed the ESU key and everything “was” ready to g
        [See the full post at: Patch Lady – Windows 7 ESU last minute requirement]

        Susan Bradley Patch Lady

      • #2138992 Reply
        PerthMike
        AskWoody Plus

        It showed up on WSUS this morning, too, along with all the other 2020/02 updates (but they show as “not needed” for machines without the ESU patch.

        No matter where you go, there you are.

        1 user thanked author for this post.
      • #2138995 Reply
        MrJimPhelps
        AskWoody_MVP

        To anyone who has purchased updates through any ESU program, as a shareholder of Microsoft I want to apologize for this really not well done, not automatic process. I personally will be calling several businesses that I assisted to obtain these extended security patches and will apologize for having to bother them to get their machines in a condition to get additional updates when I thought I already had them ready to go.

        It’s very noble that you are apologizing, Susan; but in fact, it isn’t your fault. Even though you are a Microsoft shareholder, you weren’t in on any decisions at Microsoft as to how to implement this process.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        1 user thanked author for this post.
        • #2139016 Reply
          anonymous
          Guest

          Well maybe one of those big institutional MS investors will step up to complain and the big retirement funds and or even the small investors banding together to have more influence.

          Personally I think that MS is missing out on some ESU revenue channels by not making 7’s ESU for a price available to a wider population of Windows 7 end users. But I guess that it’s not easy for anyone at any time past or present to deal with MS and licensing related issues as well as KB’s that appear with no logical notice and instructions or update dependency notifications.

           

          1 user thanked author for this post.
          Geo
      • #2139032 Reply
        AmbularD
        AskWoody Plus

        Not your fault at all, Susan, but thanks for addressing that.  Can we treat this one as being under DEFCON-2 with the rest until we get the all clear?

        i7-4790k - Z97X-Gaming 3 - DDR3 2133 x 32GB - GTX 1070 FTW - Windows 7 Pro x64 SP1

      • #2139049 Reply
        honx
        AskWoody Lounger

        to make Windows update show you updates for both any Windows 7 post ESU security updates *AS WELL AS* the Office updates.

        does this mean, without paying for extended support, i won’t even see any office 2010 updates although office 2010 is still supported until later this year (october or something)?

        PC: Windows 7 Ultimate, 64bit, Group B
        Notebook: Windows 8.1, 64bit, Group B

        2 users thanked author for this post.
        • #2139065 Reply
          Pim
          AskWoody Plus

          I have a machine without ESU but with Office 2010. On that machine Windows Update does show the Office updates.

          ASRock Beebox J3160 - Win7 Ultimate x64
          Asus VivoPC VC62B - Win7 Ultimate x64
          Dell Latitude E6430 - Win7 Ultimate x64
          Dell Latitude XT3 - Vista Ultimate x86 (still...)
          Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

          1 user thanked author for this post.
      • #2139053 Reply
        CBA
        AskWoody Plus

        I installed (late to the market) KB4538483 on my already ESU licensed W7 Pro x64 laptop. No problem.

        I checked for updates, via WU, and found Rollup KB4537820 and MRT KB890830. Installed both, rebooted and no problems.

        Finally, checked for updates again and found SSU KB4537829. Installed, no issues.

        I gather this proves that my ESU license works.

        2 users thanked author for this post.
      • #2139119 Reply
        Bridgemans
        AskWoody Lounger

        Thank you Susan for this. I had installed ESU and it said it active. It downloaded a rollup below so thought its all done

        2020-01 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4539601)

        Installation date: ‎08/‎02/‎2020 20:00

        And now thanks you your link its downloaded

        Security Update for Windows (KB4538483)

        Installation date: ‎12/‎02/‎2020 10:42

        Fix for KB4538483

        2 mins after doing this 4 (2 windows 7 x64 KB4537820 & KB890830 and 2 office 10 KB4484267 & KB4484163 ) security updates appeared on updates available to install

         

         

      • #2139190 Reply
        Bridgemans
        AskWoody Lounger

        Another one gone through, 2020-02 Servicing Stack Update for Windows 7 for x64-based Systems (KB4537829)

         

        • #2139285 Reply
          EP
          AskWoody_MVP

          this new KB4537829 SSU enforces new updates like KB4537820 to check for a valid ESU license and whether or not KB4538483 is installed and KB4537820 will fail to install with “Failure to configure Windows updates. Reverting Changes.” message unless all conditions are met.

          2 users thanked author for this post.
      • #2139273 Reply
        Zathras
        AskWoody Plus

        No surprise whatsoever with this last minute requirement.  Microsoft can’t even get regular monthly patching for Windows done correctly.  Why should the ESU licenses be any different…  grrrr

        Time to go back thru a few dozen machines when I thought the ESU licenses were all set.

        Thanks for the heads up!

         

      • #2139306 Reply
        JCCWsusser
        AskWoody Plus

        Has anyone confirmed they will not update without this patch?

        1 user thanked author for this post.
        • #2139309 Reply
          Susan Bradley
          AskWoody MVP

          I didn’t get the needed Windows 7 updates without this additional patch.  If you haven’t opted into the ESU program then you’ll probably still get the Office updates.

          Susan Bradley Patch Lady

          3 users thanked author for this post.
          • #2140144 Reply
            AlexEiffel
            AskWoody_MVP

            I confirm that I did receive the Office 2010 updates without the ESU patch.

            I really don’t understand how Microsoft can have overlooked this business opportunity here.

            Did they really think they would make that much more money out of users who didn’t upgrade yet by not making it easy to stay on 7 a bit more, hoping they would hop on 10?

            They could have pushed a Windows update that, in addition to warn users about the end of Windows 7 support, would have offered a very simple way to just click a link and input your credit card to receive one more year of security updates. I bet they would have made a ton of money on ageing hardware, then the same the next year, and another and then for the license on the new PC that would eventually been bought if the old Win 7 PC would have lasted that long.

            I guess bragging about how many people are on 10 or the ability to have a large enough captive audience to crank up the monetization strategy without people having acceptable alternatives was too high, or they are just a bit clueless about everything. The way they offered ESU seems ridiculous and improvised.

      • #2139381 Reply
        woody
        Da Boss

        An interesting tweet from Bryan Dam:

        Near as I can tell KB4538483, KB4538484, and the ESU updates will appear in WSUS just fine. The clients just need to install one of the first two before they will detect the ESU updates as applicable. Both of those KBs are listed as distributed via WSUS.

        So everything should be automatic, it’s just going to take two patching cycles: the first to get KB4538483/4 (again, via WSUS) and after then another to detect that the ESUs are applicable. Essentially the same scenario as when they make a SSU a pre-req for that month’s CU.

        Does that sound right?

        • #2139513 Reply
          lawrenceB
          AskWoody Lounger

          That’s been my experience so far, Woody.

          Though, contrary to the KB4538483 article, I did not have to reboot after installing it to be offered the Feb OS rollup and Office security updates (all of which installed successfully.)

          All from WSUS FWIW. Tested 3 machines so far.

      • #2139512 Reply
        luanne1
        AskWoody Plus

        i have a windows 7 professional 64 bit desktop and purchased ESU. Windows Update is not offering me any security patches even after i installed the new update patch today. the only updates it is offering are microsoft security essentials, the malicious clean up tool and excel and outlook 2010 patches. Anyone have any advice?

      • #2139589 Reply
        anonymous
        Guest

        The fact we have to install a last-minute patch to get the ESU patches is concerning.

        Any reports of KB4538483 causing issues?

        • #2139671 Reply
          abbodi86
          AskWoody_MVP

          It’s just install required ESU support licenses, perfectly safe

      • #2139625 Reply

        Reporting in:

        Installed KB4538483, checked WU, and was offered (and declined) the regular Feb. Glockenspiel, i.e. 2020-02 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4537820) as well as the MSRT Windows Malicious Software Removal Tool x64 – February 2020 (KB890830)

        No ill effects seen yet, running FF 73.

        Was NOT offered the 2020-02 Servicing Stack Update for Windows 7 (KB4537829) , the SSU patch per Woody’s article, and it’s not installed on my system, nor has it been previously offered, I’m pretty sure. Maybe it will appear AFTER the Feb patches have been installed…and I’m definitely waiting for Defcon 3 or better to do that!

        Hey, Redmond, you got us again! (Pulls arrow out of body.) Ow! That was NOT from Cupid!

        Susan, my heart goes out to you; I feel yours and every Sysadmin’s pain on this one. Thanks for the Alert!!

        Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode. ESU 1 yr."
        --
        "Just because you're an engineer doesn't mean you're good at everything." -Anonymous

      • #2139731 Reply
        Alex5723
        AskWoody Plus

        Ghacks: It appears that the Windows 7 ESU Bypass is indeed working

        A bypass to use ESU-only patches on Home machines — basically any machine that has not joined the program officially — was discovered and published in December 2019. The bypass worked with the test ESU patch that Microsoft released but it was not clear back then if it would also work with “real” patches.

        Now that the first post-Windows 7 support patch has been released, confirmations are coming in that the bypass is indeed working…

        https://www.ghacks.net/2020/02/13/it-appears-that-the-windows-7-esu-bypass-is-indeed-working/

        1 user thanked author for this post.
      • #2139785 Reply
        magic
        AskWoody Lounger

        Quick one to say that KB4538483 showed up in WSUS, and was automatically approved and deployed by SCCM for our environment. No manual deployment necessary.

        • This reply was modified 1 month, 2 weeks ago by magic.
        1 user thanked author for this post.
      • #2139871 Reply
        anonymous
        Guest

        Thank you for the confirmation. Microsoft is making the process really painful for no good reason. They are also putting us at risk with the last minute decision to add new requirements in for the patches to work.

        Also, we now have to deploy the patches manually as they will not download any longer with our current patch management tool.

        • #2140397 Reply
          Paul T
          AskWoody MVP

          they will not download any longer with our current patch management tool.

          What is your management tool?

          cheers, Paul

      • #2140993 Reply
        EP
        AskWoody_MVP

        I’ve been thinking, Susan

        once Win7 users paid for the ESU licenses, manually downloaded & installed the KB4538483 update and have successfully installed the Feb. 2020 updates, do they need to remove KB4538483 afterwards or should they keep the KB4538483 update installed in order to receive new updates in the upcoming months beyond this month?

        that is something to think about

        • This reply was modified 1 month, 2 weeks ago by EP.
        • This reply was modified 1 month, 2 weeks ago by EP.
        • This reply was modified 1 month, 2 weeks ago by EP.
        • #2141131 Reply
          abbodi86
          AskWoody_MVP

          KB4538383 is now like the SHA2 support updates (KB4490628 & KB4474419), it’s baseline to get further updates through WU

          Windows Update ESU Prerequisite Hierarchy

          Winmgmt service not disabled
          |
          supported ESU editions
          |
          ESU key activated
          |
          ESU Preparation update KB4538483 installed
          |
          January SSU KB4536952 or later installed

          2 users thanked author for this post.
          • #2141846 Reply
            EP
            AskWoody_MVP

            thanks abbodi86.

            perhaps Susan should explicitly state that Win7 users should manually download & install the KB4538483 update AND to not remove it

            1 user thanked author for this post.
      • #2170082 Reply
        rontpxz81
        AskWoody Lounger

        Opatch has it’s first Windows 7 micropatch- page with instructions-

        https://blog.0patch.com/2020/02/our-first-weeks-of-securing-windows-7.html

        1 user thanked author for this post.
      • #2211313 Reply
        anonymous
        Guest

        How do I update security patches without internet connection, or without WSUS?

      • #2211327 Reply
        Paul T
        AskWoody MVP

        Update from what? When did you last update the machine?

        You could try the WSUSOffline update that still supports W7 (version 11.9).

        cheers, Paul

    Viewing 20 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Patch Lady – Windows 7 ESU last minute requirement

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.