• Patch Lady – Windows 7 ESU last minute requirement

    Home » Forums » Newsletter and Homepage topics » Patch Lady – Windows 7 ESU last minute requirement

    Author
    Topic
    #2138979

    Microsoft has thrown a wrench into the last minute Windows 7 ESU updates. Now even though you’ve installed the ESU key and everything “was” ready to g
    [See the full post at: Patch Lady – Windows 7 ESU last minute requirement]

    Susan Bradley Patch Lady/Prudent patcher

    Viewing 19 reply threads
    Author
    Replies
    • #2138992

      It showed up on WSUS this morning, too, along with all the other 2020/02 updates (but they show as “not needed” for machines without the ESU patch.

      No matter where you go, there you are.

      1 user thanked author for this post.
    • #2138995

      To anyone who has purchased updates through any ESU program, as a shareholder of Microsoft I want to apologize for this really not well done, not automatic process. I personally will be calling several businesses that I assisted to obtain these extended security patches and will apologize for having to bother them to get their machines in a condition to get additional updates when I thought I already had them ready to go.

      It’s very noble that you are apologizing, Susan; but in fact, it isn’t your fault. Even though you are a Microsoft shareholder, you weren’t in on any decisions at Microsoft as to how to implement this process.

      Group "L" (Linux Mint)
      with Windows 10 running on a separate hard drive
      1 user thanked author for this post.
      • #2139016

        Well maybe one of those big institutional MS investors will step up to complain and the big retirement funds and or even the small investors banding together to have more influence.

        Personally I think that MS is missing out on some ESU revenue channels by not making 7’s ESU for a price available to a wider population of Windows 7 end users. But I guess that it’s not easy for anyone at any time past or present to deal with MS and licensing related issues as well as KB’s that appear with no logical notice and instructions or update dependency notifications.

         

        1 user thanked author for this post.
        Geo
    • #2139032

      Not your fault at all, Susan, but thanks for addressing that.  Can we treat this one as being under DEFCON-2 with the rest until we get the all clear?

      i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

    • #2139049

      to make Windows update show you updates for both any Windows 7 post ESU security updates *AS WELL AS* the Office updates.

      does this mean, without paying for extended support, i won’t even see any office 2010 updates although office 2010 is still supported until later this year (october or something)?

      PC: Windows 7 Ultimate, 64bit, Group B
      Notebook: Windows 8.1, 64bit, Group B

      2 users thanked author for this post.
      • #2139065

        I have a machine without ESU but with Office 2010. On that machine Windows Update does show the Office updates.

        1 user thanked author for this post.
    • #2139053

      I installed (late to the market) KB4538483 on my already ESU licensed W7 Pro x64 laptop. No problem.

      I checked for updates, via WU, and found Rollup KB4537820 and MRT KB890830. Installed both, rebooted and no problems.

      Finally, checked for updates again and found SSU KB4537829. Installed, no issues.

      I gather this proves that my ESU license works.

      2 users thanked author for this post.
    • #2139119

      Thank you Susan for this. I had installed ESU and it said it active. It downloaded a rollup below so thought its all done

      2020-01 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4539601)

      Installation date: ‎08/‎02/‎2020 20:00

      And now thanks you your link its downloaded

      Security Update for Windows (KB4538483)

      Installation date: ‎12/‎02/‎2020 10:42

      Fix for KB4538483

      2 mins after doing this 4 (2 windows 7 x64 KB4537820 & KB890830 and 2 office 10 KB4484267 & KB4484163 ) security updates appeared on updates available to install

       

       

    • #2139190

      Another one gone through, 2020-02 Servicing Stack Update for Windows 7 for x64-based Systems (KB4537829)

       

      • #2139285

        this new KB4537829 SSU enforces new updates like KB4537820 to check for a valid ESU license and whether or not KB4538483 is installed and KB4537820 will fail to install with “Failure to configure Windows updates. Reverting Changes.” message unless all conditions are met.

        2 users thanked author for this post.
    • #2139273

      No surprise whatsoever with this last minute requirement.  Microsoft can’t even get regular monthly patching for Windows done correctly.  Why should the ESU licenses be any different…  grrrr

      Time to go back thru a few dozen machines when I thought the ESU licenses were all set.

      Thanks for the heads up!

       

    • #2139306

      Has anyone confirmed they will not update without this patch?

      1 user thanked author for this post.
      • #2139309

        I didn’t get the needed Windows 7 updates without this additional patch.  If you haven’t opted into the ESU program then you’ll probably still get the Office updates.

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
        • #2140144

          I confirm that I did receive the Office 2010 updates without the ESU patch.

          I really don’t understand how Microsoft can have overlooked this business opportunity here.

          Did they really think they would make that much more money out of users who didn’t upgrade yet by not making it easy to stay on 7 a bit more, hoping they would hop on 10?

          They could have pushed a Windows update that, in addition to warn users about the end of Windows 7 support, would have offered a very simple way to just click a link and input your credit card to receive one more year of security updates. I bet they would have made a ton of money on ageing hardware, then the same the next year, and another and then for the license on the new PC that would eventually been bought if the old Win 7 PC would have lasted that long.

          I guess bragging about how many people are on 10 or the ability to have a large enough captive audience to crank up the monetization strategy without people having acceptable alternatives was too high, or they are just a bit clueless about everything. The way they offered ESU seems ridiculous and improvised.

    • #2139381

      An interesting tweet from Bryan Dam:

      Near as I can tell KB4538483, KB4538484, and the ESU updates will appear in WSUS just fine. The clients just need to install one of the first two before they will detect the ESU updates as applicable. Both of those KBs are listed as distributed via WSUS.

      So everything should be automatic, it’s just going to take two patching cycles: the first to get KB4538483/4 (again, via WSUS) and after then another to detect that the ESUs are applicable. Essentially the same scenario as when they make a SSU a pre-req for that month’s CU.

      Does that sound right?

      • #2139513

        That’s been my experience so far, Woody.

        Though, contrary to the KB4538483 article, I did not have to reboot after installing it to be offered the Feb OS rollup and Office security updates (all of which installed successfully.)

        All from WSUS FWIW. Tested 3 machines so far.

    • #2139512

      i have a windows 7 professional 64 bit desktop and purchased ESU. Windows Update is not offering me any security patches even after i installed the new update patch today. the only updates it is offering are microsoft security essentials, the malicious clean up tool and excel and outlook 2010 patches. Anyone have any advice?

    • #2139589

      The fact we have to install a last-minute patch to get the ESU patches is concerning.

      Any reports of KB4538483 causing issues?

    • #2139625

      Reporting in:

      Installed KB4538483, checked WU, and was offered (and declined) the regular Feb. Glockenspiel, i.e. 2020-02 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4537820) as well as the MSRT Windows Malicious Software Removal Tool x64 – February 2020 (KB890830)

      No ill effects seen yet, running FF 73.

      Was NOT offered the 2020-02 Servicing Stack Update for Windows 7 (KB4537829) , the SSU patch per Woody’s article, and it’s not installed on my system, nor has it been previously offered, I’m pretty sure. Maybe it will appear AFTER the Feb patches have been installed…and I’m definitely waiting for Defcon 3 or better to do that!

      Hey, Redmond, you got us again! (Pulls arrow out of body.) Ow! That was NOT from Cupid!

      Susan, my heart goes out to you; I feel yours and every Sysadmin’s pain on this one. Thanks for the Alert!!

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

    • #2139731

      Ghacks: It appears that the Windows 7 ESU Bypass is indeed working

      A bypass to use ESU-only patches on Home machines — basically any machine that has not joined the program officially — was discovered and published in December 2019. The bypass worked with the test ESU patch that Microsoft released but it was not clear back then if it would also work with “real” patches.

      Now that the first post-Windows 7 support patch has been released, confirmations are coming in that the bypass is indeed working…

      https://www.ghacks.net/2020/02/13/it-appears-that-the-windows-7-esu-bypass-is-indeed-working/

      1 user thanked author for this post.
    • #2139785

      Quick one to say that KB4538483 showed up in WSUS, and was automatically approved and deployed by SCCM for our environment. No manual deployment necessary.

      • This reply was modified 4 years ago by magic.
      1 user thanked author for this post.
    • #2139871

      Thank you for the confirmation. Microsoft is making the process really painful for no good reason. They are also putting us at risk with the last minute decision to add new requirements in for the patches to work.

      Also, we now have to deploy the patches manually as they will not download any longer with our current patch management tool.

    • #2140993

      I’ve been thinking, Susan

      once Win7 users paid for the ESU licenses, manually downloaded & installed the KB4538483 update and have successfully installed the Feb. 2020 updates, do they need to remove KB4538483 afterwards or should they keep the KB4538483 update installed in order to receive new updates in the upcoming months beyond this month?

      that is something to think about

      • This reply was modified 4 years ago by EP.
      • This reply was modified 4 years ago by EP.
      • This reply was modified 4 years ago by EP.
      • #2141131

        KB4538383 is now like the SHA2 support updates (KB4490628 & KB4474419), it’s baseline to get further updates through WU

        Windows Update ESU Prerequisite Hierarchy

        Winmgmt service not disabled
        |
        supported ESU editions
        |
        ESU key activated
        |
        ESU Preparation update KB4538483 installed
        |
        January SSU KB4536952 or later installed

        2 users thanked author for this post.
        • #2141846

          thanks abbodi86.

          perhaps Susan should explicitly state that Win7 users should manually download & install the KB4538483 update AND to not remove it

          1 user thanked author for this post.
    • #2170082

      Opatch has it’s first Windows 7 micropatch- page with instructions-

      https://blog.0patch.com/2020/02/our-first-weeks-of-securing-windows-7.html

      1 user thanked author for this post.
    • #2211313

      How do I update security patches without internet connection, or without WSUS?

    • #2211327

      Update from what? When did you last update the machine?

      You could try the WSUSOffline update that still supports W7 (version 11.9).

      cheers, Paul

    Viewing 19 reply threads
    Reply To: Patch Lady – Windows 7 ESU last minute requirement

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: