Windows 7: ESU Activation in Enterprise Environment – Part 3

win7[German]In another blog post I would like to discuss the activation of ESU licenses for Windows 7 SP1/Windows Server 2008/R2 support renewal in enterprise environments. Microsoft doesn't offer a viable solution to this issue, but I have found a potentially better approach.


What we are talking about?

Here in the blog, I've spent a lot of time discussing support renewals for Windows 7 SP1 (and Server 2008/R2) as part of the Extended Security Updates (ESU) program (see links at the end of the article). Parts 1 and 2 of the article series dealt with the purchase and activation of ESU licenses for SMBs. However, the solution is only practicable for a handful of systems. In part 2 of the article series, German blog reader Shadena immediately asked for a solution to activate ESU within large enterprise environments:

interesting for me would be, how the ESU-Keys can be distributed on Windows 7 clients in large environments, if they can be set up on the domain's own KMS server.

I myself am not active in this field, and could only refer to the the Microsoft ESU FAQ. And there is the Techcommunity article How to get Extended Security Updates for eligible Windows devices from October 2019, but it doesn't reflect more than my second part of this article series. Not useful for enterprise environments with many Windows 7 systems where ESU should be activated.

You could create a batch solution with a few commands, which would relieve administrators of some manual effort. In part 2 I had mentioned this post where a script could be found (the batch program could be simplified, since the Activation-ID for all machines is fixed).

ActivationWs: The ESU MAK activation solution

Recently I came across a solution how to solve the problem of activating the ESU keys in enterprise environments, if the clients or servers do not have direct access to the Internet, or where the VAMT solution described by Microsoft is not applicable. Someone has developed a solution and published it as ActivationWs on GitHub.

The ActivationWs GitHub repository is a customizable solution for the distribution and activation of multiple activation keys (MAK). It consists of an ASP.NET web service and a PowerShell script to install and activate the MAK.


The developer of the solution writes that ActivationWs is designed for companies for whom deploying and activating their Extended Security Update (ESU) MAK key on many clients is a certain challenge. The ActivationWs repository offers administrators a "pull-based" activation solution. This eliminates the requirements of the VAMT approach mentioned above. This may reduce some of the obstacles that administrators must overcome when activating the product key.

(ESU activation, Source: GitHub)

The picture above shows the scheme of the activation process, including the ConfigMgr (from SCCM).

  1. The PowerShell script Activate-Product.ps1 is deployed (for example, using ConfigMgr or another solution of choice) on the ESU-enabled device.
  2. The script installs the MAK, and then queries the installation ID and product ID.
  3. Then the script sends a SOAP request to the ActivationWs Web Service. The ActivationWs Web Service is installed on a host in the internal network of the company. The communication takes place via a freely selectable port (e.g. 80/443).
  4. The Installation- and Product IDs are transferred to the Microsoft BatchActivation Service, which then returns the Confirmation ID to the ActivationWs Web Service. This service passes the Confirmation ID to the client that is to receive the ESU Activation.
  5. The script stores the Confirmation ID and completes the activation.

The ActivationWs Web Service runs on IIS and requires the .NET Framework 4.6 and access to the Microsoft BatchActivation Service ( A proxy server can be specified in the web.config file if required. Activate-Product.ps1 requires Windows PowerShell v2.0 or later and must be running with administrator privileges.

See the GitHub page for some more information and a FAQ on how to use this solution. This comes without support, but it should be the solution for some administrators.

Article series
Windows 7: Buy and manage ESU licenses – Part 1
Windows 7: Preparing for ESU and license activation – Part 2
Windows 7: ESU Activation inEnterprise Environment – Part 3
Windows 7: ESU questions and more answers – Part 4

Similar articles
Wow! Windows 7 get extended support until January 2023
Windows 7 Extended Security Updates buyable from April 2019
Microsoft offers Windows 7 Extended Update Support to SMBs
Prices for Windows 7 Extended Security Updates till 2023
Windows 7: Free Extended Update Support and usage
Windows 7: Office 365 ProPlus Updates till 2023
Windows 7 Extended Security Updates (ESU) requirements
Windows 7 Extended Security Update (ESU) program available
Windows 7 Extended Security Updates (ESU) program, price and source for SMEs

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , , . Bookmark the permalink.

3 Responses to Windows 7: ESU Activation in Enterprise Environment – Part 3

    • guenni says:

      I noticed that – it's not the worsest thing – 800,000 buck for one year more Win 7 SP1 ESU support is nothing, compared to a license fee the government has to pay (and the man power they need to handle all those clients with Windows 10. I covered the case of municipal of Berlin, where they still migrating to Windows 10. They decided to upgrade 30,000 clients to Windows 10 LTSC – that's finished yet, but they run into privacy/security issues. Now that clients have to be updated in a 2nd step to Windows 10 SAC. Also data protection watchguard officials say, Windows 10 can't be used GDPR compliant. So there are many open questions beside the articles published from US media.

      Side note: I've that topic on my agenda – but currently I'm buried under a stack of blog topics. Infected sites due to shitrix is a more important topic for instance ;-).

      Anyway, thanks for all your hints given in the past – it's welcome! I have to decide, what I adopt and what not. In May 2020 I'm blogging since 13 years – and never run out of topics :-).

      I had long time ago a running gag: In 1993 I startet as a freelance computer book author. And the first question people are going to ask my wife: 'Oh God, you a poor girl, can your family live from that income'.

      So I provided an answer (for my wife, she exchanged 'I' in the following text to 'he' and 'my' to 'his'): 'No, we can't live on that. But I've turned my hobby into a profession. Since then, I've never had to work again. That's something cool, isn't it.'

      Well, it's now nearly 27 years since I made that decision – and I'm still living :-).

  1. Karl Wester-Ebbinghaus (@tweet_alqamar) says:

    Can you please also cover VAMT 3.1 which should be easier than Powershell for small business and large.
    Please note that VAMT 3.1 from ADK 1909 needs a patch for activating and inserting ESU keys into the key repository

    as described here:

Leave a Reply

Your email address will not be published. Required fields are marked *