[German]If you want to continue to have security updates for Windows 7 SP1, Windows Server 2008 and Windows Server 2008 R2 in 2021, you need the ESU package for the second year. Microsoft has been clarifying a few things about this topic over the days.
This is what ESU is all about
On January 14, 2020 Windows 7 SP1 reached the long announced end of support – and there are no more security updates by default. However, corporate customers have the option of purchasing an ESU license for Windows 7 SP1 to continue to receive security updates between January 2020 and January 2023 at the latest. Microsoft has announced Extended Security Updates Support (ESU) as a separate program for corporate customers (see Wow! Windows 7 get extended support until January 2023). The first year of ESU support expires in January 2021 and customers who require 2021 security updates must purchase an ESU extension for 2021.
ESU extension for 2021
On November 10, 2020, Microsoft announced in the Techcommunity article Year two: Extended Security Updates for Windows 7 and Windows Server 2008 that ESU licenses are due for renewal for the second year for the following operating systems:
- Windows 7 SP1
- Windows 7 Professional for Embedded Systems
- Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
- Windows Server 2008 R2 SP1 for Embedded Systems and Windows Server 2008 SP2 for Embedded Systems
Those who still operate devices with the above operating systems can book the ESU extension for the period January 12, 2021 to January 11, 2022 and thus receive further security updates.
Since ESUs are available as separate SKUs for each of the years (2020, 2021 and 2022) in which the program is offered – and can only be purchased during certain 12-month periods – you must purchase the second year of ESU coverage separately. You will need to activate a new key on each device to ensure your devices continue to receive security updates in 2021. The steps for installing and activating the MAK keys are the same as for the first year (see also the following links)
Price and source of supply
Microsoft does not mention a source of supply in the Techcommunity article. Finding a source of supply was the biggest hurdle in late 2019, early 2020. Microsoft itself only offers such a service to volume license customers. For single licenses and small companies, ESU keys for Windows 7 SP1 can only be obtained from sales partners. In my blog post Windows 7: Buy and manage ESU licenses – Part 1 I found a source that offered the ESU-Key.
German vendor Software Express now also offers ESU 2021 Keys at a price of 139.00 Euro net (or 161.24 Euro with VAT for Germany), although this product can only be ordered at the end of the year (see screenshot above). It was well known that the price for an ESU license in the second and third year is almost doubled compared to the previous year.
Important: If a company has not purchased the first year of ESU coverage, this means that both the ESU for the first year and the ESU for the second year must be purchased for the corresponding Windows 7 or Windows Server devices. Only then can the MAK keys for the second year be installed and activated so that the systems continue to receive security updates. This license (ESU 2020+2021) is also offered by Software Express at a price of 199.00 euros net (or 230.84 with VAT for Germany).
Addendum: Susan Bradley pointed me also to this site, where Amy Babinchak also sells Windows 7 ESU in the USA.
ACROS Security 0patch as alternative
The alternative, especially for people who couldn't get an ESU license for Windows Server 2008/R2, are the micropatches from 0patch. ACROS Security provides the 0patch Pro license for 23,00 Euro (net) per client and year. For this there are micropatches for the most important vulnerabilities. I had discussed the approach in the blog post Windows 7: Securing with the 0patch solution – Part 2 and in 2020 ACROS Security has released numerous micropatches for vulnerabilities. For private individuals there is even a free version of the 0patch approach. I described the different 0patch models in the blog post Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial.
Furthermore resourceful hobbyists developed a solution called ByPassESU to install security updates for Windows 7 without an ESU license. Some hints can be found in the article Windows 7 Sept. 2020 Updates: BypassESU v8 required. But I do not see this approach as a solution I would use in corporate environments. And if the approach will work or can be adapted in 2021 is still open.
A follow up article about that topic has been published at Windows 7 SP1: ESU Support for 2021 – Part 1.
Wow! Windows 7 get extended support until January 2023
Windows 7 Extended Security Updates buyable from April 2019
Microsoft offers Windows 7 Extended Update Support to SMBs
Prices for Windows 7 Extended Security Updates till 2023
Windows 7: Free Extended Update Support and usage
Windows 7: Office 365 ProPlus Updates till 2023
Windows 7 Extended Security Updates (ESU) requirements
Windows 7 Extended Security Update (ESU) program available
Windows 7 Extended Security Updates (ESU) program, price and source for SMEs
Windows 7: Buy and manage ESU licenses – Part 1
Windows 7: Preparing for ESU and license activation – Part 2
Windows 7: ESU Activation inEnterprise Environment – Part 3
Windows 7: ESU questions and more answers – Part 4
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
Cookies helps to fund this blog: Cookie settings