FAQ: Last-minute answers about Windows 7's post-retirement patches

The end of support for Windows 7 is coming up fast. For those still running the aging OS, here's what you need to know about Microsoft's Extended Security Updates program.


A week from now, Microsoft will serve customers with the last for-free Windows 7 security update, in effect retiring the 2009 operating system.

However, hundreds of millions of personal computers will still power up thanks to Windows 7 on Jan. 14, and for an indeterminate timespan after that date. Windows 7 may be retiring, but it's not disappearing.

Microsoft admitted as much more than a year ago when it announced Extended Security Updates (ESU), a program for commercial customers who needed more time to ditch Windows 7. ESU would provide patches for some security vulnerabilities for as long as three years. For a fee.

Later — just this October — Microsoft expanded ESU to include small and very small businesses, but told those customers, who typically needed to keep just a handful of PCs updated, to contact a Cloud Service Provider (CSP).

Computerworld has covered ESU since its September 2018 unveiling. But there are always bits and pieces that don't get the attention they deserve. So, we've collected the most important last-minute questions about ESU, and provided answers to those queries.

The clock is ticking.

What Windows 7 editions are eligible for ESUs? Windows 7 Professional, Windows 7 Enterprise and Windows 7 Ultimate.

Initial ESU descriptions by Microsoft omitted Ultimate, the oddball SKU (stock-keeping unit) that, along with Enterprise, was a premium version of the OS when Microsoft launched Windows 7. (Microsoft passed on doing a Windows 8 Ultimate, a good signal for how 7's version fared.) Later, Windows 7 Ultimate popped up in Microsoft's references, including this FAQ. That made sense, since Ultimate was billed as Enterprise with a twist: It could be licensed to individuals.

Does ESU provide patches for all vulnerabilities? No.

ESU includes fixes for "critical and important issues as defined by the Microsoft Security Response Center," Microsoft stated in a FAQ. The two classifications make up the top half of Microsoft's four-step system ("moderate" and "low" are the others).

For more information about the security severity rating system, see this support document.

How much does ESU cost? That depends.

Enterprise customers with volume licensing deals — or subscriptions to Windows 10 Enterprise E3 and E5, and thus with rights to Windows 7 Enterprise — will pay $25 per PC for the first year of coverage (through mid-January 2021). For machines running Windows 7 Professional — and covered by Software Assurance — the first-year price will be $50.

Businesses that are not volume customers, notably the very small shops and sole proprietors with a limited number of PCs running Windows 7 Professional, will pay around $61-$62 per machine for the first year. Because they're not volume licensees, such businesses must go through a Microsoft Cloud Service Provider (CSP).

Just a reminder: ESU is sold on a per-PC basis, not per user.

Where can our small business find a CSP to sell us ESU? Microsoft told customers to search here, the Microsoft solutions provider database.

But some reported that they were unable to attract interest from a CSP because of the small number of ESU licenses they required. Veteran Windows watcher Ed Bott, for example, struck out when he tried to obtain ESU.

One CSP told Computerworld that they'd be unlikely to sell fewer than 20-30 ESU "units" to a customer; smaller orders than that would "be unprofitable," the seller said.

(That was a combination of the low margin per ESU, the fact that the ordering process is completely manual, and the ESU requirement that the seller set up an Office 365 "tenant" and an Azure AD administrative account for the customer.)

Susan Bradley, a computer network and security consultant, the moderator of the PatchManagement.org mailing list and the contributor known as "The Patch Lady" to the AskWoody.com Windows tip site, teamed up with Amy Babinchak, a Michigan-based IT consultant and Microsoft MVP (Most Valuable Professional), to document the ESU purchasing process for a very small business. After initially striking out (Babinchak is a registered CSP), they succeeded in finding a distributor (Microsoft's reseller/partner system has multiple layers) and armed a single PC for ESU.

Babinchak's Michigan-based IT services firm, Harbor Computer Services, will deal ESU in small quantities, Bradley said in an email. "Amy and Ted are doing the heavy lifting of providing an easier way to get the Windows 7 (ESU) licenses," she wrote, referring to Ted Kinczkowski, Babinchak's partner and the company's technical manager.

Interested businesses can request an ESU license from Harbor by filling out and submitting this form, Bradley added.

How do we prep our Windows 7 PCs to receive ESU starting next month? This October post to a Microsoft blog contains information on the steps necessary to purchase and download ESU product keys — PCs covered by the post-retirement program self-identify to Windows 7's servicing through these keys — and install and activate them.

The post includes several screenshots to help customers follow the instructions and lists the update prerequisites that need to be installed prior to activating the ESU key.

Highly recommended.

How long will Microsoft service Windows 7 under ESU? Three years, in one-year increments.

Customers who pony up for the first year will receive Windows 7 security-only updates starting in February (Feb. 11 is that month's Patch Tuesday) and ending in January 2021 (Jan. 12, 2021). A similar 12-month stretch will be provided for the second (2021-2022) and third (2022-2023) years.

As a CSP rued in an interview with Computerworld, ESU is not a subscription, meaning that each year must be purchased separately and each year's key must also be installed separately.

The final ESU will be delivered Jan. 10, 2023, closing out Windows 7's support — free and paid — after slightly more than 13 years.

Is there a way to verify that our systems will actually download ESUs before the retirement date? We don't want to find out in February that our process isn't working.

Yes, there is a way to test ESU download and installation before Microsoft starts issuing the post-retirement updates.

"This optional non-security update will help you verify that your eligible Windows 7 Service Pack 1 (SP1) and Server 2008 R2 SP1 devices can continue to get Extended Security Updates (ESUs) after the end of support date of January 14, 2020," Microsoft said in this document.

This is, as Microsoft said, a "test package" that uses the same distribution process — and on the customer's part, the same reception requirements and process — as the real ESU deal. The support document spells out the necessary ESU prerequisites, provides instructions and lists a toll-free number to call for Microsoft's assistance in getting everything working.

How has the Microsoft rollout of ESU gone? Not always well.

Some comments appended to the Microsoft post "How to get Extended Security Updates for eligible Windows devices" were scathing. The ability for customers without volume licensing to acquire ESU via a CSP came in for particular scorn.

"Microsoft has created a giant mess with the Windows 7 ESU program," argued a commentator identified as BlakeTex on Dec. 18. "The communication is so bad, you wonder if it's intentional. Many struggling MS customers have found your blog and are pleading for answers, but you are not responding, which is not helpful."

Someone labeled discoveranother agreed. "Microsoft have been utterly hopeless with ESU and have left everything to the last minute in letting resellers know about the ESU licensing costs, etc., affecting small businesses and schools enormously," the commentator wrote.

A Microsoft representative countered in the comments. "Microsoft announced ESU in early 2019 and have been making changes to the program as necessary ever since," said Joe Lurie on Dec. 19. "One change was allowing for CSP which was not in the original plans. This is why this was announced in October — it was an add-on program based on customer request."

Copyright © 2020 IDG Communications, Inc.
