As you already know that, Windows 7 and windows server 2008/R2 has reached their end of support lifecycle on January 14, 2020, however you can purchase the extended security updates (ESU) for windows 7 and server 2008/R2 through volume licensing to make sure these devices are protected. For more information about how to purchase the ESU, refer to this blog.
After you have purchased the ESU, you can install and activate window 7 or server 2008/R2 devices using Configuration Manager task sequence or scripting or by other means. There are multiple posts on the internet on how to install ESU.
In this blog post, we will see how to check the activation status of ESU on windows 7 and server 2008/R2. This monitoring will help you take action on the missing ESU devices to avoid the possible threats.
If you have installed the ESU key on the windows device, the information gets stored in WMI class called ‘SoftwareLicensingProduct’
If you know where does the ESU information stored in WMI, it would be easier for us to use configuration manager to gather data for further analysis.
By default, SCCM clients do not send the information about this class SoftwareLicensingProduct hence if you try to create a collection or query database using this class, you get empty results.
So to check the activation status, we can use 1) Enable the Software_licensing_product in client inventory settings (hardware inventory) 2) Use compliance settings to detect the ESU activation status and 3) script
I DO NOT recommended option 1) because SoftwareLicensingProduct class contains a lot of data that will be collected from all devices along with activation information which will bloat your database.
A simple example is, on your Windows 7, open PowerShell command and run the following syntax to see the data that is available in SoftwareLicensingProduct
Get-WmiObject -query "select * from softwarelicensingproduct"
The above command will generate a lot of data that is not required for us.
What other options do we have without bloating the database? A simple and easier method is compliance settings.
I am not doing step by step guide in this post on how to create the compliance item and compliance baseline then deploy to the collection but I will give you the steps and also the exported baseline configuration for you to import the settings into your configuration manager and deploy it.
Steps required for this:
1. Create a collection for all windows 7 and windows server 2008/R2. You can use this guide to create the collections.
2. Download the configuration baseline file (SCCM Baseline for ESU Activation.zip) from Github. This is a ZIP file which contains 2 baseline policies. After you download, you need to extract it to get .cab files.
3. Go to your configuration manager, configuration baseline, right-click, and import configuration data. Import the .cab file that you download from Github.
You will need to do this task twice because there are 2 baseline files available 1) for windows 7 and 2) for server 2008/R2.
Note: The PowerShell script that I have used in the baseline will check if the device activated with 1 year or 2 year or 3 year ESU key and report as compliant. If any of these ESU key not found, then report as non-compliant. The ESU keys are taken from this blog post. Once you import the baseline policies, you can go to CI and change the script as per your requirement.
4. You can now deploy the baseline policy to the respective collections that you created earlier.
5. Based on the schedule, clients will run through the compliance settings and report the status.
6. Run the reports to identify the list of devices that are still not installed/activated with ESU.
Once you have the data, you can use reports or create a collection for non-compliant devices for further troubleshooting.
Until next blog post!