Use SCCM compliance settings to detect the ESU activation for windows 7 and server 2008

As you already know that, Windows 7 and windows server 2008/R2 has reached their end of support lifecycle on January 14, 2020, however you can purchase the extended security updates (ESU) for windows 7 and server 2008/R2 through volume licensing to make sure these devices are protected. For more information about how to purchase the ESU, refer to this blog.

After you have purchased the ESU, you can install and activate window 7 or server 2008/R2 devices using Configuration Manager task sequence or scripting or by other means. There are multiple posts on the internet on how to install ESU.

In this blog post, we will see how to check the activation status of ESU on windows 7 and server 2008/R2. This monitoring will help you take action on the missing ESU devices to avoid the possible threats.

If you have installed the ESU key on the windows device, the information gets stored in WMI class called ‘SoftwareLicensingProduct

If you know where does the ESU information stored in WMI, it would be easier for us to use configuration manager to gather data for further analysis.

By default, SCCM clients do not send the information about this class SoftwareLicensingProduct hence if you try to create a collection or query database using this class, you get empty results.

So to check the activation status, we can use 1) Enable the Software_licensing_product in client inventory settings (hardware inventory) 2) Use compliance settings to detect the ESU activation status and 3) script


I DO NOT recommended option 1) because SoftwareLicensingProduct class contains a lot of data that will be collected from all devices along with activation information which will bloat your database.

A simple example is, on your Windows 7, open PowerShell command and run the following syntax to see the data that is available in SoftwareLicensingProduct

Get-WmiObject -query "select * from softwarelicensingproduct"

The above command will generate a lot of data that is not required for us.

What other options do we have without bloating the database? A simple and easier method is compliance settings.

I am not doing step by step guide in this post on how to create the compliance item and compliance baseline then deploy to the collection but I will give you the steps and also the exported baseline configuration for you to import the settings into your configuration manager and deploy it.

Steps required for this:

1. Create a collection for all windows 7 and windows server 2008/R2. You can use this guide to create the collections.

2. Download the configuration baseline file (SCCM Baseline for ESU from Github. This is a ZIP file which contains 2 baseline policies. After you download, you need to extract it to get .cab files.

3. Go to your configuration manager, configuration baseline, right-click, and import configuration data. Import the .cab file that you download from Github.

You will need to do this task twice because there are 2 baseline files available 1) for windows 7 and 2) for server 2008/R2.

Note: The PowerShell script that I have used in the baseline will check if the device activated with 1 year or 2 year or 3 year ESU key and report as compliant. If any of these ESU key not found, then report as non-compliant. The ESU keys are taken from this blog post. Once you import the baseline policies, you can go to CI and change the script as per your requirement.

4. You can now deploy the baseline policy to the respective collections that you created earlier.

5. Based on the schedule, clients will run through the compliance settings and report the status.

6. Run the reports to identify the list of devices that are still not installed/activated with ESU.


Once you have the data, you can use reports or create a collection for non-compliant devices for further troubleshooting.


Until next blog post!

Recommended articles:

Windows 7 support ended on January 14, 2020

FAQ about Extended Security Updates for Windows 7

6 Responses to "Use SCCM compliance settings to detect the ESU activation for windows 7 and server 2008"

    1. Thanks for the positive feedback.
      There are many blogs post out there on the internet to apply the ESU keys using SCCM but i have used the task sequence to install the prereq required for it and then deploy the ESU keys.


  1. I have been following your blogs for few years now and find it really helpful. The most important factor for any of your blogs are you write it keeping the current situation in mind. For example ESU CI & CB. If you ask me then i can create these CI's and CB's on my own by investing probably 2 days but since we always get the information about our requirement by ESKONR which saves 2 days of your time and make our life easier we just copy it from you. Major part is we don't have to test a lot because so far none of your methods broke anything in our infrastructure even in production environment so we feel confident 🙂 Your help is much appriciated.

    1. Glad you liked it and thanks Deepak for your positive comments and always feel good to hear such things and contribute more to the community.



Leave a Reply