Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management

2 Likes
over 1 year ago

On January 14, 2020, Microsoft officially ended support for Windows 7 and Windows Server 2008. If you purchased their Extended Security Updates (ESU) program in order to continue patching devices running these operating systems, ZENworks Patch Management provides two deployment options:

  • Add-On Subscription: You can purchase the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. This add-on subscription enables ESUs to be downloaded automatically through the ZENworks patch feed and installed to eligible devices using standard ZPM deployment functionality.
  • Custom Patches: You can manually download the ESUs from the Microsoft Update Catalog, use ZENworks Configuration Management to create a bundle that installs the patch, and then create a custom patch that allows you to distribute the patch to devices and track their patch status.

The remainder of this article provides details for each option.

NOTE: This information assumes that you have purchased Microsoft ESU licenses for the Windows 7 and Windows Server 2008 devices you want to patch, and that you have correctly configured the devices to support the installation of ESUs. If you have not, refer to this Microsoft article.

Option 1: Add-On Subscription

The ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates delivers ESUs through the patch feed. Patching of Windows 7 and Windows Server 2008 devices continues to work the same way it did when Microsoft provided updates for these operating systems as a free service rather than as a paid service.

Here are the key things to know when considering the add-on subscription:

  • The Add-On Subscription pricing is $30,000 USD for 1 year (15 Jan 2020 – 14 Jan 2021) of ESU downloads.
  • The Add-On Subscription is in addition to your standard ZENworks Patch Management subscription license; you must have both an active ZPM subscription license and the Add-On Subscription to receive ESUs.
  • The Add-On Subscription is in addition to your Microsoft ESU licenses; you must first purchase those licenses through Microsoft.
  • The Add-On Subscription covers all of your eligible ZENworks-managed devices. An eligible device is one for which you have a Microsoft ESU license and a standard ZPM subscription license.
  • The Add-On Subscription is supported for ZENworks 2017 Update 4 and ZENworks 2020. You must apply a patch to your Patch Server (the Primary Server running the Patch Subscription Service). The patch is made available through your customer portal after purchase.
  • The Add-On Subscription includes a license key that must be entered in ZENworks Control Center to activate the service. The license key is made available through your customer portal after purchase.

Contact your ZENworks Sales Representative if you are interested in the Add-On Subscription.

Option 2: Custom Patches

The custom patch functionality in ZENworks Patch Management provides the ability to distribute patches that you do not receive through the patch feed. This requires you to first use ZENworks Configuration Management to include the patch in a bundle. If you do not have ZENworks Configuration Management, this option will not work for you.

Here are detailed steps for creating a custom patch for an ESU:

  1. Download the ESU file from the Microsoft Update Catalog (catalog.update.microsoft.com).

    For these instructions, I’m using the 2020-02 Security Only Update for Windows 7 for x64-based Systems (KB4537813). Its filename is windows6.1-kb4537813-x64_9747e7510da5a465ee86597bb35da721bb364785.msu.

  2. Create a bundle for the ESU:
    1. In ZENworks Control Center, go to the Bundles list.
    2. Click New > Bundle.
    3. Select Windows Bundle > click Next.
    4. Select (Empty Bundle) > click Next.
    5. Name the bundle (for example, Bundle 2020-02 Security Only Update for Windows 7 ) > click Next.
  3. Click Finish to create the bundle and display its Actions page.
    bundle_new_post.png
  4. Configure the bundle Actions to install the ESU.
    1. Add an Install action to copy the ESU package to the device:
      1. Click the Install tab, then select Add > Install Files(s) to display the Add Action – Install File(s) dialog.
      2. Change the Action Name to Distribute Update Package.
      3. In the File Details list, click Add to display the Select Files dialog.
      4. Click Add, then use the ZCC Helper to upload the ESU package.
      5. In the Destination Directory field, enter %temp% to have the package copied to the temp directory on the device.
        Add Action - Install Files - Select Files_post.png











      6. Click OK.
        Edit Action - Install Files_post.png















      7. Ensure that the Executable Security Level is set to Run as a secure system user, then click OK to add the action.
    2. Add an Install action to install the update on the device:
      1. Click the Install tab, then select Add > Launch Executable to display the Add Action – Launch Executable dialog.
      2. Change the Action Name to Install Update.
      3. In the Command field, enter wusa.exe. This command launches the Windows Update Standalone Installer.
      4. In the Command Line Parameters field, enter %temp%\<filename> /quiet /norestart

        For example:
        %temp%\windows6.1-kb4537813-x64_9747e7510da5a465ee86597bb35da721bb364785.msu /quiet /norestart
      5. In the Success Return Codes field, enter 0,3010.
        Add Action - Launch Executable_post.png


















      6. Click the Advanced tab.
      7. Select Proceed when an action is complete.
      8. Select Run as a secure system user.
        Add Action - Launch Executable - Advanced_post.png


















      9. Click OK to add the action.
    3. Add an Install action to remove the ESU package after it is installed:
      1. Click the Install tab, then select Add > File Removal to display the Add Action – File Removal dialog.
      2. Change the Action Name to Remove Update Package.
      3. In the Full Path to Source Files/Directories field, enter %temp%\<filename>, then click Add.

        For example:
        %temp%\windows6.1-kb4537813-x64_9747e7510da5a465ee86597bb35da721bb364785.msu
        Add Action - File Removal_post.png


















      4. Click OK to add the action.
        bundle_actions_configure_post.png
      5. Click Apply to save the Install actions.
  1. Configure the bundle Requirements to determine which devices the bundle applies to.
    1. Click the Requirements tab.
    2. In the System Requirements add the following requirements:
      1. Architecture = 64
        NOTE: If you are distributing a 32-bit patch, select 32 instead.
      2. Operating System – Windows Version = 6.1 – Windows 7 / Windows Server 2008 R2 Versions
        bundle_requirements_configure_post.png
    3. Click Apply to save the requirements.

  2. Click Publish and follow the prompts to publish the bundle.

  3. Create a custom patch using the bundle:
    1. Click Security > Patches to display the Patches list.
    2. In the list, click New to launch the custom patch wizard.
    3. Select the ESU bundle you created, then click Next.
    4. Modify the following details, then click Next.
      • Name: This defaults to the bundle name. You can change it as desired. For example, you could add CP to indicate it is a custom patch.
      • Impact: Select Critical.
      • Vendor: Enter Microsoft.
        UPDATE: Recently Susan Perrin in Support helped a customer who used Microsoft as the Vendor but did not have the Microsoft vendor setting enabled in the Subscription Service Content Download setting. They had disabled the Microsoft  vendor setting because all Microsoft patches now use Microsoft Corp. as the vendor. Because they had disabled Microsoft as a vendor for which they wanted patches, each time the subscription update ran it disabled their custom patch. So...to ensure that this doesn't happen, you have a few options: 1) Enable Microsoft as a vendor, 2) use Microsoft Corp. as the vendor instead, or 3) use your own vendor designation such as Custom Microsoft.
      • Vendor Product ID: Unless you know the ID, leave this field blank.
      • Requires Reboot: Select this so that a reboot is required.
      • Description: Define as desired.
        custom_patch_details_post.png
    5. Click Finish to create the custom patch and add it to the Patches list.

  1. Run the Subscription process to add the custom patch to the Windows 7 DAU (scan file).

    The Windows 7 DAU (scan file) contains the patch signatures that are applicable to Windows 7 devices. It is created automatically whenever the patch subscription runs. Once the DAU is distributed to devices, the devices can scan using the file and report back the Patched/Not Patched status of any patches that are applicable to the device.

    In order for the signature file for the custom patch to be included in the Windows 7 DAU file, the subscription must be run. Then, any patch scans run on Windows 7 devices using the new DAU file can report the patch status for the custom patch.

    1. Click Security > Patch Dashboard.
    2. Click the Patch Subscription Status dashlet to expand it.
    3. Click Discover Patches to run the subscription update process.

    NOTE: These instructions are for ZENworks 2020. If you are using an older version of ZENworks, you will need to use the Update Now option in the Patch Subscription Service Settings (Configuration > Management Zone Settings > Patch Management).

  2. Apply the ESU to Windows 7 devices using either a Patch Policy or a Remediation Bundle.

    At this point, the custom patch works the same way as other patches you receive through the patch feed. You can apply it using your normal methods. After it is successfully installed on a device, the device’s patch status will change to Patched.

    Be aware that the installation of an ESU to a device that does not have a Microsoft ESU license will fail upon device reboot. The device reverts to its pre-update state, but the user still sees the failed update.

    To avoid this scenario, we recommend that you isolate the distribution of the updates to only the devices configured with Microsoft ESU MAK licenses. Here are a couple of ways you could do this:

    • Create groups for your Windows 7 ESU devices and Windows Server 2008 ESU devices and apply ESUs to only those groups.
    • Use a bundle to create a unique registry key on the ESU devices and then identify the registry key as a System Requirement in the ESU bundle you create. With this approach, the ESU custom patch would only be applicable on ESU devices even if assigned to non-ESU devices.
    • Use the article and script created by Jason Blackett to identify which devices have an activated ESU MAK license. At that point, you can use the MAK license status as criterion in the bundle system requirements to determine if the custom patch is applicable to the device.

 

Labels:

How To-Best Practice
Patch Management
Comment List
Anonymous
Related Discussions
Recommended