Finding Windows 7 and Windows 2008 ESU MAK Key Status with ZENworks


If you still have Windows 7 or Windows Server 2008 in your environment, you are probably painfully aware of the Extended Security Update (ESU) changes Microsoft introduced in January.  Darrin VandenBos did a great job explaining the changes and how to use ZENworks to deploy updates in his article. In this article I’ll present an easy way to quickly determine which devices in your zone have properly installed and licensed ESU MAK keys. This can then be used for reporting purposes as well as a system requirement in your custom bundles to target only those devices with a valid ESU entitlement from Microsoft.

Determine whether an activation is present and licensed

The first step in the process is to determine if a machine has a properly installed and licensed ESU MAK key. To do this you can create a bundle that runs the powershell script (esucheck.ps1) in the zip file attached to this article. By default it checks to see if a Windows 7 machine is licensed for Year 1 ESUs. It has commented lines for checking for Windows Server 2008 Year 1-3 and Windows 7 years 2 and 3 as well that you can uncomment in January next year to make sure it's now checking for year 2.

The easiest way to create a bundle that runs this is to simply import the exported bundle definition ( that is part of the zip file attached to this article.When you import it, it will create a Bundle in the folder you specify called Check Win7 ESU Key. To import the bundle

  1. Login to ZCC as a user with Bundle Creation permissions.
  2. Go to the folder you wish to create the bundle in in ZCC and select New > Import Bundle
  3. Specify the ZIP file you downloaded as part of this tip article.
  4. Click Next twice and then click Finish.
  5. Click Return to Folder.

You can then customize the script action the way you want by going to the bundle properties, Actions > Launch tab and clicking on Run Script, which will display the script as shown below:



Some key things you may want to change include

Change Description

What it does


This variable determines where the output of the slmgr.vbs command is output for parsing. The default path is c:\temp.


This is the location in the registry where you want to store the value that will tell ZENworks whether there is a valid ESU license.

CSCRIPT command

By default this script checks to see if there is a valid Windows 7 Year 1 ESU license. If you want to check for a different year or for a Windows Server 2008 flavor then comment out the default cscript line and uncomment the one you want.


You should now be able to assign the bundle to a test device that has a valid Windows 7 or Windows Server 2008 ESU key installed and execute the bundle. Make sure that the Win7ESULicenseStatus and Win7ESULicensePartialKey registry values end up being written to the adfRegPath location you specified.

Use ZENworks to create reports regarding ESU status

Once you have the data in the registry, you can add it into the ZENworks database as Administrator Defined Fields (ADFs). In this article I add two of them : Windows ESU License Status and Windows ESU Partial License Key. This will allow you to then use either the built in reporting capabilities of ZENworks Control Center or ZENworks Reporting to generate reports about this data. To configure these ADFs and make sure that they are picked up on inventory do the following:

  1. Login as ZCC as a user that has zone administration rights.
  2. Select Configuration > Asset Inventory.
  3. Create the Windows ESU License Status field.
    1. Under Administrator-Defined Fields, click Workstation.
    2. Click New.
    3. In the Name field enter, Windows ESU License Status
    4. In the Default Value field, enter Not Present
    5. Click Next.
    6. Click Finish.
  4. Create the Windows ESU Partial License Key field
    1. Click New.
    2. In the Name field enter Windows ESU Partial License Key
    3. Set the Size field to 8
    4. Click Next.
    5. Click Finish.
  5. You should now have something that looks like this:jblackett_1-1586198520109.png

    Note the Internal Name of the ADFs you create so you can use them in your ZRS report.

  6. Configure the Collection Data Form to read these values from the registry on each scan.
    1. Select Configuration > Inventory > Collection Data Form
    2. If you’ve never used Collection Data Form, check the Invisible mode checkbox so that it doesn’t suddenly start asking your users for information.
    3. Find the Windows ESU License Status line item, then click the No value in the Autofill column.
    4. Enter the registry key where you wrote the status (script defaults to HKEY_LOCAL_MACHINE\Software\ZENguru\Win7ESULicenseStatus)
    5. Click OK.
    6. Find the Windows ESU Partial License Key line item, then click the No value in the Autofill column.
    7. Enter the registry key where you wrote the status (script defaults to HKEY_LOCAL_MACHINE\Software\ZENguru\Win7ESULicensePartialKe)
    8. Click OK.
    9. Click OK.
  7. Now you either need to set a Collection Data Form schedule under Configuration > Inventory > Collection Data Form Schedule or you need to enable the Collection Data Form to run in one or more of your inventory scan under Configuration > Inventory > Inventory.

When you’ve completed these steps you can now wait for the inventory scan to execute or you can force a scan with the Inventory Wizard quicktask. After your devices scan you can then run reports. To do this from ZCC:

  1. In ZCC, click Reports from the left navigation pane.
  2. Create a new folder under Inventory Custom Reports
  3. Click the folder you created.
  4. Click New.
  5. For the Name, enter Windows ESU Report.
  6. Click Continue…
  7. Under Available Columns highlight Windows ESU License Status (Workstation ADF) and Windows ESU Partial License Key (Workstation ADF) and click the > button to move them to the selected column.
  8. Click Save.
  9. Click Run. This should display a list of devices, the ESU license status and part of the key used to register the device.


If you want more of a graphical view like the one above, you can use ZENworks Reporting to build a chart report that would should you the devices. To do this:

  1. Login to ZRS as someone with rights to create reports.
  2. Select Create > Ad Hoc View.
  3. Select ZENworks Domain; then click Choose Data.
  4. Select Inventory > Mobile Inventory and Inventory > Generate Device Attributes and click the > button to move them to the Selected Fields list.
  5. Click OK.
  6. In the Table dropdown, select Chart.
  7. In the Fields section, expand Inventory > General Devices Attributes and right click Machine Name; then select Use as Measure.
  8. Under Measures right click Machine Name; then select Add to Columns.
  9. Under Inventory > Inventory Administrator Defined Fields > Workstation ADFs, right-click the ADF corresponding to the field you want (based on the internal field names you noted earlier); then click Add to Rows.
  10. Move the Data Level slider to the right. You should now have a bar chart hat shows you the breakdown of all devices. Most of which will likely show a value of Not Present.
  11. Under Inventory > General Device Attributes > System Profile, right-click Operating System; then select Create Filter.
  12. Change the filter type to Is one of and then select the Windows 7 and Windows 2008 operating system variations.
  13. Click Apply. Your chart should now show only data for devices running Windows 7 or Windows Server 2008. It should now be easy to see what the overall state of the devices are based on the license status.

You can now save this chart. You could create a similar table view that has the details of the devices and then combine them into a Dashboard if desired.

Use registry key system requirements to make ESU patches applicable only to ESU devices

In addition to using these attributes for reporting you can also use them in your system requirements. If you are using Custom Patches, you can add a System Requirement that checks for HKEY_LOCAL_MACHINE\Software\ZENguru\Win7ESULicenseStatus=Licensed (or whatever key you specified). This will cause your Custom Patches to only be flagged as Applicable if the device has an ESU MAK key. This will prevent the patches from attempting to transact on non-ESU enabled devices so that you don’t get unnecessary errors in the system.


Using the techniques described in this document you can quickly and easily identify which machines in your environment have a properly licensed ESU key so that you can deploy ESU patches to those devices. You can also see which devices may be at risk because they do not have a proper key. When combined with the techniques described in the ESU patching article you will have full reporting and patching capabilities through ZENworks.


Patch Management
Configuration Management
Comment List