Frequently Asked Questions

Learn the answers to frequently asked questions about ESU patching with BigFix.

I already have a BigFix ESU Patching add-on. Do I still need to subscribe to Microsoft’s ESU program?
The BigFix ESU Patch Add-ons provide the same automation and visibility for ESU patches that BigFix provides for the standard Windows patches, in addition to providing a mechanism to automate ESU key management. However, unlike standard Windows patches, a special license key is required to install the ESU patches. You can obtain the ESU license key only through a subscription to Microsoft’s ESU program.
Should I pre-cache the ESU patches manually?
Microsoft anticipates providing ESU patches by using publicly accessible URLs at this time, which your BigFix server can download without any manual caching effort.
How do I check which endpoints are entitled to ESU patches?
An analysis is provided in each BigFix ESU Patch Add-on site with a property that reports a list of endpoints that have ESU keys installed.
On how many BigFix servers can I enable the ESU content sites?
The BigFix ESU Patch Add-on product is licensed to your organization’s HCL subscribenet account - you can use it on any of your BigFix root servers covered in that account. We provide enough license units at purchase to cover most use cases. If you need more license units than are provided in your account, or if you are a managed service provider, contact HCL BigFix Support.
Can I use ESU Fixlets in other baselines?
You can use ESU patch Fixlets in any baseline, provided the target endpoints are subscribed to the ESU patch site.
My BigFix deployment is airgapped. How do I activate my ESU keys?
If your endpoints do not have access to the Internet, you cannot activate ESU MAK directly; hence, the ESU Key Management tasks do not work for them. For such cases, Microsoft provides the Volume Activation Management Tool (VAMT). For details, see VAMT
Can I activate the Multiple Activation Key (MAK) more than once?
On an endpoint in which the ESU MAK is already installed, the MAK activation fixlet becomes relevant and the deactivation fixlet becomes irrelevant. While testing the activation and deactivation of MAK, no specific issues with applying the MAK to the same endpoint more than once were found.
Should I activate MAK for all my endpoints at the same time?
Not necessarily. You can activate your endpoints MAK by using the BigFix Fixlet, or by using the other methods. The Fixlet content for applying the patches only checks whether the MAK is applied and activated, and not the method of activation. This check is a WMI call which you can see in the Fixlet relevance.
I do not have an ESU entitlement for a few endpoints. How do I handle patching in this case?
For each patch Fixlet in a BigFix ESU Patch Add-on site, a corresponding “unentitled” Fixlet is provided. Unlike the actual ESU patch Fixlets, the “unentitled” Fixlets become relevant only to endpoints that do NOT have an activated ESU key installed (and they do not have a patch action because the installation of ESU patches on an unentitled endpoint fails). These Fixlets let you track which patches vulnerable endpoints need even if those endpoints are not in the scope of the ESU program.

How can I check the ESU keys on my endpoints?
The ESU Patching add-on sites contains “ESU Keys Information” analysis which includes “ESU Keys Installed (WMI)” property. This property shows all the ESU keys that are installed on each endpoint.




Note: The property has a 6-hour update interval, so you will need to send a refresh to endpoints that had keys recently added or removed to see the changes.
I have an ESU key installed. Why are some fixlets showing “Unentitled”?
Each ESU patch from Microsoft requires a particular ESU key installed, depending on when the patch was released. For example, a patch from January 2021 requires a Year 1 ESU key while a patch from February 2021 requires a Year 2 ESU key. If the required key is not present on the endpoint, the “Unentitled” version of the patch Fixlet is relevant instead of the entitled (actionable) version.
The following example shows relevant ESU fixlets for an endpoint with a Year 1 key but no Year 2 key:



Check the “ESU Keys Installed (WMI)” property to view the ESU keys that are installed on an endpoint.