Preparing endpoints to accept ESU patches

After subscribing the endpoints in your deployment to a BigFix ESU patch site, you can use the content in the site to prepare the endpoints to accept the ESU patches.


  1. Verify or apply the prerequisite Windows patches for ESU.
    There are multiple Windows patch Fixlets that are pre-requisites for installing the ESU Multiple Activation Key (MAK). The MAK installation fails if the patches are not installed. The ESU Key Management: Install and Activate MAK Fixlet description contains links to the pre-requisite patch Fixlets for each supported operating system, some of which are available in the Patches for Windows site and some of which are available in the ESU patch site. Follow the links to each Fixlet and verify which is not relevant; if any Fixlet patch is relevant to the endpoints intended for ESU, you should apply it before installing and activating the ESU key.

  2. Distribute Multiple Activation Key (MAK) to enable ESU patching.
    Fixlets are provided in each ESU Patching site to automate the activation and deactivation of the ESU multiple activation key (MAK) you received from Microsoft® on many endpoints at a time. The ESU Key Management: Install and Activate MAK task allows you to input your ESU key securely in the Fixlet description and take action to install and activate the key on the targeted endpoints. Similarly, with the ESU Key Management: Deactivate and Uninstall MAK task, you can remove any ESU key that is already installed on endpoints.

    Important: The activation of ESU keys requires each endpoint to be connected to the internet and be able to communicate with Microsoft®. For more options, see Frequenty Asked Questions.
  3. Create ESU patching groups in BigFix.
    Each BigFix ESU Patching Add-on site contains an analysis with a ESU Keys Installed property that identifies subscribed endpoints that have a ESU key installed and activated, and also includes the ESU key’s year and the last five characters of the installed MAK. If you have more than one MAK to manage, this will help you keep track of which key was used on which endpoints.

    By copying the analysis property Relevance into a retrieved property, you can use it to create ESU patching groups in your own deployment.

    Note: The ESU Installed Keys (WMI) property uses WMI queries, which can be expensive on some Windows configurations. Test before implementing as a retrieved property in your environment.