Preparing endpoints to accept ESU patches

This topic describes how to prepare endpoints to accept Microsoft ESU patches.

Once your endpoints are subscribed to a BigFix ESU patch site, you can use the content in that site to prepare the endpoints in your deployment to accept Microsoft’s ESU patches.

Verify or Apply Prerequisite Windows Patches for ESU

Several Windows patch Fixlets are prerequisites for installing the ESU multiple activation key (MAK). The MAK installation fails if the patches are not installed. The description of the ESU Key Management: Install and Activate MAK Fixlet contains links to the prerequisite patch Fixlets for each supported operating system; some are available in the Patches for Windows site and some in the ESU patch site. Follow the link to each Fixlet and verify that it is not relevant. If any prerequisite Fixlet is relevant to the endpoints intended for ESU, apply it before installing and activating the ESU key.

Figure 1. Verifying prerequisite Windows patches for ESU

Distribute Multiple Activation Key to Enable ESU Patching

Each ESU Patching site provides Fixlets that automate the activation and deactivation of the ESU multiple activation key (MAK) you received from Microsoft, on one or many endpoints at a time. The “ESU Key Management: Install and Activate MAK” task lets you input your ESU key securely in the Fixlet description, then take action to install and activate the key on the targeted endpoints. Similarly, the “ESU Key Management: Deactivate and Uninstall MAK” task helps you remove any ESU key that is already installed on endpoints. You are not required to use BigFix to distribute the MAK, and you can use different MAKs on different sets of endpoints.

Figure 2. Install and activate MAK

Important: ESU key activation requires communicating with Microsoft, so each endpoint being activated must have Internet access. See the FAQ for more options. Once the activation is complete, Internet access is not required.

Create ESU Patching Groups in BigFix

Each BigFix ESU Patching Add-on site contains an analysis with an “ESU Keys Installed” property that identifies subscribed endpoints that have an ESU key installed and activated. The property includes the ESU key’s year and the last five characters of the installed MAK. If you have more than one MAK to manage, this helps you keep track of which key was used on which endpoints.

Figure 3. Analysis: ESU Key information - Windows 2008

By copying the analysis property Relevance into a retrieved property, you can use it to create ESU patching groups in your own deployment.

Figure 4. Create automatic computer group

Note: The ESU Installed Keys (WMI) property uses WMI queries, which can be expensive on some Windows configurations. Test before implementing as a retrieved property in your environment.
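To spot-check a single endpoint outside BigFix, the same details the analysis reports (ESU year, last five characters of the MAK, activation state) can be read locally from WMI. The script below is an added example, not the Relevance or action script from the BigFix site; the function name is hypothetical, and it assumes ESU add-on licenses appear in the SoftwareLicensingProduct class with "ESU-Year<N>" in their Name.

```powershell
# Added example: local spot check of ESU key state on one endpoint.
# Get-WmiObject is used so the script also runs on PowerShell 2.0,
# the default on Windows 7 and Windows Server 2008 R2.
# Assumption: ESU add-on licenses carry "ESU-Year<N>" in the Name property.

function Get-EsuKeyState {
    # The WHERE clause and explicit column list keep the WMI query cheap:
    # only license entries that have a product key installed are returned.
    $query = "SELECT Name, PartialProductKey, LicenseStatus " +
             "FROM SoftwareLicensingProduct " +
             "WHERE PartialProductKey IS NOT NULL"

    # LicenseStatus values as documented for SoftwareLicensingProduct.
    $statusText = @{
        0 = 'Unlicensed';      1 = 'Licensed';     2 = 'OOBGrace'
        3 = 'OOTGrace';        4 = 'NonGenuineGrace'
        5 = 'Notification';    6 = 'ExtendedGrace'
    }

    Get-WmiObject -Query $query -ErrorAction Stop | ForEach-Object {
        # Keep only ESU add-on entries and capture the ESU year number.
        if ($_.Name -match 'ESU-Year(\d+)') {
            New-Object PSObject -Property @{
                EsuYear   = [int]$Matches[1]
                # PartialProductKey holds the last five characters of the key.
                KeyLast5  = $_.PartialProductKey
                # Cast to int: LicenseStatus is UInt32, the table keys are Int32.
                Status    = $statusText[[int]$_.LicenseStatus]
                Activated = ($_.LicenseStatus -eq 1)
            }
        }
    }
}

$keys = @(Get-EsuKeyState)
if ($keys.Count -eq 0) {
    Write-Output 'No ESU key is installed on this endpoint.'
} else {
    # An installed key that is not activated shows Activated = False.
    $keys | Sort-Object EsuYear |
        Select-Object EsuYear, KeyLast5, Status, Activated |
        Format-Table -AutoSize
}
```

Run it from an elevated prompt on the endpoint. A row with Activated = False means the key was installed but activation did not complete.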

Test ESU Patch Delivery

Each BigFix ESU Patch Add-on site contains Fixlets to test ESU patching functionality on your endpoints. Take action on one and verify that the result is “Fixed”. If your endpoints are able to apply the ESU test patch successfully, it is a good indicator that they are ready for ESU patching.

Figure 5. Test ESU patch delivery