Microsoft has thrown a wrench into the workings of its long-touted Windows 7 post-retirement support, telling IT administrators that there was a brand new prerequisite that must be installed before they can download the patches they'd already paid for.
The last-minute requirement was titled "Extended Security Updates Licensing Preparation Package" and identified as KB4538483 in Microsoft's numerical format.
The licensing prep package can be downloaded manually from the Microsoft Update Catalog. It should also appear in WSUS (Windows Server Update Services), the patch management platform used by many commercial customers. It will not, however, be automatically delivered through the Windows Update service, which some very small businesses rely on to provide them necessary patches.
Cumbersome might be a word for the process of handling the new requirement. "So we have to deploy the license prep package, reboot, rescan for updates, install the new updates and reboot again?" asked someone identified only as Eric on Twitter. He claimed he was an administrator for more than 15,000 Windows clients in Cincinnati.
"That is correct," replied the Windows Update Twitter account.
Failing to deploy KB4538483 means that PCs running Windows 7 - and which had been prepped to receive the first post-retirement Extended Security Updates (ESU) released Tuesday, February 11 - would not get the security updates.
Prior to this week, Microsoft had said nothing of the last-second requirement, although the company had been loquacious during the run up to ESU's debut this month.
Microsoft had spelled out instructions for acquiring ESU and readying Windows 7 systems for the patches arrival. Even as KB4538483 hit the Update Catalog and Microsoft revised its step-by-steps - including here and here - notification of the new prerequisite was extremely low key.
No wonder KB4538483 caught admins by surprise.
"For small businesses this was very disruptive," said Susan Bradley, a computer network and security consultant, the moderator of the PatchMangement.org mailing list and the contributor known as "The Patch Lady" to the AskWoody.com Windows tip site. Bradley had actively investigated how small businesses could acquire ESUs in the months before the program's launch.
"I had to personally assist several of my clients in purchasing these keys, thought they were all set and had to reach out to them, remote into their computers and install this last minute update knowing that they wouldn't know how to get this patch, nor exactly how to install it since they normally do not go to the Microsoft catalog site," she said.
Bradley, like anyone outside Microsoft, had no idea why the Redmond, Wash. company sprung the surprise on ESU customers. "It didn't act like a normal servicing patch," she observed. After investigating further, Bradley speculated that KB4538483 was "licensing related."
Computerworld asked Microsoft to explain KB4538483, posing questions including, "Why was KB4538483 suddenly necessary?" and "Did Microsoft overlook something prior?"
"The Extended Security Updates (ESU) License Preparation Packages (KB 4538483 & KB4538484) address activation experience requirements identified during our testing and evaluation with a large population of preview customers," Microsoft said, answering-and-not-answering the queries, a common occurrence.
"We introduced the ESU License Preparation Packages at launch on February 11, 2020, to provide a consistent user experience going forward, minimum number of package installations and minimise overall customer disruption."
More disruption now so there would be less disruption later? Okay.
"The idea behind paid-for security patches is to make it easier to be patched while you are still running Windows 7, not make it harder to get updates," Bradley told Woody Leonard, a columnist for Computerworld and the head of AskWoody.com.