BypassESU v7 AIO



BypassESU v7 AIO

* A project to install Extended Security Updates for Windows 7 and Server 2008 R2

* It consist of three parts:

– patch WU engine to allow receiving ESU updates

– suppress ESU eligibility check for OS updates (including .NET 3.5.1)

– bypass ESU validation for .NET 4 updates (4.5.2 up to 4.8) // See Notice below

## Important Notes:

* Make sure that “Windows Management Instrumentation (winmgmt)” service is not disabled

* For Live OS installation, it is recommended to install KB4538483 after WU ESU Patcher, or else a restart will be required

* After using WU patcher, if you still not offered ESU updates, try to:

> restart, then check WU

> stop wuauserv service, delete the folder “C:\Windows\SoftwareDistribution”, restart, then check WU

* You can also acquire and download the updates manually from Microsoft Update Catalog

to track the updates KB numbers, either check the official Update History page

or follow this MDL thread

* ESU updates for each month will require (at least) the latest extended SSU from previous month(s)

April 2020 updates require March SSU at least
May 2020 updates require April SSU at least
June 2020 updates require May SSU at least
July 2020 updates will require May SSU or June SSU (if any)
and so on…

* Unless you integrate the ESU Suppressor, ESU updates are not supported offline (you cannot integrate them), they must be installed online on live system.

* Extract the 7z pack contents to a folder with simple path, example C:\files\BypassESU

* Temporarily turn off Antivirus protection (if any), or exclude the extracted folder

## Prerequisite Updates

the following updates must be installed and ready before using BypassESU:

– KB4490628: Servicing Stack Update, March 2019


– KB4474419: SHA-2 code signing support update, September 2019


– Latest Extended Servicing Stack Update, KB4555449 (May 2020) or later


– KB4538483: ESU Licensing Preparation Package (only required to get updates via WU)


– Updated Windows Update Client, at least KB3138612


if you installed any Monthly Quality Rollup, or July 2016 update rollup KB3172605, both already have updated WUC

if you installed January 2020 Security Only update KB4534314, or the fix update KB4539602, both already have updated WUC

How to Use – Live OS Installation

*Make sure to install the prerequisite updates (reboot if required)

* right-click on LiveOS-Setup.cmd and “Run as administrator”

* from the menu, press the corresponding number for the desired option:

[1] Full Installation {ESU Suppressor + WU ESU Patcher + .NET 4 ESU Bypass}
most recommended option

[2] Install ESU Suppressor
mainly for security-only updates users, whom don’t need the Monthly Rollup through WU

[3] Install WU ESU Patcher
this only allow to offer ESU updates via WU

[7] Install .NET 4 ESU Bypass
this allow to install NDP4 ESU updates (manually or via WU)

* Remarks

– LiveOS-Setup.cmd will remove BypassESU-v4 if detected, and override KB4528069-Lite if present

– You get option [1] only if all Suppressor/Patcher/.NET Bypass are not installed

– ESU Suppressor cannot be uninstalled after installing ESU updates, and option [5] is not shown in that case

– Warning: unless you have another bypass installed, ESU updates installation will fail if you used option [3] alone

How to Use – Offline Image/Wim Integration

* Wim-Integration.cmd support two target types to integrate BypassESU:

[1] Direct WIM file (not mounted), either install.wim or boot.wim

[2] Already Mounted image directory, or offline image deployed on another partition/drive/vhd

** Direct WIM file integration **

– place install.wim or boot.wim (one of them, not both) next to Wim-Integration.cmd, then run the script as administrator

– alternatively, run the script as administrator, and when prompted, enter the full path for the wim file

– choose the desired option from the menu (similar to live setup)

– Notes about this method:

it will integrate KB4528069-Lite, and it does not need the prerequisite updates

it will also integrate the Suppressor for winre.wim, if it exists inside install.wim

it does not provide options to remove the Suppressor/Patcher/.NET Bypass, for that, mount the wim image then use second method


** Mounted directory / offline image integration **

– manually mount the image of install.wim or boot.wim
no need for this step if the image is already deployed on another partition/drive/vhd, example Z:\

– Make sure to integrate the prerequisite updates

– right-click on Wim-Integration.cmd and “Run as administrator”

– enter the correct path for mounted directory or offline image drive letter

– choose the desired option from the menu (similar to live setup)

– afterwards, continue to integrate other updates, including ESU updates

– manually unmount install.wim/boot.wim image and commit changes

## Download


– IMI Kurwica
– mspaintmsi (superUser)
– @Enthousiast (testing)

– Notice: Regarding .NET 4 ESU Bypass

it has incompatibility issue and may cause msiexec.exe or other Windows Installer (MSI) programs to stop working
therefore, it’s recommended to install it only when new .NET 4 updates are available, then remove it after installing the updates

if it fails to install .NET 4 updates, temporary disable Antivirus protection, or try the revised separate bypass

– Tutorial: Using BypassESU AIO + ESU Updates Overview

– Troubleshoot Q&A:

– Note for KabeLake/Ryzen CPUs with wufuc patcher:

– dotNetFx4 ESU Bypass to install .NET 4.x ESU updates

– KUC W7 UpdateChecker now support ESU

– W7ESUI: Standalone Installer for ESU updates without bypass