Customers may encounter issues with patch scanning, remediation, or custom software deployment to target computers running legacy Microsoft products, for example, Windows 7 and Windows Server 2008/R2, if Extended Security Update (ESU) keys are not installed and activated.
The error "A certificate chain processed but terminated in a root certificate which is not trusted" can also be an indicator of missing ESU support.
The Extended Security Update (ESU) program is the last resort for customers who need to run certain legacy Microsoft products that are past their end-of-support period. It includes critical and important security updates (as defined by the Microsoft Security Response Center) for a maximum of three years after the product’s end-of-extended-support date.
Only ESU customers are able to get updates for these operating systems after January 14, 2020.
As LanGuard uses WSUS to gather information and report on the needed updates for each system, the functionality of LanGuard performing updates for these systems does not change.
The updates look for the MAK activation at the endpoint and will only install on systems that have the MAK key. If the customer system does not have the ESU MAK key, it is not eligible to receive and install the updates; that is, all operations will ultimately fail because Windows itself refuses the updates.
If your legacy Microsoft product is included in the ESU program, follow these steps:
- Purchase ESU.
- Ensure that you have installed all of the prerequisites listed in "Obtaining Extended Security Updates (ESUs) for eligible Windows devices".
- Activate the MAK key.
- Restart the computer.
Verify that scanning and remediation issues are gone for the computers with activated MAK keys.
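
To confirm which targets actually have an activated ESU key before re-running a scan, the licensing state can be read from WMI. The script below is an added example, not part of LanGuard or of Microsoft's ESU instructions. It assumes the ESU add-on license entries carry "ESU" in their name, that WMI is reachable on the targets, and that the script file name and target list are placeholders.

```powershell
# Added example: report ESU add-on activation state on legacy Windows targets.
# Assumption: ESU add-on license entries contain "ESU" in their Name.
# Uses Get-WmiObject so it also runs on PowerShell 2.0 (Windows 7 / 2008 R2).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # placeholder target list
)

# LicenseStatus values of the SoftwareLicensingProduct WMI class
$statusText = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

function New-Row($computer, $product, $keyInstalled, $status) {
    New-Object PSObject -Property @{
        Computer = $computer; Product = $product
        KeyInstalled = $keyInstalled; Status = $status
    } | Select-Object Computer, Product, KeyInstalled, Status
}

foreach ($computer in $ComputerName) {
    try {
        $products = @(Get-WmiObject -Class SoftwareLicensingProduct `
            -ComputerName $computer -Filter "Name LIKE '%ESU%'" -ErrorAction Stop)
    } catch {
        # Target unreachable or WMI access denied: report it instead of skipping silently
        New-Row $computer 'n/a' $false ("QueryFailed: " + $_.Exception.Message)
        continue
    }

    if ($products.Count -eq 0) {
        # No ESU license entries at all: the ESU prerequisites are probably missing
        New-Row $computer 'n/a' $false 'NoEsuLicenseEntry'
        continue
    }

    foreach ($p in $products) {
        # An entry with no partial product key has never had a MAK key installed
        $hasKey = -not [string]::IsNullOrEmpty($p.PartialProductKey)
        New-Row $computer $p.Name $hasKey $statusText[[int]$p.LicenseStatus]
    }
}
```

A target is ready for ESU updates when at least one row shows `KeyInstalled` as `True` and `Status` as `Licensed`; rows reporting `NoEsuLicenseEntry` or `Unlicensed` point back to the prerequisite and activation steps above.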