Windows Server 2012/R2: Extended Security Updates

  • Thread starter Thread starter Poornima Priyadarshini
  • Start date Start date
P

Poornima Priyadarshini

You can now get three additional years of Extended Security Updates (ESUs) if you need more time to upgrade and modernize your Windows Server 2012, Windows Server R2, or Windows Embedded Server 2012 R2 on Azure. This also applies to Azure Stack HCI, Azure Stack Hub, and other Azure products.


Note: Windows Server 2012, Windows Server 2012 R2, and Windows Embedded Server 2012 R2 reached end of support on October 10th, 2023, per our 10-year lifecycle policy. After this date, no more security patches will be released for these versions of Windows Server. For ease of reference, we'll sometimes refer to these versions as Windows Server 2012/R2 version family.

If you've already moved to Azure to protect your Windows Server 2012 and R2 workloads, you might be enjoying free Extended Security Updates. If your organization is unable to migrate, you can purchase and seamlessly deploy Windows Server 2012 Extended Security Updates enabled by Azure Arc on premises and in hosted environments without keys, directly from the Azure portal. As an alternative to Azure Arc, let's look at the steps to purchase and deploy ESUs—on premises and in hosted environments—using multiple activation keys (MAK). It takes four easy steps:

  1. Purchase and download the ESU key.
  2. Prepare to install the ESU key.
  3. Install the ESU key.
  4. Activate the ESU key.
Purchase and download the ESU key


Extended Security Updates (ESUs) are available through specific Microsoft Volume Licensing programs. Beginning October 10, 2023, you can purchase ESUs for up to three consecutive 12-month increments. This means you can be covered beginning on November 14, 2023 and through October 13, 2026. Note: You cannot buy partial periods (e.g., 6 months of updates).


Note: People tend to refer to ESU keys interchangeably as multiple activation keys (MAK), ESU product keys, or ESU license keys.

Download the ESU keys on the Microsoft admin center by doing the following.

  1. Go to Microsoft admin center.
  2. In the Your products section, select View contracts.

848x668?v=v2.pngScreenshot of the Your products page in Microsoft admin center.

  1. Select the three dots to the right of each license ID for more actions and select View Product Keys. All the product keys for the agreement will be available there.

331x404?v=v2.pngScreenshot of a close-up view of Contracts highlighting the menu option to View product keys.

Prepare to install the ESU key


Let's ensure you're ready for continued security updates after October 10, 2023. Prerequisites vary depending on the scenario, but double-check that your devices are up to date, you have appropriate licensing preparation package and keys, as well as firewall readiness.

Update your devices with the latest Servicing Stack Updates


Check that you have the following updates installed for all Windows Server 2012 and Windows Server 2012 R2 scenarios, including for embedded systems. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.

  • For Windows Server 2012 R2 or Windows Embedded Server 2012 R2, install the servicing stack update (SSU) (KB5029368) that is dated August 8, 2023 or a later SSU.
  • For Windows Server 2012, install the servicing stack update (SSU) (KB5029369) that is dated August 8, 2023 or a later SSU.

Note: If you use Windows Update, these updates will be offered automatically as needed. You must restart your device after you install the required updates.
Download required licensing packages and keys

  1. Download and install the Extended Security Updates (ESU) Licensing Preparation Package.
    • For Windows Server 2012 R2 or Windows Server 2012 R2 Embedded, see the Extended Security Updates (ESU) Licensing Preparation Package that is dated August 10, 2022 (KB5017220).
    • For Windows Server 2012, see the Extended Security Updates (ESU) Licensing Preparation Package that is dated August 10, 2022 (KB5017221).
  2. Download the ESU multiple activation keys (MAK) add-on key from the VLSC portal.
  3. For Windows Server 2012 and Windows Server 2012 R2 virtual machines on Azure or Azure Stack HCI, ESU updates are automatically unlocked. That means that you don't need to deploy the ESU keys, nor do you need the licensing preparation package. For Windows Servers that run on premises with Azure Arc, follow instructions in Deliver Extended Security Updates for Windows Server 2012 - Azure Arc.
Configure firewall allow lists for activation


If you're using a proxy firewall, you may need to allow-list the activation endpoints for ESU key activation to succeed.

For online activation (i.e., local key deployment), allow-list all the following URLs:


For proxy activation using the Volume Activation Management Tool (VAMT), allow-list the following URLs:


Note: If you directly click or tap on these links, you'll receive a privacy error message. This is the expected behavior.

Here are the requirements for applying ESUs to your scenarios:


Scenario

SSU update required?

Licensing Preparation Package required?

VMs running on Azure/Azure Stack HCI

Yes

No

Azure-Arc enabled physical/virtual machines (VMs)

Yes

No

Azure VMWare/Nutanix Solutions

Yes

Yes

On premises devices fully or partially connected (physical or virtual)

Yes

Yes
Install the ESU key


Once you have met the prerequisites listed above, you're ready to install and activate the ESU key.


Note: Installing the ESU product key will not replace the existing Windows OS product key on the device. Do not use the /upk command to uninstall the Windows OS key.

First, install the ESU key using the Windows Software Licensing Management (Slmgr.vbs) tool. Let's see how you'd then activate it.

  1. Open an elevated command prompt.
  2. Type cscript.exe %windir%\system32\slmgr.vbs /ipk <ESU key> and select Enter.
  3. If the product key is installed successfully, you'll see a message like the following:

791x378?v=v2.pngA command prompt popup message confirms successful installation of the ESU product key.


Note: If you see the Error:0xC004F050 while trying to install the ESU product key, your device may require an additional reboot.

Next, find the ESU Activation ID in the Get your ESU Activation ID table below:

  1. In the elevated command prompt, type cscript.exe %windir%\system32\slmgr.vbs /dlv and select Enter.
  2. Note the Activation ID as you will need it in the next step.

574x527?v=v2.pngA Windows Script Host dialog box shows the Activation ID number along with other details.

The following table outlines possible values for ESU Activation ID. The activation IDs are the same across all eligible Windows ESU editions and all devices enrolled for that program.


ESU Program

ESU SKU (or Activation) ID

Server – 2012/R2 Year 1

c0a2ea62-12ad-435b-ab4f-c9bfab48dbc4

Server – 2012/R2 Year 2

e3e2690b-931c-4c80-b1ff-dffba8a81988

Server – 2012/R2 Year 3

55b1dd2d-2209-4ea0-a805-06298bad25b3

Embedded Server – 2012/R2 Year 1

5f7d1147-3adc-4b28-8e57-4713ab7623cd

Embedded Server – 2012/R2 Year 2

050b873b-763b-437b-b7c5-9efbeb96ae32

Embedded Server – 2012/R2 Year 3

d44f8a8e-5129-4999-9fe0-5025c2341033
Activate the ESU key


Once you have completed your allow lists, you're ready to activate the ESU product key. To deploy and activate the ESU MAK add-on key, you'll need Slmgr.vbs or Volume Activation Management Tool (VAMT).


Note: If you use VAMT, you have to update the VAMT configuration files. If you use online activation, make sure the device has access to the Microsoft Activation server endpoints. See Extended Security Updates (ESUs): Online or proxy activation for step-by-step instructions.
  1. Open an elevated command prompt.
  2. Type cscript.exe %windir%\system32\slmgr.vbs /ato <ESU Activation Id> and select Enter.

You should now see a message stating that you have activated the key successfully:

750x311?v=v2.pngA Windows Script Host dialog box confirms that the product was activated successfully.


Important: Activation via Control Panel > System and Security > System > Activate Windows activates the Windows operating system only. You cannot use it to activate ESU keys.

Once you have activated the ESU product key, verify the status at any time by doing the following:

  1. Open an elevated command prompt.
  2. Type slmgr /dlv and select Enter.

The License Status will show as "Licensed" for the corresponding ESU program, as shown below:

577x531?v=v2.pngThe Windows Script Host dialog box shows the name and the license status for the year 1 ESU add-on, along with other details.


Note: We recommend using a management tool, such as System Center Configuration Manager (also known as Configuration Manager or SCCM), to send the Slmgr.vbs scripts to your enterprise devices.

Once the ESU key is activated, continue to use your current update and servicing strategy to deploy ESUs through Windows Update, WSUS, the Microsoft Update Catalog, or whichever patch management solution you prefer. Extended Security Updates will have the security-only update classification.

A special case of Azure virtual machines


The good news is that you don't need to deploy an additional ESU key for Azure virtual machines (VMs), Azure Stack HCI, version 21H2 and later. Like on-premises devices, you'll need to install the appropriate SSUs as outlined in the "Prepare to install the ESU key" section above. With those SSUs, VMs will be enabled to download the ESU updates.

Would you ever need to deploy the ESU key for Azure products? Yes. You'll do this for Azure VMWare, Azure Nutanix solution, Azure Stack (Hub, Edge), or for bring-your-own images on Azure for Windows Server 2012 and Windows Server 2012 R2. Just follow the steps to install, activate, and deploy ESUs described above in the "Activate the ESU product key" section.

A pre-patched Windows Server 2012 R2 image is available from the Azure Marketplace. For answers to commonly asked questions about ESU for Windows Server 2012/R2 version family, see Extended Security Updates frequently asked questions.

Our recommendation for the highest compliance and security of your Windows Server estate is Azure. And while you're planning to migrate, you can purchase and seamlessly deploy Windows Server 2012 Extended Security Updates enabled by Azure Arc on premises and in hosted environments without keys, directly from the Azure portal.

Resources


Take a look at additional resources to find out more about Extended Security Updates for Windows Server 2012, Windows Server 2012 R2, and Windows Embedded Server 2012 R2.


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.

Continue reading...
 
Back
Top