P
Poornima Priyadarshini
You can now get three additional years of Extended Security Updates (ESUs) if you need more time to upgrade and modernize your Windows Server 2012, Windows Server R2, or Windows Embedded Server 2012 R2 on Azure. This also applies to Azure Stack HCI, Azure Stack Hub, and other Azure products.
If you've already moved to Azure to protect your Windows Server 2012 and R2 workloads, you might be enjoying free Extended Security Updates. If your organization is unable to migrate, you can purchase and seamlessly deploy Windows Server 2012 Extended Security Updates enabled by Azure Arc on premises and in hosted environments without keys, directly from the Azure portal. As an alternative to Azure Arc, let's look at the steps to purchase and deploy ESUs—on premises and in hosted environments—using multiple activation keys (MAK). It takes four easy steps:
Extended Security Updates (ESUs) are available through specific Microsoft Volume Licensing programs. Beginning October 10, 2023, you can purchase ESUs for up to three consecutive 12-month increments. This means you can be covered beginning on November 14, 2023 and through October 13, 2026. Note: You cannot buy partial periods (e.g., 6 months of updates).
Download the ESU keys on the Microsoft admin center by doing the following.
Screenshot of the Your products page in Microsoft admin center.
Screenshot of a close-up view of Contracts highlighting the menu option to View product keys.
Prepare to install the ESU key
Let's ensure you're ready for continued security updates after October 10, 2023. Prerequisites vary depending on the scenario, but double-check that your devices are up to date, you have appropriate licensing preparation package and keys, as well as firewall readiness.
Update your devices with the latest Servicing Stack Updates
Check that you have the following updates installed for all Windows Server 2012 and Windows Server 2012 R2 scenarios, including for embedded systems. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
Download required licensing packages and keys
If you're using a proxy firewall, you may need to allow-list the activation endpoints for ESU key activation to succeed.
For online activation (i.e., local key deployment), allow-list all the following URLs:
For proxy activation using the Volume Activation Management Tool (VAMT), allow-list the following URLs:
Here are the requirements for applying ESUs to your scenarios:
Install the ESU key
Once you have met the prerequisites listed above, you're ready to install and activate the ESU key.
First, install the ESU key using the Windows Software Licensing Management (Slmgr.vbs) tool. Let's see how you'd then activate it.
A command prompt popup message confirms successful installation of the ESU product key.
Next, find the ESU Activation ID in the Get your ESU Activation ID table below:
A Windows Script Host dialog box shows the Activation ID number along with other details.
The following table outlines possible values for ESU Activation ID. The activation IDs are the same across all eligible Windows ESU editions and all devices enrolled for that program.
Activate the ESU key
Once you have completed your allow lists, you're ready to activate the ESU product key. To deploy and activate the ESU MAK add-on key, you'll need Slmgr.vbs or Volume Activation Management Tool (VAMT).
You should now see a message stating that you have activated the key successfully:
A Windows Script Host dialog box confirms that the product was activated successfully.
Once you have activated the ESU product key, verify the status at any time by doing the following:
The License Status will show as "Licensed" for the corresponding ESU program, as shown below:
The Windows Script Host dialog box shows the name and the license status for the year 1 ESU add-on, along with other details.
Once the ESU key is activated, continue to use your current update and servicing strategy to deploy ESUs through Windows Update, WSUS, the Microsoft Update Catalog, or whichever patch management solution you prefer. Extended Security Updates will have the security-only update classification.
A special case of Azure virtual machines
The good news is that you don't need to deploy an additional ESU key for Azure virtual machines (VMs), Azure Stack HCI, version 21H2 and later. Like on-premises devices, you'll need to install the appropriate SSUs as outlined in the "Prepare to install the ESU key" section above. With those SSUs, VMs will be enabled to download the ESU updates.
Would you ever need to deploy the ESU key for Azure products? Yes. You'll do this for Azure VMWare, Azure Nutanix solution, Azure Stack (Hub, Edge), or for bring-your-own images on Azure for Windows Server 2012 and Windows Server 2012 R2. Just follow the steps to install, activate, and deploy ESUs described above in the "Activate the ESU product key" section.
A pre-patched Windows Server 2012 R2 image is available from the Azure Marketplace. For answers to commonly asked questions about ESU for Windows Server 2012/R2 version family, see Extended Security Updates frequently asked questions.
Our recommendation for the highest compliance and security of your Windows Server estate is Azure. And while you're planning to migrate, you can purchase and seamlessly deploy Windows Server 2012 Extended Security Updates enabled by Azure Arc on premises and in hosted environments without keys, directly from the Azure portal.
Resources
Take a look at additional resources to find out more about Extended Security Updates for Windows Server 2012, Windows Server 2012 R2, and Windows Embedded Server 2012 R2.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.
Continue reading...
Note: Windows Server 2012, Windows Server 2012 R2, and Windows Embedded Server 2012 R2 reached end of support on October 10th, 2023, per our 10-year lifecycle policy. After this date, no more security patches will be released for these versions of Windows Server. For ease of reference, we'll sometimes refer to these versions as Windows Server 2012/R2 version family. |
If you've already moved to Azure to protect your Windows Server 2012 and R2 workloads, you might be enjoying free Extended Security Updates. If your organization is unable to migrate, you can purchase and seamlessly deploy Windows Server 2012 Extended Security Updates enabled by Azure Arc on premises and in hosted environments without keys, directly from the Azure portal. As an alternative to Azure Arc, let's look at the steps to purchase and deploy ESUs—on premises and in hosted environments—using multiple activation keys (MAK). It takes four easy steps:
- Purchase and download the ESU key.
- Prepare to install the ESU key.
- Install the ESU key.
- Activate the ESU key.
Extended Security Updates (ESUs) are available through specific Microsoft Volume Licensing programs. Beginning October 10, 2023, you can purchase ESUs for up to three consecutive 12-month increments. This means you can be covered beginning on November 14, 2023 and through October 13, 2026. Note: You cannot buy partial periods (e.g., 6 months of updates).
Note: People tend to refer to ESU keys interchangeably as multiple activation keys (MAK), ESU product keys, or ESU license keys. |
Download the ESU keys on the Microsoft admin center by doing the following.
- Go to Microsoft admin center.
- In the Your products section, select View contracts.
Screenshot of the Your products page in Microsoft admin center.
- Select the three dots to the right of each license ID for more actions and select View Product Keys. All the product keys for the agreement will be available there.
Screenshot of a close-up view of Contracts highlighting the menu option to View product keys.
Prepare to install the ESU key
Let's ensure you're ready for continued security updates after October 10, 2023. Prerequisites vary depending on the scenario, but double-check that your devices are up to date, you have appropriate licensing preparation package and keys, as well as firewall readiness.
Update your devices with the latest Servicing Stack Updates
Check that you have the following updates installed for all Windows Server 2012 and Windows Server 2012 R2 scenarios, including for embedded systems. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
- For Windows Server 2012 R2 or Windows Embedded Server 2012 R2, install the servicing stack update (SSU) (KB5029368) that is dated August 8, 2023 or a later SSU.
- For Windows Server 2012, install the servicing stack update (SSU) (KB5029369) that is dated August 8, 2023 or a later SSU.
Note: If you use Windows Update, these updates will be offered automatically as needed. You must restart your device after you install the required updates. |
- Download and install the Extended Security Updates (ESU) Licensing Preparation Package.
- For Windows Server 2012 R2 or Windows Server 2012 R2 Embedded, see the Extended Security Updates (ESU) Licensing Preparation Package that is dated August 10, 2022 (KB5017220).
- For Windows Server 2012, see the Extended Security Updates (ESU) Licensing Preparation Package that is dated August 10, 2022 (KB5017221).
- Download the ESU multiple activation keys (MAK) add-on key from the VLSC portal.
- For Windows Server 2012 and Windows Server 2012 R2 virtual machines on Azure or Azure Stack HCI, ESU updates are automatically unlocked. That means that you don't need to deploy the ESU keys, nor do you need the licensing preparation package. For Windows Servers that run on premises with Azure Arc, follow instructions in Deliver Extended Security Updates for Windows Server 2012 - Azure Arc.
If you're using a proxy firewall, you may need to allow-list the activation endpoints for ESU key activation to succeed.
For online activation (i.e., local key deployment), allow-list all the following URLs:
- http://go.microsoft.com/fwlink/?linkid=88338
- https://activation.sls.microsoft.com/slspc/SLActivate.asmx
- http://go.microsoft.com/fwlink/?linkid=88339
- https://activation.sls.microsoft.com/slrac/SLCertify.asmx
- http://go.microsoft.com/fwlink/?linkid=88340
- https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx
- http://go.microsoft.com/fwlink/?linkid=88341
- https://activation.sls.microsoft.com/sllicensing/SLLicense.asmx
For proxy activation using the Volume Activation Management Tool (VAMT), allow-list the following URLs:
- https://activation.sls.microsoft.com/BatchActivation/BatchActivation.asmx
- http://go.microsoft.com/fwlink/?LinkId=82160 (This FWLink redirects to the above URL.)
Note: If you directly click or tap on these links, you'll receive a privacy error message. This is the expected behavior. |
Here are the requirements for applying ESUs to your scenarios:
Scenario | SSU update required? | Licensing Preparation Package required? |
VMs running on Azure/Azure Stack HCI | Yes | No |
Azure-Arc enabled physical/virtual machines (VMs) | Yes | No |
Azure VMWare/Nutanix Solutions | Yes | Yes |
On premises devices fully or partially connected (physical or virtual) | Yes | Yes |
Once you have met the prerequisites listed above, you're ready to install and activate the ESU key.
Note: Installing the ESU product key will not replace the existing Windows OS product key on the device. Do not use the /upk command to uninstall the Windows OS key. |
First, install the ESU key using the Windows Software Licensing Management (Slmgr.vbs) tool. Let's see how you'd then activate it.
- Open an elevated command prompt.
- Type cscript.exe %windir%\system32\slmgr.vbs /ipk <ESU key> and select Enter.
- If the product key is installed successfully, you'll see a message like the following:
A command prompt popup message confirms successful installation of the ESU product key.
Note: If you see the Error:0xC004F050 while trying to install the ESU product key, your device may require an additional reboot. |
Next, find the ESU Activation ID in the Get your ESU Activation ID table below:
- In the elevated command prompt, type cscript.exe %windir%\system32\slmgr.vbs /dlv and select Enter.
- Note the Activation ID as you will need it in the next step.
A Windows Script Host dialog box shows the Activation ID number along with other details.
The following table outlines possible values for ESU Activation ID. The activation IDs are the same across all eligible Windows ESU editions and all devices enrolled for that program.
ESU Program | ESU SKU (or Activation) ID |
Server – 2012/R2 Year 1 | c0a2ea62-12ad-435b-ab4f-c9bfab48dbc4 |
Server – 2012/R2 Year 2 | e3e2690b-931c-4c80-b1ff-dffba8a81988 |
Server – 2012/R2 Year 3 | 55b1dd2d-2209-4ea0-a805-06298bad25b3 |
Embedded Server – 2012/R2 Year 1 | 5f7d1147-3adc-4b28-8e57-4713ab7623cd |
Embedded Server – 2012/R2 Year 2 | 050b873b-763b-437b-b7c5-9efbeb96ae32 |
Embedded Server – 2012/R2 Year 3 | d44f8a8e-5129-4999-9fe0-5025c2341033 |
Once you have completed your allow lists, you're ready to activate the ESU product key. To deploy and activate the ESU MAK add-on key, you'll need Slmgr.vbs or Volume Activation Management Tool (VAMT).
Note: If you use VAMT, you have to update the VAMT configuration files. If you use online activation, make sure the device has access to the Microsoft Activation server endpoints. See Extended Security Updates (ESUs): Online or proxy activation for step-by-step instructions. |
- Open an elevated command prompt.
- Type cscript.exe %windir%\system32\slmgr.vbs /ato <ESU Activation Id> and select Enter.
You should now see a message stating that you have activated the key successfully:
A Windows Script Host dialog box confirms that the product was activated successfully.
Important: Activation via Control Panel > System and Security > System > Activate Windows activates the Windows operating system only. You cannot use it to activate ESU keys. |
Once you have activated the ESU product key, verify the status at any time by doing the following:
- Open an elevated command prompt.
- Type slmgr /dlv and select Enter.
The License Status will show as "Licensed" for the corresponding ESU program, as shown below:
The Windows Script Host dialog box shows the name and the license status for the year 1 ESU add-on, along with other details.
Note: We recommend using a management tool, such as System Center Configuration Manager (also known as Configuration Manager or SCCM), to send the Slmgr.vbs scripts to your enterprise devices. |
Once the ESU key is activated, continue to use your current update and servicing strategy to deploy ESUs through Windows Update, WSUS, the Microsoft Update Catalog, or whichever patch management solution you prefer. Extended Security Updates will have the security-only update classification.
A special case of Azure virtual machines
The good news is that you don't need to deploy an additional ESU key for Azure virtual machines (VMs), Azure Stack HCI, version 21H2 and later. Like on-premises devices, you'll need to install the appropriate SSUs as outlined in the "Prepare to install the ESU key" section above. With those SSUs, VMs will be enabled to download the ESU updates.
Would you ever need to deploy the ESU key for Azure products? Yes. You'll do this for Azure VMWare, Azure Nutanix solution, Azure Stack (Hub, Edge), or for bring-your-own images on Azure for Windows Server 2012 and Windows Server 2012 R2. Just follow the steps to install, activate, and deploy ESUs described above in the "Activate the ESU product key" section.
A pre-patched Windows Server 2012 R2 image is available from the Azure Marketplace. For answers to commonly asked questions about ESU for Windows Server 2012/R2 version family, see Extended Security Updates frequently asked questions.
Our recommendation for the highest compliance and security of your Windows Server estate is Azure. And while you're planning to migrate, you can purchase and seamlessly deploy Windows Server 2012 Extended Security Updates enabled by Azure Arc on premises and in hosted environments without keys, directly from the Azure portal.
Resources
Take a look at additional resources to find out more about Extended Security Updates for Windows Server 2012, Windows Server 2012 R2, and Windows Embedded Server 2012 R2.
- Windows Server 2012 Extended Security Updates enabled by Azure Arc
- KB5031043: Procedure to continue receiving security updates after extended support has ended on October 10, 2023
- Secure Windows Server 2012/R2 workloads with options from Azure
- Pricing - Extended Security Updates enabled by Azure Arc
- So You're Still Running Windows/SQL 2012. Now What?
- Extended Security Updates for SQL Server and Windows Server
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.
Continue reading...