Extended Security Updates for Windows Server
Extended Security Updates (ESU) for Windows Server include security updates and bulletins rated critical and important.
How you get ESUs depends on where your server is hosted
You can get access to ESUs through the following options:
Azure virtual machines
Applicable virtual machines (VMs) hosted in Azure are automatically enabled for ESUs, and these updates are provided free of charge. There’s no need to deploy a MAK or take any other action.
Azure Arc-enabled servers
If your servers are on-premises or in a hosted environment, you can connect them through Azure Arc and enroll your Windows Server 2012 and 2012 R2 or SQL Server 2012 machines for Extended Security Updates via the Azure portal. You’ll be billed monthly via your Azure subscription.
Non-Azure physical and virtual machines
If you can’t connect using Azure Arc, you can use Extended Security Updates on non-Azure VMs by applying a Multiple Activation Key (MAK) to the relevant servers. This MAK lets the Windows Update servers know that you can continue to receive security updates.
Extended Security Updates on Azure
Applicable virtual machines (VMs) hosted in Azure are automatically enabled for ESU and these updates are provided free of charge. You don’t need to configure anything, and there’s no extra charge for using ESUs with Azure VMs. ESUs are automatically delivered to Azure VMs if they’re configured to receive updates.
Extended Security Updates enabled by Azure Arc
ESUs are automatically delivered to Azure Arc-enabled servers if they’re connected and enrolled for ESUs through Azure Arc. This can also apply to non-Azure servers connected to Azure Arc.
You can enroll in ESUs at scale by using Azure Policy or the Azure portal. There’s no upfront charge, and you’ll be billed monthly via your Azure subscription. You also don’t need to activate product keys.
Azure Arc-enabled servers also enable you to use other Azure services, such as:
- Azure Update Manager.
- Microsoft Defender for Cloud.
- Azure Policy (Machine Configuration).
- Azure Monitor (VM Insights).
From September 2023, you’re able to activate Windows Server 2012 and 2012 R2 ESUs through Azure Arc. You can connect Windows Server 2012 and 2012 R2 servers to Azure Arc today.
To prepare for activating Windows Server 2012 and 2012 R2 ESUs on your Arc-enabled servers, follow these steps:
- Sign in to the Azure portal.
- In the search bar, enter Servers – Azure Arc and select the matching service entry.
- Add your existing Windows Server 2012 or 2012 R2 machine to Azure Arc.
Access your Multiple Activation Key from the Microsoft 365 Admin Center
Customers who can’t connect to Azure Arc to apply ESUs can use Multiple Activation Keys (MAK) through Microsoft 365 Admin Center:
- Sign in to the Microsoft 365 Admin Center.
- Select Your products > Volume licensing > View contracts.
- Select the agreement number used to purchase ESUs, select the three dots beside it (More Actions icon), then select View product keys. All the product keys available to the agreement are shown on this page.
- Once you have your MAK, install the new key on your eligible servers.
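One way to carry out the last step on a non-Azure server, as an added PowerShell example that is not part of the original page: it installs the MAK with slmgr.vbs, activates the matching license, and confirms the resulting license state. `$EsuKey` is a placeholder for your own key, and the script assumes an elevated session and a route to Microsoft's activation servers.

```powershell
# Added example (not from the original page). Run elevated on the eligible server.
# $EsuKey is a placeholder: pass the MAK listed under "View product keys".
param([Parameter(Mandatory = $true)][string]$EsuKey)

# Reject malformed input before handing it to the licensing service.
$EsuKey = $EsuKey.Trim().ToUpperInvariant()
if ($EsuKey -notmatch '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$') {
    throw 'Key is not in the 5x5 product key format.'
}
$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'

# 1. Install the MAK.
cscript.exe //nologo $slmgr /ipk $EsuKey

# 2. Locate the license the key was bound to. PartialProductKey holds the last
#    five characters of an installed key; ID is the activation ID slmgr expects.
$tail = $EsuKey.Substring($EsuKey.Length - 5)
$lic  = Get-CimInstance -ClassName SoftwareLicensingProduct `
            -Filter "PartialProductKey = '$tail'" | Select-Object -First 1
if (-not $lic) { throw "No installed license has a key ending in $tail." }

# 3. Activate that specific license rather than the base OS license.
cscript.exe //nologo $slmgr /ato $lic.ID

# 4. Re-read the license and report its state (1 = Licensed).
$lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
           -Filter "ID = '$($lic.ID)'" | Select-Object -First 1
$statusNames = 'Unlicensed', 'Licensed', 'OOBGrace', 'OOTGrace',
               'NonGenuineGrace', 'Notification', 'ExtendedGrace'
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Product      = $lic.Name
    ActivationId = $lic.ID
    KeyTail      = $lic.PartialProductKey
    Status       = $statusNames[[int]$lic.LicenseStatus]
}
if ([int]$lic.LicenseStatus -ne 1) {
    throw "License $($lic.ID) is not in the Licensed state."
}
```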
Download and installation of Extended Security Updates
Delivery, download, and application of ESUs for Windows Server are no different from those of other Windows updates. ESUs provide security updates only.
Before you can download and install ESUs, you must have installed the latest Servicing Stack Update (SSU) and the Licensing Preparation Package.
You can install the updates using whatever tools and processes you already have in place. The only difference is that the system must be registered using the key generated in the previous section for the updates to download and install.
For VMs hosted in Azure, the process of enabling the server for ESUs is automatically completed for you. Updates should download and install without extra configuration.