KB4522133: Procedure to continue receiving security updates after extended support ended on January 10, 2023

Introduction

This article applies to customers who get an additional fourth year of free extended security updates (ESUs) only on Azure (such as Azure VMWare Solutions, Azure Nutanix Solution, and other Azure products) on the following:

• Windows Server 2008 R2 Service Pack 1 (SP1)

• Windows Server 2008 Service Pack 2 (SP2)

• Windows Embedded POSReady 7

• Windows Embedded Standard 7

• All Azure virtual machines (VMs) running Windows Server 2008 R2 and Windows Server 2008 operating systems on Azure, Azure Stack, Azure VMWare Solutions, or Azure Nutanix Solution.

After January 10, 2023, customers who get an additional fourth year of free extended security updates (ESUs) can continue to receive security updates by installing the servicing stack update (SSU) listed below or a later SSU and the ESU licensing preparation package:

• Windows Server 2008 R2 SP1

  • KB5017397: Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 13, 2022

  • KB5016892: Update for the Extended Security Updates Licensing Preparation Package for Windows Server 2008 R2 SP1

• For Windows Server 2008 SP2

  • KB5016129: Servicing stack update for Windows Server 2008 SP2: July 12, 2022

  • KB5016891: Update for the Extended Security Updates Licensing Preparation Package for Windows Server 2008 SP2

• For Windows Embedded POSReady 7 and Windows Embedded Standard 7

  • KB5017397: Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 13, 2022

Procedure

To continue receiving security updates after January 10, 2023, follow these steps:

1. You must have the following updates installed. If you use Windows Update, these updates will be offered automatically as needed.

   IMPORTANT You must restart your device after you install the following required updates.

   • You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. If you use Windows Update, the latest SHA-2 update will be offered to you automatically. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

   • For Windows Server 2008 R2 SP1, you must have the servicing stack update (SSU) (KB5017397) that is dated September 13, 2022 or later installed. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.

   • For Windows Server 2008 SP2, you must have the servicing stack update (SSU) (KB5016129) that is dated July 12, 2022 or later installed. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.

   • For Windows Embedded POSReady 7 and Windows Embedded Standard 7, you must have the servicing stack update (SSU) that is dated September 13, 2022, (KB5017397)  or  later installed. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.

2. Download and install the Extended Security Updates (ESU) Licensing Preparation Package. For more information, see the following articles in the Microsoft Knowledge Base:

   • For Windows Server 2008 R2 SP1, see the Extended Security Updates (ESU) Licensing Preparation Package that is dated August 8, 2022 (KB5016892)

   • For Windows Server 2008 SP2, see the Extended Security Updates (ESU) Licensing Preparation Package that is dated August 8, 2022 (KB5016891)

   • For Windows Embedded POSReady 7 and Windows Embedded Standard 7, see the Extended Security Updates (ESU) Licensing Preparation Package (KB4538483)

3. Download the ESU MAK add-on key from the VLSC portal and deploy and activate the ESU MAK add-on key. If you use the Volume Activation Management Tool (VAMT) to deploy and activate keys, follow the instructions here.

Note After you successfully complete this procedure, you can continue to download the monthly updates through the usual channels of Windows Update, WSUS and Microsoft Update Catalog. You can continue to deploy the updates using your preferred update management solution.

More information

You do not need an additional key for deployment of the following:

• You do not need to deploy an additional ESU key for Azure virtual machines (VMs) or Azure Stack HCI, version 21H2 or later.

• For other Azure products such as Azure VMWare, Azure Nutanix solution Azure Stack (Hub, Edge), or for bring-your-own images on Azure for Windows Server 2008 SP2 or Windows Server 2008 R2 SP1, you do need to deploy the ESU key. The steps to install, activate, and deploy ESUs are the same for the fourth year of ESU coverage.

• If you use Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 

Resources

For more information, see the following articles: 

• What is the Extended Security Update (ESU) program?

• Get the most out of Windows Server with these 5 best practices

• Maximize your Windows Server investments with new benefits and more flexibility