Applies To
Windows Server 2025

Original publish date: September 9, 2025

KB ID: 5067349

Summary

In today's rapidly evolving digital landscape, maintaining compliance and security across the organization is paramount. As part of this commitment, we’re making some important changes to Windows Server Update Services (WSUS). Starting with the September 2025 security update, WSUS running on Windows Server 2025 is removing dependencies on old code that’s no longer supported. This means that Windows operating systems (OS) that reached the end of their lifecycle will no longer qualify to receive extended security updates (ESU), unless you take additional action.

Does this change impact your operating systems?  

This security hardening change only affects operating systems that have reached end of support (EOS). It will not affect in-market products. Windows 10 and later versions of Windows are not impacted.

Specifically, this change impedes updating Windows endpoints running Windows Server 2012 and Windows Server 2012 R2, and only those that are using extended security updates (ESU). The extended end date for these versions was October 10, 2023, and ESUs might be available through 2026.

Consult the Microsoft Lifecycle Policy search tool and Lifecycle FAQ - Windows for your Windows versions. 

What’s the impact of this change?  

As with all security hardening changes, this change isn’t made lightly. Removing certain binaries from WSUS helps ensure the integrity and security of our software supply chain. This specifically applies to dependencies on components that no longer meet our compliance and security standards. These binaries include DLLs and EXEs that WSUS uses to update the SelfUpdate service in Windows Update (WU) on devices.

The security benefit of removing these binaries from Windows Server 2025 comes with a potential change for you if you’re using ESU updates for Windows Server 2012.

Important: If WSUS is part of a hierarchical deployment (such as connected downstream and upstream servers), there is no impact to your environment. Synchronization and update distribution will continue to function as expected.

Short-term and long-term next steps

Do you still need to update devices running any of the impacted Windows operating systems? Consider the following temporary steps to restore service for ESU updates on Windows Server 2012:

  1. Choose an older supported version of WSUS. For example, Windows Server 2025 on the August 2025 security update or earlier, or Windows Server 2022.

  2. Locate the “SelfUpdate” folder on this version of WSUS at %systemdrive%\Program Files\Update Services.

  3. Copy the "SelfUpdate" folder and its contents from the chosen older version of WSUS.

  4. Place it under the WSUS install path on Windows Server 2025 updated with the security update released in or after September 2025.

  5. Add this folder as a virtual directory under the WSUS website in Internet Information Services (IIS).

After completing these steps, service will resume. To be secure in the longer term, we recommend upgrading the legacy OS versions and upgrading to Windows Server 2025.
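Steps 3 to 5 scripted in PowerShell, as an added example that is not part of the original article or Microsoft's own tooling: it records hashes and Authenticode status of the files being re-introduced, verifies the copy, then creates the virtual directory. The staging path, report path, IIS site name and virtual directory name are assumptions to adjust for your environment.

```powershell
# Added example, not Microsoft's script. Run elevated on the Windows Server 2025 WSUS host.
param(
    # Hypothetical staging path holding SelfUpdate copied from the older WSUS server
    [string]$Source   = 'D:\Staging\SelfUpdate',
    # Install path from step 2; adjust if WSUS is installed elsewhere
    [string]$WsusRoot = "$env:SystemDrive\Program Files\Update Services",
    # Assumed IIS site name; confirm with Get-Website before running
    [string]$SiteName = 'WSUS Administration',
    # Hypothetical location for the inventory kept as a change record
    [string]$Report   = "$env:TEMP\SelfUpdate-inventory.csv"
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$dest = Join-Path $WsusRoot 'SelfUpdate'
if (-not (Test-Path -LiteralPath $Source -PathType Container)) { throw "Source not found: $Source" }
if (Test-Path -LiteralPath $dest) { throw "Destination already exists: $dest" }
if (-not (Get-Website | Where-Object Name -eq $SiteName)) { throw "IIS site not found: $SiteName" }
$Source = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')

# Inventory every file before it is re-introduced: SHA-256 plus signature status and signer
$inventory = Get-ChildItem -LiteralPath $Source -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($Source.Length).TrimStart('\')
        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
    }
}
$inventory | Export-Csv -LiteralPath $Report -NoTypeInformation

# Surface anything without a valid signature for review; this warns, it does not block
$inventory | Where-Object SigStatus -ne 'Valid' |
    ForEach-Object { Write-Warning "Not validly signed: $($_.RelativePath) [$($_.SigStatus)]" }

# Step 4: place the folder under the WSUS install path, then confirm nothing changed in transit
Copy-Item -LiteralPath $Source -Destination $dest -Recurse
foreach ($f in $inventory) {
    $copied = Get-FileHash -LiteralPath (Join-Path $dest $f.RelativePath) -Algorithm SHA256
    if ($copied.Hash -ne $f.SHA256) { throw "Hash mismatch after copy: $($f.RelativePath)" }
}

# Step 5: expose the folder as a virtual directory (name assumed to match the folder)
New-WebVirtualDirectory -Site $SiteName -Name 'SelfUpdate' -PhysicalPath $dest
```

Keep the exported inventory with the change record so the re-introduced binaries can be identified and removed once the Windows Server 2012 endpoints are retired.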
