Introduction
This article applies to customers who purchase extended security updates (ESUs) for the following versions and editions of Windows Server 2012:
- Windows Server 2012 R2 Standard, Datacenter, and Embedded Systems
- Windows Server 2012 Standard, Datacenter, and Embedded Systems
Procedure
To continue receiving security updates after October 10, 2023, follow these steps:
- For all Windows Server 2012 and Windows Server 2012 R2 servers, you must have the following updates installed. If you use Windows Update, these updates will be offered automatically as needed.
  IMPORTANT You must restart your device after you install the following required updates.
  - For Windows Server 2012 R2, you must have the servicing stack update (SSU) (KB5029368) that is dated August 8, 2023 or a later SSU installed. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
  - For Windows Server 2012, you must have the servicing stack update (SSU) (KB5029369) that is dated August 8, 2023 or a later SSU installed. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
- Download and install the Extended Security Updates (ESU) Licensing Preparation Package. For more information, see the following articles in the Microsoft Knowledge Base:
  IMPORTANT If you are not being offered the latest cumulative updates (security updates), you must install the following update.
  NOTES
  - The licensing preparation package is not needed to get Windows Server 2012 or Windows Server 2012 R2 ESU updates on Azure, Azure Arc, or Azure Stack HCI, version 22H2.
  - Windows Server 2012 and Windows Server 2012 R2 computers that have a Monthly Rollup that is dated on or after July 12, 2022 installed do not need to install the licensing preparation package.
  - Windows Server 2012 and Windows Server 2012 R2 computers which run the release version without any updates installed or have some updates installed which are dated earlier than July 12, 2022 must have the licensing preparation package installed from Windows Server Update Services (WSUS) or Microsoft Update Catalog (see KB5017220 or KB5017221).
  - Customers who use Scan Cab to install the November 14, 2023 update (KB5032247 or KB5032249) need to download the licensing preparation package from the Microsoft Update Catalog (see KB5017220 or KB5017221) and install the package manually.
- Use one of the following steps.
After you successfully complete the steps, you can continue to download the monthly updates through the usual channels of Windows Update, WSUS and Microsoft Update Catalog. You can continue to deploy the updates by using your preferred update management solution.
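A quick way to confirm the prerequisites from the first two steps on a given server is sketched below. This is an added example, not a Microsoft script; the KB numbers are the ones named in this article, and it assumes that Get-HotFix reports the SSU and the licensing preparation package on the server being checked.

```powershell
# Added example: report the ESU prerequisites named in this article.
$ssuByVersion = @{
    '6.3' = 'KB5029368'   # Windows Server 2012 R2 SSU dated August 8, 2023
    '6.2' = 'KB5029369'   # Windows Server 2012 SSU dated August 8, 2023
}
$prepPackageKbs = 'KB5017220', 'KB5017221'   # licensing preparation package

$os = Get-WmiObject -Class Win32_OperatingSystem
$majorMinor = ($os.Version -split '\.')[0..1] -join '.'
if (-not $ssuByVersion.ContainsKey($majorMinor)) {
    throw "Not Windows Server 2012 or 2012 R2: $($os.Caption) ($($os.Version))"
}

# Get-HotFix reads Win32_QuickFixEngineering; it is assumed here to list both
# packages. Cross-check with 'dism /online /get-packages' if a result looks wrong.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

$ssuKb      = $ssuByVersion[$majorMinor]
$hasSsu     = $installed -contains $ssuKb
$hasPrepPkg = @($prepPackageKbs | Where-Object { $installed -contains $_ }).Count -gt 0

# The article requires a restart after the prerequisite updates are installed;
# this key exists while servicing operations are waiting for a reboot.
$cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$rebootPending = Test-Path $cbsKey

[pscustomobject]@{
    OperatingSystem  = $os.Caption
    RequiredSsu      = $ssuKb
    SsuFound         = $hasSsu       # False can still be fine if a later SSU is installed
    PrepPackageFound = $hasPrepPkg   # Not needed with a Monthly Rollup dated on or after July 12, 2022
    RebootPending    = $rebootPending
}
```

A `False` in `SsuFound` or `PrepPackageFound` is a prompt to check the exceptions listed above, not proof that the server is misconfigured.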
Steps for Azure
You can migrate your on-premises servers that run a version of Windows Server that has reached or is almost reaching the end of extended support to Azure, where you can continue to run them as virtual machines.
For more information about migrating to Azure, see Extended Security Updates for Windows Server overview.
Steps for Azure Stack HCI
- Turn on legacy OS support for Azure VM verification.
  Follow these instructions to turn on legacy OS support for Azure VM verification:
  - Using Windows Admin Center: Manage legacy OS support using Windows Admin Center
  - Using PowerShell: Manage legacy OS support using PowerShell
- Enable access for new VMs
  You must also enable legacy OS support access for each VM that requires ESU. Follow these instructions:
  - Using Windows Admin Center: Manage legacy OS support access for your VMs - Windows Admin Center. Check that your ESU VMs appear as Active in the VM tab.
  - Using PowerShell: Manage legacy OS support access for your VMs - PowerShell
- Install Extended Security Updates
  Once legacy OS support is set up, you can install free Extended Security Updates for eligible VMs on your cluster. Install updates using your current method of preference; for example, Windows Update, Windows Server Update Services (WSUS), Microsoft Update Catalog.
For more information, see Extended Security Updates (ESU) through Azure Stack HCI.
Steps for Azure Arc
- For Windows Servers that run on-premises without Azure Arc:
  - Download the ESU MAK add-on key from the VLSC portal.
  - Deploy and activate the ESU MAK add-on key by using Slmgr.vbs or VAMT tool.
    - If you use VAMT tool, you have to update the VAMT configuration files.
    - Online activation or Proxy activation can be used to deploy and activate the ESU MAK add-on key.
    - If you use online activation, you must make sure the device has access to the Microsoft Activation server endpoints.
  - The steps to install, activate, and deploy ESUs for Windows Server 2012 and Windows Server 2012 R2 are the same as for Windows Server 2008 and Windows Server 2008 R2.
- For Windows Servers that run on-premises with Azure Arc.
  - Deploying a MAK key is not required if the Windows Servers are running in virtual machines (VMs) on Azure or Azure Stack HCI, version 22H2 or devices that are Azure-Arc enabled and signed-up for keyless Pay-As-You-Go Service.
  - To deploy Extended Security Updates enabled by Azure Arc, you must onboard your devices to Azure Arc-enabled servers by deploying the Connected Machine agent. You can then provision and link Extended Security Update licenses to your Azure Arc-enabled servers, offering the flexibility of a Pay-as-you-Go, monthly Azure billed service.
  - Azure Arc-enabled servers enrolled for Windows Server 2012 ESUs receive Azure Update Management, Machine Configuration, and Change Tracking and Inventory capabilities at no additional cost. For more information, see Prepare to deliver Extended Security Updates for Windows Server 2012 through Azure Arc.
  - Provide access to the endpoint "microsoft.com/pkiops/certs"
    If you cannot open access to this endpoint, you may download the intermediate CA (valid for up to 6 months) on your Azure Arc-enabled servers as a stopgap solution.
    - For Azure Commercial Cloud, download this intermediate CA published by Microsoft. Install the downloaded certificate as Local Computer under Intermediate Certificate Authorities\Certificates. Use the following command to install the certificate correctly:
      certutil -addstore CA 'Microsoft Azure TLS Issuing CA 01 - xsign.crt'
    - For Azure Government Cloud, download this intermediate CA published by Microsoft. Install the downloaded certificate as Local Computer under Intermediate Certificate Authorities\Certificates. Use the following command to install the certificate correctly:
      certutil -addstore CA 'Microsoft Azure TLS Issuing CA 02 - xsign.crt'
  - For more information, see Deliver Extended Security Updates for Windows Server 2012.
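Because the stopgap above adds a certificate to the machine's Intermediate Certification Authorities store by hand, it is worth inspecting the downloaded file before running certutil. The following is an added example, not part of Microsoft's procedure; the file name is the Azure Commercial Cloud one from this article, and `$expectedThumbprint` is a placeholder that must be filled in from a source you trust, since this article does not list the thumbprint.

```powershell
# Added example: verify the downloaded intermediate CA, then install it.
# Run from an elevated PowerShell session in the download folder.
$certPath           = '.\Microsoft Azure TLS Issuing CA 01 - xsign.crt'
$expectedThumbprint = '<THUMBPRINT-FROM-A-TRUSTED-SOURCE>'   # placeholder, not from the article

$fullPath = (Resolve-Path -LiteralPath $certPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

$problems = @()

# 1. The file must be the certificate you expect (compare SHA-1 thumbprints).
$normalized = ($expectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $normalized) {
    $problems += "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. It must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 3. It must be an intermediate CA: marked as a CA and issued by another CA.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'Not marked as a CA certificate' }
if ($cert.Subject -eq $cert.Issuer) { $problems += 'Self-signed, so not an intermediate CA' }

if ($problems.Count -gt 0) {
    throw ("Refusing to install '$certPath':`n" + ($problems -join "`n"))
}

# Same command as in the article, with the resolved path.
certutil -addstore CA $fullPath
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Confirm the certificate landed in Local Computer\Intermediate Certification Authorities.
if (-not (Test-Path "Cert:\LocalMachine\CA\$($cert.Thumbprint)")) {
    throw 'Certificate not found in Cert:\LocalMachine\CA after installation'
}
"Installed: $($cert.Subject) (expires $($cert.NotAfter))"
```

For Azure Government Cloud, change `$certPath` to the CA 02 file name and use that certificate's thumbprint.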
More information
If you use Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
- For other Azure products such as Azure VMWare, Azure Nutanix Solution, Azure Stack (Hub, Edge), or for bring-your-own images on Azure for Windows Server 2012 or Windows Server 2012 R2, you have to deploy the ESU key.
- Azure resources require up-to-date SSL/TLS certificates to make sure endpoints are available and are updated.
- Azure resources require connectivity with Azure Instance Metadata Service (IMDS).
References
- Overview of Extended Security Updates for Windows Server 2008, 2008 R2, 2012, and 2012 R2
- Get the most out of Windows Server with these 5 best practices
- Maximize your Windows Server investments with new benefits and more flexibility
- Troubleshoot issues in Extended Security Updates (ESU) | Microsoft Learn
- Extended Security Updates (ESUs): Online or proxy activation
- The first Windows Server 2012/R2 ESU Patches are out! Are you protected?