How to Set Up Windows Server 2019 Extended Security Updates

Windows Server 2019 reached the end of mainstream support on January 9, 2024, and will reach end of extended support on January 9, 2029. However, for organizations running older Windows Server versions like 2008 R2 or 2012 R2, Extended Security Updates (ESUs) provide an additional three years of critical and important security patches after end-of-support dates. This guide covers how to obtain, enable, and deploy ESUs for Windows Server environments, including the special free ESU entitlement available for servers migrated to Azure.

Understanding Extended Security Update Tiers

ESUs are sold per-core, and pricing increases each year. Year 1 costs 75% of the license price, Year 2 costs 100%, and Year 3 costs 125%. For Windows Server 2012 and 2012 R2, ESU Year 1 began October 10, 2023. Organizations must have active Software Assurance or a Windows Server subscription to purchase ESUs through a volume licensing agreement.

Servers hosted on Azure receive free ESUs automatically — no additional action is required. Azure Arc-connected servers on-premises can also receive free ESUs through the Arc enrollment process, making Arc a cost-effective option for organizations with large on-premises estates.

Enrolling On-Premises Servers via Azure Arc for Free ESUs

To receive free ESUs for on-premises Windows Server 2012/2012 R2 machines through Azure Arc, first install the Arc agent:

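# Download and install the Azure Connected Machine Agent
# Fill in the values below for your tenant; keep the service principal secret out of source control
$servicePrincipalAppId = ""
$servicePrincipalSecret = ""
$tenantId = ""
$subscriptionId = ""
$resourceGroup = "ArcServers-RG"
$location = "eastus"

# Older servers default to TLS 1.0; request TLS 1.2 for the download
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -UseBasicParsing -Uri https://aka.ms/azcmagent-windows -OutFile "$env:TEMP\install_windows_azcmagent.ps1"
& "$env:TEMP\install_windows_azcmagent.ps1"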

azcmagent connect `
  --service-principal-id $servicePrincipalAppId `
  --service-principal-secret $servicePrincipalSecret `
  --tenant-id $tenantId `
  --subscription-id $subscriptionId `
  --resource-group $resourceGroup `
  --location $location

After the agent connects, the server appears in Azure Portal under Azure Arc > Servers. Azure automatically detects the OS version and enables ESU delivery through Windows Update.

Activating ESUs for On-Premises Servers Without Azure Arc

For on-premises servers not connected to Azure Arc, ESUs must be activated using a Multiple Activation Key (MAK) obtained through the Volume Licensing Service Center. After purchasing the ESU SKU, download the MAK and activate:

# Activate ESU with MAK key using slmgr
# "<ESU-MAK-key>" is a placeholder for the key downloaded from VLSC
slmgr /ipk "<ESU-MAK-key>"
slmgr /ato

# Verify activation
slmgr /dlv

The output of slmgr /dlv should show the product name as “Windows Server 2012 R2 ServerStandard, ESU Year 1” or similar, with license status “Licensed”.

Deploying ESU Patches via Windows Server Update Services (WSUS)

If your organization uses WSUS, ESU updates are classified under the standard Windows Server update categories and will appear automatically once the ESU MAK is activated on target servers. On the WSUS server, synchronize the update catalog:

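# Force a WSUS synchronization on Windows Server 2019 WSUS
# Load the WSUS administration API before using AdminProxy
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$wsus.GetSubscription().StartSynchronization()

# Check sync status
$wsus.GetSubscription().GetSynchronizationStatus()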

After synchronization, navigate to WSUS Administration Console > Updates > All Updates, filter by “Any Except Declined” classification, and search for “Extended Security Update” to verify that ESU patches appear and are approved for the target server groups.

Using Group Policy to Configure ESU Updates

Group Policy can be used to ensure servers in scope for ESUs are pointed at the correct update source. On a Windows Server 2019 domain controller, open Group Policy Management and create a policy targeting the ESU servers OU:

Computer Configuration > Administrative Templates > Windows Components > Windows Update

Set: "Specify intranet Microsoft update service location"
  Intranet update service: http://wsus-server:8530
  Intranet statistics server: http://wsus-server:8530

Set: "Configure Automatic Updates"
  Option: 4 - Auto download and schedule the install
  Schedule: Every day at 03:00
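
To confirm on a target server that the policy above actually applied, the registry values it writes can be read back. This is an added example, not part of the original guide; the expected values mirror the settings shown above, and the function name Test-EsuUpdatePolicy is hypothetical.

```powershell
# Added example: read back the Windows Update policy values the GPO above writes.
# Expected values mirror this guide's settings; Test-EsuUpdatePolicy is a hypothetical name.
function Test-EsuUpdatePolicy {
    param(
        [string]$ExpectedServer   = 'http://wsus-server:8530',
        [int]   $ExpectedAuOption = 4,   # 4 = auto download and schedule the install
        [int]   $ExpectedHour     = 3    # 03:00
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    if (-not $wu -or -not $au) {
        Write-Warning 'Windows Update policy keys are missing; the GPO has not applied.'
        return
    }
    $checks = [ordered]@{
        'WUServer matches policy'       = ($wu.WUServer -eq $ExpectedServer)
        'WUStatusServer matches policy' = ($wu.WUStatusServer -eq $ExpectedServer)
        'UseWUServer is enabled'        = ($au.UseWUServer -eq 1)
        'AUOptions matches policy'      = ($au.AUOptions -eq $ExpectedAuOption)
        'Install day is every day (0)'  = ($au.ScheduledInstallDay -eq 0)
        'Install hour matches policy'   = ($au.ScheduledInstallTime -eq $ExpectedHour)
        # Informational: reports whether the update source is reached over TLS
        'Update source uses HTTPS'      = ($wu.WUServer -like 'https://*')
    }
    foreach ($entry in $checks.GetEnumerator()) {
        [PSCustomObject]@{ Check = $entry.Key; Passed = [bool]$entry.Value }
    }
}

gpupdate /target:computer /force | Out-Null   # refresh policy before checking
Test-EsuUpdatePolicy | Format-Table -AutoSize
```

With the http:// address used in this guide, the last row reports False; it is there so the transport in use is visible in the same report.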

Verifying ESU Update Installation

After applying ESU patches, verify that the updates installed correctly:

# List recently installed Windows updates
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
  Sort-Object InstalledOn -Descending |
  Select-Object HotFixID, Description, InstalledOn

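# Check Windows Update log for ESU-specific entries
# (Get-WindowsUpdateLog requires Windows Server 2016 or later; older releases write C:\Windows\WindowsUpdate.log as plain text)
Get-WindowsUpdateLog -LogPath C:\ESUUpdateLog.txt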

ESU patches carry KB numbers identical to regular security updates. You can cross-reference the KB numbers against Microsoft’s Security Update Guide filtered by product “Windows Server 2012 R2” to confirm ESU-specific patches.
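
The cross-reference described above can be scripted once the KB numbers for the month are known. This is an added example, not part of the original guide; Get-MissingKb is a hypothetical function name and the KB IDs are constructed placeholders, not real update numbers.

```powershell
# Added example: report which expected KBs are absent on each server.
# The KB IDs used below are constructed placeholders; replace them with the
# KB numbers listed in the Security Update Guide for the month being verified.
function Get-MissingKb {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$ExpectedKb
    )
    foreach ($computer in $ComputerName) {
        try {
            # Collect the installed hotfix IDs for this server
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                           Select-Object -ExpandProperty HotFixID)
            $missing = @($ExpectedKb | Where-Object { $installed -notcontains $_ })
            [PSCustomObject]@{
                Server    = $computer
                Installed = $installed.Count
                Missing   = ($missing -join ', ')
                Compliant = ($missing.Count -eq 0)
            }
        } catch {
            # An unreachable server is reported as non-compliant, not skipped
            [PSCustomObject]@{
                Server    = $computer
                Installed = $null
                Missing   = "query failed: $($_.Exception.Message)"
                Compliant = $false
            }
        }
    }
}

Get-MissingKb -ComputerName $env:COMPUTERNAME -ExpectedKb 'KB0000001', 'KB0000002' |
    Format-Table -AutoSize
```

A KB reported as missing may have been superseded by a later rollup that is installed, so check supersedence before treating it as a gap.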

Managing ESU Activation Status Across Multiple Servers

For environments with many servers requiring ESU activation, use a script to check and apply activation in bulk:

$servers = Get-Content "C:\ESUServers.txt"
$mak = ""   # ESU MAK from VLSC; supply it at run time rather than saving it in the script

foreach ($server in $servers) {
    try {
        Invoke-Command -ComputerName $server -ScriptBlock {
            param($key)
            $result = cscript //nologo C:\Windows\System32\slmgr.vbs /ipk $key 2>&1
            $activation = cscript //nologo C:\Windows\System32\slmgr.vbs /ato 2>&1
            [PSCustomObject]@{
                Server = $env:COMPUTERNAME
                KeyInstall = $result
                Activation = $activation
            }
        } -ArgumentList $mak -ErrorAction Stop
    } catch {
        Write-Warning "Failed to process $server : $_"
    }
}
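
The script above applies the key; the checking half can be done separately and read-only by querying the licensing state on each server. This is an added example, not part of the original guide. It assumes the same server list file, assumes that ESU add-on licenses contain "ESU" in their name as in the slmgr /dlv sample shown earlier, and writes to a hypothetical output path.

```powershell
# Added example: read-only ESU license report; it installs and activates nothing.
# Assumptions: the server list file from the script above, and that ESU add-on
# licenses contain "ESU" in their name, as in the slmgr /dlv sample in this guide.
$servers = Get-Content 'C:\ESUServers.txt'

$report = foreach ($server in $servers) {
    try {
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            # Only products with a key installed; LicenseStatus 1 = Licensed
            $esu = @(Get-CimInstance -ClassName SoftwareLicensingProduct `
                        -Filter 'PartialProductKey IS NOT NULL' |
                     Where-Object { $_.Name -like '*ESU*' })
            if ($esu.Count -eq 0) {
                [PSCustomObject]@{ Server = $env:COMPUTERNAME; Product = '(no ESU key installed)'
                                   Licensed = $false; KeyTail = $null }
            }
            foreach ($p in $esu) {
                [PSCustomObject]@{ Server = $env:COMPUTERNAME; Product = $p.Name
                                   Licensed = ($p.LicenseStatus -eq 1)
                                   KeyTail = $p.PartialProductKey }   # last 5 characters only
            }
        }
    } catch {
        [PSCustomObject]@{ Server = $server; Product = "(query failed: $($_.Exception.Message))"
                           Licensed = $false; KeyTail = $null }
    }
}

$report | Sort-Object Licensed, Server |
    Format-Table Server, Product, Licensed, KeyTail -AutoSize

# Hypothetical output path: servers that still need attention
$report | Where-Object { -not $_.Licensed } |
    Select-Object Server, Product, Licensed, KeyTail |
    Export-Csv 'C:\ESU-NotLicensed.csv' -NoTypeInformation
```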

Planning the Transition to Windows Server 2019 or Later

ESUs are a bridge, not a permanent solution. Microsoft recommends using the ESU period to plan and execute migration to Windows Server 2019 or 2022. For in-place upgrades from Windows Server 2012 R2:

# Verify upgrade compatibility
Get-WindowsOptionalFeature -Online | Where-Object { $_.State -eq "Enabled" }

# Check for incompatible applications
# (querying Win32_Product is slow and triggers an MSI consistency check on each installed package)
Get-WmiObject Win32_Product | Select-Object Name, Version | Export-Csv C:\InstalledApps.csv -NoTypeInformation

# Start in-place upgrade
# Mount Windows Server 2019 ISO, then run:
D:\setup.exe /auto upgrade /dynamicupdate disable

Monitor ESU subscription renewal dates in the Volume Licensing Service Center. Activate ESU MAK keys on servers at least 30 days before the ESU period begins to ensure continuity of patch coverage. Document which servers are under ESU coverage in your CMDB to avoid unexpected compliance gaps during audits.