How to Set Up Windows Server 2016 Extended Security Updates
Windows Server 2016 reached its end of mainstream support in January 2022, and Microsoft has defined its end of extended support as January 12, 2027. When a Windows Server version reaches end of extended support, it no longer receives free security updates, leaving systems vulnerable to newly discovered threats. Microsoft’s Extended Security Updates (ESU) program provides an option for organizations that cannot immediately migrate to a newer operating system, offering paid security patches for up to three additional years beyond the end of extended support date.
For Windows Server 2016, ESU coverage is available for organizations enrolled in the program. Understanding how to procure, activate, and manage Extended Security Updates is critical for any team responsible for maintaining servers that cannot be upgraded or migrated on the standard support timeline. This guide covers the entire lifecycle of ESU setup for Windows Server 2016, from procurement through activation and patch delivery.
Understanding ESU Licensing
Extended Security Updates are licensed per core and require a minimum purchase of 16 cores per server. The pricing is based on a percentage of the original license cost and increases each year of ESU coverage. Year one of ESU costs 75% of the original license value, year two costs 100%, and year three costs 125%. Software Assurance customers receive year one at no additional cost beyond their existing SA coverage.
ESU licenses can be purchased through Microsoft volume licensing programs or through Azure. If your Windows Server 2016 workloads run in Azure, ESU is provided at no additional charge as part of the Azure benefit for running older workloads in the cloud. For on-premises servers connected to Azure through Azure Arc, ESU can also be enrolled and managed centrally at a reduced rate.
Enrolling On-Premises Servers via Azure Arc
The recommended approach for managing ESU on on-premises Windows Server 2016 instances is to connect them to Azure Arc. Azure Arc extends Azure management capabilities to on-premises and multi-cloud infrastructure, and servers enrolled in Arc can receive ESU licenses managed and billed through Azure. This approach simplifies activation and patch delivery significantly.
To install the Azure Arc agent on Windows Server 2016, first download the agent installer from the Microsoft download center. The agent is called the Azure Connected Machine agent. Download and install it with the following commands from an elevated PowerShell prompt:
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile "AzureConnectedMachineAgent.msi"
Start-Process msiexec.exe -Wait -ArgumentList '/I AzureConnectedMachineAgent.msi /qn'
After the agent is installed, connect the server to Azure Arc by running the onboarding script. Generate the onboarding script from the Azure portal under Azure Arc > Machines > Add a machine > Add a single server, then execute it on the target server:
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
--resource-group "MyResourceGroup" `
--tenant-id "YOUR_TENANT_ID" `
--location "eastus" `
--subscription-id "YOUR_SUBSCRIPTION_ID"
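A hardened variant of the download-and-install step, which checks the installer's Authenticode signature before running it and confirms the agent state afterwards. This is an added example, not part of the original guide; the temp-file paths and log name are assumptions.

```powershell
# Added example (not from the original guide): download, verify, install, confirm.
$ErrorActionPreference = 'Stop'

# Windows PowerShell 5.1 on Server 2016 may not negotiate TLS 1.2 unless told to.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Assumed working paths for the installer and its log.
$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
$log = Join-Path $env:TEMP 'azcmagent-install.log'

Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msi -UseBasicParsing

# Refuse to install unless the package carries a valid signature from Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; not installing $msi"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Install silently with a verbose log and check the msiexec exit code.
# 0 = success, 3010 = success but a reboot is required.
$proc = Start-Process msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$msi`" /qn /l*v `"$log`""
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# Shows the agent status; run again after the onboarding script to confirm
# the machine reports as connected.
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" show
```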
Enrolling in ESU Through Azure Arc
Once the server appears in Azure Arc as a connected machine, you can enroll it in the Extended Security Updates program directly from the Azure portal. Navigate to Azure Arc > Machines, select your Windows Server 2016 machine, then look for the “Extended Security Updates” option in the left-hand menu under Operations.
Enable the ESU license enrollment, select the appropriate license type (Standard or Datacenter), and specify the number of cores. Azure will automatically configure the server to receive ESU patches through Windows Update or Windows Server Update Services (WSUS) as configured on the server.
To enable ESU enrollment for Arc-connected servers from a PowerShell prompt, use the Azure CLI:
az arcappliance create-config --resource-group "MyResourceGroup" --name "MyServer"
az connectedmachine extension create `
--resource-group "MyResourceGroup" `
--machine-name "MyWS2016Server" `
--name "WindowsOSPatch" `
--type "WindowsOSPatch" `
--publisher "Microsoft.CPlat.Core" `
--location "eastus"
Traditional MAK Key Activation for ESU
For servers that cannot connect to Azure, Microsoft provides Multiple Activation Key (MAK) based ESU activation. This method requires purchasing ESU licenses through a Microsoft Volume Licensing agreement and then obtaining the MAK keys from the Microsoft Volume Licensing Service Center (VLSC).
After obtaining the MAK key, activate ESU on the Windows Server 2016 system using the following steps. First, verify that all current patches are installed, including the prerequisite patch (typically the latest cumulative update for the ESU period). Then activate using the SLMGR tool:
slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
Replace the X characters with your actual MAK key. Then activate online:
slmgr.vbs /ato
To verify the ESU activation status:
slmgr.vbs /dlv
Verifying Patch Delivery After ESU Activation
After activating ESU, verify that security updates are being delivered correctly. Open Windows Update settings and check for updates. ESU patches should appear in the available updates list. You can also use PowerShell to list the most recently installed updates and confirm ESU patches are installing:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20 | Format-Table HotFixID, InstalledOn, Description
To check the ESU activation status and confirm the correct license state using PowerShell:
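# SoftwareLicensingService is a WMI/CIM class, not a COM object: refresh license state through CIM
$sls = Get-CimInstance -ClassName SoftwareLicensingService
Invoke-CimMethod -InputObject $sls -MethodName RefreshLicenseStatus | Out-Null
# List every product that has a key installed, with its numeric license status (1 = Licensed)
Get-CimInstance -ClassName SoftwareLicensingProduct | Where-Object { $null -ne $_.PartialProductKey } | Select-Object Name, LicenseStatus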
Managing ESU Across Multiple Servers
For environments with many Windows Server 2016 instances, use Group Policy or WSUS to centralize patch management and ensure all ESU-enrolled servers receive the appropriate security updates. Configure WSUS to approve ESU update classifications and ensure the WSUS server is properly synchronizing the Extended Security Update catalog.
Maintaining a current inventory of all Windows Server 2016 instances and their ESU enrollment status is essential for compliance and cost management. Use Azure Arc’s resource graph queries or on-premises tools such as Microsoft Endpoint Configuration Manager to generate regular reports on ESU enrollment status across your server fleet.
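The license-status and patch-history checks from the verification section, combined into one per-server report that can feed the inventory described above for MAK-activated servers. This is an added example, not part of the original guide; the function name Get-EsuPatchReport, the 45-day threshold, and identifying ESU add-on licenses by "ESU" in the product name are assumptions.

```powershell
# Added example, not from the original guide.
# Assumptions: ESU add-on licenses contain "ESU" in the product name, and
# 45 days without an installed update is worth flagging.
function Get-EsuPatchReport {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$MaxPatchAgeDays = 45
    )
    # SoftwareLicensingProduct.LicenseStatus values
    $statusText = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
                     4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
    foreach ($computer in $ComputerName) {
        $cim = @{ ClassName = 'SoftwareLicensingProduct'; ErrorAction = 'Stop'
                  Filter = 'PartialProductKey IS NOT NULL' }
        $hf = @{ ErrorAction = 'Stop' }
        # Only go over the network for machines other than the local one.
        if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer; $hf.ComputerName = $computer }
        try {
            $esu = Get-CimInstance @cim | Where-Object Name -like '*ESU*' | Select-Object -First 1
            $latest = Get-HotFix @hf | Where-Object InstalledOn |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
        } catch {
            [pscustomobject]@{ Computer = $computer; Finding = "Query failed: $($_.Exception.Message)" }
            continue
        }
        # LicenseStatus is UInt32; cast so the hashtable lookup matches the Int32 keys.
        $status = if ($esu) { $statusText[[int]$esu.LicenseStatus] } else { $null }
        $age = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
        $finding = if (-not $esu) { 'No ESU key installed' }
            elseif ($status -ne 'Licensed') { "ESU key present but $status" }
            elseif ($null -eq $age -or $age -gt $MaxPatchAgeDays) { 'ESU licensed, no recent update' }
            else { 'OK' }
        [pscustomobject]@{
            Computer = $computer; EsuProduct = $esu.Name; EsuStatus = $status
            LatestHotFix = $latest.HotFixID; PatchAgeDays = $age; Finding = $finding
        }
    }
}

# With no arguments the report covers the local server only.
Get-EsuPatchReport | Format-Table -AutoSize
```

Pass a list of server names to `-ComputerName` to cover the fleet; a server that returns anything other than `OK` needs its key, activation or update source checked.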