Guidance on Security-only Updates and Extended Security Updates, potentially save costs on ESU

Regular Contributor

Motivation

Today I would like to post about questions I get frequently asked by customers. 

This guide explains the benefits using "Cumulative Updates" which have a different name in down-level OS. In other Microsoft products they are also abbreviated as "CU".

It will cover certain aspects about Extended Security Updates, which are vital for organizations that must run down-level operating systems and Microsoft products.

This guide also includes references that are still relevant but spread across different documentation and blogs, I hope aggregating them here helps you to find relevant an related information, quickly.


What do I consider as down-level product? 


Products that not only have reached extended support but also end of service, and which are only serviced by exception or via Extended Security Updates (ESU).
So simplified, as per time of posting, anything below Windows Server 2016, Windows 10, SQL Server 2016, Exchange Server 2013.

 


Reasons to stay on down-level products and down sides


Many organizations still rely on down-level versions, even for business critical services.
Some of these products still receive regular or occasional updates, so we still have to service them.

The reasons for organization that keep them away from migrating to a newer product vary. Often there are dependencies between the use of down-level OS and other Microsoft products in regards of hardware, like machines or appliances.

 


Benefits of using current OS / Microsoft products

  • keeping OS and products current can significantly reduce costs for migrations
  • less hassle with compatibility and compatibility matrixes
  • they should be tendentially more secure or offer latest security features
  • they should offer compatibillity with latest hardware and offer best performance and scalability
  • they usually reduce efforts for servicing by improved updates methodology, improved servicing stack, reduced update size and update installation time (except Windows Server 2016, known issue)
  • they often have updated or fewer dependencies
  • it is often easier to find and access relevant and current documentation
  • the amount of IT pros and MVPs being involved into the products is significantly higher
  • in many cases offer improved automation


Understanding naming convention of updates

 

Naming convention for cumulative updates 


The naming convention is not 100% consistent across products. Cumulative updates include security fixes and all bugfixes and product improvements for the same version and edition of an installed product. Here is a list of OS / product specific differences in regards of the naming:

Windows 7, 8.0, 8.1

  • Monthly security and quality update

Windows Server 2008 R2, 2012, 2012 R2

  • Monthly security and quality update
  • Update rollups (rare)

Windows Server 2016, 2019, 2022, Windows Server version (SAC), Azure Stack HCI

  • Cumulative Update
  • Dynamic Update (special purpose)

Exchange Server 2013, 2016, 2019, [2022]

  • Cumulative Update (CU)
  • Update Rollups (rare, but often foundational)
  • Service Packs (rare, but foundational)

SQL Server 2014, 2016, 2019, [2022]

  • Cumulative Update (CU)
  • Update Rollup (rare)

- Service Packs (rare, but foundational)



Naming convention for Security Updates

 

Windows 7, 8.0, 8.1

  • Security-only update

Windows Server 2008 R2, 2012, 2012 R2

  • Security-only update

Other products:
Security Update


Know the important differences about several types of updates

“Monthly security and quality updates as well as “Update Rollups” or Service Packs (both have become rare) are equivalent to cumulative updates in modern OS or other Microsoft products.

The “Security-only” for Windows, as well as security updates for other products are not cumulative, unless the naming convention state that is a cumulative update. See above.

Extended security updates are “Security-only” updates by design, means they are not cumulative.

 


Reasons to prefer cumulative updates

All modern Microsoft products have moved on to cumulative updates for many reasons:

  • get up to date from any servicing state latest state consistently, reducing the number of installed updates, restarts, reduced or eliminated update dependencies
  • simplified and consistent experience
  • more transparent outcome testing / reproducibility of case of issues, also for Microsoft partners, ISV, or Microsoft Support


Please let me explain why “Security-only” updates expose you to a higher risk for issues:

 

  • Using “Security-only” updates inherits the risk that one update might have been skipped and so leaving security holes unfixed. Only the installation of a “Monthly security and quality update” from time to time can assure compliance here, or good inventory SAM, which could cause more time and so costs for reporting etc. Same applies if a “Security-only” update fails to install, and this has not been monitored correctly.

  • A “Security-Only” update will only address security issues, as per definition.
    Sometimes the security fixes have side effects or create dependencies, which are fixed with the same or a later “Monthly security and quality update”.

  • From my experience installing only "Security-Only” cause more issues compared to the full stack. We can only speculate about reasons. It could happen Microsoft isn't using them broadly in their own infrastructure or the amount of telemetry is limited compared to the other updates.

    If a company decides to install “Security-only” updates, in addition they are often very sensitive in other areas, too. This could be due to strict / narrowed regulations they have to follow.
    They are more unlikely able or willing to send any telemetry, which causes less reported issues to Microsoft etc. Cat bites into its own tail here.

  • In addition to the item before: From my experience other Microsoft products (than OS) and products from other vendors have caused more issues with security only updates in the past years compared to “Monthly Security and Quality Updates”, as they “expect” and test against the Security and Quality updates. There could be other experiences about this.

 

 

Extended Security Updates

 

Extended security updates have been established first with the End of life for Windows 7, Windows Server 2008 R2 and SQL Server 2008. Potentially due to feedback from customers and partner, eventually due to own internal feedback, not least due to telemetry Microsoft introduced a novum in terms of servicing a product even after its servicing lifespan, at extra costs.

Distribution of ESU updates, next with Windows Server 2012 / 2012 R2 requires a license and an internet connection for activation. ESU updates are not available for download in Update Catalog.
So you can only retrieve them on computers that are successfully licensed and also fulfill further requirements.

 


Activating and managing ESU

The installation and activation, as well as reporting of the required activation keys can be easily managed with the latest Microsoft VAMT, which is regularly updated as part of the Windows ADK.

Many organizations, as well as Microsoft docs and blogs still reference to manage this with scripts or even manually using slmgr.exe, which I personally find quite cumbersome.

NOTE: I cannot confirm yet that the current versions of VAMT from Windows ADK support the installation and activation of the Windows Server 2012 / 2012 R2 ESU keys. It might be this needs an update of VAMT (uninstall / reinstall) at a later time, to make it compatible. This was the case with Windows 7 / 2008 R2 ESU.

The ESU activation is a stacked activation.
Means you cannot activate Y2 without installing and activating Y1, which of course requires purchase of both licenses.

The ESU activation is on top and independent from the OS activation.

ESU is a per device activation, 
you may not use the following methods to activate ESU:

  • KMS
  • the modern version of KMS, ADBA (Active Directory based activation)

PRO TIP: The ADBA method is still very uncommonly used in many organizations.
One of the main reasons, imho, is that it works only with Windows OS 8.0 or newer / Windows Server OS 2012 or newer and Microsoft Office perpetual 2013 or newer. So for many it was not worth to bother to look for an alternative or to remove KMS, due to dependencies to previous versions.

In 2022, this might and should have changed now for many, when the oldest down-level version remains to be Windows 8.1 / Windows Server 2012 or Office 2013. If not, ADBA and KMS can coexist, if you still need KMS some older products.
Imho also Microsoft contributes to this situation, as docs.microsoft.com often relies on KMS as a primary method for activation, especially if you check the docs for Windows Server.

ADBA is serverless and has no requirement to firewalling. Contrary AD join and recurring connection to AD is required.

VAMT from the latest ADK makes it very easy to bulk migrate from "legacy" KMS server to the modern ADBA, where technically appropriate and to monitor results. This means if you want migrate to ADBA you have just gained an additional usecase for VAMT, besides managing your ESU activation broadly.

 


How to save costs on ESU

 

1. Plan and migrate to newer products, consider in-place upgrades where appropriate

2. Don't hesitate to get help from Microsoft partners

3. Get an offer for new hardware from your preferred vendor or Microsoft partner

Wait what? Even the cost of new hardware, licenses, migration efforts and monthly costs and can effectively save costs on ESU? Yes, you got that right. This can happen.

Azure Stack HCI monthly fees covers all costs for ESU for workloads running on the cluster. Inform yourself about details.

If your company runs an amount of workloads with OS or other Microsoft Products that are qualified for ESU, such as SQL Server and you have no plans to migrate in the near future, you should consider and calculate the costs of new hardware to migrate and host the workloads on-premises with Azure Stack HCI.

It is a scalable solution for your on-premises datacenter or edge, starting from 2 nodes only, with no requirement for a hardware / virtual machine as witness.

In fact Azure Stack HCI is the most modern iteration of Hyper-V Clustering, advanced virtual networking, software defined storage (S2D), GPU acceleration and pooling, monitoring, that's incomparable even to the latest of feature set Windows Server 2022 has to offer. 
It receives improvements and more features on an annual schedule.

The hardware, firmware and cluster is majorly managed and monitored by great OEM plugins made for Windows Admin Center. Here is an example for DELL.

Again, I am not advocating to remain on old products and even boost them with new hardware, but if your transition is foreseeable not possible or slow, causing your organization predictable and accountable costs this "bonus" should be a certain consideration. There is great content about AzureStack HCI available on YouTube.

On your current hypervisor like Hyper-V or VMware you can even create a virtual Azure Stack HCI cluster "lab" through nested virtualization. It will not be billed for 90 days, which gives you time to get familiar with the technical details, the look and feel compared to what you know about your current Hyper-V or VMware or other hypervisor solution.

 


Further references

Updates and terminology

Further simplifying servicing models for Windows 7 and Windows 8.1 (microsoft.com)
Comprehensive Update Overview and download links for SQL Server 
Understanding B, C, D week updates
GUIDE: Where to find information about Windows Updates and release information (any version) 
Description of the standard terminology that is used to describe Microsoft software updates 

Extended Security Updates and management

Obtaining Extended Security Updates for eligible Windows devices
FAQ about Windows 7 ESU 

How to get Extended Security Updates (ESU) for Windows Server 

Volume Activation Management Tool (VAMT) from ADK
Download and Install Windows ADK 
FIX: VAMT Database from Windows 11 & Windows Server 2022 ADK is inaccessible 

Misc:
Active Directory Based Activation (ADBA) 
Create Microsoft labs, including Azure Stack HCI


History:
04/02/2022 - initial post, some additions and corrections, formatting

2 Replies
Thanks for the trip :)

- there are no ESU keys for Server 2012 / R2 yet

- VAMT will mostly need manual extension to support them (similar to Win7 ESU)
as matter of fact, neither ADK for Windows 11 (22000) or Server 2022 (20348) support Windows 10 LTSC 2021 or Office 2021 out of the box, and requiare manual extension
https://docs.microsoft.com/en-us/answers/questions/638230/issue-adding-windows-10-ltsc-2021-licenses...

- it's possible to install and activate Y3/Y2 of ESU keys without Y1
i.e. back in January 2020, one could have activated Win7 ESU key Y3 and it would work all the way until January 2023

- little off-topic:
Win7 ESU technically can be activated using KMS, but it's not supported or possible officially (nor unofficially), because required CSVLK and GVLK keys are not published
Thank you for your additions! Yes there are no ESU for 2012 / 2012 R2 yet but they are already documented in docs, so we can expect they will come.
I hope that VAMT will be made "fit" for the products you noted very soon, they have to touch 7 maintain the product anyway for a different issue (database), and Windows Server 2022 reports as Windows Server 2021. Some glitches here and there.
Of course they stopped to update the product list when you use ADBA it only states Windows 8 and Windows Server 2012, so without reading docs or trying who should have known that ADBA works also for later OS and Office 2013 and newer if it is not noted there. But that's cosmetic.
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE