With the release of the October 2023 updates, Windows Server 2012 and Windows Server 2012 R2 have reached their end of support; there will be no more security updates in the future, unless customers buy an Extended Security Update extension (ESU license). Now a reader has informed me that these ESU licenses are not provided for on-premises systems. But there is an alternative in the form of 0patch micropatches.
Windows Server 2012/R2 is EOL
Windows Server 2012 and Windows Server 2012 R2 are (largely) history, because both operating systems received security updates for the last time on the October 2023 patchday (October 10, 2023). Both operating systems already dropped out of mainstream support in 2018.
I had mentioned this in the blog post End of Support announcement for Windows Server 2012/2012 R2, SQL Server 2012. Microsoft also published the document SQL Server 2012 and Windows Server 2012/2012 R2 end of support on the topic, which gives the dates on which support for the products will be discontinued. So administrators should not have been surprised.
There is ESU support, isn't there?
However, Microsoft has set up an Extended Security Update (ESU) program for the above-mentioned server operating systems, and customers can buy an ESU license for three years each. According to this website, ESU licenses will then allow security updates until October 13, 2026.
Alternatively, Microsoft offers the switch to the Azure cloud. Back in July 2021, Microsoft pointed out in this article that customers can also switch to Azure virtual machines (also includes Azure Dedicated Host, Azure VMware Solution and Azure Stack (Hub, HCI, Edge)) to receive three additional years of free advanced security updates.
This offer is valid for all products mentioned in this article, as you can read on this Microsoft page about Azure. Microsoft is "luring" customers into the cloud. On the other hand, it should be possible to continue to operate on-premises machines if you have an ESU license. There is a FAQ about the ESU licenses, whose Windows Server 2012/R restrictions can be read here.
But no ESU for on-premises systems?
Last week on Friday (Oct. 13, 2023), blog reader Tobias contacted me by mail because he had come across some unpleasant information regarding ESU licenses (thanks for that). He wrote that he had recently come across a topic that might be interesting for me as a blog owner and for the readership. He had tried to order an ESU license from a distributor in order to continue running systems on-premises. From the distributor he then received a response, from which he paraphrases or partially quotes the following statements to me:
- Microsoft informed us yesterday that no [ESU] renewal via on premise is planned.
- Although the SKUs and prices were also shown to us, we [the distributor] received an error message when booking.
- As a result, we [the distributor] are unable to fulfill your order as planned.
Microsoft has provided us with the information below on how to proceed.
According to the distributor, the following recommendations and instructions were given by Microsoft:
We recommend mapping this [i.e. ESU extension] via Azure:
Windows Server 2012 Extended Security Updates enabled by Azure Arc (microsoft.com)
How to get Extended Security Updates (ESU) for Windows Server 2008, 2008 R2, 2012, and 2012 R2 | Microsoft Learn
The best way would be this:
The distributor then added the following in his reply:
If this is not possible, I need the business case "why this is not possible," please.
With this business case we could approach Microsoft and try to get a one-time release.
If you give me timely info on this, I will take care of it right away.
I did not find this "view" in the FAQ linked above. So far, there are (arguably) official SKUs for this and the links provided explicitly list ESU licensing for workloads in on-premises environments as a possible option to continue with Server 2012. That was my understanding as well.
Thomas notes that this should affect quite a few customers and that many of them do not want to or cannot go the advertised way to the cloud. Therefore, he sees the statement very critically, and especially the last part quoted above is very surprising. The customer is supposed to create a "business case" so that the distributor can submit it to Microsoft and "try" to obtain a "one-time approval".
There it is again, the ghost: "Go into the cloud", on-premises is dead. The reader wrote that the request is now some time old, but the response from Microsoft has probably not yet been made. The reader supposes that we can only hope that the tactic of sitting out these kinds of requests until the customer gives in to the ever-increasing pressure is not now being tried.
In doing so, he is interested in whether this type of "oddity" outlined below has also occurred to other readers. I myself am hearing about it for the first time. He would also be very interested in the opinion of third parties on the subject. My opinion: Time to tackle the migration to Linux as a server operating system. Because the way Microsoft is going to do it cements the dependencies, and if something starts to wobble, it's over.
Tip: Use 0patch
It passed me by because Mitja Kolsek, the founder of ACROS Security, probably doesn't post on X anymore and let me know the info. But back on August 8, 2023, he published the blog post Three More Years of Critical Security Patches for Windows Server 2012 and Windows Server 2012 R2. There he promises to secure the mentioned operating systems against vulnerabilities for another three years.
Kolsek develops so-called micropatches based on the Microsoft ESU updates; a 0patch agent loads them into memory at runtime, where they "mitigate" the vulnerabilities. ACROS Security has been doing this successfully for several years, and I had already pointed out the concept at the beginning of 2023 in the article Windows 7/Server 2008 R2 receive 0patch micropatches in 2023 and 2024.
They are targeting clientele who are not lucky enough to be an "eligible customer with Software Assurance under an enterprise contract." Only this group of customers can "enjoy" up to three years of extended security updates (ESU) from Microsoft at an annual price that corresponds to "100% of the full license price per year".
With 0patch, support costs between 24.95 and 34.95 euros (net) per user per year. In return, ACROS Security provides timely micropatches for the vulnerabilities that are considered likely to be exploited. Kolsek works together with security researchers who have discovered the vulnerabilities and also evaluates the Microsoft security updates.
Similar articles
End of Support announcement for Windows Server 2012/2012 R2, SQL Server 2012
Windows 7/Server 2008 R2 receive 0patch micropatches in 2023 and 2024
Windows 7/8.1/Server 2012R2: Deactivate Google Chrome notification to upgrade to Windows 10
"… ESU licenses are not provided for on-premises systems. " That is not a correct statement. Granted, we are in the States and have an enterprise agreement with Microsoft, but we just got a firm quote last week from our distributor for ESU coverage, a quote that went through Microsoft's hands, so to speak. None of the systems in the quote are in Azure.
That said, Microsoft made a change in late August or September that Microsoft has to get involved with the customer to see if they want the Azure Arc option for ESU licensing instead of the legacy version used for Server 2008 R2 ESU licensing. The Azure Arc option has the ability to save money vs. the rigid 12-month ESU license but it does involve installing Azure Arc on the servers in question. For logistical and time reasons, we declined the Azure Arc option but it's an option that should be considered if you want to pay for ESU licensing only for the months the servers are still running Server 2012 R2.
Thanks for that statement. Have to check if it's the same in Europe.
Did not have very much of a problem (just a little!) with obtaining and activating ESU license in Nov. 2023, for on-premise server 2012 R2, in Germany, as soon as the Microsoft Partners (which all were named/recommended/triggered by MS after a direct call there…!) did actually understand WHAT was required, AND also could obtain information on this from MS.
– I'll admit that was the tricky part – two of the three MS-named partners fell out because they did fail to obtain any information on ESUs from MS in time. Only the third one was already familiar with what we wanted, but they still had quite a struggle with getting information and details and all, from MS themselves. They did succeed, though.
(Now into the second year, due to even more unforeseen obstacles… but there were no problems with renewing either.)
Although for quite a time it seemed like that at MS there was no one actually involved with, or responsible for, or answerable to end users in respect of, or even knowledgeable of, the details of an ESU!
– Thankfully now we are still licensed happily ever after.