Edit

Free Extended Security Updates (ESU) through Azure Stack HCI

  • Article

Applies to: Azure Stack HCI, versions 23H2 and 22H2

The Extended Security Update (ESU) program enables you to get important security patches for legacy Microsoft products that are past the end of support. Getting ESU through Azure Stack HCI comes with additional benefits and implementation steps – this article explains the specifics for Azure Stack HCI.

To get general information about the ESU program, products that are covered, and support dates, see the Product Lifecycle FAQ.

Note

Azure Stack HCI customers can obtain ESUs at no cost through Azure verification for VMs by following the instructions in this article. If you have an Arc-enabled server that is not Azure Stack HCI, you should consider obtaining ESU licenses through Arc. For more information, see Deliver Extended Security Updates (through Arc).

Tutorial: Get free ESUs through Azure Stack HCI

This tutorial walks you through how you can use Azure verification for VMs to automatically unlock free ESUs on Azure Stack HCI. Azure verification is a feature on Azure Stack HCI that enables you to extend supported Azure-exclusive benefits to your cluster, including getting ESUs for free.

Note

The steps in this tutorial apply to Azure Stack HCI version 23H2 and later only. If you're using version 22H2 and earlier, see the documentation for Azure Benefits (22H2 and earlier).

Prerequisites

Step 1: Turn on legacy OS support for Azure VM verification

Follow these instructions to turn on legacy OS support for Azure VM verification:

Step 2: Enable access for new VMs

You must also enable legacy OS support access for each VM that requires ESU. Follow these instructions:

Step 3: Install Extended Security Updates

Once legacy OS support is set up, you can install free Extended Security Updates for eligible VMs on your cluster. Install updates using your current method of preference; for example, Windows Update, Windows Server Update Services (WSUS), Microsoft Update Catalog, or other. The following screenshot shows installation of security updates using Windows Update:

Screenshot that shows the Control Panel.

FAQ

What ESU products does this cover?

ESU covers Windows Server and Windows client products under the ESU program. For more information, see the product lifecycle FAQ.

Does this cover ESUs for Windows Server 2012?

Yes it does.

Does my VM need to be connected to get ESUs?

No, you don't need internet connectivity to install ESUs, unless you're using an update method that requires internet connectivity to download ESU packages. Only the Azure Stack HCI host needs to maintain 30-day internet connectivity for Azure VM verification to remain active.

Can I still use MAK keys to get ESUs for VMs on Azure Stack HCI?

Yes. If you have already bought MAK keys, you can still apply them with the instructions outlined in Obtaining Extended Security Updates for eligible Windows devices. However, MAK keys are not free. Consider switching to the Azure verification for VMs approach so that you can automatically get free ESUs through your Azure Stack HCI cluster going forward.

Can I discover ESUs if I don't have Azure verification for VMs?

Yes. You can discover ESUs even if you don't have Azure VM verification. For the installation, you must set up Azure verification for VMs (or MAK keys).

Can I get ESUs through Azure Virtual Desktops (AVD) on Azure Stack HCI?

The operating systems currently supported for AVD on Azure Stack HCI are not yet eligible for ESUs. See the list here.

Do I need to do anything to renew for Year 1/Year 2/Year 3, etc.?

No. Once you have set up Azure verification for VMs, you don't need to renew or do anything else.

Next steps

Product Lifecycle FAQ - Extended Security Updates.