How to use Windows Server 2008 and 2008 R2 extended security updates (ESU)

Applies To: Windows Server 2008 / 2008 R2

Windows Server 2008 and Windows Server 2008 R2 reach the end of their support lifecycle on January 14, 2020. Windows Server Long Term Servicing Channel (LTSC) has a minimum of ten years of support - five years for mainstream support and five years for extended support. This support includes regular security updates.

End of support also means the end of security updates. This scenario can cause security or compliance issues and put business applications at risk. Microsoft recommends that you upgrade to the current version of Windows Server for the most advanced security, performance, and innovation.

If you can't upgrade all your servers by the end of support lifecycle deadline, the following options help protect applications and data during the upgrade transition:

  • Migrate existing Windows Server 2008 and 2008 R2 workloads as-is to Azure Virtual Machines (VMs).
    • This migration to Azure automatically provides an additional three years of extended security updates (ESU). There's no additional charge for extended security updates on top of Azure VM's cost, and there's no additional configuration required.
  • Purchase an extended security update subscription for your servers and remain protected until you're ready to upgrade to a newer Windows Server version.
    • These updates are provided for up to three years after the end of support lifecycle date.

After the three year period of extended updates, there's no option for computers to receive additional updates.

What are extended security updates for Windows Server?

Extended security updates (ESUs) for Windows Server include security updates and bulletins rated critical and important, for a maximum of three years after January 14, 2020. Extended security updates don't include the following:

  • New features
  • Customer-requested non-security hotfixes
  • Design change requests

For more information, see the Extended Security Updates frequently asked questions.

Register for extended security updates

To use extended security updates, you create a multiple activation key (MAK) and apply it to Windows Server 2008 and 2008 R2 computers. This key lets the Windows Update servers know that you can continue to receive security updates. You register for extended security updates and manage these keys using the Azure portal, even if you only use on-premises computers.


If you run Windows Server 2008 / 2008 R2 VMs in Azure, you don't need to perform the following steps. Azure VMs are automatically enabled for extended security updates. You don't need to create an extended security update resource and key, and there's no additional charge for using extended security updates with Azure VMs.


Before following the steps below, please send an e-mail to with this information for approval to white list:

  • Customer Name:
  • Azure Subscription:
  • EA Agreement Number (for ESU):
  • Number of ESU servers:

The team will review provided information and add user/subscription to the white list.

If the requestor is not white-listed, the following error can occur: The resource type could not be found in the namespace 'Microsoft.WindowsESU'

To register non-Azure VMs for extended security updates and create a key, complete the following steps in the Azure Portal:

  1. Sign in to the Azure portal.

  2. In the search box at the top of the Azure portal, search for and select Extended Security Updates.

    Search for extended security updates in the Azure portal

    If you haven't use extended security updates before, chose to + Create an extended security updates resource first. Otherwise, select your resource from the list.

  3. Under Register for Extended Service Updates, select Get started.

    Get started with Extended Security Updates in the Azure portal

  4. To create your first key, select Get key.

    Choose to create a key in the Azure portal


    You need an Azure subscription associated with your account to create the extended security update resource and key. If you don't have an Azure subscription associated with your account, sign in with a different user account or create an Azure subscription using the guided steps shown in the portal.

  5. Under Azure details, select your Azure subscription, a resource group, and location for your key.

    Under Registration details, enter the following information:

    Setting Value
    Key name A display name for your key, such Agreement01.
    Agreement number Your agreement number generated by the volume licensing contract management system, or MSLicense for Enterprise Agreement programs.
    Number of computers Choose the number of computers on which you want to install Extended Security Updates with this key.‚Äč
    Operating system Choose the operating system to use this key with, such as Windows Server 2008 or Windows Server 2008 R2.

    When ready, select Review + register.

  6. After successful validation, a summary of your choices for the new registry resource is shown. If needed, correct any validation errors or update your configuration choice. The Azure Terms of Use and Privacy Policy are available.

    Check the box to confirm that you have eligible computers and the key is only to be used within your organization:

    Confirm that the key will only be used by your organization

    When ready, select Create to generate the MAK.

Extended security updates registration is now available for use with your computers. The key created should be applied to Windows Server 2008 and 2008 R2 computers that you wish to remain eligible for security updates.

Download and apply extended security updates

Delivery, download and application of extended security updates for Windows Server is no different than existing deployment processes. The updates provided through extended security updates are only for Security, and are released every Patch Tuesday.

You can install the updates using whatever tools and processes already in place. The only difference is that the system must be registered using the key generated in the previous section for the updates to download and install.

For Azure VMs, the process of enabling the computer for extended security updates is automatically completed for you. Updates should download and install without additional configuration.