When your Windows products reach the end of support, Extended Security Updates (ESUs) are there to protect your organization while you modernize your estate. To take advantage of this optional service, you’d purchase and download ESU product keys, install them, and finally activate the extended support.
Note: People tend to refer to ESU keys interchangeably as multiple activation keys (MAK), ESU product keys, or ESU license keys.
Ultimately, you can activate the ESU product key with or without internet connection. For online activation, you can use the elevated command prompt or Volume Activation Management Tool (VAMT). To install and activate ESU for devices that are not connected to the internet, you can use VAMT or phone activation. Azure Virtual Machines (VMs) are a special case, which we’ll touch on toward the end. We’ll use the Windows Server 2012 R2 case to illustrate ESU key activation. Let’s start with the easy steps for connected servers.
Important: Activation via Control Panel > System and Security > System > Activate Windows activates the Windows operating system only. You cannot use it to activate ESU keys.
You can use Volume Activation Management Tool (VAMT) for online and/or proxy activation. To install and activate ESU keys using VAMT, follow these steps:
If the VAMT host (with internet access) and Windows Server 2012/R2 servers you want to activate with the ESU keys are on the same network, you only need one VAMT host. In this case, no need to move the VAMT data file exported into .cilx file for activation.
Note: For online activation, make sure the device has access to the following endpoints:
If you directly click or tap on these links, you’ll receive a privacy error message. This is the expected behavior.
The VAMT host connects to the device using Windows Management Instrumentation (WMI) port 135. This includes RPC over TCP/IP (49152 or above), as described in The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008. Please ensure that this and any other ports are open for any physical firewall or router between the VAMT host and the device. This includes any software-based firewall on the device. If you’ve followed the allow-listing steps in Windows Server 2012/R2 Extended Security Updates, you’re all set to activate ESU keys online with VAMT.
Learn more about this scenario at Perform Proxy Activation.
If you cannot put that VAMT host on the same network, then you need a second VAMT host (see diagram below). Please check that you have what’s required for this scenario before going through the activation steps:
To activate the ESU keys with VAMT proxy, let’s create your setup and walk through a series of steps.
To activate ESU keys via phone, use the Slmgr.vbs command options /dti and /atp.
The good news is that you don’t need to deploy an additional ESU key for Azure virtual machines (VMs), Azure Stack HCI, version 21H2 and later. Like on-premises devices, you’ll need to install the appropriate SSUs as outlined in Windows Server 2012/R2: Extended Security Updates. With those SSUs, VMs will be enabled to download the ESU updates.
Would you ever need to deploy the ESU key for Azure products? Yes. You’ll do this for Azure VMWare, Azure Nutanix solution, Azure Stack (Hub, Edge), or for bring-your-own images on Azure for products under extended support. Just follow the steps to install, activate, and deploy ESUs described in Windows Server 2012/R2: Extended Security Updates.
Use any of these activation scenarios today to protect any Windows devices that reach the end of support for a limited time. The illustrative case is especially helpful today for Windows Server 2012, Windows Server 2012 R2, and Windows Embedded Server 2012 R2 as they reach end of support. Our recommended solution is Windows Server 2012 Extended Security Updates enabled by Azure Arc. Read Windows Server 2012/R2: Extended Security Updates for recommendations and steps as you modernize your estate and shift to Azure.
For additional information, consult Product Lifecycle FAQ - Extended Security Updates.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.