Microsoft Extended Security Updates - what's the deal?

10 March 2020
6 minute read
Microsoft

Microsoft Extended Security Updates - what's the deal?

10 March 2020
6 minute read

This article was written by Rich Gibbons, ITAM Review and Damien Juillard, Elée / Sambox.io
Microsoft Extended Support Updates

Following the end of support for SQL Server 2008/2008 R2 on July 9, 2019, Windows Server 2008/2008 R2 also reached the end of support on January 14, 2020. What does this mean and what are the alternatives?

Microsoft’s support policy states that products have a 10-year lifecycle during which they will provide support. These 10 years are actually cut into two periods – 5 years of mainstream support followed by 5 years of extended support. At the end of extended support, there is no more support available from Microsoft (except in very exceptional circumstances) which immediately introduces security risks if you are still running these versions. Specifically, these servers are no longer receiving security patches and any newly discovered flaw is an attack vector for trojans, ransomware etc. to potentially infiltrate your enterprise.

What are the options and is it already too late?

The first recommendation is to make sure your plans align with Microsoft’s support lifecycle, so you are only running software that is supported by the vendor. Microsoft strongly encourage organisations to ensure they are running at least Windows Server 2012, which is supported until 2022, but moving to Windows Server 2016 (supported until 2026) and Windows Server 2019 (supported until 2029) will give you a longer period before this situation occurs again. While it may seem that this is obvious, often we see organisations where around 25% of their server estate are legacy machines running Windows Server 2008/2008 R2. This can be for a variety of reasons but one of the most common is that a 3rd party application has a dependence on these older operating systems.

What are the (real) options?

If you are still on the impacted versions and you want to get protected ASAP, there is only one real option – Microsoft Extended Security Updates (ESUs). These extend the support deadline to 2023 but give only security updates – for Windows Server, it is those updates rated “Important” or “Critical”. There are two ways to access the ESUs:

1) Purchasing ESUs via your licensing agreement
2) Migrate your legacy servers to Azure

Purchase ESUs for on-premises servers

ESUs are available to purchase via the following licensing programs and channels:

  • Enterprise Agreement (EA)
  • Enterprise Agreement Subscription (EAS)
  • Server & Cloud Enrolment (SCE)
  • Enrolment for Education Solutions (EES)
  • Cloud Solution Provider (CSP)

And you need to have Software Assurance (SA) on the existing server licences, the Client Access Licenses (CALs) that connect to those servers, and on any external connector licenses for those servers too. That SA, however, can be on a different agreement.

On-premises customers will receive additional ESU keys via the well-loved Volume Licensing Service Centre (VLSC) website but must install certain packages before activating the keys. It is to be noted that KMS activation is not possible.

For CSP customers, the relevant Server Subscription licenses allow ESUs to be purchased.

How much does it cost?

Extended Security Updates for Windows Server (and SQL Server) cost approximately 75% of the on-premises license cost PER YEAR – taking Microsoft Extended Security Updates is by no means the cheap option! If you cover a server with ESUs for the full 3 years, you will pay 2.25 x the price of a full license – you could most likely have bought Windows Server 2019 w/SA for that price.

Migrating to Azure

If you need/want to remain on the older releases, another option is migrating the on-premises servers into Microsoft Azure, as cloud servers running Windows (or SQL) Server 2008/R2 receive ESUs at no additional cost. On the face of it, that makes the equation:

On-premises = 2.25 x cost

vs

Azure = Free

But, of course, it isn’t really that straight forward! Once you get the server into Azure, you need to pay for the virtual machine, storage, networking etc. but even before that, the journey to the cloud is costly too.

The time needed to test compatibility, convert, and then migrate the physical server into the cloud is rarely a quick process and will incur plenty of “soft” costs through internal time and resources. Equally, if this move to the cloud is quicker than your organisation originally planned, you may find higher costs in on-going maintenance and management of the Azure based servers too.

Hybrid Use Benefit

Those of you with Software Assurance (or Server Subscriptions), you can take advantage of the Azure Hybrid Use Benefit to reduce the cost of your Windows Server virtual machines running in Azure.

For every 16 core licenses you have with active SA, you can run up to 2 VMs with up to 16 cores. Interestingly, the Microsoft guidance such as licensing datasheets, Microsoft Docs etc. says that each VM can have “up to 8 cores” however this isn’t reflected in the Microsoft Product Terms which instead states “16 Virtual Cores allocated across two or fewer Azure Base Instances”.

Windows Server Standard licenses can be used on-premises OR in Azure, while Windows Server Datacenter licenses can be used on-premises AND in Azure simultaneously – on shared servers. For Windows Server Standard, there is a 180-day migration period where you can run the licenses on-premises and in the cloud at the same time, to facilitate the migration process.

Hybrid Use Rights are also available for SQL Server, although the rules are slightly different. You can use them to reduce costs on SQL in Azure in both IaaS and PaaS scenarios, but there is no concept of simultaneous use between on-premises and Azure – save for the same 180 dual-use rights to allow migration to the cloud.

Conclusion

As already stated, if you’re looking at the Microsoft Extended Security Updates now, they’re probably your only real option – at least for the first year. That said, it can be a good opportunity to review your software refresh policies for the future as similar situations will come around before you know it; it’s only 2 years until Windows Server 2012 leaves extended support.

Get an overall picture of your server estate, match it against Microsoft’s support end dates, and then sit down with the relevant stakeholders to find out why the old versions are still in use and what can be done to make a change – hopefully upgrading the on-premises infrastructure more rapidly and/or creating a smooth, easily repeatable process for moving servers into the cloud.

Further Reading

Obtaining ESU updates – https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091

Can’t find what you’re looking for?