Preparing endpoints to accept ESU patches

After subscribing the endpoints in your deployment to a BigFix Extended Security Updates (ESU) patch site, you can use the content in the site to prepare the endpoints to accept the ESU patches.

About this task

Before you start applying ESU patches through BigFix, it is important to first ensure that your endpoints are properly configured to accept and deploy these updates. This includes verifying that your endpoints are enrolled in the BigFix ESU patch site.

Options for Accessing Extended Security Updates (ESUs)

You can access Extended Security Updates (ESUs) through the following options depending on your environment.

Procedure

  1. Non-Azure Physical and Virtual Machines

    The ESUs on non-Azure virtual machines are obtained by applying a MAK to the relevant servers. This MAK key enables Windows Update servers to continue providing critical security updates beyond the standard support period.

    1. Verify or apply the prerequisite Windows patches for ESU.
      There are multiple Windows patch Fixlets that are prerequisites for installing the ESU MAK. The MAK installation fails if the patches are not installed. The ESU Key Management: Install and Activate MAK Fixlet description contains links to the prerequisite patch Fixlets for each supported operating system, some of which are available in the Patches for Windows site and some of which are available in the ESU patch site. Follow the links to each Fixlet and check which ones are relevant; if any prerequisite patch Fixlet is relevant to the endpoints intended for ESU, apply it before installing and activating the ESU key.

      [Figure: ESU key management]
    2. Distribute MAK to enable ESU patching.
      Fixlets are provided in each ESU Patching site to automate the activation and deactivation of the ESU MAK you received from Microsoft® on many endpoints at a time. The ESU Key Management: Install and Activate MAK task allows you to input your ESU key securely in the Fixlet description and take action to install and activate the key on the targeted endpoints. Similarly, with the ESU Key Management: Deactivate and Uninstall MAK task, you can remove any ESU key that is already installed on endpoints.

      [Figure: ESU key]

      Important: The activation of ESU keys requires each endpoint to be connected to the internet and be able to communicate with Microsoft®. For more options, see Frequently Asked Questions.
    3. Create ESU patching groups in BigFix.
      Each BigFix ESU Patching Add-on site contains an analysis with an ESU Keys Installed property that identifies subscribed endpoints that have an ESU key installed and activated, and also includes the ESU key's year and the last five characters of the installed MAK. If you have more than one MAK to manage, this will help you keep track of which key was used on which endpoints.

      [Figure: ESU key information]

      By copying the analysis property Relevance into a retrieved property, you can use it to create ESU patching groups in your own deployment.

      [Figure: ESU keys installed]

      Note: The ESU Installed Keys (WMI) property uses WMI queries, which can be expensive on some Windows configurations. Test before implementing it as a retrieved property in your environment.
  2. Azure Virtual Machines
    Applicable Virtual Machines (VMs) hosted in Azure are automatically enabled for ESUs, and these updates are provided free of charge. There is no need to deploy a Multiple Activation Key (MAK) or take any additional action. Learn more about this option by visiting Extended Security Updates on Azure.
  3. Azure Arc-Enabled Servers

    For servers located on-premises or in a hosted environment, you can enroll your Windows Server 2012 and Windows Server 2012 R2 machines for ESUs through the Azure portal. By connecting through Azure Arc, you will be billed monthly via your Azure subscription, and ESUs will be delivered automatically without the need for a MAK key.

    Learn more about enrolling your servers through Azure Arc by visiting Extended Security Updates enabled by Azure Arc.
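As an added example (not BigFix or Microsoft content) of what the WMI-based ESU Keys Installed check in the non-Azure procedure looks at, the PowerShell below lists ESU add-on licenses on a single endpoint so you can confirm activation before relying on a retrieved property built from the analysis Relevance. It assumes that ESU add-on entries in SoftwareLicensingProduct carry "ESU" and a "YearN" token in their Name and that LicenseStatus 1 means Licensed; verify both on a test host.

```powershell
# Added example (not BigFix content): inspect ESU add-on activation through the
# SoftwareLicensingProduct WMI class, the same class the analysis property queries.
# Assumptions: ESU add-on licenses contain "ESU" and "YearN" in their Name (as
# shown by slmgr /dlv); LicenseStatus 1 means Licensed. Confirm on a test host.
function Get-EsuActivation {
    [CmdletBinding()]
    param()

    # Filter server-side so WMI returns only products that actually hold a key;
    # this keeps the potentially expensive query as cheap as possible.
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL" -ErrorAction Stop

    foreach ($p in $products) {
        if ($p.Name -notmatch 'ESU') { continue }
        $year = if ($p.Name -match 'Year(\d+)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Product    = $p.Name
            EsuYear    = $year
            PartialKey = $p.PartialProductKey   # last five characters of the MAK
            Activated  = ($p.LicenseStatus -eq 1)
            Status     = $p.LicenseStatus
        }
    }
}

# Pre-check: non-zero exit if no installed or no activated ESU key is present.
$esu = @(Get-EsuActivation)
if (-not $esu) {
    Write-Warning "No ESU add-on license found; run the Install and Activate MAK Fixlet first."
    exit 1
}
$esu | Format-Table Product, EsuYear, PartialKey, Activated -AutoSize
if (-not ($esu | Where-Object Activated)) {
    Write-Warning "ESU key installed but not activated; the endpoint must reach Microsoft activation."
    exit 2
}
exit 0
```

Compare the EsuYear and PartialKey columns with what the ESU Keys Installed analysis reports for the same endpoint; a mismatch usually means the MAK was applied but activation did not complete.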