What is an Extended Security Update (ESU) and Why is Azure Arc the Only Way to Get It?

    Most people think old servers just get slower with age. The real danger is what happens when support ends. If your business is still running Windows Server 2012 or 2012 R2, the clock has already run out, and the risk gets serious fast.

    Every Microsoft product goes through two stages of support. Mainstream Support is the standard period during which Microsoft adds new features and fixes problems.

    Extended Support is the extra five years during which you still get security updates but no new features. For Windows Server 2012 and 2012 R2, Extended Support ended on October 10, 2023.

    The Ticking Clock: What “End of Support” Really Means in 2025

    That date is already behind us. What does that mean today?

    If you stay on an out-of-support server, you will no longer receive security patches. That leaves your servers wide open to ransomware. Hackers search for old, unpatched systems because they know they can easily gain access.

    Running unsupported servers also creates significant compliance issues with laws such as HIPAA, PCI, and GDPR. Auditors will flag these right away.

    This also answers a common question. What happens if you skip Extended Security Updates? You lose all critical security fixes, and your risk goes way up.

    What is an Extended Security Update (ESU)? The Official Lifeline

    Extended Security Updates, or ESUs, are Microsoft’s paid safety net for products that have already reached the end of support. They provide critical and important security patches so you can protect older systems while you plan your next move. ESUs are meant to be a last resort, not a long-term solution, and they only cover the most serious security vulnerabilities.

    It is important to know what ESUs do and do not include. You will still get patches for high-risk security issues, but you will not get new features, general bug fixes, design changes, or technical support. Those fall under separate programs. ESUs are a way to keep an out-of-support system protected for a little longer.

    Microsoft sells ESUs on a one-year basis, with a maximum term of three years. For Windows Server 2012 and 2012 R2, this means coverage can extend until October 2026 if you stay enrolled.

    How to Get ESUs: Two Paths That Both Point to Azure

    There are only two ways to get Extended Security Updates, and both involve Azure. The right choice depends on how much change your business can handle and how quickly you want to reduce risk.

    Option 1: Move your servers to Azure

    You can lift and shift your Windows Server 2012 virtual machines into Azure. The big benefit is that ESUs are free in this case.

    The catch is that this still requires a migration project, even if you do not change the app itself.

    Option 2: Stay on-premises and use Azure Arc

    You can keep your servers in your own data center and connect them to Azure through Azure Arc. This option avoids moving the workload, so it is less disruptive and often easier for systems that are tightly integrated or difficult to migrate.

    But the ESUs are not free. You must purchase them each year, and Azure Arc is the only method to receive the patches.

    The Core Answer: Why Azure Arc Is the Only Way for On-Premises Servers

    Microsoft retired the old method of buying ESUs. In earlier end-of-support cycles, such as Windows Server 2008, you could simply purchase a key from a partner and install it manually. That approach no longer exists. For Windows Server 2012 and newer, Microsoft requires Azure Arc as the system for licensing, billing, and delivering ESUs. This is a planned shift toward a unified hybrid cloud model.

    Azure Arc uses a small agent that connects your on-premises server to your Azure portal. Once that connection is made, your server behaves like a managed resource inside Azure. This gives Microsoft a consistent way to validate licenses, track enrollment, and push security patches to servers that have already reached the end of support.

    How Azure Arc Works

    Here is the process from start to finish:

    • You install the Azure Arc agent on your on-premises server.
    • The server then appears inside your Azure subscription like any other resource.
    • You enroll the server in the paid ESU program through the Azure portal.
    • Azure handles the billing, confirms the license, and pushes ESU patches directly to your server.

    Answering the Big Question: Can You Get ESUs Without Azure?

    No. There is no manual installer, no partner key, and no offline method. Even if your servers never leave your building, you still need an Azure subscription and Azure Arc to buy, activate, and receive the updates. This is the most important detail to understand when planning your next steps.

    The “So What?” — Beyond the Patch: Why Microsoft is Really Doing This

    Microsoft is not just offering a patch. The ESU requirement is a strategic move to guide organizations toward hybrid cloud management. The need for security updates is the immediate pressure, but the long-term goal is to get businesses using Azure Arc so they can manage servers in a modern and consistent way.

    The ESU program is the stick that forces action. Without Arc, you cannot get the updates you need. But once Arc is installed, you gain access to powerful tools that Microsoft sees as the future of IT management. Research from Forrester showed that organizations can reduce their operational costs by 49% by using a unified platform like Azure Arc.

    Gartner predicts that approximately 90 percent of companies will adopt hybrid cloud by 2027. Arc positions your business to be part of that future.

    You Have Installed Azure Arc. Now What?

    Once Azure Arc is on your server, you have already taken the first step to strengthen and modernize your environment. Arc connects your on-premises systems to powerful cloud tools that help you improve security, consistency and visibility without moving the workload itself.

    Here is what you can do right away:

    Use Microsoft Defender for Cloud

    You can onboard your on-premises server to Microsoft Defender for Cloud to get advanced, cloud-based threat detection. This helps you identify risks faster and protect older systems with the same security features used in Azure.

    Enforce Azure Policy

    Azure Policy lets you apply the same compliance and governance rules to your on-premises servers that you already use for your cloud resources. This ensures consistent settings, reduces configuration drift, and helps you meet regulatory requirements more easily.

    Gain a Single Pane of Glass

    Because Arc brings your on-premises servers into your Azure portal, you can view and manage all your resources in one place. This gives your team a clear, unified view of your entire environment, whether it lives in the cloud or in your data center.

    Your Three Strategic Options (What to Do Now)

    Microsoft’s end-of-support deadline forces every organization to make a choice. The good news is that the decision lines up with a simple model: Fortify, Bridge, or Transform. Each path fits a different business situation and timeline.

    1. Fortify

    This option is all about stability. You install Azure Arc, enroll your servers in ESUs, and strengthen what you already have. It is the right choice for businesses with complex or sensitive systems that cannot move yet, such as manufacturing plants, medical devices, regulated environments, or heavily customized apps. Fortify gives you time. You stay secure while you plan a larger modernization effort without rushing into a risky migration.

    2. Bridge

    The Bridge path is a practical middle ground. Here you begin lifting your Windows Server 2012 workloads into Azure. You are not redesigning or rewriting anything. You are simply moving the servers to a safer, supported environment. This approach helps companies that are already facing hardware refresh decisions. Instead of buying new servers, which can cost more than a migration, you shift to Azure, where ESUs are free. Many organizations choose this path because it reduces risk quickly while creating a foundation for future cloud improvements.

    3. Transform

    Transform is the long-term and future-ready choice. Instead of keeping an old system alive, you replace it with a modern cloud platform. A common example is moving from Dynamics GP running on Windows Server 2012 to Dynamics 365 Business Central. This option removes technical debt, improves performance, simplifies IT management, and sets the business up for growth. It is ideal for organizations that want to innovate, not just maintain the status quo.

    Each of these paths solves the immediate security problem, but they also shape your technology roadmap for years to come.

    Conclusion: ESUs Are a Bandage, Not a Plan

    Extended Security Updates address an urgent problem, but only for a limited period of three years. After that, you must make a change. Microsoft has made the path clear. You can Fortify, Bridge, or Transform. Do not just buy a patch. Use this moment to build a real plan for long-term modernization.

    If you want to secure your servers today and set your business up for the future, now is the time to get Microsoft Azure Arc in place. It is the required path for ESUs and the first step toward a stronger, more manageable hybrid environment. Let us help you get started.

    Frequently Asked Questions

    How much do ESUs cost?

    For on-premises servers, the annual cost is the full price of the original license. You pay this for Year 1, Year 2, and Year 3. If you migrate to Azure, they are free.

    What is the difference between Extended Support and Extended Security Updates?

    Extended Support is the free five-year period during which Microsoft still provides security updates. ESU is the paid program that begins after Extended Support ends.

    Which products are eligible?

    The most common are Windows Server 2012 and 2012 R2, as well as SQL Server 2012.

    Do I have to pay for Azure Arc?

    Azure Arc itself is free to use as a control tool. You only pay for the services you turn on, such as ESUs or Microsoft Defender.

    Ready to take action?

    Talk to us about how Velosio can help you realize business value faster with end-to-end solutions and cloud services.