Microsoft Workloads on AWS

How to deploy Extended Security Updates for Windows Server 2012 on Amazon EC2 with AWS Systems Manager

In this blog post, I will guide you through the procedure necessary to prepare your Amazon Elastic Compute Cloud (Amazon EC2) workloads to receive Extended Security Updates (ESU) purchased from Microsoft. This is achieved by utilizing the Patch Manager and Run Command capabilities of AWS Systems Manager.

Windows Server users are familiar with Microsoft’s regular practice of ending support and mandating upgrades. On October 10, 2023, Windows Server 2012 and 2012 R2 reached their end of support (EOS). Microsoft EOS signifies customers will no longer receive security updates for the impacted operating systems, leaving their infrastructure and applications vulnerable.

To address the challenge of Windows Server end of support, customers have a range of options. We have outlined several of these options in detail in our blog posts: Know your AWS options for Microsoft Windows Server 2012 End of Support and It’s end of support time again. Are your Microsoft Windows Servers secure?.

Beyond the choices outlined in the aforementioned articles, customers have the option to purchase Extended Security Updates (ESU) from Microsoft if they cannot discontinue or upgrade their legacy Windows Servers. The following solution is intended for customers who have purchased ESUs from Microsoft through their Volume Licensing programs. ESUs can be acquired for both Amazon EC2 instances running with fully compliant Microsoft software licenses included and eligible bring your own license (BYOL) workloads.

Solution Overview

This solution includes the following steps:

1. Identify required patches for your Microsoft Windows 2012 workloads
2. Identify the patch baseline currently used by AWS Systems Manager Patch Manager
3. Install required patches on your Microsoft Windows 2012 workloads using Patch Manager
4. Deploy and activate the ESU Multiple Activation Key (MAK) add-on on your workloads using Run Command


Before you begin the walkthrough, you must complete configuration of Patch Manager. Patch Manager is a feature of AWS Systems Manager that automates the patching process for managed nodes, including security-related updates and other types of updates.

Patch Manager offers a range of features, including predefined patch baselines and various scanning and installation operation methods. It provides compliance reporting and integrates with several AWS services, including AWS Identity and Access Management (IAM), AWS CloudTrail, AWS Security Hub, and AWS Config.

If you haven’t configured Patch Manager yet, we recommend using the Quick Setup Patch Policies feature of Patch Manager. This feature allows you to easily establish patch management across an AWS Organization. We also have a blog post available that can guide you through this process.


We will first identify the required patches for your Microsoft Windows 2012 workloads, determining the current patch baseline, installing the necessary patches through Patch Manager, and finally deploying and activating the ESU Multiple Activation Key (MAK) add-on on your workloads using Run Command.

1. Identify required patches for your Microsoft Windows 2012 workloads

Microsoft provides the following instructions to continue receiving security updates after October 10, 2023 for your Windows 2012 and Windows 2012 R2 Amazon EC2 workloads after you purchase ESUs: KB5031043: Procedure to continue receiving security updates after extended support has ended on October 10, 2023

Steps 1 and 2 in the above article explain installation of the four required updates on Windows Servers 2012 or 2012 R2. These updates are intended to prepare your workloads to receive the forthcoming security updates through the Microsoft ESU program.

All four required updates mentioned have the following properties according to Microsoft standards:

Classification Security Updates
MSRC severity Critical

You can verify this information by searching for the four knowledgebase article numbers outlined in the above article on the Microsoft Update Catalog website.
Figure 1 below provides an example of the details for KB5017220. Pay attention to the highlighted MSRC severity and classification criteria.

KB5017220 Update Details as seen on Microsoft Update Catalog websiteFigure 1 – KB5017220 Update Details as seen on Microsoft Update Catalog website

2. Identify the patch baseline currently used by Patch Manager

Patch Manager provides predefined patch baselines for each of the operating systems supported by Patch Manager. You can use these non-customizable baselines as-is or create your own custom patch baselines.

All three of AWS’ predefined patch baselines for Windows are configured to include critical security updates by default. If you are using a custom patch baseline, make sure it includes critical security updates for Windows.

Check the following documentation for a complete definition of our patch baselines: About predefined and custom patch baselines.

To verify your current patch baseline association, please follow these steps:

1. Go to the AWS Console and open the Patch Manager console in AWS Systems Manager
2. Click on the Patch groups tab
3. Select your patch group and click on Change patch baseline registration button to verify the association. Figure 2 below shows how to verify this

Patch baseline associations propertiesFigure 2 – Patch baseline associations properties

3. Install required patches on your Microsoft Windows 2012 workloads using Patch Manager

To install these patches, follow this procedure:

1. Go to the AWS Console and open the Patch Manager console in AWS Systems Manager
2. Click the Patch Now button
3. Under Patching operation, select Scan and Install
4. Pay attention to the reboot option you select
5. Under Basic configuration, you will select your Windows 2012 workloads. You can pick Choose instances manually and under the filter pick Operation System = Windows Server 2012 (R2)
6. Select the filtered list based on the Windows OS version and click Patch Now

After processing, verify the success status from the execution summary screen. Click the execution-id and resource-id to review the list of patches installed on a given instance. Figure 3 provides an example of an execution summary for a given instance ID:

patching execution summary detailsFigure 3 – Patching execution summary details for a given instance id

Your instances have now received the patches required to receive future ESU updates. The next and final step is to deploy and activate the purchased ESU MAK add-on key on your workloads.

4. Deploy and activate the ESU Multiple Activation Key (MAK) add-on on your workloads using Run Command

Once you have downloaded the ESU MAK add-on key from the Volume Licensing Service Center (VLSC) portal successfully, you need to deploy and activate it on your workloads. For this, we will use the AWS Systems Manager Run Command capability:

1. Go to the AWS Console and open Run Command console in AWS Systems Manager left menu
2. Click the Run Command button
3. Search for AWS-RunPowerShellScript in the Document search box. Once you find it, select it from the list. Figure 4 shows how to search and select this document:

document search capabilityFigure 4 – Document search capability inside Run Command console

4. Paste the following inside the Command parameters box and make sure you replace the “xxxxx-xxxxx-xxxxx-xxxxx-xxxxx” value with your MAK Add-on key, as well as “yyyyy-yyyyy-yyyyy-yyyyy-yyyyy” with the correct ESU SKU (or Activation) ID:

cscript slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
cscript slmgr.vbs /ato yyyyy-yyyyy-yyyyy-yyyyy-yyyyy

Here is the reference list for ESU SKU (or Activation) IDs (source):

License Type Activation ID
Server – 2012/R2 Year 1 c0a2ea62-12ad-435b-ab4f-c9bfab48dbc4
Server – 2012/R2 Year 2 e3e2690b-931c-4c80-b1ff-dffba8a81988
Server – 2012/R2 Year 3 55b1dd2d-2209-4ea0-a805-06298bad25b3

Figure 5 illustrates how you can enter this command in the command parameter field:

aws run powershell script command

Figure 5 – AWS-RunPowerShellScript command parameter field

5. Select your Windows 2012 (R2) instances the way you did it in step 3.5
6. Click the Run button
7. On the execution results screen, as shown in Figure 6, you can review the details of the execution by clicking on one of your instances:

run command execution status detailsFigure 6 – Run Command execution status details

At this point, your Windows 2012 (R2) Amazon EC2 instances should be ready to receive the upcoming Extended Security Updates.


In this blog post, we have utilized the AWS Systems Manager Patch Manager capability to deploy the necessary patches on your Amazon EC2 Windows 2012 or 2012 R2 instances. Subsequently, we have used Run Command along with the provided AWS-RunPowerShellScript document to run the Slmgr tool, facilitating the deployment and activation of the ESU MAK Key add-ons.

AWS has significantly more services, and more features within those services, than any other cloud provider, making it faster, easier, and more cost effective to move your existing applications to the cloud and build nearly anything you can imagine. Give your Microsoft applications the infrastructure they need to drive the business outcomes you want. Visit our .NET on AWS and AWS Database blogs for additional guidance and options for your Microsoft workloads. Contact us to start your migration and modernization journey today.

Benjamin Lecoq

Benjamin Lecoq

Benjamin Lecoq is a Principal Technical Account Manager at AWS with more than 20 years of industry experience, one of his main focus is to help AWS Enterprise Customers to ensure their AWS environments remain operationally healthy whilst reducing cost and complexity. In his previous work experience he has been a Service Delivery manager, Support Business Unit Manager and Reverse Engineering expert.