We have been using the BigFix ESU for patching some of our remaining Win2012R2 systems. We stopped deploying these updates for a few months, and recently we are planning to start patching them again with BigFix.
We have an active BigFix ESU License for this content and our endpoints have been configured to receive the updates.
However, not all Fixlets are relevant. The only one relevant is the Servicing Stack Update.
When checking the relevance of this Fixlet:
505004808 - MS25-JAN: Security Monthly Quality Rollup - Monthly Rollup - Windows Server 2012 R2 - KB5050048 (x64)
In relevance #3 it appears to be checking for a 2 year license:
(exists value "asset_tag_number" whose (it as string = "7783-7084-3265-9085-8269-3286-77") of structures of smbios) OR (exists key "HKLM\SOFTWARE\Microsoft\Azure Connected Machine Agent\ArcESU" whose (exists value "Enabled" whose (it as string = "1") of it) of native registry AND exists file "C:\ProgramData\AzureConnectedMachineAgent\Certs\license.json") OR (if exists setting "_BESClient_WinESU_MinimizeWMI" whose (exists value whose (it != "0") of it) of client then (exists setting "_BESClient_WinESU_Keys" whose (exists value whose (exists substrings separated by "|" whose ((it starts with "Year2:" or it starts with "PA:") and it ends with ":Active") of it) of it) of client) else (exists select objects "PartialProductKey, Name, LicenseStatus from SoftwareLicensingProduct" whose (length of string value of property "PartialProductKey" of it = 5 AND (it contains "-ESU-Year2" or it contains "-ESU-PA") of string value of property "Name" of it AND integer value of property "LicenseStatus" of it = 1) of wmi))
Checking a Fixlet from 2024, that same relevance was checking for a 1 year license:
(exists value "asset_tag_number" whose (it as string = "7783-7084-3265-9085-8269-3286-77") of structures of smbios) OR (exists key "HKLM\SOFTWARE\Microsoft\Azure Connected Machine Agent\ArcESU" whose (exists value "Enabled" whose (it as string = "1") of it) of native registry AND exists file "C:\ProgramData\AzureConnectedMachineAgent\Certs\license.json") OR (if exists setting "_BESClient_WinESU_MinimizeWMI" whose (exists value whose (it != "0") of it) of client then (exists setting "_BESClient_WinESU_Keys" whose (exists value whose (exists substrings separated by "|" whose ((it starts with "Year1:" or it starts with "PA:") and it ends with ":Active") of it) of it) of client) else (exists select objects "PartialProductKey, Name, LicenseStatus from SoftwareLicensingProduct" whose (length of string value of property "PartialProductKey" of it = 5 AND (it contains "-ESU-Year1" or it contains "-ESU-PA") of string value of property "Name" of it AND integer value of property "LicenseStatus" of it = 1) of wmi))
Has anything changed that was not publicly announced with this ESU content?
We currently have 1-year ESU licenses for these systems, and we can’t patch the systems if the content is not relevant. We have already spent a lot of money on the purchase of the BigFix ESU Add-on for Win 2012.
That license check is for the Microsoft entitlement for ESU patching. In order to install the patches, in addition to the BigFix license we also check that the Microsoft entitlements are in place (otherwise the patches would still fail to install).
Because the check for the Microsoft entitlement is an expensive WMI query, one of the optimizations we offer is to use a client setting to cache the results of the WMI lookup. That’s what the check on the "_BESClient_WinESU_MinimizeWMI" setting is about.
If that setting is present, and has a value, we rely on an Action to run the WMI query and store the results in the "_BESClient_WinESU_Keys" client setting.
So, if you have the _BESClient_WinESU_MinimizeWMI setting configured on your clients, check for a Task in the site that refreshes the license info and run that on your endpoints to cache your current MS license status (assuming the MS Year 2 ESU keys have been deployed).
If you haven’t deployed the Year 2 ESU key, then there should be a task to deploy that (and then run the action to cache the updated list as well).
I’m re-gathering that site so I can retrieve the fixlet / task names & ids, if you need them. Let me know.
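To see on a single endpoint what the Microsoft-entitlement half of that relevance evaluates to, the following PowerShell script is an added example (not BigFix or Microsoft code) that issues the same SoftwareLicensingProduct query the relevance uses, applies the same three conditions (5-character PartialProductKey, Name containing "-ESU-Year<N>" or "-ESU-PA", LicenseStatus = 1), and also decodes the cached "_BESClient_WinESU_Keys" value if the MinimizeWMI optimization is in use. The registry location of the client setting and the "Year2:...:Active" token layout are assumptions inferred from the relevance text, not documented facts.

```powershell
# Added example: evaluate the Microsoft ESU entitlement check from the Fixlet
# relevance on this host. Run in an elevated PowerShell on the 2012 R2 server.
param(
    [int]$RequiredYear = 2   # the year the MS25-JAN content looks for (MS24 content looked for Year1)
)

# --- Branch 1: the WMI query the relevance runs when MinimizeWMI is not set ---
# Same class and properties as the relevance; PartialProductKey IS NOT NULL drops
# the many channel/edition rows that have no key installed.
$products = Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "PartialProductKey IS NOT NULL" |
    Where-Object { $_.PartialProductKey.Length -eq 5 }      # relevance: length = 5

$esu = $products | Where-Object { $_.Name -match '-ESU-(Year\d|PA)' }

if (-not $esu) {
    Write-Warning "No ESU product with an installed partial key found. The ESU MAK key is probably not installed (slmgr.vbs /ipk <key>, then slmgr.vbs /ato)."
} else {
    foreach ($p in $esu) {
        # LicenseStatus 1 = Licensed. 0 Unlicensed, 2 OOB grace, 3 OOT grace,
        # 4 Non-genuine grace, 5 Notification, 6 Extended grace all fail the relevance.
        $yearTag = [regex]::Match($p.Name, '-ESU-(Year\d|PA)').Groups[1].Value
        $state   = if ($p.LicenseStatus -eq 1) { 'Active' } else { "NotActive (LicenseStatus=$($p.LicenseStatus))" }
        "{0,-55} key={1} {2,-5} -> {3}" -f $p.Name, $p.PartialProductKey, $yearTag, $state
    }
}

$wmiSatisfied = [bool]($esu | Where-Object {
    $_.LicenseStatus -eq 1 -and
    ($_.Name -match "-ESU-Year$RequiredYear" -or $_.Name -match '-ESU-PA')
})
"WMI branch: relevance for Year$RequiredYear content would be $wmiSatisfied on this host."

# --- Branch 2: the cached client setting used when _BESClient_WinESU_MinimizeWMI != 0 ---
# Assumption: BES client settings live under this key on 64-bit Windows, with the
# setting's value stored in the REG_SZ named "value".
$settingsRoot = 'HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client'
$minimizeWmi  = (Get-ItemProperty -Path "$settingsRoot\_BESClient_WinESU_MinimizeWMI" -ErrorAction SilentlyContinue).value
$cachedKeys   = (Get-ItemProperty -Path "$settingsRoot\_BESClient_WinESU_Keys"       -ErrorAction SilentlyContinue).value

if ($minimizeWmi -and $minimizeWmi -ne '0') {
    if (-not $cachedKeys) {
        Write-Warning "MinimizeWMI is set but _BESClient_WinESU_Keys is empty: run the site's refresh Task, or the Fixlets will never be relevant."
    } else {
        # The relevance splits on "|" and needs a token that starts with "Year<N>:" or "PA:"
        # and ends with ":Active". The middle token (assumed to be the partial key) is not checked.
        $tokens = $cachedKeys -split '\|'
        $tokens | ForEach-Object { "cached token: $_" }
        $cacheSatisfied = [bool]($tokens | Where-Object {
            ($_ -like "Year$RequiredYear`:*" -or $_ -like 'PA:*') -and $_ -like '*:Active'
        })
        "Cache branch (this is what the client actually evaluates): $cacheSatisfied"
        if ($cacheSatisfied -ne $wmiSatisfied) {
            Write-Warning "Cached keys disagree with live WMI: re-run the refresh Task so the cache reflects the current MAK key."
        }
    }
} else {
    "MinimizeWMI not set; the client evaluates the live WMI branch above."
}
```

A host that renewed with Microsoft but still carries only a "...-ESU-Year1" row with LicenseStatus 1 will print TRUE for the 2024 content (RequiredYear 1) and FALSE for the 2025 content, which is exactly the "active in slmgr but not relevant in BigFix" situation; the cache-vs-WMI comparison at the end catches the case where the key was updated but the refresh Task was never re-run.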
Hi @fermt, you have to first install the SSU (KB5050115) for Win2012R2. As Microsoft stated in their KB article: Caution: Until you install the latest SSU, this update will not be offered to your device. To reduce your security risk, install the SSU as soon as possible.
Source: January 14, 2025—KB5050048 (Monthly Rollup) - Microsoft Support
Therefore first install the servicing stack update and then you’ll become applicable for KB5050048.
Thanks, Gus.
@fermt the problem could also be that you don’t have entitlements for Year 2, as @JasonWalker stated. SSUs can be installed on endpoints regardless of whether you have entitlements or not. If you do manage to get the latest SSU installed and the Win2012R2 cumulative update is not applicable, then you have to renew your entitlements for Year 2 (however, Microsoft has other servicing options available that do not require the ESU MAK key). We have this documented here with links to Microsoft’s documentation as well:
We renewed our entitlements a couple of months ago with Microsoft. I manually checked the status of the entitlement of one server and it shows as active:
But as I mentioned it is being reported as Year1 and the relevance checks for Year2 in the wmi query. So you are saying that if we renewed our entitlements then the output of that command should contain Year2 instead of Year1?
Is that somewhere documented?
I already applied the SSU, and the rest of the content didn’t change to relevant.
All of our 2012R2 servers were showing as expired late last year (2024).
Then we renewed with Microsoft in December 2024. I then directed one of my engineers to test. He said the license key Microsoft provided us matched last year’s. We then checked the ESU Analysis, and all servers showed as “Active” if they have access to microsoft.com. The servers we have behind an additional firewall were still inactive. So as far as we know, servers self-reactivated as they checked in to microsoft.com. The others, my operations team will call in and reactivate manually.
I thought we could still use the same key we used for the first year, but that is not the case. I will try to get the new key and apply it.
It is confusing, since the output of the slmgr.vbs /dlv command says the license is active.
I think the October 2024 patch would be the last one offered for a 2012 machine with only an ESU Year-1 entitlement. The patches after that would need the Year-2 MS entitlement, which will cover patches through October 2025, and after that would need a Year-3 entitlement to cover from Nov 2025 until Oct 2026.
Actually, we appear to be having a problem as well. Our servers patched this weekend and received the Stack update. However, basically none installed the security updates, even though they show “Active” in the ESU analysis. And most/all are showing “unentitled” on those security patches now.