HANDS ON SharePoint
HANDS ON Teams
HANDS ON Lists
HANDS ON tek
M365 Admin
Hardening changes for Windows Server Update Services in Windows Server 2025
Important hardening changes are here. Starting with the September 2025 security update, WSUS running on Windows Server 2025 is removing dependencies on old code that’s no longer supported. This means that Windows operating systems (OS) that reached the end of their lifecycle will no longer qualify to receive extended security updates (ESU), unless you take additional action. Short-term and long-term next steps are available for Windows Server 2012 and Windows Server 2012 R2 that still need to receive ESUs.
When will this happen:
September 9, 2025
How this will affect your organization:
Removing certain binaries from WSUS helps ensure the integrity and security of our software supply chain. This specifically applies to dependencies on components that no longer meet our compliance and security standards.
The security benefit of removing these binaries from Windows Server 2025 comes with a potential change for you if you’re using ESU updates for Windows Server 2012. You’ll need to take additional action to resume servicing to these devices.
Important: If WSUS is part of a hierarchical deployment (such as connected downstream and upstream servers), there is no impact to your environment. Synchronization and update distribution will continue to function as expected.
What you need to do to prepare:
Consider the following temporary steps to restore service for ESU updates on Windows Server 2012:
After completing these steps, service will resume. To be secure in the longer term, we recommend upgrading the legacy OS versions and upgrading to Windows Server 2025.
Additional information:
- Choose an older supported version of WSUS. For example, Windows Server 2025 on the August 2025 security update or earlier, or Windows Server 2022.
- Locate the “SelfUpdate” folder on this version of WSUS at %systemdrive%\Program Files\Update Services.
- Copy the “SelfUpdate” folder and its contents from the chosen older version of WSUS.
- Place it under the WSUS install path on Windows Server 2025 updated with the security update released in or after September 2025.
- Add this folder as virtual directory under WSUS website in Internet Information Services (IIS).
- Read the official information in Hardening changes for Windows Server Update Services in Windows Server 2025.
- Consult the Microsoft Lifecycle Policy search tool and Lifecycle FAQ – Windows for your Windows versions.
- Read Set Up a Hierarchy of WSUS Servers for a scenario that’s not impacted.
Message ID: MC1150625
