TSSA/BSA: Extended support for Windows Server 2008 patches

Version 34
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Server Automation


    COMPONENT:

    TrueSight Server Patch Management


    APPLIES TO:

    All supported versions of BSA



    QUESTION:

    Microsoft Windows Server 2008 reached end-of-support on January 14 2020.

    After this date, you must purchase an Extended Support Agreement from Microsoft to continue patching Windows Server 2008 systems. 

    TSSA users may have servers running Windows Server 2008 and a requirement to continue patching these systems with TSSA past the end-of-support date. 

    What is the process which must be followed to achieve this?


    ANSWER:

     

    Windows Server 2008 Extended Support Update Process:

    In order to use the Microsoft Extended Support Updates (ESUs) with TSSA, the following process must be followed:

      
       
    1. Customer establishes Extended Support Agreement with Microsoft.  This must be done first.     
           
      • Microsoft will provide a license key to distribute to the Windows Server 2008 systems covered in the agreement.
      •   
    2.  
    3. Customer establishes Extended Support Agreement via BMC Software:     
           
      • Contact anthony_bryce AT bmc.com
      •   
    4.  
    5. BMC provides a URL that contains current patch metadata for all supported products as well as the 2008 Extended Support Updates (ESUs)
    6.  
    7. Customer updates the TSSA Patch Global Configuration with the new url     
           
      • For the offline downloader, update the Ivanti url in the resources\patch-psu.properties file in the offline downloader directory
      •   
    8.  
    9. Run the Patch Catalog Update Job in TSSA.       
           
      • The Windows Server 2008 ESUs will be publicly available, however they will not install unless the appropriate license key is in place (supplied in step #1 above)
      •   
      
    Note: The February 2020 Patch Tuesday will be the first Patch Tuesday where this will be required. The January 2020 Patch Tuesday was the last to distribute Windows Server 2008 patches   without an ESU subscription being required.
       
      Before deploying the ESU patches for the first time, validate with Microsoft what is required in order to install the ESUs (eg, Servicing Stack Updates, other patches, etc) and ensure those requirements are met on the Windows 2008 systems prior to deploying the ESUs with TSSA. 
      

    Additional Technical Details:

    Microsoft Links about the ESUs: 

    https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates
    https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807

    As of publishing this article Microsoft has noted the following about preparing to deploy the ESUs. This is subject to change:  
       
    • Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU update:     
           
      • 4474419 SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
      •    
      • 4490628 Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
      •   
    •  
    • Install the following servicing stack update (SSU) and monthly rollup:     
           
      • 4516655 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019
      •    
      • 4519976 October 8, 2019—KB4519976 (Monthly Rollup)
      •   
    •  
    • Install and activate the ESU key. For information about how to install and activate the ESU key, see the How to get Extended Security Updates for eligible Windows devices blog on the Microsoft Tech Community website.
    •  
    • For customers who follow the above steps, but continue to have trouble, Microsoft suggest customers call their support number at 1-800-Microsoft (642-7676).
      
    Manual workaround until Ivanti extended support is established:

    If you are unable to establish the extended support contract with Ivanti before ESU patches are available for your systems, it is still possible to deploy the ESU patches via TSSA via a manual workaround, with the following caveats:  
       
    • the ESU agreement with Microsoft and the provided license key must be in place on the systems to be patched.
    •  
    • because the ESU patches are not present in the standard Ivanti metadata, they will not show up in the Patch Catalog, analysis results, or reporting.
    •  
    • the manual ESU deploy will not be based on analysis results and the patch may not be applicable to the target system(s).
    To perform the manual method of deploying the ESU patches:  
       
    1. Download the ESU patch from the Microsoft website
    2.  
    3. Determine the correct silent install commands to install the patch without user interaction
    4.  
    5. Create a new Depot Software Object in TSSA for the patch and provide the install command
    6.  
    7. Create a Deploy Job that Deploys the Depot Software Object and target the systems that need the patch.
      
      

     


    Article Number:

    000149314


    Article Type:

    FAQ/Procedural



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles