MC1150625 – M365 Change Digest

One-line summary

Starting September 9, 2025, WSUS on Windows Server 2025 removes old code, affecting ESU updates for unsupported Windows OS; admins must take action to continue ESU servicing.

Similar updates

Details

Body (from Message Center)

Important hardening changes are here. Starting with the September 2025 security update, WSUS running on Windows Server 2025 is removing dependencies on old code that’s no longer supported. This means that Windows operating systems (OS) that reached the end of their lifecycle will no longer qualify to receive extended security updates (ESU), unless you take additional action. Short-term and long-term next steps are available for Windows Server 2012 and Windows Server 2012 R2 that still need to receive ESUs.

When will this happen:

September 9, 2025

How this will affect your organization:

Removing certain binaries from WSUS helps ensure the integrity and security of our software supply chain. This specifically applies to dependencies on components that no longer meet our compliance and security standards.

The security benefit of removing these binaries from Windows Server 2025 comes with a potential change for you if you’re using ESU updates for Windows Server 2012. You’ll need to take additional action to resume servicing to these devices.

Important: If WSUS is part of a hierarchical deployment (such as connected downstream and upstream servers), there is no impact to your environment. Synchronization and update distribution will continue to function as expected.

What you need to do to prepare:

Consider the following temporary steps to restore service for ESU updates on Windows Server 2012:

Choose an older supported version of WSUS. For example, Windows Server 2025 on the August 2025 security update or earlier, or Windows Server 2022.
Locate the “SelfUpdate” folder on this version of WSUS at %systemdrive%\Program Files\Update Services.
Copy the "SelfUpdate" folder and its contents from the chosen older version of WSUS.
Place it under the WSUS install path on Windows Server 2025 updated with the security update released in or after September 2025.
Add this folder as virtual directory under WSUS website in Internet Information Services (IIS).

After completing these steps, service will resume. To be secure in the longer term, we recommend upgrading the legacy OS versions and upgrading to Windows Server 2025.

Additional information:

Read the official information in Hardening changes for Windows Server Update Services in Windows Server 2025.
Consult the Microsoft Lifecycle Policy search tool and Lifecycle FAQ - Windows for your Windows versions.
Read Set Up a Hierarchy of WSUS Servers for a scenario that’s not impacted.

Raw JSON (for debugging)

Expand/collapse the full payload below.

Show/hide raw

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Copy \u0027SelfUpdate\u0027 folder from older WSUS version",
      "Add as virtual directory in IIS on WSUS 2025",
      "Consider upgrading legacy OS and WSUS"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Starting September 9, 2025, WSUS on Windows Server 2025 removes old code, affecting ESU updates for unsupported Windows OS; admins must take action to continue ESU servicing.",
    "ai_topics": [
      "Windows",
      "Windows Server"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1150625",
    "importance": 5,
    "is_major_change": true,
    "last_modified": "2025-09-09T21:19:19Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Hardening changes for Windows Server Update Services in Windows Server 2025"
  }
}