
Azure Arc: Set up Extended Security Updates for your Windows Server 2012 machines with Azure Arc


In this blog post, you’ll discover the process of onboarding your Windows Server 2012/2012 R2 machines into Azure Arc, creating a new Extended Security Update (ESU) license, and seamlessly linking it to your Arc-enabled servers running Windows Server 2012/2012 R2.

As many of you are likely aware, support for Windows Server 2012 and Windows Server 2012 R2 ended on October 10, 2023. If you continue to use these servers (machines) in your on-premises or other cloud environments, please be aware that Microsoft no longer provides security updates or support.

However, by enabling these machines as Azure Arc-enabled machines, you can enroll them in ESU*, ensuring they receive crucial security patches for ongoing protection. In this blog post, I’ll guide you through the process of setting this up.

*Please be aware that there will be a one-time bill-back charge for the months that have passed after the end of support date. Billing will occur at the end of the first month following the activation of your ESU license.




Prerequisites

  • An Azure subscription, preferably more than one if you plan to follow the Cloud Adoption Framework (CAF) enterprise-scale architecture. This includes a connectivity and/or management subscription, as well as an Arc subscription (landing zone), to deploy your Arc-related resources.
  • All the necessary resource providers need to be registered (Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.Compute, Microsoft.Security, Microsoft.OperationalInsights, Microsoft.Sql, Microsoft.Storage) on the Azure subscription utilized for your ESUs enabled by Azure Arc.
  • An existing dedicated resource group on the Arc subscription to include only your Azure Arc-enabled servers.
  • An existing dedicated resource group on the Arc subscription to store your Azure Arc WS2012 or WS2012R2 ESU licenses.
  • An Azure Administrator account with the necessary RBAC roles, specifically the Contributor role, to carry out essential tasks such as creating and assigning ESUs.
  • A service principal to connect machines non-interactively using Azure PowerShell.
  • Some Windows Server 2012 (W2K12) or Windows Server 2012 R2 (W2K12R2) machines, whether physical or virtual, running within your hybrid environment.
  • To install the Azure Connected Machine agent on your machines, you need an account with elevated privileges (administrator or root) for the installation process.
  • To receive the latest ESU patches, the servers must first be updated with the following previous updates, if not already installed: Windows Server 2012: KB5029369 and KB5017221, or a later SSU, and for Windows Server 2012 R2: KB5029368 and KB5017220, or a later SSU.
  • The pre-defined installation script to connect your machines has already been generated and made available on a network share.













Onboarding your Windows Server 2012 machine to Azure Arc-enabled servers

Let’s get started by onboarding your Windows 2012 or 2012 R2 machines into Arc through the onboarding script. In this blog post, I’ll demonstrate this process for a single server, but you can automate it for multiple servers using methods like Group Policy Objects (GPO).

Just log in to one of the machines with an account that has administrator privileges, open Windows PowerShell as Administrator and then navigate to the network share to run the OnboardingScript.ps1 script.

You can use the following PowerShell one-liner to execute the script (adjust it for your environment by replacing “servername” and “sharename”):

powershell -ExecutionPolicy Bypass -File "\\servername\sharename\OnboardingScript.ps1"






It’s important to note that in order to utilize ESUs, the Azure Connected Machine Agent must be version 1.34 or higher. You can easily check the version by running “azcmagent version” directly on the server from Windows PowerShell or the Command Prompt.
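The two server-side requirements named in this post (the prerequisite KBs and the minimum agent version) can be checked in one pass before you create and link a license. The script below is an added example, not part of the original post or of Microsoft's tooling; the function names are hypothetical, and it assumes that the output of “azcmagent version” contains a dotted version number.

```powershell
# Added example, not from the original post. Works on Windows PowerShell 3.0+.
$MinAgentVersion = [version]'1.34'        # minimum agent version stated in the post
$RequiredKBs = @{                          # prerequisite updates listed in the post
    '6.2' = @('KB5029369', 'KB5017221')    # Windows Server 2012
    '6.3' = @('KB5029368', 'KB5017220')    # Windows Server 2012 R2
}

function Get-AgentVersion {
    # Assumption: the output of "azcmagent version" contains a dotted version number.
    param([string]$Text)
    if ($Text -match '\d+\.\d+(\.\d+){0,2}') { return [version]$Matches[0] }
    return $null
}

function Test-EsuPreflight {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osKey = ($os.Version -split '\.')[0..1] -join '.'
    # ProductType 1 is a workstation OS (Windows 8/8.1 share these version numbers).
    if ($os.ProductType -eq 1 -or -not $RequiredKBs.ContainsKey($osKey)) {
        return @("SKIP  $($os.Caption) is not Windows Server 2012/2012 R2")
    }

    $results = @()
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    foreach ($kb in $RequiredKBs[$osKey]) {
        if ($installed -contains $kb) {
            $results += "OK    $kb is installed"
        } else {
            # Not a hard failure: the post accepts "a later SSU" in place of these KBs.
            $results += "CHECK $kb not found; confirm a later SSU is installed"
        }
    }

    if (-not (Get-Command azcmagent -ErrorAction SilentlyContinue)) {
        return $results + 'FAIL  azcmagent not found on PATH'
    }
    $agent = Get-AgentVersion -Text (& azcmagent version 2>&1 | Out-String)
    if ($null -eq $agent) {
        $results += 'FAIL  could not parse the azcmagent version output'
    } elseif ($agent -ge $MinAgentVersion) {
        $results += "OK    agent $agent meets the $MinAgentVersion minimum"
    } else {
        $results += "FAIL  agent $agent is older than $MinAgentVersion"
    }
    return $results
}

Test-EsuPreflight
```

A CHECK line means the exact KB was not found by Get-HotFix, which is expected when a newer servicing stack update has replaced it.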


Create an Azure Arc WS2012 or WS2012R2 ESU license

When your servers are onboarded into Azure Arc, the next step is to create Windows Server 2012 or 2012 R2 Extended Security Update licenses from Azure Arc.

To create such a new license, log on to the Azure Portal and enter “arc” into the global search bar, then select “Azure Arc” from the search results.


On the Azure Arc page, navigate to the “Management” section and choose “Extended Security Updates”.


On the Azure Arc Extended Security Updates page, open the Licenses tab and select Create.


Next, complete all the necessary fields, such as subscription, resource group, and license name. When setting up a new license, I recommend scheduling its activation for a later time.

In the SKU field, specify the SKU*, which can be Windows Server 2012, 2012 R2 Standard Edition, or Datacenter Edition.

In the core type field, choose physical cores if your server is licensed based on its hardware cores, or choose virtual cores if you’re licensing individual VMs without covering all underlying hardware cores.

In my example, I selected virtual cores because I have 3 VMs operating on a Hyper-V host running Windows Server 2022.

When choosing virtual cores, the licensing guidelines stipulate a minimum of 8 virtual cores per VM. This means that even if you’re using a single VM with just 4 cores (vCPUs), you still require an 8-core license. In my situation, all 3 of my VMs are running with 4 cores each, but I still need to activate 3 licenses, each with a minimum of 8 virtual cores, to license all 3 of them.

Before you can proceed and click “Create” to initiate the license provisioning, you must confirm Microsoft’s SA or SPLA coverage**.

*For general guidance on choosing the right license and understanding the differences between each option, you can refer to this Microsoft Learn webpage.

**In order to purchase ESUs, you need Software Assurance via Volume Licensing Programs like Enterprise Agreement (EA), Enterprise Agreement Subscription (EAS), Enrollment for Education Solutions (EES), or Server and Cloud Enrollment (SCE). Alternatively, if your Windows Server 2012/2012 R2 machines are licensed through SPLA or with a Server Subscription, Software Assurance isn’t necessary for purchasing ESUs.









Link an ESU license to a Windows Server 2012 or 2012 R2 Arc-enabled server

After creating your initial ESU license, you can choose one or more Arc-enabled servers to associate with it. Once a server is linked to an activated ESU license, it becomes eligible to receive Windows Server 2012 and 2012 R2 ESUs.

Initially, if you don’t have any activated licenses, you need to activate one.

To do this, click on the name of a deactivated license under the “Licenses” tab. Next, click “Edit”, choose “Activated”, and then click “Save” to activate the selected license.





Once you have at least one active license, navigate to the “Eligible Resources” tab to see a list of all your Arc-enabled servers running Windows Server 2012 and 2012 R2.

To enable ESUs for one or more machines, simply choose them from the list and click “Enable ESUs”.


On the “Enable Extended Security Updates” page, you’ll see the number of selected machines for ESU activation and the available WS2012 licenses. Choose a license to link with the selected machine(s), then click “Enable”.



If everything proceeds smoothly, the status of the selected machine(s) will change to “Enabled”.


If any of your Windows Server 2012 or 2012 R2 machines have an active ESU status, you can configure your preferred patching solution to receive these updates. Whether it’s Azure Update Manager*, Windows Server Update Services (WSUS), Microsoft Updates, Microsoft Endpoint Configuration Manager, or a third-party patch management solution, the choice is yours.

*Azure Arc-enabled servers running Windows Server 2012 ESUs can access Azure Update Management, Machine Configuration, and Change Tracking and Inventory capabilities without any extra charges.


Conclusion

Windows Server 2012 and Windows Server 2012 R2 officially reached the end of support on October 10, 2023. If your hybrid environment still includes these servers, be aware that Microsoft no longer provides new security updates or support for them.

Fortunately, by enabling these Windows Server 2012/2012 R2 machines as Azure Arc-enabled servers, you can choose to enroll them in Extended Security Updates. This option ensures they continue to receive the essential security updates necessary for their protection.

In this blog post, I demonstrated the steps to onboard your Windows Server 2012/2012 R2 machines into Azure Arc, create a new ESU license, and link it to your Arc-enabled servers running Windows Server 2012/2012 R2.

If you have any questions or suggestions about this blog post, feel free to reach out to me through my Twitter handle (@wmatthyssen) or simply leave a comment, and I’ll be more than happy to assist.


Wim is an Azure Technical Advisor and Trainer with over fifteen years of Microsoft technology experience. As a Microsoft Certified Trainer (MCT), his strength is assisting companies in the transformation of their businesses to the Cloud by implementing the latest features, services, and solutions. Currently, his main focus is on the Microsoft Hybrid Cloud Platform, and especially on Microsoft Azure and the Azure hybrid services.   Wim is also a Microsoft MVP in the Azure category and a founding board member of the MC2MC user group. As a passionate community member, he regularly writes blogs and speaks about his daily experiences with Azure and other Microsoft technologies.

12 comments on “Azure Arc: Set up Extended Security Updates for your Windows Server 2012 machines with Azure Arc”

  1. Licensing ESU by vCores is required to have a minimum of 8 vCores per Virtual Machine – even if the VM has less than 8 cores. So you’ll have needed 3 x 8 vCore packs


  2. Pingback: Azure Arc: Provision an Extended Security License with an Azure PowerShell script – Wim Matthyssen

  3. Murat Senel

    Hi, do you need to create an ESU license individually for each server, or can you create only one which covers all the servers?


    • Hi Murat,

      Feel free to choose whichever option suits your preferences and works best for your environment.

      How many servers are we exactly talking about?

      Keep in mind that it’s simpler to remove an ESU license that’s linked to a single server compared to dealing with multiple servers. Personally, I recommend using one ESU license per server, as it makes it easier to map the correct number of vcores.

      When you consolidate multiple servers under one ESU license, keep in mind that the minimum number of vcores required per server is still 8, so as an example, two attached servers will require at least 16 vcores.


  4. Hi Wim,
    Nice article.
    What will be the best approach for a Hyper-V environment considering that the hosts must be receiving updates too?
    Thank you!


  5. Sarfaraz Ansari

    Is there a way to use a Maintenance window for installing security updates?


  6. Mark Taylor

    After enrolling the Windows 2012 device for ESU in Azure ARC, is there anything I can check on the device itself that confirms enrollment? Thanks


    • Hello Mark,

      You can use the azcmagent to check if the ESU status is Active. Simply run azcmagent show from a command prompt on the device itself. Alternatively, you can also verify if any ESU updates are coming in or already installed. For Windows Server 2012 R2 devices, at least (KB5036960) should be appearing as a new update.


  7. Pingback: Azure Arc: Validate ESU enrollment – Wim Matthyssen
