Extended Security Updates (ESUs) via Azure Arc

Published: February 20, 2024

As organizations increasingly embrace cloud computing, their approaches vary based on factors like size and scale. While some opt for a cloud-native model using Microsoft Azure, others choose to blend cloud services with their existing on-premises infrastructure—a strategy known as the Hybrid model. In this hybrid approach, organizations maintain a presence across multiple cloud providers.

Despite its advantages and flexibility, the Hybrid model presents certain challenges. One significant hurdle is the complexity of management. As workloads expand, organizations grapple with maintaining control over intricate environments spanning data centers, various clouds, and even edge computing. A common struggle within this context is safeguarding end-of-support Windows Servers, whether they reside in a multi-cloud environment or on-premises.

Update options for customers with end-of-support Windows Server 2012/R2

Upgrading older Windows Servers to Windows Server 2016 or later isn’t always straightforward for clients, so servers in on-premises or multi-cloud environments that approach the end of support pose a significant challenge. Once security updates stop, the business applications running on those servers are exposed to unpatched vulnerabilities and may fall out of compliance.

To address this, the Extended Security Updates (ESU) program offers a solution. Customers can utilize ESUs to extend the support period for Windows servers beyond the official end-of-support date, albeit for a limited duration. These updates specifically focus on security enhancements, critical patches, and important bulletins.

Options for clients to obtain Extended Security Updates (ESUs) for Windows Server

  • Migrate workloads to Azure: Migrate the affected Windows Server workloads as-is to Azure Virtual Machines, which automatically provide ESUs for a defined period at no charge beyond the cost of the Azure VMs themselves. Workloads migrated to Azure VMware Solution (AVS) are also eligible for free ESUs.
  • Purchase ESU licenses outside of Azure: Purchasing ESUs keeps the servers protected until you decide to upgrade them to a more recent version or migrate them to the cloud.

Licensing Option

For workloads running outside Azure, clients can choose one of the following options to enable ESUs for their Windows Server 2012/R2 machines:

  1. Azure Arc-enabled Servers: For on-premises servers or those in a hosted environment, connect the servers to the Azure Arc service so they become Arc-enabled servers. Once they are Arc-enabled, customers can enroll their Windows Server 2012 and 2012 R2 servers for ESUs via the Azure portal. Billing occurs monthly on their subscription.

  2. Non-Arc Enabled Physical and Virtual Machines: For servers not using Azure Arc, ESU can be enabled by acquiring ESU licenses through the Microsoft Volume Licensing program. These licenses are valid for annual coverage periods, with each license specific to a server or operating system for the duration of purchase. Customers can acquire licenses for subsequent years only if they have obtained licenses for prior years.

ESU License Eligibility Criteria

To qualify for ESU licenses:

  • Customers must have Software Assurance for purchasing ESUs in on-premises or hosted environments.
  • Windows Server 2012/2012 R2 machines licensed through the Services Provider License Agreement (SPLA) are eligible.
  • Machines licensed with a Server Subscription (where Software Assurance is not required) also qualify.

ESU License provisioning process using Azure Arc

Flexibility is critical when enrolling end-of-support infrastructure in Extended Security Updates (ESUs), and Azure Arc provides a simplified experience for receiving critical patches. ESUs keep your systems secure even after the official support period ends.

Here’s how you can achieve this:

  1. Provision Windows Server 2012 Arc ESU Licenses:
    • Start by provisioning ESU licenses specifically for Windows Server 2012.
    • These licenses serve as the foundation for enabling ESUs on your Azure Arc-enabled servers.
  2. Link Licenses to Azure Arc-Enabled Servers:
    • Once you have the ESU licenses, link them to your Azure Arc-enabled servers.
    • This linking process ensures that the servers receive the necessary security updates.
  3. Azure Portal Management:
    • Use the Azure portal to manage the linking and provisioning of licenses.
    • Specify the following details during provisioning:
      • Virtual Core or Physical Core License: Choose based on your server configuration.
      • Standard or Datacenter License: Select the appropriate edition.
      • Number of Associated Cores: Break down the count by 2-core and 16-core packs.
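The three steps above can also be driven through Azure Resource Manager instead of the portal, which is useful when many servers need to be enrolled consistently. The Python script below is an added example written for this post, not code from the post or from Microsoft: it builds the request that creates the ESU license resource (step 1, with the virtual/physical core type, Standard/Datacenter edition and core count), breaks the core count into the 2-core and 16-core packs the portal asks for, and builds the request that links the license to an Arc-enabled machine (step 2). The resource types `Microsoft.HybridCompute/licenses` and `.../machines/{name}/licenseProfiles/default`, the `api-version`, the `licenseDetails` field names, and the minimum core counts (8 virtual cores per VM, 16 physical cores per host) are assumptions taken from Microsoft's ESU REST documentation as recalled here; the subscription, resource group, region and machine names are constructed placeholders.

```python
"""Provision an Azure Arc ESU license and link it to an Arc-enabled machine
through Azure Resource Manager, mirroring the portal steps in the post.

Assumed (not from the post): resource types, api-version, licenseDetails
field names and the minimum core counts below.
"""
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2023-06-20-preview"  # assumed ESU licenses API version

TARGETS = {"Windows Server 2012", "Windows Server 2012 R2"}
EDITIONS = {"Standard", "Datacenter"}
LICENSE_TYPES = {"vCore", "pCore"}       # virtual core vs physical core license
MIN_CORES = {"vCore": 8, "pCore": 16}    # assumed licensing minimums


def core_packs(cores):
    """Split a core count into the 16-core and 2-core packs the portal asks for.

    Licenses are sold in 2-core increments, so an odd count cannot be bought.
    """
    if cores <= 0 or cores % 2:
        raise ValueError(f"{cores} cores: count must be a positive multiple of 2")
    packs16, remainder = divmod(cores, 16)
    return {"16-core packs": packs16, "2-core packs": remainder // 2}


def license_request(subscription, resource_group, license_name, location,
                    target, edition, license_type, cores):
    """Return (method, url, body) for step 1: create the ESU license resource."""
    if target not in TARGETS:
        raise ValueError(f"target must be one of {sorted(TARGETS)}")
    if edition not in EDITIONS:
        raise ValueError(f"edition must be one of {sorted(EDITIONS)}")
    if license_type not in LICENSE_TYPES:
        raise ValueError(f"license_type must be one of {sorted(LICENSE_TYPES)}")
    core_packs(cores)  # rejects odd or non-positive counts
    if cores < MIN_CORES[license_type]:
        raise ValueError(f"{license_type} licenses need at least {MIN_CORES[license_type]} cores")
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.HybridCompute/licenses/{license_name}"
           f"?api-version={API_VERSION}")
    body = {
        "location": location,
        "properties": {
            "licenseDetails": {
                "state": "Activated",   # assumed: "Deactivated" keeps the resource but stops billing
                "target": target,
                "Edition": edition,
                "Type": license_type,
                "Processors": cores,
            }
        },
    }
    return "PUT", url, body


def link_request(subscription, resource_group, machine_name, location, license_id):
    """Return (method, url, body) for step 2: attach the license to one Arc-enabled server."""
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.HybridCompute/machines/{machine_name}"
           f"/licenseProfiles/default?api-version={API_VERSION}")
    body = {"location": location,
            "properties": {"esuProfile": {"assignedLicense": license_id}}}
    return "PUT", url, body


def send(method, url, body, bearer_token):
    """Send one ARM request; the token can come from `az account get-access-token`."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder identifiers; replace with your own before sending.
    sub, rg, loc = "00000000-0000-0000-0000-000000000000", "rg-arc-esu", "australiaeast"
    method, url, body = license_request(sub, rg, "esu-ws2012r2-std", loc,
                                        "Windows Server 2012 R2", "Standard", "vCore", 12)
    print(method, url, json.dumps(body, indent=2), core_packs(12), sep="\n")
    license_id = url.split("?")[0].removeprefix(ARM)   # ARM resource ID of the new license
    print(*link_request(sub, rg, "fileserver01", loc, license_id))
    # send(method, url, body, "<token from az account get-access-token>")
```

Running the script prints both requests without sending anything; wire `send` to a real token only once the license name, edition and core count match what you intend to be billed for, since the license resource starts billing as soon as it is created in the Activated state.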

Conclusion

In my view, Azure Arc stands out as an ideal solution for tackling this challenge by offering a streamlined approach to acquiring and delivering Extended Security Updates (ESUs) for your Windows Server 2012/2012 R2. Here are the key benefits it provides:

  • Pay-as-you-go: Flexibility to sign up for a monthly subscription service with the ability to migrate mid-year.
  • Azure billed: You can draw down from your existing Microsoft Azure Consumption Commitment (MACC) and analyze your costs using Microsoft Cost Management and Billing.
  • Built-in inventory: The coverage and enrollment status of Windows Server 2012/2012 R2 ESUs on eligible Arc-enabled servers are identified in the Azure portal, highlighting gaps and status changes.
  • Keyless delivery: The enrollment of ESUs on Azure Arc-enabled Windows Server 2012/2012 R2 machines won’t require the acquisition or activation of keys.

Once the servers are onboarded to Azure Arc, free access is provided to the following Azure services, which help manage the server lifecycle effectively.

  • Azure Update Manager - Unified management and governance of update compliance that includes not only Azure and hybrid machines, but also ESU update compliance for all your Windows Server 2012/2012 R2 machines.
  • Azure Automation Change Tracking and Inventory - Track changes in virtual machines hosted in Azure, on-premises, and other cloud environments.
  • Azure Policy Guest Configuration - Audit the configuration settings in a virtual machine. Guest configuration supports Azure VMs natively and non-Azure physical and virtual servers through Azure Arc-enabled servers.

Other Azure services through Azure Arc-enabled servers are available as well, with offerings such as:

  • Microsoft Defender for Cloud - As part of the cloud security posture management (CSPM) pillar, it provides server protections through Microsoft Defender for Servers to help protect you from various cyber threats and vulnerabilities.
  • Microsoft Sentinel - Collect security-related events and correlate them with other data sources.