MicrosoftMy SCCM Software Update Point enviornment could not return proper applicability for November's cumulative updates when scanning Azure Arc enabled on-prem VMs or Native Azure VMs in Azure until I installed the 2022-08 KB5017220, KB5017221 preparation packages on those SCCM agent-managed servers, even though Microsoft documentation above says you don't have too. My client systems were all showing all of November's updates as "Not required" except for the 2023-11 Servicing Stack Update. For the Azure Arc machines I had already deployed and installed the Azure Connected Machine Agent (version 1.35) and enabled/activate the ESU license in the Azure Portal.
Conisidently, when I bypassed the Software Update Point, on these same SCCM-agent managed systems Azure Arc on-prem enabled VMs or Native Azure VMs I also noticed the native Windows Update client UI when scanning externally couldn't find November's Cumluative updates either, until these preparation packages were installed. I was pleased to see that these preparation package updates in my experience did not require a reboot.
So the result for me was to simply install the preparation packages in addition to performing the other ESU program requirements.
Below are all the operations that I did to make ESU program advertise November's 2023 Cumulative Updates to Windows Server 2012/2012R2
Azure-Arc on-prem enabled VMs:
Install November 2023 SSU
2023-11 Servicing Stack Update for Windows Server 2012 for x64-based Systems (KB5032309)
2023-11 Servicing Stack Update for Windows Server 2012 R2 for x64-based Systems (KB5032308)
Install October 2023 SMQR
2023-10 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5031419)
2023-10 Security Monthly Quality Rollup for Windows Server 2012 for x64-based Systems (KB5031442)
Install Azure Connected Machine Agent, I suggest version 1.36 from this month as it has new features to check your ESU licenses.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes#version-136---november-2023
With, SCCM I used a Task Sequence and a Service Principal to deploy, install and onboard the Azure Connected Machine agent at scale/en masse. There are a number of different deployment options at the links here, read all this documentation! This covers the solution end-to-end.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates?tabs=azure-cloud
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-configuration-manager-custom-task
https://learn.microsoft.com/en-us/azure/azure-arc/servers/deployment-options
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal
Configure Appropriate Entitlements in Azure Arc for your ESU Licenses and activate your licenses.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/license-extended-security-updates
Install the Prepartion Package respective of your OS
2022-08 Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2012 R2 for x64-based Systems (KB5017220)
2022-08 Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2012 for x64-based Systems (KB5017221)
Azure IaaS Compute Native VMs.
Install November 2023 SSU
2023-11 Servicing Stack Update for Windows Server 2012 for x64-based Systems (KB5032309)
2023-11 Servicing Stack Update for Windows Server 2012 R2 for x64-based Systems (KB5032308)
Install October 2023 SMQR
2023-10 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5031419)
2023-10 Security Monthly Quality Rollup for Windows Server 2012 for x64-based Systems (KB5031442)
Install the Prepartion Package respective of your OS
2022-08 Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2012 R2 for x64-based Systems (KB5017220)
2022-08 Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2012 for x64-based Systems (KB5017221)
