It’s been almost two weeks since the first post-End of Life Patch Tuesday for Windows Server 2012/R2. To receive that critical security patch from November’s Patch Tuesday, your servers must be enrolled in Extended Security Updates. Fortunately, it’s not too late. You can enroll in WS2012 ESUs enabled by Azure Arc anytime, with just a few steps!
So, what are you waiting for? Let’s make sure you receive not just that first WS2012/R2 ESU patch but the ESU patches to come by following these steps:
1. Onboard WS2012/R2 Standard and Datacenter servers to Azure Arc. Onboard your servers to Azure Arc with the latest version of the Connected Machine Agent (Version 1.35+) and ensure that the networking prerequisites are fulfilled, including network access to all of the endpoints outlined in Prepare to deliver Extended Security Updates for Windows Server 2012 through Azure Arc. Note that Azure Arc supports only the operating systems Windows Server 2012 and 2012 R2, in both Standard and Datacenter editions. You can also connect your vCenter to onboard your VMware vSphere environments to Azure Arc at scale.
2. Provision licensing and enroll your Azure Arc-enabled servers in WS2012 ESUs. Provision and activate WS2012/R2 Arc ESU licenses, allocating the appropriate cores and editions to match your servers. Then, link each Azure Arc-enabled server to an activated Windows Server 2012 ESU license. For at-scale enrollment, consider using the built-in Azure policy: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their ... To check whether the server is properly enrolled in ESUs enabled by Azure Arc, verify the presence of the license object at C:\ProgramData\AzureConnectedMachineAgent\Certs\license.json. Alternatively, with Connected Machine agent version 1.36 or higher, you can use the azcmagent show command to see the ESU enrollment status. For enrollment details, see Deliver Extended Security Updates for Windows Server 2012.
3. Install the SSU and License Prep Package for ESU Eligibility. If you have not already, download the servicing stack update (SSU) and Licensing Preparation Package on your Arc-enabled servers from August 8, 2023 or later. Note that the license prep packages require a reboot.
   - For Windows Server 2012 R2, you must have the servicing stack update (SSU) (KB5029368) and the Licensing Preparation Package (KB5017220).
   - For Windows Server 2012, you must have the servicing stack update (SSU) (KB5029369) and the Licensing Preparation Package (KB5017221).
4. Provide access to the endpoint: microsoft.com/pkiops/certs. If you cannot open access to this endpoint, you may download the intermediate CA (valid for up to 6 months) on your Arc-enabled servers as a stopgap solution.
   - For Azure Commercial Cloud, download this intermediate CA published by Microsoft. Install the downloaded certificate as Local Computer under Intermediate Certificate Authorities\Certificates. Use the following command to install the certificate correctly: certutil -addstore CA 'Microsoft Azure TLS Issuing CA 01 - xsign.crt'
   - For Azure Government Cloud, download this intermediate CA published by Microsoft. Install the downloaded certificate as Local Computer under Intermediate Certificate Authorities\Certificates. Use the following command to install the certificate correctly: certutil -addstore CA 'Microsoft Azure TLS Issuing CA 02 - xsign.crt'
Once these steps have been followed, the Extended Security Update patches will be available for the Azure Arc-enabled server. Note that customers have the flexibility to use their patching solution of choice, including SCCM, WSUS, and third-party patching solutions.
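The steps above can be checked on each server with a short script. The following PowerShell is an added example, not code from Microsoft or from the original post; it assumes azcmagent is on PATH and that "azcmagent version" prints a dotted version number, and it matches the stopgap CA by the subject name implied by the certificate file names above.

```powershell
# Added example: ESU readiness check for one Arc-enabled WS2012/R2 server.
# Run locally in an elevated PowerShell session (written for PowerShell 3.0+).
$results = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. Supported OS and edition, plus the KB pair the post lists for that OS.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$kbs = $null
if ($os.Caption -like '*Server 2012 R2*') { $kbs = @{ SSU = 'KB5029368'; LicensePrep = 'KB5017220' } }
elseif ($os.Caption -like '*Server 2012*') { $kbs = @{ SSU = 'KB5029369'; LicensePrep = 'KB5017221' } }
$edition = $os.Caption -match 'Standard|Datacenter'
Add-Check 'Supported OS/edition' (($null -ne $kbs) -and $edition) $os.Caption

# 2. Connected Machine agent 1.35 or later.
# Assumption: azcmagent is on PATH and its version output contains "major.minor".
$ver = $null
if (Get-Command azcmagent -ErrorAction SilentlyContinue) {
    if (((& azcmagent version) -join ' ') -match '(\d+\.\d+)') { $ver = [version]$Matches[1] }
}
Add-Check 'Agent >= 1.35' ($ver -ge [version]'1.35') "detected: $ver"

# 3. License object present once the server is linked to an activated ESU license.
$lic = 'C:\ProgramData\AzureConnectedMachineAgent\Certs\license.json'
Add-Check 'ESU license object' (Test-Path -LiteralPath $lic) $lic

# 4. SSU and Licensing Preparation Package.
# A missing SSU KB can also mean a later SSU is installed; confirm in update history.
if ($kbs) {
    foreach ($role in 'SSU', 'LicensePrep') {
        $hit = Get-HotFix -Id $kbs[$role] -ErrorAction SilentlyContinue
        Add-Check "$role $($kbs[$role])" ([bool]$hit) ''
    }
}

# 5. Stopgap intermediate CA; only needed when the pkiops endpoint is blocked.
#    The expiry date is shown because the stopgap is valid for a limited time.
$ca = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*Microsoft Azure TLS Issuing CA 0[12]*' }
Add-Check 'Stopgap intermediate CA' ([bool]$ca) (($ca | ForEach-Object { $_.NotAfter }) -join ', ')

$results | Format-Table Check, Pass, Detail -AutoSize
```

A failed "Stopgap intermediate CA" row is expected on servers that can reach the pkiops endpoint directly.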
Your Azure Arc-enabled servers enrolled in WS2012 ESUs enabled by Azure Arc are eligible for free access to Azure-native patching through Azure Update Manager and Azure governance capabilities like Machine Configuration and Change Tracking and Inventory at no additional cost, helping you further strengthen the security and compliance posture of your Azure Arc-enabled servers.
The best part? You can unenroll just as easily as you enrolled your servers in WS2012 ESUs enabled by Azure Arc. Because ESUs enabled by Azure Arc is a monthly Azure billed service, as you migrate and modernize your EOL infrastructure workloads to Azure, you can decrement, deactivate, and delete WS2012/R2 Arc ESU licenses that you no longer need.