While more and more organizations are moving towards cloud they are all using cloud in their own way depending on size and scale. Some have adopted cloud native model using Microsoft Azure, but some decided to use cloud services while still maintaining their on-premises footprint. The latter approach is known as Hybrid model. Hybrid also means having presence in more than one cloud provider.
While the Hybrid model comes with some advantages and flexibility it has certain challenges too. One of the biggest challenges is the added management complexity. In a Hybrid model as the workload grows, organizations might struggle to control the growing complex environments which could be extending across data centers, multiple clouds and even the edge. One common struggle which we will be covering in this blog post today is… the ability to protect your end-of-support Windows Servers which are either in multi-cloud environment or on-premises.
What options do Customers have for end-of-support Windows Servers 2012/R2?
It’s not always easy for clients to upgrade all older Windows Servers to Win2016 or later. As the on-premises or multi-cloud environment servers reach the end of support, it also means end of security updates which can put business applications running on the server at security risk and can cause compliance issues.
The Extended Security Updates (ESU) program is an option that can be used by customers to run Windows servers past the end of support for a maximum period but not indefinitely. The updates provided through ESUs are only Security updates as well as critical and important rated bulletins.
Below are options for customers to use ESU:
- Migrate workload to Azure: Migrate existing affected Windows Server workloads as-is to Azure Virtual Machines which will automatically provide ESU for a defined period without being additionally charged for these updates on top of Azure VM's cost. Migrating workloads to Azure VMware Solution (AVS) also makes them eligible for free ESUs.
- Get ESU through Azure Stack HCI: On-premises Windows Server 2012/ 2012 R2 virtual machines connected to cloud via Azure Stack HCI can get free ESUs through Azure verification of VMs.
- Purchase ESU license outside of Azure: By purchasing ESU, they can protect them until they decide to upgrade them to a more recent version or migrate them to cloud.
Purchase ESU License Options
If workload running outside of Azure and not connected to cloud through Azure Stack HCI, customers have below options for licensing ESU.
- Azure Arc-enabled Servers: Their on-premises servers or in a hosted environment should be connected through Azure Arc service to have Arc-enabled servers. If they are Arc enabled, they can enroll their Windows Server 2012 and 2012 R2 servers for ESU via the Azure portal. They will be billed monthly on their subscription.
- Non-Arc enabled physical and virtual machines – For these servers they can enable ESU by acquiring ESU licenses through Microsoft Volume Licensing program.
These ESU licenses are valid for annual coverage periods and each license is entitled to a specific server or operating system for the duration it has been purchased. They can acquire license for later years only if they have acquired licenses for prior years.
Purchase ESU License Eligibility Criteria
To be eligible for ESU licenses, their server/operating system must qualify one of the following:
- Customers should have Software Assurance to purchase ESUs on-premises or in hosted environment.
- Windows Server 2012/2012 R2 machines are licensed through Services Provider License Agreement (SPLA) and not using their own licenses.
- Windows Server 2012/2012 R2 machines are licensed with a Server Subscription where Software Assurance is not required.
ESU Licensing with Azure Arc enabled Windows Server 2012/2012 R2
To deliver ESU for Windows Server 2012, customers should provision Windows Server Arc ESU licenses and then apply/link those licenses to Azure Arc enabled servers. These can be done via Azure portal.
Before we progress to understand how to provision WS2012 ESU license and to link licenses to Arc enabled servers it is good to be aware about below:
- Standard vs Datacenter Edition: When standard edition of license selected, it will be limited to 2 virtual instances but with Datacenter Edition, it can be applied to unlimited virtual instances.
- vCore Vs pCore Licensing:
vCore (Virtual Core ) Licensing: When this licensing is chosen, they will pay based on the number of virtual cores (vCores) being used by the OS. It requires a minimum of 8 cores per Virtual machine when selected. It uses the standard edition rate for billing.
pCore ( Physical Core) Licensing: If they choose to license based on physical cores (pCores), then they pay based on the number of physical cores (pCores) utilized by the host operating system. It requires a minimum of 16 cores per server when selected. Customers have the flexibility to use this licensing with either edition.
NOTE:
- vCore Licensing cannot be used on physical servers.
- They can select either licensing options or can also select a mix of pCore and vCore licensing for their virtual machines within the remit of their virtualization entitlements.
Create a new ESU WS2012 license:
Step 1: Sign in to the Azure portal
Step 2: On the Azure Arc service page, select Extended Security Updates in the left pane under Management section.
Step 3: Under Licenses tab, select Create.
Step 4: Provide the information required in Create an Extended Security Updates license page to configure the license.
- Resource group: The ESU license will be billed to.
- License name: You can create multiple licenses. It may be helpful following a naming convention for license name.
- SKU and Core Type: Select the value based on licensing option chosen.
- Core Packs: Enter the value based on cores count required. You can modify the number of cores associated with a license later after creation.
Step 5: Review the information provided and then select Create.
License created from above will appear in the list under Licenses tab. Licenses can be linked to Arc-enabled servers following steps in next section.
ESU license can be provisioned in a deactivated state during creation to avoid initiation of billing.
Link ESU licenses to Arc-enabled servers:
Each license can be linked to one or more Arc-enabled servers.
Step 1: Sign in to the Azure portal
Step 2: On the Azure Arc service page, select Extended Security Updates in the left pane under Management section.
Step 3: Select Eligible Resources tab.
This will give you the list of all Arc-enabled servers which are running Windows Server 2012/2012 R2 and eligible for ESU updates.
ESU Status column tells us whether the machine is ESU enabled.
Step 4: Select the machines from the list (with ESU Status = Not enabled) and then select Enable ESUs.
Step 5: Next page Enable Extended Security Updates shows the count of machines selected for enabling ESU and lists the available licenses. Select the license that needs to be linked to these machines and then click on Enable at bottom of page.
It will take some time but later the status of machine in ESUs Status column changes to Enabled.
NOTE: A Windows Server is eligible to receive ESU updates once linked to an activated ESU license.
ESU Licensing limits:
Customer can include up to 10,000 cores within each WS2012 ESU license and if needed for more cores then can split the cores across multiple licenses. However, there is a limitation of only 800 licenses per resource group.
ESU Billing:
Billing for ESU is mainly dependent on three factors:
- Number of cores provisioned
- Selection of license edition
- Any eligible discounts
While above three factors sound simple, below are few good to know points before we proceed to understand on how to estimate monthly cost:
- Is the Customer planning to decommission any servers? Do not include the core counts for servers, which need to be decommissioned and do not require extended security updates applied.
- Back-billing for sign-ups after the end of support dates: For customers who enroll in ESUs enabled by Azure Arc after the end of support date October 10, 2023, for Windows Server 2012/R2, they will be billed a one-time upfront charge for the months they missed after the end of support date, with billing coming in at the end of the first month when they signed-up.
Example: XYZ Corp has decided to enroll for ESU for Windows Server 2012/R2 in February 2024. In that case they will receive a one- time back-bill for October (starting from 11th of the month), November, December 2023, and January 2024 at the end of February month.
After February, for the later months, XYZ Corp billing will only be based on the current month.
- Back-billing applies even if a customer intermittently deactivates ESUs.
Example: If XYZ Corp, unenrolls in March 2024 and then decides to re-enrolls in June 2024, the re-enrollment will trigger back-billing for April and May 2024.
When ESU enabled by Azure Arc, Customers can link their already paid extended security updates to their eligible Disaster Recovery Benefit servers.
- Billing is monthly. Decrementing, deactivating, or deleting a license will result in charges for up to five more calendar days from the time of decrement, deactivation, or deletion. Reduction in billing isn't immediate.
- There is no cost for non-production workloads that need ESU updates.
Examples of Cost-Effective ESU Licensing:
It is recommended to refer to the Azure Pricing calculator for calculating estimated monthly cost.
Let us take some examples (based on public pricing) to understand cost effective ESU licensing.
Example 1 *:
XYZ Corp. has currently got a VMware cluster containing 28 hosts with 736 physical cores on-premises. There are 90 VMs on the cluster and they are running Windows Server 2012 R2 consuming all 736 cores.
Based on above information, public pricing for Arc Enabled ESU for both the licensing option would be:
pCore (Physical Core) Licensing: 46 x Windows Server 2012 DC – 16 Core (£341) = ~ £15K / month
vCore (Virtual Core) Licensing: 92 x Windows Server Standard – 8 Core (£30) = ~ £3K / month
They can either license the entire cluster with 736 Windows Server 2012 Datacenter ESU physical cores or license each VM individually with a total of 736 standard edition virtual cores. In the above case, it's cheaper to purchase an Arc ESU Windows Server 2012 Standard edition license associated with 736 virtual cores if all other factors align with the option.
NOTE: In the above example it was assumed that ESU vCore/pCore licensing requirements for the machines were achieved.
Example 2 *:
ABC Corp has currently got 64 cores of Datacenter Edition and 128 cores of standard edition physical hosts running Windows 2012 and eligible for ESU.
When buying licenses, they can buy in 2 or 16 core packs with not much difference in cost. 8 packs of 2 cores costs almost the same as 1 pack of 16 core.
When buying 16 core packs then pricing calculation will be:
64 cores of Datacenter Edition = 4x Windows Server 2012 DC – 16 core (£341) = ~ £1.3 K /month
128 cores of Standard Edition = 8 x Windows Server Standard – 16 core (£60) = £480/month
When calculating with 2 core packs, calculation will look like:
64 cores of Datacenter Edition = 32 x Windows Server 2012 DC – 2 core (£43) = ~ £1.3 K /month
128 cores of Standard Edition = 64 x Windows Server Standard – 2 core (£7.4) = £473.6 /month
As seen in the above calculations, buying multiple packs of lesser core, or buying a smaller count of packs with larger core size does not bring much cost difference. However, for situations where they need granular control on activation of licenses, it might help with the flexibility in buying multiple packs of required cores.
* This example is only for illustration purposes. Scenario and factors to consider for cost effective ESU licensing option may vary based on Customer requirements.
Summary
Extended Security Updates for Windows Server includes security updates, critical and important bulletins for a period after end of extended support. ESUs do not include new features, customer-requested non-security updates, or design change requests. After the period of ESU ends, Microsoft will stop providing updates. It is recommended to upgrade your version of Windows Server to the current version or more recent version as soon as possible for the most advanced security, performance and innovation.
Where updates are not immediately possible, migrating your on-premises Windows servers Infrastructure (that has past the end of extended support or almost reaching to it) to Azure or connecting them to cloud using Azure Stack HCI is also an option (for a defined period) as they're eligible for free ESUs.
ESU Availability and End dates information for Windows Server 2012/2012 R2 are:
End of Extended Support/ESU Start Date: October 10, 2023
ESU End Date Year 1: October 8, 2024
ESU End Date Year 2: October 14, 2025
ESU End Date Year 3: October 13, 2026
Type of Security Update: Critical, Important
Learn More
Search Product and Services Lifecycle Information - Microsoft Lifecycle | Microsoft Learn
Product Lifecycle FAQ - Extended Security Updates | Microsoft Learn
Extended Security Updates (ESU) on Azure Stack HCI - Azure Stack HCI | Microsoft Learn
Manage Azure Arc-enabled Servers using Windows Admin Center in Azure preview | Microsoft Learn
Overview of Windows Server upgrades | Microsoft Learn
Perform an in-place upgrade of Windows Server | Microsoft Learn
Microsoft
