Today, Tuesday, October 10th, 2023 marks the end of service for Server 2012 (R2). Are you prepared and ready to go with Extended Security Updates? If not, read this post to get up to speed with the details of ESU’s.
This blog post serves as a follow up to my first call to arms in regards to the impending Server 2012 (R2) End of Service deadline (you can read that here). This time lets dig deeper into how ESU’s will work both for servers hosted on Azure but also the new Azure Arc enabled machines option for enabling ESU’s.
Server 2012 (R2) VM’s running on Azure
We’ll start with what happens with Server 2012 (R2) virtual machines that are currently running on Azure (or maybe you’ve recently migrated them to take advantage of the free ESU license).
Microsoft is providing free ESU licenses to workloads present on Azure itself. This includes Azure Virtual Machines, Azure Dedicated Host, Azure VMWare Solutions, Nutanix Cloud Clusters on Azure, and Azure Stack Hub/Edge/HCI.
ESU licenses are automatically installed for eligible machines through the Azure Machine Agent that should be installed on all your Azure machines already. Eligibility of the machines is done through the Azure Instance Metadata Service meaning that Azure classic VM’s do require extra configuration as they don’t have access to that service.
A method to check if the license has been assigned correctly from within the VM is shown in the section outlining Azure Arc.
Azure Arc Enabled On-Premise Machines
If you’re running Server 2012 R2 machines on-premise then you’ll need to purchase Extended Security Update licenses.
For machines that are on-boarded into Azure Arc these licenses can be created and assigned all by yourself from within the Azure portal. Creating licenses this way you’ll take advantage of Azure’s monthly billing compared to needing to purchase yearly licenses. Pricing details can be found here.
Keep in mind that for these licenses you will be back-billed to October 10th, 2023 if you apply them at a later date. This will come in the form as ‘a one-time upfront charge for the months they missed after the end of support date, with billing coming in at the end of the month. For example, if a customer enrolls in January 2024, they will receive a one-time back-bill for October, November, and December 2023 during their first month.’
Creating an ESU License for Azure Arc Machines
I’ve setup a Server 2012 R2 machine on-premise for testing purposes and onboarded it for Azure Arc. It now shows up under the new ‘Extended Security Updates’ tab as an eligible resource for receiving ESU.
First we need to create a license under the ‘Licenses’ tab:
Fill in the required information and ensure you select the correct SKU and core type. Take care to read the documentation regarding which core types and the amount of core packs you require as this can get complicated depending on the scenario. More information can be found here.
Once the license has been created and activated it can be assigned to the previously listed eligible machines directly from Azure Arc:
Licenses are automatically installed once assigned, similar to the machines that are found in Azure through the Azure Connected Machine Agent. This can be confirmed by running the following command on the machine:
slmgr /dlv all
Lots of VM’s? Automate it!
Another advantage of being able to handle the licensing through Azure is the ability to script/program the creation and deployment of ESU licenses.
This is done through the Azure REST API and can be referenced here.
I haven’t seen any programs available yet that take advantage of this API in order to automate the licensing just yet but I’m sure those are around the corner. In any case, I probably wouldn’t recommend using this method as the licensing requirements and pricing are quite complicated and it’s much easier to use the Azure Arc portal.
What’s Next?
With ESU licenses installed there isn’t much else to do but wait for Microsoft to release new security updates. These will most likely come next month Patch Tuesday (second Tuesday of the month) and any machine with a valid license will automatically grab the new updates from whatever patch management solution is in place. This includes first/third-party tools such as Azure Patch Management or Solarwinds.
Conclusion
In this blog post we’ve taken a deeper look into how Extended Security Update licensing works for the now deprecated Server 2012 (R2) operating system. ESU’s will allow you to keep operating these systems securely for three more years under official Microsoft support as a last resort to upgrading them proper. Off course, it is still recommended to upgrade to the newer operating system versions.
Security consultant with focus on cloud and Azure.
