Azure Arc: Set up Extended Security Updates for your Windows Server 2012 machines with Azure Arc : wmatthyssen

by: wmatthyssen



In this blog post, you’ll discover the process of onboarding your Windows Server 2012/2012 R2 machines into Azure Arc, creating a new Extended Security Update (ESU) license, and seamlessly linking it to your Arc-enabled servers running Windows Server 2012/2012 R2.

As many of you are likely aware, support for Windows Server 2012 and Windows Server 2012 R2 ended on October 10, 2023. If you continue to use these servers (machines) in your on-premises or other cloud environments, please be aware that Microsoft no longer provides security updates or support.

However, by enabling these machines as Azure Arc-enabled machines, you can enroll them in Extended Security Updates, ensuring they receive crucial security patches for ongoing protection. In this blog post, I’ll guide you through the process of setting this up.


Prerequisites

  • An Azure subscription, preferably more than one if you plan to follow the Cloud Adoption Framework (CAF) enterprise-scale architecture. This includes a connectivity and/or management subscription, as well as an Arc subscription (landing zone), to deploy your Arc-related resources.
  • An existing dedicated resource group on the Arc subscription to include only your Azure Arc-enabled servers.
  • An existing resource group on the Arc subscription to store your Azure Arc WS2012 or WS2012R2 ESU licenses.
  • An Azure Administrator account with the necessary RBAC roles, specifically the Contributor role, to carry out essential tasks such as creating and assigning ESUs.
  • A service principal to connect machines non-interactively using Azure PowerShell.
  • Some Windows Server 2012 (W2K12) or Windows Server 2012 R2 (W2K12R2) machines, whether physical or virtual, running within your hybrid environment.
  • To install the Azure Connected Machine agent on your machines, you need an account with elevated privileges (administrator or root) for the installation process.
  • The pre-defined installation script to connect your machines has already been generated and made available on a network share.












Onboarding your Windows Server 2012 machine to Azure Arc-enabled servers

Let’s get started by onboarding your Windows 2012 or 2012 R2 machines into Arc through the onboarding script. In this blog post, I’ll demonstrate this process for a single server, but you can automate it for multiple servers using methods like Group Policy Objects (GPO).

Just log in to one of the machines with an account that has administrator privileges, open Windows PowerShell as Administrator and then navigate to the network share to run the OnboardingScript.ps1 script.

You can use the following PowerShell one-liner (adjusted for your environment; replace “servername” and “sharename”) to execute the script:

powershell -ExecutionPolicy Bypass -File "\\servername\sharename\OnboardingScript.ps1"
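
One way to run the one-liner above with an integrity check and a follow-up verification, as an added example that is not part of the original post. It runs a verified local copy of the script and then confirms the agent reports as connected. The share path, `$ExpectedSha256`, and the JSON field names read from `azcmagent show` are assumptions.

```powershell
# Added example, not from the original post. servername, sharename and
# $ExpectedSha256 are placeholders (assumptions): record the real SHA-256
# when the onboarding script is generated.
$SharePath      = '\\servername\sharename\OnboardingScript.ps1'
$ExpectedSha256 = '<SHA-256 recorded at generation time>'

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Get-FileHash requires PowerShell 4.0; Windows Server 2012 ships with 3.0,
    # so hash through .NET instead.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Dispose() }
}

# Copy first, then hash and run the local copy, so the file that was checked
# is the file that executes even if the share changes in between.
$Local = Join-Path $env:TEMP 'OnboardingScript.ps1'
Copy-Item -Path $SharePath -Destination $Local -Force
try {
    $actual = Get-Sha256Hex -Path $Local
    if ($actual -ne $ExpectedSha256) {   # -ne is case-insensitive for strings
        throw "Hash mismatch for $SharePath (got $actual); script not run."
    }
    & powershell.exe -ExecutionPolicy Bypass -File $Local
}
finally {
    # The script may carry the service principal credentials; leave no copy behind.
    Remove-Item -Path $Local -Force -ErrorAction SilentlyContinue
}

# Confirm the Connected Machine agent registered.
# Assumption: the JSON output exposes status, resourceName and resourceGroup.
$azcmagent = Join-Path $env:ProgramW6432 'AzureConnectedMachineAgent\azcmagent.exe'
$state = & $azcmagent show --json | Out-String | ConvertFrom-Json
if ($state.status -ne 'Connected') {
    throw "Agent status is '$($state.status)', expected 'Connected'."
}
'{0} is connected (resource group {1})' -f $state.resourceName, $state.resourceGroup
```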






Create an Azure Arc WS2012 or WS2012R2 ESU license

When your servers are onboarded into Azure Arc, the next step is to create Windows Server 2012 or 2012 R2 Extended Security Update licenses from Azure Arc.

To create a new license, log on to the Azure portal and enter “arc” into the global search bar, then select “Azure Arc” from the search results.


On the Azure Arc page, navigate to the “Management” section and choose “Extended Security Updates”.


On the Azure Arc Extended Security Updates page, open the Licenses tab and select Create.


Next, complete all the necessary fields, such as subscription, resource group, and license name. When setting up a new license, I recommend scheduling its activation for a later time.

In the SKU field, specify the SKU*, which can be Windows Server 2012, 2012 R2 Standard Edition, or Datacenter Edition.

In the core type field, choose physical cores if your server is licensed based on its hardware cores, or choose virtual cores if you’re licensing individual VMs without covering all underlying hardware cores.

In my example, I selected virtual cores because I have 3 VMs with 2 virtual cores each. So, I chose 4 sets of 2 cores, totaling the minimum requirement of 8 for this virtual core license.

Before you can proceed and click “Create” to initiate the license provisioning, you must confirm Microsoft’s SA or SPLA coverage**.

*For general guidance on choosing the right license and understanding the differences between each option, you can refer to this Microsoft Learn webpage.

**In order to purchase ESUs, you need Software Assurance via Volume Licensing Programs like Enterprise Agreement (EA), Enterprise Agreement Subscription (EAS), Enrollment for Education Solutions (EES), or Server and Cloud Enrollment (SCE). Alternatively, if your Windows Server 2012/2012 R2 machines are licensed through SPLA or with a Server Subscription, Software Assurance isn’t necessary for purchasing ESUs.







Link an ESU license to a Windows Server 2012 or 2012 R2 Arc-enabled server

After creating your initial ESU license, you can choose one or more Arc-enabled servers to associate with it. Once a server is linked to an activated ESU license, it becomes eligible to receive Windows Server 2012 and 2012 R2 ESUs.

Initially, if you don’t have any activated licenses, you need to activate one.

To do this, click on the name of a deactivated license under the “License” tab. Next, click “Edit”, choose “Activated”, and then click “Save” to activate the selected license.






Once you have at least one active license, navigate to the “Eligible Resources” tab to see a list of all your Arc-enabled servers running Windows Server 2012 and 2012 R2.

To enable ESUs for one or more machines, simply choose them from the list and click “Enable ESUs”.


On the “Enable Extended Security Updates” page, you’ll see the number of selected machines for ESU activation and the available WS2012 licenses. Choose a license to link with the selected machine(s), then click “Enable”.



If everything proceeds smoothly, the status of the selected machine(s) will change to “Enabled”.


If any of your Windows Server 2012 or 2012 R2 machines have an active ESU status, you can configure your preferred patching solution to receive these updates. Whether it’s Azure Update Manager, Windows Server Update Services (WSUS), Microsoft Updates, Microsoft Endpoint Configuration Manager, or a third-party patch management solution, the choice is yours.


Conclusion

Windows Server 2012 and Windows Server 2012 R2 officially reached the end of support on October 10, 2023. If your hybrid environment still includes these servers, be aware that Microsoft no longer provides new security updates or support for them.

Fortunately, by enabling these Windows Server 2012/2012 R2 machines as Azure Arc-enabled servers, you can choose to enroll them in Extended Security Updates. This option ensures they continue to receive the essential security updates necessary for their protection.

In this blog post, I demonstrated the steps to onboard your Windows Server 2012/2012 R2 machines into Azure Arc, create a new ESU license, and link it to your Arc-enabled servers running Windows Server 2012/2012 R2.

If you have any questions or suggestions about this blog post, feel free to reach out to me through my Twitter handle (@wmatthyssen) or simply leave a comment, and I’ll be more than happy to assist.



October 18, 2023 at 06:41PM