Extended Security Updates (ESUs) are security updates that Microsoft provides for supporting products that have reached their end-of-support date. ESUs are the final option for customers who want to run legacy applications past the end of support. ESUs are available for a fee, and they cover critical security updates 
Azure Arc is a cloud management service that enables you to manage all of your resources, including on-premises, hybrid, and multi-cloud resources, from a single pane of glass. Azure Arc also enables you to deliver ESUs to your Windows Server 2012 and Windows Server 2012 R2 servers.
This blog post provides a comprehensive guide to Extended Security Updates enabled by Azure Arc. It covers the following topics:
- What are ESUs?
- What are the benefits of using ESUs?
- What are the requirements for using ESUs?
- How to enable ESUs for your Windows Server 2012 and Windows Server 2012 R2 servers using Azure Arc.
- Best practices for using ESUs.
- Use cases for ESUs enabled by Azure Arc.
- Pricing for ESUs.
What are ESUs?
Extended Security Updates (ESUs) are security updates that Microsoft provides for supporting products that have reached their end-of-support date. ESUs are available for a fee, and they cover critical security updates for three years after the end of the support date.
Microsoft recommends that customers upgrade their operating systems to the latest supported version before the end of the support date. However, customers who are unable to upgrade their operating systems by the end of the support date can purchase ESUs to continue receiving critical security updates.
What are the benefits of using ESUs?
The benefits of using ESUs include:
- Continued protection from critical security vulnerabilities: ESUs provide critical security updates for three years after the end of the support date. This helps to protect your servers from known security vulnerabilities.
- Reduced risk of compliance violations: Many regulations require organisations to keep their systems up to date with the latest security patches. ESUs can help you to comply with these regulations.
- Extended time to migrate: ESUs can give you more time to migrate your servers to a newer supported version. This can be helpful if you are not yet ready to migrate your servers.
What are the requirements for using ESUs enabled by Azure Arc?
To use ESUs enabled by Azure Arc, you must meet the following requirements:
- You must have a valid Windows Server license.
- Your servers must be running Windows Server 2012 or Windows Server 2012 R2.
- Your servers must be connected to Azure Arc.
How to enable ESUs for your Windows Server 2012 and Windows Server 2012 R2 servers using Azure Arc
To enable ESUs for your Windows Server 2012 and Windows Server 2012 R2 servers using Azure Arc, follow these steps:
- Connect your servers to Azure Arc.
- Provision an ESU license for each server that you want to enable ESUs for.
- Link the ESU licenses to your servers.
To connect your servers to Azure Arc:
- Install the Azure Arc Connected Machine agent on your servers.
- Register your servers with Azure Arc.
To provision an ESU license for each server that you want to enable ESUs for:
- Go to the Azure portal https://portal.azure.com/
- Click Azure Arc.
- Click Extended Security Updates.
- Click + Create an ESU license.
- Enter the required information and click Create.
Note, that you have two options when creating your license instance. The Activate Now option starts your billing cycle immediately and allows you to enroll any linked Windows Server 2012 or Windows Server 2012 R2 server into ESUs. The Activate later option gives some adaptability to test now without triggering billing or ESU activation on any linked Windows Server 2012 and Windows Server 2012 R2 servers.
To link the ESU licenses to your servers:
- Go to the Azure portal https://portal.azure.com/.
- Click Azure Arc.
- Click Extended Security Updates and select the Eligible Resources tab.
- Select the Windows Server 2012 or Windows Server 2012 R2 servers to which you want to link the ESU licenses.
- Click Enable ESUs.
- Select the core type, Physical cores or Virtual cores and then select the ESU license that you want to link to the Windows Server 2012 or Windows Server 2012 R2 servers.
- Click Enable.
Once you have linked the ESU licenses to your Windows Server 2012 or Windows Server 2012 R2 servers, you will start receiving ESUs for those servers. You can use your existing patching solution to deploy ESUs.
Best practices for using ESUs
Here are some best practices for leveraging ESUs within your environment:
- Use ESUs to extend the time that you have to migrate to a newer supported version of Windows Server.
- Do not use ESUs as a long-term solution.
- Keep your servers up to date with the latest ESUs.
- Monitor your servers for security vulnerabilities and take appropriate action to mitigate them.
- Consider creating two ESU licenses if you require both vCores and pCores. This will give you more flexibility to adjust the number of licenses you need as servers are migrated or decommissioned.
- Each license can have up to 10,000 cores. If you need more than this, you will need to split servers across multiple licenses. 500 servers can be linked to a single license.
- Leverage additional Azure services e.g. Machine Configuration, Inventory, Change Tracking and Update Management at no extra costs, for those Windows Server 2012 or Windows Server 2012 R2 servers enrolled in ESUs.
- Review your ESU licenses regularly to ensure that they are up to date and that you are not overpaying
Use cases for ESUs enabled by Azure Arc
ESUs enabled by Azure Arc can be used in a variety of scenarios, including:
- Extending the time to migrate to a newer supported version of Windows Server: ESUs can give you more time to migrate your servers to a newer supported version of Windows Server. This can be helpful if you are not yet ready to migrate your servers for technical or financial reasons.
- Maintaining compliance: Many regulations require organisations to keep their systems up to date with the latest security patches. ESUs can help you to comply with these regulations, even if you are running an older version of Windows Server.
- Protecting critical systems: If you have critical systems that are running Windows Server 2012 or Windows Server 2012 R2, ESUs can help you protect those systems from security vulnerabilities.
- Supporting legacy applications: If you have legacy applications that are only compatible with Windows Server 2012 or Windows Server 2012 R2, ESUs can help you to continue supporting those applications.
- Offers Capex flexibility: ESUs enabled by Azure Arc are a monthly subscription service. Once you upgrade or modernise, you stop paying for the ESU. Unlike in previous ESU schemes, that utilised a yearly model.
Pricing for ESUs
Eligible customers with active Software Assurance will be able to purchase ESUs for their on-premises Windows Server 2012 or Windows Server 2012 R2 servers. Pricing for ESUs is based on the number of cores in your servers and is sold in either two-core or sixteen-core packs in Azure (purchasing eight-cores in Azure is not an option currently). Billing is monthly and will be itemised on your Azure bill.
Summary
If you are considering using ESUs enabled by Azure Arc, it is important to evaluate your specific needs and requirements. You should also consider the costs of ESUs and the impact on your migration planning.
For more information on the many ways we can help you, https://www.hpe.com/uk/en/services/pointnext.html.
Patrick Lownds
Hewlett Packard Enterprise
