Extended Security Updates (ESU) Enabled by Azure Arc

Hakan Ceyhan
Published in DataBulls
Sep 7, 2023

If you are using Windows Server 2012 and 2012 R2 and Microsoft SQL Server 2012 then I have bad news for you:

Microsoft always recommends upgrading to the latest versions of the software to continue to get regular security updates. Despite the conclusion of Extended Support for Windows Server 2012, 2012 R2, and Microsoft SQL Server 2012, you can continue to receive essential security updates for an additional three years by activating the Extended Security Update (ESU). The Extended Security Update (ESU) program serves as a final choice for customers who require continued operation of specific legacy Microsoft products after their official support has ended.

1. What Does “End of Support” Mean?

“End of Support” is an important feature of Microsoft’s Lifecycle Policy. This policy includes a total support duration of 10 years for Business and Developer products like SQL Server and Windows Server, split into 5 years of Mainstream Support and 5 years of Extended Support. After the Extended Support phase concludes, Microsoft no longer releases patches or security updates. This absence of support can potentially lead to security and compliance issues, exposing customers’ applications and businesses to significant security risks. In cases where upgrading to the next software version isn’t feasible, Microsoft offers Extended Security Updates (ESUs) as an option, providing an additional 3 years of security coverage for end-of-support software versions.

Microsoft Life Cycle Policy

2. What is Included in Extended Security Updates?

For Windows Server 2008/2008 R2 and 2012/2012 R2, Extended Security Updates include both “critical” and “important” Security Updates, as rated by the “Security Update Severity Rating System,” for a maximum of three years after the conclusion of the support period.

For SQL Server 2012, Extended Security Updates include the delivery of “critical” Security Updates for up to three years following the end of support.

3. What should you do?

ESU for Windows Server 2008 ended. However, if customers migrate their workload to Azure they will get an extension of one more year for free extended security updates. This extension means that customers now have until January 14, 2024, to transition their Windows Server 2008/2008 R2 environments to a supported release.

It’s crucial to note that Extended Security Updates for SQL Server 2008/2008 R2 on Azure concluded on July 12, 2023. Therefore, customers using SQL Server 2008/2008 R2 on Azure must accelerate their upgrade process to maintain security.

Windows Server 2012 Lifecycle
Microsoft SQL Server 2012 Lifecycle

On the other hand, if you are using Windows Server 2012 and 2012 R2 and Microsoft SQL Server 2012 and you haven’t already upgraded your servers, here are some recommended actions to secure your applications and data:

a) Extended Security Updates in Azure

Customers who migrate their workloads to Azure will benefit from Extended Security Updates for SQL Server 2012 and Windows Server 2012/2012 R2 for a period of three years after the End of Support dates, all without incurring any extra charges beyond the cost associated with running the virtual machine. Customers moving to Azure SQL Managed Instance (PaaS) do not need Extended Security Updates, as this is a fully managed solution, and is always updated and patched by Microsoft.

b) Upgrade on-premises

If you need to keep your servers on-premises instead of migrating to Azure and the cloud, you have two choices for how to proceed:

· Build new servers with a supported version of Windows Server and migrate your applications and data.

· Upgrade in-place to a supported version of Windows Server.

In general, in-place upgrades for Windows Server allow you to upgrade through at least one version, and in some cases, even two. For instance, Windows Server 2012 R2 can be directly upgraded to Windows Server 2019. However, if your current server is Windows Server 2008 or Windows Server 2008 R2, there isn’t a direct upgrade path to Windows Server 2016 or any subsequent versions. The necessary route involves a two-step process: first, upgrading to Windows Server 2012 R2, and then upgrading to either Windows Server 2016 or Windows Server 2019.

c) Purchase Extended Security Updates for on-premises

Extended Security Updates are not limited to Azure but are also accessible for workloads operating on-premises or in other cloud providers. Customers who are running SQL Server or Windows Server and possess licenses with active Software Assurance under specific agreements like Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), Server & Cloud Enrollment (SCE), Enrollment for Education Solutions (EES), or Subscription can opt to acquire Extended Security Updates on an annual basis. This option is available for a duration of three years after the respective End of Support date. Customers have two options for purchasing Extended Security Updates:

(1) Extended Security Updates through Azure Arc

With Azure Arc, you have the ability to enroll your machines running Windows Server 2012/R2 or SQL Server 2012 for Extended Security Updates and pay for them as part of your Azure billing. This arrangement entails a monthly fee for the Extended Security Updates, and the convenience of not requiring any keys. Azure Arc handles all necessary authentication processes, eliminating the need for acquiring, deploying, and managing keys. Furthermore, you can easily access an inventory view that displays the Extended Security Update coverage for all Azure Arc-enabled Windows and SQL Server machines.

(2) Purchase Extended Security Updates via Volume Licensing Service Center

Alternatively, you can choose to purchase Extended Security Updates through an annual billing cycle via the Volume Licensing Service Center. For Windows Server, this entails manually deploying Multiple Activation Key (MAK) Keys.

4. What is Extended Security Updates enabled by Azure Arc?

As Windows Server 2012 and Windows Server 2012 R2 are approaching their end of support on October 10, 2023, Azure Arc-enabled servers provide a valuable solution. With Azure Arc, you have the capability to enroll your existing Windows Server 2012/2012 R2 machines in Extended Security Updates (ESUs). This approach offers the dual benefits of cost flexibility and an improved delivery experience, helping you to effectively manage the transition and maintain the security of your systems beyond the end of support.

4.1. What are the benefits of Extended Security Updates (ESUs) enabled by Azure Arc?

· Cost Flexibility: ESUs through Azure Arc can be paid for on a monthly basis. This offers financial flexibility and allows organizations to align their expenses more closely with their budgetary needs.

· Encouragement for Migration: The monthly payment model for ESUs can incentivize organizations to expedite their server upgrade or migration processes, as the sooner they complete the transition, the sooner they can eliminate the ongoing cost of ESUs.

· Simplified Management: Azure Arc streamlines the process of enrolling machines for ESUs. It eliminates the need for acquiring, deploying, and managing keys, simplifying the administrative burden.

· Azure Integration: By leveraging Azure services, organizations can benefit from the broader Azure ecosystem, including advanced security features, monitoring, and management tools.

· Inventory Management: Azure Arc provides an inventory view that allows organizations to easily monitor the ESU coverage of all Azure Arc-enabled Windows Server machines.

You can purchase and deploy Extended Security Updates (ESUs) for your Arc-enabled on-premises servers from the Azure portal:

Starting in October, when you navigate to the Arc-enabled Server section within the Azure portal, you will find a list of eligible servers that qualify for Extended Security Updates (ESUs):

Here, you can select the eligible servers and view the total cost for ESU:

As an example, let’s consider the scenario where you intend to purchase traditional VL ESU for Windows Server 2012 Datacenter with 16 cores. The annual cost for this would amount to $5,232. If you are planning to upgrade your servers three months later, you would still have to pay the full annual price.

Here’s where the ESU with Azure Arc steps in as a cost-effective solution. By opting for ESU enabled by Azure Arc, you can break down the annual cost into manageable monthly payments, which equate to $436 per month ($5,232 divided by 12). The significant advantage here is that you only need to pay for ESUs as long as you require them. Once you upgrade your system, you can discontinue these payments, making it a flexible and cost-efficient approach to managing your server security and updates.

Important to know:

Minimum core-count for a Windows and SQL Server Extended Security Update purchase

· Pricing for Windows Server Extended Security Updates is based on Windows Server Standard per core pricing, based on the number of virtual cores in the hosted virtual machine, and subject to a minimum of 16 licenses per instance.

· Pricing for SQL Server Extended Security Updates is based on SQL Server per core pricing, based on the number of virtual cores in the hosted virtual machine, and subject to a minimum of 4 licenses per instance. Software Assurance is not required.

· Core licenses are sold in packs of two (a 2-pack of Core Licenses), and packs of 16 (a 16-pack of Core Licenses). Each processor needs to be licensed with a minimum of eight cores (four 2-pack Core Licenses). Each physical server, including single-processor servers, will need to be licensed with a minimum of 16 Core Licenses (eight 2-pack of Core Licenses or one 16-pack of Core Licenses). Additional cores can then be licensed in increments of two cores (one 2-pack of Core Licenses) for servers with core densities higher than 8.

For SQL Servers:

In order to be eligible for the monthly subscription of Extended Security Updates (ESUs), you must have initially purchased the Year 1 ESU from VLSC (Volume Licensing Service Center). For newcomers to the ESU plans, it is a prerequisite to first acquire Year 1 ESU before activating the monthly ESU subscription. This ensures that your systems are appropriately covered and compliant with security updates.

  1. If you’ve purchased ESU for Year 1 from VLSC but haven’t paid for Year 2 yet, you can make the switch to the ESU subscription via Azure Arc at this point and pay monthly.
  2. If you’ve already purchased Year 2 of ESU, you must wait until Year 3 before you can transition to Arc-enabled ESUs.

Thank you for reading. I look forward to seeing you in the next article.

