Azure Arc ESU (Extended Security Updates) is a game-changer for organizations looking to simplify their hybrid and multi-cloud management.
Azure Arc ESU provides a unified management experience across on-premises, edge, and multi-cloud environments, allowing you to manage your entire infrastructure from a single pane of glass.
By leveraging Azure Arc ESU, you can reduce complexity, improve security, and increase efficiency.
With Azure Arc ESU, you can manage your entire infrastructure, including servers, databases, and applications, from a single console.
Getting Started
To get started with Azure Arc ESU, you'll need to plan and prepare to onboard your machines to Azure Arc-enabled servers.
First, check out the Prepare to deliver Extended Security Updates for Windows Server 2012 section to learn more about the process.
You'll also need the Contributor role in Azure RBAC to create and assign ESUs to Arc-enabled servers.
Licenses and Management
To create a new Azure Arc WS2012 or WS2012R2 ESU license, you'll need to log on to the Azure portal and search for "Azure Arc", then select "Azure Arc" from the search results.
The provisioning of ESU licenses requires you to attest to your SA or SPLA coverage, which can be done through Volume Licensing Programs like Enterprise Agreement (EA), Enterprise Agreement Subscription (EAS), Enrollment for Education Solutions (EES), or Server and Cloud Enrollment (SCE).
You can manage ESU licenses by signing in to the Azure portal, selecting "Azure Arc" and then "Extended Security Updates" in the left pane.
When you view all your Arc-enabled servers from the Servers page, a banner specifies how many Windows 2012 machines are eligible for ESUs.
You can select "View servers in Extended Security Updates" to view a list of resources that are eligible for ESUs, together with machines already ESU enabled.
To create a new WS2012 license, select "Create" and provide the required information to configure the license.
When creating a new license, you'll need to specify the SKU (Standard or Datacenter), type of cores (Physical or vCore), and number of 16-core and 2-core packs.
The cores associated with the license can be modified after provisioning.
You can also provision an Extended Security Update license in a deactivated state so that it won’t initiate billing or be functional on creation.
To link ESU licenses to Arc-enabled servers, select the "Eligible Resources" tab to view a list of all your Arc-enabled servers running Windows Server 2012 and 2012 R2.
The ESUs status column indicates whether or not the machine is ESUs-enabled.
To enable ESUs for one or more machines, select them in the list, and then select "Enable ESUs".
You can also create a license from this page by selecting "Create an ESU license" when selecting a license to link to the selected machine(s).
ESU Requirements and Use
To use ESUs enabled by Azure Arc, you must meet the following requirements: you must have a valid Windows Server license, your servers must be running Windows Server 2012 or Windows Server 2012 R2, and your servers must be connected to Azure Arc.
You can use ESUs enabled by Azure Arc in a variety of scenarios, including extending the time to migrate to a newer supported version of Windows Server, maintaining compliance, protecting critical systems, supporting legacy applications, and offering Capex flexibility.
To enable ESUs for your Windows Server 2012 and Windows Server 2012 R2 servers using Azure Arc, you'll need to connect your servers to Azure Arc, provision an ESU license for each server, and link the ESU licenses to your servers.
The Azure Connected Machine Agent must be version 1.34 or higher to utilize ESUs. You can check the version by running "azcmagent version" directly on the server from Windows PowerShell or the Command Prompt.
Here are the services included with WS2012 ESUs enabled by Azure Arc:
- Access to more Azure management services at no additional cost for enrolled servers
- Flexibility to evaluate and operationalize Azure's robust security, monitoring, and governance capabilities for your non-Azure infrastructure
- Delivering key value beyond the observability, ease of enrollment, and financial flexibility of WS2012 ESUs enabled by Azure Arc
To link ESU licenses to Arc-enabled servers, you can select one or more servers to link to an Extended Security Update license. Once linked, the server is eligible to receive Windows Server 2012 and 2012 R2 ESUs.
Pricing and Billing
With Azure Arc ESU, you have more flexibility in pricing, as it offers a pay-as-you-go subscription model, unlike the classic ESU which is purchased in yearly increments.
The total cost depends on your SKU and total number of cores, so it's essential to consider these factors when calculating your expenses.
ESUs can be purchased in two-core or sixteen-core packs in Azure, with monthly billing itemized on your Azure bill.
For eligible customers with active Software Assurance, ESUs can be purchased for on-premises Windows Server 2012 or Windows Server 2012 R2 servers, based on the number of cores in your servers.
Here's a breakdown of the billing associated with ESU licenses:
- License type: The billing associated with a license is specific to the edition of the provisioned license.
- Core modification: If cores are added to an existing ESU license, they're subject to back-billing and regularly billed from the calendar month in which they were added.
- Activation: Licenses are billed for their number and edition of cores from the point at which they're activated, and activation and reactivation are subject to back-billing.
- Deactivation or deletion: Licenses that are deactivated or deleted will be billed for up to five calendar days from the time of the change.
Pricing
Pricing for Extended Security Updates (ESUs) varies depending on the subscription model and the number of cores in your servers. You can choose between a pay-as-you-go model or a classic ESU model with yearly increments.
The pay-as-you-go model is available with Azure Arc, which offers more flexibility than the classic ESU model. You can learn more about the pricing for Arc-enabled Windows Server 2012 virtual machines on the official Microsoft website.
Pricing for ESUs is based on the number of cores in your servers and is sold in either two-core or sixteen-core packs in Azure. You can't purchase eight-core packs in Azure currently.
Billing for ESUs is monthly, and you'll see the charges itemized on your Azure bill.
Modification Billing
Modification billing is a crucial aspect of Azure Arc ESU licensing. You'll be charged for any changes made to your license, including adding or removing cores.
If you add cores to an existing ESU license, you'll be subject to back-billing for the time elapsed since the end of support (EOS). This means you'll be charged for the additional cores from the calendar month they were added.
The billing rate for your license will reflect the reduced number of cores within 5 days of any changes made to your license.
Licenses are billed for their number and edition of cores from the point of activation. Activation and reactivation are subject to back-billing, so be sure to keep track of your license status.
You'll be billed for up to 5 calendar days after deactivating or deleting a license. This is why it's essential to regularly review and manage your licenses to avoid unnecessary charges.
Here's a summary of the key points to keep in mind:
- Back-billing applies to changes made to your license, including adding or removing cores.
- Billing for additional cores starts from the calendar month they were added.
- The billing rate reflects the reduced number of cores within 5 days of any changes.
- Activation and reactivation are subject to back-billing.
- Deactivated or deleted licenses are billed for up to 5 calendar days.
Security and Updates
Azure Arc ESU provides a cost-effective way to extend security updates for Windows Server 2012 and 2012 R2 machines. This is especially important as they approach the end of their support lifecycle on October 10, 2023.
You can enroll your current Windows Server 2012/2012 R2 machines in Extended Security Updates (ESUs) through Azure Arc-enabled servers. This offers flexibility and enhances the deployment experience.
To enroll your on-premises VMs, you'll need to use Volume Licensing Programs via your Microsoft representative. This is the licensing method for on-premises VMs.
For Arc-enabled VMs, you can use physical core-based and virtual core-based licensing via the Azure portal. This is a pay-as-you-go subscription model, which is different from the annual pricing model for on-premises VMs.
Azure VMs, on the other hand, automatically enable ESU, and it's free of charge. This includes other Azure products such as Azure Dedicated Host, Azure VMware Solution, Azure Nutanix Solution, and Azure Stack (Hub, Edge, and HCI).
Here are the different ESU enrollment methods:
As an added benefit, Arc-enabled VMs also provide free access to Azure Update Manager, Azure Automation Change Tracking and Inventory, and Azure Policy Guest Configuration.
At-Scale and Server Connection
To connect your servers to Azure Arc, you'll need to follow these two steps: install the Azure Arc Connected Machine agent on your servers and register your servers with Azure Arc.
First, you'll need to install the Azure Arc Connected Machine agent on your servers. This is the foundation for connecting your servers to Azure Arc.
You can register your servers with Azure Arc by going to the Azure portal and clicking on Azure Arc, then Extended Security Updates. From there, you can create an ESU license instance with the option to activate it now or later.
Here are your options when creating your ESU license instance: Activate Now, which starts your billing cycle immediately, and Activate later, which gives you some adaptability to test without triggering billing or ESU activation.
At-Scale Policy
At-Scale Policy is a powerful tool for managing servers at scale. It allows you to apply policies to a targeted subscription or resource group for both auditing and management scenarios.
To enable Extended Security Updates (ESUs) license for Windows 2012 machines, consider using the built-in Azure policy "Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended (preview)".
This policy can be applied to ensure that Windows 2012 machines remain protected even after their support lifecycle has ended.
You can also use another built-in policy to deny Extended Security Updates (ESUs) license creation or modification, which is "Deny Extended Security Updates (ESUs) license creation or modification (preview)".
This policy is particularly useful for locking down license modification or creation to prevent any unauthorized changes.
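One way to assign the deny policy described above from PowerShell with the Azure CLI. This is an added example, not taken from the original page or from Microsoft's documentation. The scope and the assignment name are hypothetical placeholders, and the definition is looked up by the display name quoted on this page, which may change once the policy leaves preview.

```powershell
# Hypothetical scope: replace the placeholders with your own subscription and resource group.
$Scope = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'
# Display name exactly as quoted on this page (assumption: still current in your tenant).
$DisplayName = 'Deny Extended Security Updates (ESUs) license creation or modification (preview)'
# Hypothetical assignment name chosen for this example.
$AssignmentName = 'deny-esu-license-changes'

# Fetch all definitions as JSON and filter in PowerShell, which avoids
# quoting problems with parentheses inside a JMESPath query.
$defs  = az policy definition list --output json | ConvertFrom-Json
$match = @($defs | Where-Object {
    $_.policyType -eq 'BuiltIn' -and $_.displayName -eq $DisplayName
})
if ($match.Count -ne 1) {
    throw "Expected exactly one built-in definition named '$DisplayName', found $($match.Count)."
}
$def = $match[0]

# Refuse to assign blindly if the definition has parameters without defaults.
$required = @()
if ($def.parameters) {
    $required = @($def.parameters.PSObject.Properties |
        Where-Object { $null -eq $_.Value.defaultValue } |
        ForEach-Object { $_.Name })
}
if ($required.Count -gt 0) {
    throw "Definition needs values for: $($required -join ', '). Supply them with --params."
}

# Assign the policy at the chosen scope, then read the assignment back.
az policy assignment create --name $AssignmentName `
    --display-name 'Deny ESU license creation or modification' `
    --policy $def.name --scope $Scope --output none
if ($LASTEXITCODE -ne 0) { throw 'Policy assignment failed.' }

az policy assignment show --name $AssignmentName --scope $Scope --output table
```

Run it after `az login` with an account allowed to create policy assignments at that scope.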
Server Connection
To connect your servers to Azure Arc, you need to install the Azure Arc Connected Machine agent on your servers. This agent allows your servers to communicate with Azure Arc and receive updates.
First, ensure your servers meet the minimum version requirement of the Azure Connected Machine Agent, which is version 1.34 or higher. You can check the version by running "azcmagent version" directly on the server from Windows PowerShell or the Command Prompt.
Once the agent is installed, you can register your servers with Azure Arc. To do this, go to the Azure portal, click on Azure Arc, and then click on Extended Security Updates. From there, you can create a new ESU license instance, which will give you the flexibility to configure your patching solution of choice.
You have two options when creating your license instance: Activate Now, which starts your billing cycle immediately, or Activate later, which allows you to test without triggering billing or ESU activation.
Here's a quick rundown of the steps to connect your servers to Azure Arc:
- Install the Azure Arc Connected Machine agent on your servers.
- Register your servers with Azure Arc.
Remember to ensure your servers meet the minimum version requirement of the Azure Connected Machine Agent before proceeding.
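The version requirement stated here and in the ESU requirements section can be checked with a numeric comparison rather than by eye. This is an added example, not from the original page: the function names are hypothetical, the sample lines are constructed, and it assumes only that the output of "azcmagent version" contains a dotted version number.

```powershell
# Minimum Connected Machine agent version this page gives for ESU delivery.
$MinimumVersion = [version]'1.34'

function Get-ArcAgentVersion {
    param([string[]]$VersionOutput)   # lines printed by "azcmagent version"
    # Assumption: the output contains a dotted version number; take the first
    # one found instead of relying on the exact wording around it.
    foreach ($line in $VersionOutput) {
        if ($line -match '(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    }
    return $null
}

function Test-ArcAgentEsuReady {
    param([string[]]$VersionOutput)
    $found = Get-ArcAgentVersion -VersionOutput $VersionOutput
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        AgentVersion = $found
        # [version] compares each component as a number, so 1.4 sorts below 1.34;
        # a plain string comparison would get that case wrong.
        EsuReady     = ($null -ne $found) -and ($found -ge $MinimumVersion)
    }
}

# Live check on the local server, if the agent is installed.
if (Get-Command azcmagent -ErrorAction SilentlyContinue) {
    $live = & azcmagent version 2>&1 | ForEach-Object { "$_" }
    Test-ArcAgentEsuReady -VersionOutput $live
}
else {
    Write-Warning 'azcmagent not found: this server is not onboarded to Azure Arc.'
}

# Constructed sample outputs (not captured from real servers) covering the
# below-minimum, misleading-string-order, and at-minimum cases.
'azcmagent version 1.33.0.0', 'azcmagent version 1.4.0.0', 'azcmagent version 1.34.0.0' |
    ForEach-Object { Test-ArcAgentEsuReady -VersionOutput $_ } |
    Format-Table AgentVersion, EsuReady
```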
What's Next?
If you're stuck with outdated legacy systems and their operating systems, upgrading your workload to a newer and supported operating system is a good next step. This can be done through Azure Arc, which buys you time to say goodbye to your legacy systems.
You can also modernize to a PaaS or SaaS service, giving you more flexibility in your migration strategy. With ESUs through Azure Arc, you can terminate the ESU immediately when you're ready to modernize your estate.
Azure services like Azure Update Manager, Azure Automation Change Tracking and Inventory, and Azure Policy Guest Configuration are great options to explore. These services can help you manage and secure your systems more efficiently.
If you're new to Azure, your Azure Arc-enabled VMs are a great starting point. They allow you to familiarize yourself with what Azure has to offer and take advantage of its many features.
Here are some resources to help you get started:
- Extended Security Updates for SQL Server and Windows Server | Microsoft
- New options for Windows Server 2012/R2 end of support from Azure - Microsoft Windows Server Blog
- How to get Extended Security Updates (ESU) for Windows Server 2008, 2008 R2, 2012, and 2012 R2 | Microsoft Learn
- Connect Windows Server machines to Azure through Azure Arc Setup - Azure Arc | Microsoft Learn
Frequently Asked Questions
Is Azure Arc SaaS or PaaS?
Azure Arc is a PaaS (Platform as a Service) offering that allows you to deploy and manage Azure services on-premises and in multicloud environments. It provides a consistent platform for building, deploying, and managing applications across different environments.
What is Azure Arc used for?
Azure Arc is used for managing and governing servers and virtual machines across multiple environments, including on-premises and other cloud providers. It enables unified management of hybrid and multi-cloud infrastructure.
What are Azure Arc extended security updates?
Azure Arc Extended Security Updates (ESUs) provide a centralized management of security patching with a flexible, pay-as-you-go subscription model. This offers more flexibility compared to traditional ESU purchases through the Volume Licensing Center.
What is the Azure Arc extension?
The Azure Arc extension is a tool for creating and managing Azure Arc data services resources. It enables users to easily set up and manage these resources.