DEV Community

Sarah Lean 🏴󠁧󠁢
Sarah Lean 🏴󠁧󠁢

Posted on • Originally published at techielass.com

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates

If your Windows Server 2012 servers that are Arc-enabled to receive their Extended Security Updates (ESU) aren’t receiving the updates there are some steps you can take to try and troubleshoot that issue.

This blog post will explore the steps needed to troubleshoot the issue.

Step 1 - Check the Azure Portal

The first step is to check the Azure portal to understand if the server has been assigned an ESU licence.

Head to https://portal.azure.com

Launch the Azure Arc blade.

Click on Machines down the left-hand side.

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates
Azure Arc blade in the Azure portal

Find the server that isn’t receiving updates.

Click on the server name.

When the server information loads, check under capabilities to ensure ESU is Enabled.

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates
Azure Arc machine status

If the server states that the ESU capability is Not Enabled , assign the correct ESU license to the server to enable it to receive updates.

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates
Azure Arc machine status

If the server states that the ESU capability is Enabled, move on to the next troubleshooting step.

Step 2 - Check the Azure Arc version installed

The troubleshooting step to check is what version of the Azure Arc agent is installed.

The ESU capability was enabled on version 1.34 of the Azure Arc agent. That version or above needs to be installed on the server.

To check the version of the Arc agent log onto the affected server.

Launch a PowerShell command terminal and type in the following command:

azcmagent version

Enter fullscreen mode Exit fullscreen mode

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates
Check Azure Arc version

If the agent is below version 1.34, follow the upgrade processes to bring the agent to a higher level.

If the agent is level 1.34 or above move on to step 3.

Step 3 - Check the status of the Azure Arc agent

The next step is to ensure the Azure Arc agent is connected and working correctly as expected.

Launch a PowerShell command terminal and type in the following command:

azcmagent show

Enter fullscreen mode Exit fullscreen mode

You are looking for two key pieces of information. The first one is the Agent status and Agent Last Heartbeat. They should state Connected and list a time or date close to your current time and date.

The second piece of information you are looking for is the Extended Security Updates Status. That should read as active.

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates
Azure Arc agent status

If these areas report as connected and active, then move to troubleshooting step 4. If the areas reported something else, please go through the Azure Arc agent pre-requisite requirements to ensure the correct networking and firewall rules etc are in place as required. Also, check if the appropriate ESU license is assigned and active.

Step 4 - Check the registry

On the server, we want to confirm the registry setting is configured as it should. To do this click on the Windows icon , then search for regedit.

Check registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure Connected Machine Agent\ArcESU] "Enabled”

Troubleshoot Windows Server 2012 Arc-enabled servers not receiving updates
Azure Arc registry settings

A value of 1 means that the machine can receive the latest Extended Security Update patches.

0 means the server is not enabled for Arc-based ESUs and won’t receive ESUs via that route.

Step 5 - Check patches

The server needs to be up to date with several patches installed, these are patches from previous updates, so if you’ve been keeping your servers up to these should already be there. However, it’s worth checking to ensure they have been installed.

  • For Windows Server 2012 R2, you must have the servicing stack update (SSU) (KB5029368) that is dated August 8, 2023 or a later SSU installed. Also ensure the Extended Security Updates (ESU) Licensing Preparation Package dated August 10, 2022 (KB5017220) is installed.
  • For Windows Server 2012, you must have the servicing stack update (SSU) (KB5029369) that is dated August 8, 2023 or a later SSU installed. Also ensure the Extended Security Updates (ESU) Licensing Preparation Package dated August 10, 2022 (KB5017221) is installed.

The issue is still there

If you’ve checked through all of these steps and you still have an issue my next suggestions would be:

  • Investigate your method of applying updates, for example, is the connection between this server and the WSUS server working correctly?
  • Uninstall and unregistering the server within Azure Arc and starting again from scratch might be a good idea, in case there is some kind of configuration that is blocking the updates from being applied.
  • Log a support ticket with Azure support to offer advice.

Conclusion

By following these comprehensive troubleshooting steps, you can proactively address any challenges in the ESU update process, thereby enhancing the security posture of your Windows Server 2012 environments. Regularly monitoring and maintaining the ESU updates will contribute to a robust and resilient infrastructure, safeguarding your systems against potential vulnerabilities.

Top comments (0)