If your Windows Server 2012 servers that are Arc-enabled to receive their Extended Security Updates (ESU) aren’t receiving the updates there are some steps you can take to try and troubleshoot that issue.
This blog post will explore the steps needed to troubleshoot the issue.
Step 1 - Check the Azure Portal
The first step is to check the Azure portal to understand if the server has been assigned an ESU licence.
Head to https://portal.azure.com
Launch the Azure Arc blade.
Click on Machines down the left-hand side.
Azure Arc blade in the Azure portal
Find the server that isn’t receiving updates.
Click on the server name.
When the server information loads, check under capabilities to ensure ESU is Enabled.
If the server states that the ESU capability is Not Enabled , assign the correct ESU license to the server to enable it to receive updates.
If the server states that the ESU capability is Enabled, move on to the next troubleshooting step.
Step 2 - Check the Azure Arc version installed
The troubleshooting step to check is what version of the Azure Arc agent is installed.
The ESU capability was enabled on version 1.34 of the Azure Arc agent. That version or above needs to be installed on the server.
To check the version of the Arc agent log onto the affected server.
Launch a PowerShell command terminal and type in the following command:
azcmagent version
If the agent is below version 1.34, follow the upgrade processes to bring the agent to a higher level.
If the agent is level 1.34 or above move on to step 3.
Step 3 - Check the status of the Azure Arc agent
The next step is to ensure the Azure Arc agent is connected and working correctly as expected.
Launch a PowerShell command terminal and type in the following command:
azcmagent show
You are looking for two key pieces of information. The first one is the Agent status and Agent Last Heartbeat. They should state Connected and list a time or date close to your current time and date.
The second piece of information you are looking for is the Extended Security Updates Status. That should read as active.
If these areas report as connected and active, then move to troubleshooting step 4. If the areas reported something else, please go through the Azure Arc agent pre-requisite requirements to ensure the correct networking and firewall rules etc are in place as required. Also, check if the appropriate ESU license is assigned and active.
Step 4 - Check the registry
On the server, we want to confirm the registry setting is configured as it should. To do this click on the Windows icon , then search for regedit.
Check registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure Connected Machine Agent\ArcESU] "Enabled”
A value of 1 means that the machine can receive the latest Extended Security Update patches.
0 means the server is not enabled for Arc-based ESUs and won’t receive ESUs via that route.
Step 5 - Check patches
The server needs to be up to date with several patches installed, these are patches from previous updates, so if you’ve been keeping your servers up to these should already be there. However, it’s worth checking to ensure they have been installed.
- For Windows Server 2012 R2, you must have the servicing stack update (SSU) (KB5029368) that is dated August 8, 2023 or a later SSU installed. Also ensure the Extended Security Updates (ESU) Licensing Preparation Package dated August 10, 2022 (KB5017220) is installed.
- For Windows Server 2012, you must have the servicing stack update (SSU) (KB5029369) that is dated August 8, 2023 or a later SSU installed. Also ensure the Extended Security Updates (ESU) Licensing Preparation Package dated August 10, 2022 (KB5017221) is installed.
The issue is still there
If you’ve checked through all of these steps and you still have an issue my next suggestions would be:
- Investigate your method of applying updates, for example, is the connection between this server and the WSUS server working correctly?
- Uninstall and unregistering the server within Azure Arc and starting again from scratch might be a good idea, in case there is some kind of configuration that is blocking the updates from being applied.
- Log a support ticket with Azure support to offer advice.
Conclusion
By following these comprehensive troubleshooting steps, you can proactively address any challenges in the ESU update process, thereby enhancing the security posture of your Windows Server 2012 environments. Regularly monitoring and maintaining the ESU updates will contribute to a robust and resilient infrastructure, safeguarding your systems against potential vulnerabilities.
Top comments (0)