 Welcome to this IT Ops Talk video. My name is Oren Thomas and I am a Principal Hybrid Cloud Advocate at Microsoft. In this video, you'll learn how to understand the role of ESU in supporting Windows Server beyond the end of extended support. Enable ESU on Windows Server with Azure Arc. Use multiple activation keys to enable ESU for non-arc enabled servers. Create and allocate ESU licenses for Arc enabled servers. The Windows Server 2012 R2 operating system is beyond the end of Microsoft's extended support period. Imagine that your organization presently doesn't have the resources to migrate the workloads hosted on Windows Server 2012 R2 to new servers running Windows Server 2022. As a stopgap measure, you'd like to take advantage of the extended security update ESU program for the Windows Server operating system. When you enable extended security updates, your organization will have access to several years of update support beyond Microsoft's existing extended support window. Enabling ESUs provides your organization with time to migrate workloads to a new Windows Server platform. Extended security updates ESUs for Windows Server include security updates and bulletins rated critical and important for a maximum period of time from the end of extended support, depending on the version of Windows Server. ESUs don't include new features, customer requested non-security hotfixes, or design change requests. ESUs are available free of charge for servers hosted in Azure, and available to purchase for servers not hosted in Azure. The extended security update ESU program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. Windows Server long-term servicing channel LTSC has a minimum of 10 years of support, five years for mainstream support, and five years for extended support, which includes regular security updates. When you get the extended security updates, depends on which version of Windows Server you're using and where it's hosted. The table on the screen shows the ESU duration and end date for a variety of Windows Server operating systems. After the period of extended security updates ends, Microsoft will stop providing updates. One of the aims of the ESU program is to get customers to migrate workloads to a newer version of Windows Server rather than to stay on older editions in perpetuity. How you get ESUs depends on where your server is hosted. You can get access to ESUs through the following options, as your virtual machines, as your Arc-enabled servers, and not as your physical or virtual computers, as your virtual machines. Virtual machines hosted in Azure or on Azure Stack HCI running versions of Windows Server where ESUs are available are automatically enabled for ESUs. These updates are provided free of charge. There's no need to deploy a multiple activation key MAK or take any other action. Extended security updates are also free of charge in other Azure products such as Azure Dedicated Host, Azure VMware Solution, and Windows Server VMs hosted on Azure Stack, Hub, Edge, and HCI. Customers in these environments should contact Microsoft support for assistance, as your Arc-enabled servers. If your servers are on-premises or in a hosted environment, you can enroll your Windows Server 2012 and 2012 R2 or SQL Server 2012 machines for extended security updates via the Azure portal. Connect through Azure Arc and you'll build monthly via your Azure subscription. You can also enroll programmatically at scale through as your CLI, ARM APIs, or Azure Policy, non-Azure physical and virtual machines. If you cannot connect using Azure Arc, use extended security updates on non-Azure VMs by using a special multiple activation key MAK and applying it to the relevant servers. This special MAK key lets the Windows update servers know that you can continue to receive security updates. ESUs are automatically delivered to Azure Arc-enabled servers if they're connected and enrolled for ESUs through Azure Arc. You can enroll in ESUs at scale by using Azure Policy or the Azure portal. Once enabled, you'll build monthly via your Azure subscription. When you use this method, there is no need to activate special product keys. Customers who cannot connect to Azure Arc to apply ESUs can use multiple activation keys MAK through Microsoft 365 Admin Center. With some versions of Windows Server, you may need to install the servicing stack update and extended security updates licensing preparation package that are available from the Microsoft download center before they can be enabled for ESUs. Activation occurs over the internet. For computers that are unable to directly communicate with the internet, you can activate ESUs using the volume activation management tool VAMT in conjunction with event ESU configuration file. ESU updates can be delivered through Update Manager, Windows Server Update Services, Microsoft Updates, Microsoft Endpoint Configuration Manager or third party patch management solutions. Windows Server 2012 and 2012 R2 extended security updates are available at no additional charge on Azure Stack HCI. Windows Server 2012 and 2012 R2 servers running on Azure Stack HCI can be enrolled in extended security updates using PowerShell. You use the extended security updates section of the Azure Arc page of the Azure portal to create ESU licenses that you can then assign to Arc-enabled servers. The licenses tab of this page is shown on the screen. This page shows two different licenses, standard edition license and the data center edition license. There are also a different number of license cores and core types visible on this page. To provision an ESU license, you select the create ESU license option on this page. When performing this step specify the Windows Server SKU either standard or data center, type of cores either physical or virtual, number of 16 core and two core packs. If you choose to license based on physical cores, the licensing requires a minimum of 16 physical cores per license. If you choose to license based on virtual cores, the licensing requires a minimum of eight virtual cores per virtual machine. Licensing virtual cores is appropriate for scenarios where you may be running the VM on a third party host or on a third party cloud. Virtual cores are also an appropriate choice when running Windows Server 2012 and 2012 RA2 VMs on versions of Windows Server that are still subject to mainstream or extended support. If you're licensing a server used for virtualization, the standard licensing can be applied to up to two hosted virtual machines whilst data center licensing has no limit to the number of VMs it can be applied to. Depending on the number of VMs hosted on the virtualization server, it may make sense to choose the data center license instead of the standard license. You have the option of provisioning extended security update licenses in a deactivated state so that they don't incur billing from creation. You can then activate these licenses when you're ready to provision them. You are also able to modify the number of cores associated with the license after provisioning. To link an existing ESU license to an Arc-enabled server, select the eligible resources tab in the extended security updates section of the Azure Arc page in the Azure portal. This page is shown on the screen. Select the Arc-enabled computers for which you wish to enable ESUs and then choose enable ESUs. On the enable extended security updates page shown on the screen, choose the ESU license that you wish to allocate to each computer. If you haven't already created the ESU licenses, you can also create a new ESU license when performing this step. The extended security update program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. Virtual machines hosted in Azure or on Azure Stack HCI running versions of Windows Server where ESUs are available are automatically enabled for ESUs. If your servers are on-premises or in a hosted environment, you can enroll your Windows Server 2012 and 2012 R2 or SQL Server 2012 machines for extended security updates via the Azure portal. Connect through Azure Arc and you'll be billed monthly by your Azure subscription. If you cannot connect using Azure Arc, use extended security updates on non-Azure VMs by using a special multiple activation key MAK and applying it to the relevant servers. This special MAK key lets the Windows update servers know that you can continue to receive security updates. You can find out more about managing ESUs on learn.Microsoft.com by following the links in the video description. My name is Oren Thomas. Thank you for your attention and I hope you found this video informative and useful.