 Everyone, I'm Jason Lesnick and with me we've got Pornema and Arnav and today we're going to talk about keeping Windows Server 2012 R2 protected after end of servicing. We're going to talk about the different extended security options that are available to you, whether your servers are on Azure Arc managed on-prem or within Azure. So first off, what are extended security updates? Think of the ESU program as a bridge to complete your migration from a version of Windows Server, in this case 2012 R2, that has already reached end of service. And you need a little bit more time to take those servers and applications and migrate them to a newer version, hopefully the latest version of Windows Server 2022. And so with the ESU program, you can get up to three additional years of the monthly security updates. Now the ESU program is really designed as a last resort when you need more time to migrate to newer versions. Don't think of it as buying extra time to stay on a version of 2012 or 2012 R2. Think of it as getting extra time to move off. And so this is the best way to keep your organization as safe as possible while remaining on the older version of Windows Server. It provides you with the monthly patch Tuesday updates, but it does not replace the need to migrate as quickly as you can to Windows Server 2022. This session is going to talk about a few different types of options for licensing the ESU and deploying it. The first one is the standard ESU mechanism that we've had for Server 2008 NR2 and Windows 7 as well. Where you would get a 5x5 Mac key to activate on those servers. And it's mostly for the servers that are running either on-prem or in the cloud. Then there's the Azure Arc managed capabilities where you don't need Mac keys at all. And this is for servers that are running on-prem, but you're going to connect up to Azure Arc. And then finally, if you have Windows servers that are running in virtual machines running in Azure, will we make it easier for that as well too? No additional charge. So let me introduce Arnolf and he's going to go and talk about how to manage Windows Server 2012 and 2012 R2 ESUs enabled by Azure Arc. Awesome. Thanks for the overview of different options customers have to onboard their servers to extended security updates. One of those options you mentioned are ESUs enabled by Azure Arc. ESUs through Azure Arc really are about taking the ESU delivery mechanism and making it a cloud-centric delivery option. As you consider migrating your servers to Azure, we have free access to extended security updates. So what are some of the differentiation points of this new offer for ESUs enabled by Azure Arc? Well, first, you have the flexibility of billing through a pay-as-you-go model. So as you decommission or migrate modernized workloads in the middle of the year, you have the benefit of pay-as-you-go flexibility. Additionally, you're able to apply Azure consumption discounts. This is an Azure build service and document for your Microsoft Azure consumption commitments in Mac. Additional benefits include access to the robust Azure management capabilities that Arc enabled servers benefit from. And some of these are included at no additional cost for your servers enrolled in ESUs through Arc. That includes Azure Update Manager, which is the Azure centralized patch assessment delivery mechanism, change tracking inventory, and machine configuration, which allows for comprehensive security baselines, auditing, desired state configuration, and more, as I'll show you. Finally, ESUs enabled by Azure Arc improve your usage compliance visibility and ease of enrollment. We centralize your entire Windows Server 2012 estate connected to Arc, including their ESU status, their patch status, and of licenses that can be easily transferred, tagged, and built from an auditing perspective. Now, ESUs enabled by Azure Arc came in as a new offering just last October, and many customers had already purchased your one of ESUs through volume licensing. A key question that we see coming up with our customers is, how do you transition from your one of ESUs on volume licensing to ESUs enabled by Arc going forward? We're excited to announce that we're going to offer a transition path for those customers. If you've already purchased your one of ESUs from VR, you're going to be able to switch to Arc for year two and beyond. And in this process, you'll be able to attest to having purchased your one of ESUs supplying your invoice ID for your previous purchase to have billing commenced from October 10th, 2024, giving you flexibility for year two and beyond. As you prepare for this option, you can review our networking guidelines and start connecting your machines to Azure Arc, as I'll show today in a demo. So let's get after it and show 2012 R2 ESUs enabled by Azure Arc in action with the demo live from Azure Portal. Here, we're logged into Azure Portal and we're in the landing zone of Azure Arc. What I'll showcase is how you can onboard your servers through Windows Server 2012 R2 standard and data center servers to Azure Arc to start leveraging the capabilities and enrollment in ESUs. What you do is first go to your machines page on the Azure Portal and you're going to provision an Azure Arc enabled server. What this entails is running a script on your Windows Server 2012 R2 machines and that's going to establish a connection to Azure and create a projection in the Azure management plane to represent your on-prem or your multi-cloud Windows server instance. So here, for example, we can specify subscription, a resource group where we'd like to land our server, a region for our Arc enabled resource, and a connectivity method. We support connectivity either through public internet or through proxy server and private link express route for your Arc enabled servers. As you generate this onboarding script, you can go ahead, you can include tagging for your servers, and finally you can go to download and running your script. When you're ready for that final stage to go ahead and download and run your script, you'll have the flexibility to run this not just using our single server onboarding capability, but also using multi-server onboarding capability. So we're going ahead here and we are selecting our region and then we can go ahead next, clicking ahead and have our script we're able to download. We're able to use PowerShell to run that script and that's going to install our connected machine agent establishing connection to Azure. But it's also going to give you the flexibility to do tagging and deploy to other Azure management services as well. You can run the script one by one using PowerShell and an interactive device logon, but you can also add scripts at scale. We have a multi-server onboarding experience where you can use tools like system center configuration manager or Ansible or group policy to deploy your servers at scale. So that's the first step. You onboard your servers to Azure Arc through the deployment of the connected machine agent and their enrollment. Next, you're going to go ahead and see those Arc-enabled servers and their status for ESUs. Here we see a bunch of Windows Server 2012 machines including their ESU enrollment status and all of these are on-prem or multi-cloud, off-Azure servers whose status we see. What we're going to do to enroll them in ESUs is actually provision an Arc-ESU license directly from Azure portal. So we're going to go here. We're going to select a resource group just like we did before and we're going to give it a name. For example, we can say ESU license test one just for our example. We'll choose to activate now and then we can specify activation details. We can specify standard or data center addition and physical core or virtual cores including the number of cores we're going to include for that license. For example, I can hear provisioning at 16 virtual core, standard addition ESU license. I have clear visibility into my cost including their monthly rates. Finally, I can attest to having SA, having the rights for creation of the ESU license and I can go ahead and provision that ESU license. Voila! I've created an ESU license and that's going to show up in Azure class management and billing. The next step for enrollment in ESUs is actually linking that license to provisioned Arc-enabled server. I simply select an Arc-enabled server. I click enable ESUs and then I'm able to select based off of the core type of a license, the specific license that I'd like to integrate with. Here I can pick from an existing license. I can go ahead and click enable and I'll be able to successfully enroll that server into extended security updates. Beyond getting these ESU patches, I also have the flexibility to use other Azure management capabilities and no additional cost for those servers enrolled in extended security updates. So for example, here I am in Azure Update Manager, the centralized patch assessment and patch delivery through Azure. And I'm able to see my machines, my updates data, pending data at no additional cost for those Arc-enabled instances. Moreover, I can leverage capabilities like guest configuration where I can assign guest assignments including security policies, auditing, etc. on my Arc-enabled servers again for no additional cost. Beyond these included free services, once your servers have been onboarded to Azure Arc, you also have the flexibility to start leveraging additional Azure management capabilities like Microsoft Defender for Cloud, which offers cloud security posture management and workload protection. Really critical as you think about not just the ESU critical security patch piece, but the broader security posture management workload protection you're extending for and support infrastructure. With that, it's a wrap on just some of the capabilities of Windows Server 2012 ESUs enabled by Azure Arc. I'm excited to hand it off to Pranima, who's going to share more about some of the nuances and deployments on deploying ESUs to volume licensing. Thank you, Arnav, for demoing how to enable Arc on the Windows Server 2012 R2 devices. In today's presentation, I'm going to show how to deploy the ESU add-on key and activate it on the Windows Server 2012 R2 devices. To get your servers ready for the ESU, you have to follow three simple steps. The first one is to get the latest security updates. The second step is to install the add-on key, and then the third step is to get it tested. Before you can install the ESU key, you'll have to install some prerequisites packages that include licensing update package and the servicing stack update package. These packages are available on the normal Windows Update channel. They are Windows Update, Catalog, and WSS. The KB numbers are listed here in the slide, and you can also find them in my public blog as well. The KB numbers listed here are also applicable for Server 2012 R2 embedded devices. If you are using any patch management software such as SCCM or any other software, you can continue to get these updates in a normal workflow. To deploy the ESU key, there are a couple of options. First, you can use the SLMGR or the partial script. For small businesses, this may be convenient. If you are an enterprise with many devices that need to be enabled for ESU, then volume activation management tool might be a good option. VA MT tool ships as part of ADK. It allows you to do both online activation and the proxy activation. On Azure, if you are running your Windows Server 2012 R2 VMs, they don't need the ESU key to be deployed. They will get the ESU updates for free. ESU updates are also available without the keys on Azure Stack, HCI, 21H2, and later as well. Finally, if you want to test your deployment, you can get one of the latest security updates that are available on the website, and then check your normal workflow of your Windows Update history page for any errors. I'll move on to the demos. I'll give three demos. The first one is how to deploy and activate the ESU key using SLMGR. I'll also show the online activation with volume activation management tool and also proxy activation offline with VA MT. In this demo, I'll show how to install and activate ESU key using SLMGR. I open an elevated command prompt type SLMGR DLB command. It shows the licensing details. I type in SLMGR slash IPK command. This command is the same for command prompt and PowerShell. I get the ESU key and apply. Now, ESU key is successfully installed. If you do the DLB command, it shows ESU A1 key is installed, but the license status is unlicensed. I need to fix it. I type in SLMGR slash ATO command. Put the activation ID, which you can get it from my public blog or using DLB command. Now, the ESU key is successfully installed and activated. If you do DLB command one more time, the license status is also shown as licensed and activated as well. This is how you install and activate the ESU key using SLMGR command. In this demo, I'll show how to install and activate ESU key using volume activation management tool. I have two demo VMs here, demo 10 and my demo 11 machines running Windows Server 2012 R2. I have my volume activation management tool installed as well. First, I will go try to find my two demo machines, demo 10 and my demo 11 machines. Once I find these two machines in my VAMG tool, I right click, check for license status. I get an error unable to connect to WMI service. I need to fix this error. I go to firewall.cpl app, enable WMI on my demo 10 machine. I also need to do the same on my demo 11 machine as well. I enable WMI on both my demo machines, right click. Now I update the license status. Now it's successfully updated. The next step is to install the ESU product key. I select those two VMs, install product key. I select the ESU product key, hit install ESU key. Now you can see the ESU key is installed successfully. The license status is still unlicensed for the ESU product key. Now I select those two machines, activate. Now you can see the VMs are also successfully activated. This is how you install and activate the ESU product key using the VAMG tool. In this demo, I'll show how to install and activate ESU key on my two client machines that are not internet connected using VAMG offline or proxy activation. The steps are really simple. The first step is to install the ESU product key on the devices that are not connected to internet. Get the installation IDs into a .clx file. Take it to the VAMG online machine. Get the confirmation IDs and bring the CILX file back to the VAMG offline host and hit the activation. So let's walk through these steps here in the demo. I have two client VMs, VAMG offline, VAMG offline machine here. It is not connected to internet. I have my demo 8 machine, which is not connected to internet. I have my demo 9 machine, which is not connected to internet as well. Now I come back to my VAMG tool. I identify my demo machines, demo 8 and 9 using their names. I'm able to find those two machines. Now I'll try to update the license status. I get an error saying unable to connect to WMI. I need to fix it. I go to firewall.cpl app, enable WMI on my demo 8 machine. I also need to do the same step of enabling WMI on my demo 9 machine as well. After I do this, I come back, update license status. This time, the license status was successfully updated. Now I need to install the ESU product key. I select the ESU product key, hit the install key button. ESU key is successfully installed. Now I hit the export list button. I export the installation IDs into a .cilx file. Proxy activation data is successfully exported to my .cilx file. Now I copy the file into a network share. This is an internal network share which we are accessing, and it's not an external network. Internal network share is on the VAMT host machine. I copy over my .cilx file into my VM. Come back to the VMT online host, import the .cilx file there. After I import, you can see that the file has the installation IDs in it. Now right click, I get the confirmation IDs into the same file. I got the confirmation IDs into the same file, and I verify that I have both the installation ID and the confirmation ID in the file. I copy that file over to my network share and come back to my VMT offline host. I'll do an import of that .cilx file. Now the data import is successful. I right click on my demo 8 and demo 9 machines and hit activate and apply confirmation ID. Now you can see the confirmation IDs are successfully applied on those two VMs. If you do SLMGRDLV, you can see the add-on key is successfully installed and licensed as well. This is how you install and activate the ESU key using proxy activation. So let's cover just a couple quick frequently asked questions. How can I obtain ESU licenses? You have three options for licensing ESU for Windows Server 2012 and 2012 R2. The first one is through Azure VMs. If you're running those servers in virtual machines on Azure, it happens automatically and it's at no additional charge. It could be via Azure Arc with ESU enabled by Azure Arc licenses. Finally, through volume licensing, you can acquire ESU licenses through the 5x5 MAC key through the volume licensing program. For maximum flexibility and convenience, we do recommend using Azure Arc. You can acquire the ESU licenses either directly from Microsoft or from your partner, such as an enterprise agreement reseller or a cloud solution provider. What other products are part of the ESU? It's really important to understand that when you get an ESU for Windows Server 2012 or 2012 R2, no other products actually are part of the ESU. However, .NET versions that were in support for Server 2012 or 2012 R2 will still provide updates. And if you're using those servers in a system-centered configuration manager environment, those servers can continue to be managed as clients through SCCM, assuming you are using the most current version of SCCM. Server roles running on those servers are not supported. And also Microsoft Edge is not supported through the 2012 or 2012 R2 ESU program itself. Finally, are ESUs part of unified support? They are not. ESU licenses are not part of any support agreement. They are a separate purchase. We'll leave you with some additional resources with documentation on the web that you can search up. We hope you've enjoyed this session and this will help you deploy the ESU on your road to migrating off of Windows Server 2012 and 2012 R2. Thank you.