No Updates for 2012 R2 Servers activated with ESU activated through Azure Arc

Sai 15

We have two Windows Server 2012 R2 servers which have ESU activated through Azure Arc but no updates are being detected for November patches. I've read through the troubleshooting info and everything looks to be setup correctly. Any ideas on why they're not picking up the updates?

John R 0 Reputation points

2023-11-17T21:29:22.3466667+00:00

We're experiencing the same issue. Here's a potential workaround that other users reported as working for them, and which worked on one of our test systems so far.

Install these long-superseded updates (as appropriate):
2022-08 Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2012 for x64-based Systems (KB5017221)

2022-08 Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2012 R2 for x64-based Systems (KB5017220)

...then have the impacted system check for updates again.
Sai 15 Reputation points

2023-11-17T21:33:19.65+00:00

Yeah, checked to ensure that package was installed as part of my troubleshooting. Still no luck even with it installed.
Sai 15 Reputation points

2023-11-17T21:35:54.3066667+00:00

Yea, I confirmed that package was installed already. Still no luck
abbodi86 3,891 Reputation points

2023-11-20T17:53:32.8933333+00:00
Install / Update Azure Connected Machine Agent v1.34 or later

Confirm the appropriate ESU license entitlements is configured with Azure Arc

Install ESU Prepartion Package: KB5017220 for Server 2012 R2 - KB5017221 for Server 2012

Install 2023-08 Servicing Stack Update, or later SSU: KB5029368 for Server 2012 R2 - KB5029369 for Server 2012

Confirm the following registry value exist and set to 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure Connected Machine Agent\ArcESU] "Enabled"=dword:00000001
Sai 15 Reputation points

2023-11-20T17:59:39.6+00:00

I've gone through all those steps except for checking the registry value but still not luck.

Machine agent is on 1.36

ESU activated and assigned to both machines

Prep package is installed

Servicing stack update is installed

Confirmed registry value exists and set to 1
Derek G. Yarrington 5 Reputation points

2023-11-21T00:47:26.3566667+00:00

I have the same problem as Sai but specifically for KB5032249. Seeing a lot of the same reports in forums too.
SwathiDhanwada-MSFT 18,766 Reputation points

2023-11-21T04:06:50.2766667+00:00

Sai Thanks for reporting this. I am checking internally with the team and will share an update soon.
SwathiDhanwada-MSFT 18,766 Reputation points

2023-11-21T04:58:23.7833333+00:00

Sai Derek G. Yarrington abbodi86 John R Product team is aware of this issue and working towards to fix this. We currently don't have an ETA yet. As soon as I receive an update on this, will post an update here. Apologies for the inconvenience caused.
David Olney 5 Reputation points

2023-11-23T09:42:12.9433333+00:00

I have exactly the same issue.

Windows 2012 R2 with ESU purchased through Azure ARC. Its consistent across all our machines so would seem a bug more than a configuration issue as it won't detect the update through SCCM or Windows Update. Interestingly if you try to install the November update manually it works.

I have had a case open with Microsoft for the last week but have so far not managed to resolve the issue.
Jeremy Brooks 0 Reputation points

2024-01-03T15:40:37.03+00:00

Picking up on where various people have left off, as having a similar issue, where have setup Arc agent, and the SSU and the licencing package, rebooted the server and still not picking up options for updates, but if I try Windows Update on the server, and change to go online for updates, it detects various updates, and I can download and install them

1 answer

SwathiDhanwada-MSFT 18,766 Reputation points

2023-11-21T16:29:07.0866667+00:00

Sai Derek G. Yarrington abbodi86 John R The information related to this patch is documented here. Sharing the same information below.

Ensure that both the licensing package and SSU are downloaded for the Azure Arc-enabled server as documented at KB5031043: Procedure to continue receiving security updates after extended support has ended on October 10, 2023.

If installing the Extended Security Update enabled by Azure Arc fails with errors such as "ESU: Trying to Check IMDS Again LastError=HRESULT_FROM_WIN32(12029)" or "ESU: Trying to Check IMDS Again LastError=HRESULT_FROM_WIN32(12002)", there is a known remediation approach:

Download this intermediate CA published by Microsoft.

Install the downloaded certificate as Local Computer under Intermediate Certificate Authorities\Certificates. Use the following command to install the certificate correctly:

certutil -addstore CA 'Microsoft Azure TLS Issuing CA 01 - xsign.crt'

Install security updates. If it fails, reboot the machine and install security updates again.

If you have other issues receiving ESUs after successfully enrolling the server through Arc-enabled servers, or you need additional information related to issues affecting ESU deployment, see Troubleshoot issues in ESU.

If there are further updates on this issue, I will post it here.
Please sign in to rate this answer.
Sai 15 Reputation points

2023-11-21T17:52:21.67+00:00

There were no error messages when installing the licensing package and SSU so would this remediation approach still apply?

SwathiDhanwada-MSFT 18,766 Reputation points

2023-11-22T04:11:05.7366667+00:00

Sai I am checking that with product team. Meanwhile can you please tell me if you are using Public cloud or Gov Cloud ?

Sai 15 Reputation points

2023-11-22T18:17:36.73+00:00

We're using the tenant provided through our M365 GCC account which I assume is still public cloud?

SwathiDhanwada-MSFT 18,766 Reputation points

2023-11-23T13:08:20.6366667+00:00

Sai Thank you for providing the information. Regarding your earlier question, I still haven't received response from product team. I will share the updates as soon as I receive a response from PG team.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

No Updates for 2012 R2 Servers activated with ESU activated through Azure Arc

1 answer

Your answer