articles/azure-arc/servers/includes/esu-network-requirements.md (2 additions & 2 deletions)
@@ -17,7 +17,7 @@ If you are using Azure Arc-enabled servers only for the purpose of Extended Secu
17
17
|`management.azure.com`|Azure Resource Manager - to create or delete the Arc server resource|When connecting or disconnecting a server, only| Public, unless a [resource management private link](../../../azure-resource-manager/management/create-private-link-access-portal.md) is also configured |
18
18
|`*.his.arc.azure.com`|Metadata and hybrid identity services|Always| Private |
19
19
|`*.guestconfiguration.azure.com`| Extension management and guest configuration services |Always| Private |
20
-
|`microsoft.com/pkiops/certs`|Certificate download for ESUs | ESUs enabled by Azure Arc | Public |
20
+
|`www.microsoft.com/pkiops/certs`|Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443)| ESUs enabled by Azure Arc | Public |
21
21
|`san-af-<region>-prod.azurewebsites.net`| Azure Arc data processing service| SQL Server ESUs | Public|
22
22
23
23
#### [Azure Government](#tab/azure-government)
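Review bot: the new row is the only one in this table that states ports, and it does so inside the Description cell; every other row reads as HTTPS/443 only, so the TCP 80 requirement for `www.microsoft.com/pkiops/certs` is easy to miss when someone copies the hostnames into a firewall allow list. Consider putting the ports in the article's port column if it has one, or in a sentence above the table, instead of a parenthetical. The hostname correction itself (`microsoft.com` to `www.microsoft.com`) matches the download links used in the troubleshooting article changed in this same PR.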
@@ -30,7 +30,7 @@ If you are using Azure Arc-enabled servers only for the purpose of Extended Secu
30
30
|`management.usgovcloudapi.net`|Azure Resource Manager - to create or delete the Arc server resource|When connecting or disconnecting a server, only| Public, unless a [resource management private link](../../../azure-resource-manager/management/create-private-link-access-portal.md) is also configured |
31
31
|`*.his.arc.azure.us`|Metadata and hybrid identity services|Always| Private |
32
32
|`*.guestconfiguration.azure.us`| Extension management and guest configuration services |Always| Private |
33
-
|`microsoft.com/pkiops/certs`|Certificate download for ESUs | ESUs enabled by Azure Arc | Public |
33
+
|`www.microsoft.com/pkiops/certs`|Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443)| ESUs enabled by Azure Arc | Public |
34
34
35
35
#### [Microsoft Azure operated by 21Vianet](#tab/azure-china)
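Review bot: the Azure Government table gets the same row update, but the hunk ends at the `#### [Microsoft Azure operated by 21Vianet](#tab/azure-china)` heading and the diff shows no change under that tab. If the 21Vianet table also lists the old `microsoft.com/pkiops/certs` row it needs the same `www.` and port fix; if that cloud has no ESU PKI row, saying so in the PR description would make the asymmetry clearly intentional.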
articles/azure-arc/servers/includes/network-requirements.md (4 additions & 4 deletions)
@@ -40,7 +40,7 @@ The table below lists the URLs that must be available in order to install and us
40
40
41
41
> [!NOTE]
42
42
> When configuring the Azure connected machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The **Endpoint used with private link** column in the following table shows which endpoints can be configured with a private endpoint. If the column shows *Public* for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function.
43
-
>
43
+
44
44
| Agent resource | Description | When required| Endpoint used with private link |
45
45
|---------|---------|--------|---------|
46
46
|`aka.ms`|Used to resolve the download script during installation|At installation time, only| Public |
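Review bot: the removed line is an empty `>` continuation that kept the `[!NOTE]` block open; replacing it with a blank line closes the note before the table, which is what the renderer needs. No text changes here, so nothing else to check.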
@@ -60,7 +60,7 @@ The table below lists the URLs that must be available in order to install and us
60
60
|`dc.services.visualstudio.com`|Agent telemetry|Optional, not used in agent versions 1.24+| Public |
61
61
|`san-af-<region>-prod.azurewebsites.net`| Azure Arc data processing service | For SQL Server enabled by Azure Arc. The Azure Extension for SQL Server uploads inventory and billing information to the data processing service. | Public |
62
62
|`telemetry.<region>.arcdataservices.com`| For Arc SQL Server. Sends service telemetry and performance monitoring to Azure | Always | Public |
63
-
|`microsoft.com/pkiops/certs`|Certificate download for ESUs |ESUs enabled by Azure Arc | Public |
63
+
|`www.microsoft.com/pkiops/certs`|Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) |ESUs enabled by Azure Arc | Public |
64
64
65
65
> [!NOTE]
66
66
> To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>`. Within this command, the region must be specified for the `<region>` placeholder.
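Review bot: the `(note: uses HTTP/TCP 80 and HTTPS/TCP 443)` parenthetical sits in the Description cell while no other row in this table mentions ports, so a reader building an allow list from the hostnames alone will open 443 and miss the plain-HTTP fetch; consider surfacing TCP 80 in the port column or in the text above the table. Separately, the unchanged context line below this hunk has a stray backslash in `\GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<region>`; since this table is being touched anyway, dropping that backslash would fix a copy-paste failure readers hit when they run the command.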
@@ -71,7 +71,7 @@ The table below lists the URLs that must be available in order to install and us
71
71
72
72
> [!NOTE]
73
73
> When configuring the Azure connected machine agent to communicate with Azure through a private link, some endpoints must still be accessed through the internet. The **Endpoint used with private link** column in the following table shows which endpoints can be configured with a private endpoint. If the column shows *Public* for an endpoint, you must still allow access to that endpoint through your organization's firewall and/or proxy server for the agent to function.
74
-
>
74
+
75
75
| Agent resource | Description | When required| Endpoint used with private link |
76
76
|---------|---------|--------|---------|
77
77
|`aka.ms`|Used to resolve the download script during installation|At installation time, only| Public |
@@ -84,7 +84,7 @@ The table below lists the URLs that must be available in order to install and us
84
84
|`*.guestconfiguration.azure.us`| Extension management and guest configuration services |Always| Private |
85
85
|`*.blob.core.usgovcloudapi.net`|Download source for Azure Arc-enabled servers extensions|Always, except when using private endpoints| Not used when private link is configured |
86
86
|`dc.applicationinsights.us`|Agent telemetry|Optional, not used in agent versions 1.24+| Public |
87
-
|`microsoft.com/pkiops/certs`|Certificate download for ESUs |ESUs enabled by Azure Arc | Public |
87
+
|`www.microsoft.com/pkiops/certs`|Intermediate certificate updates for ESUs (note: uses HTTP/TCP 80 and HTTPS/TCP 443) |ESUs enabled by Azure Arc | Public |
88
88
89
89
#### [Microsoft Azure operated by 21Vianet](#tab/azure-china)
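Review bot: the Azure Government row is updated, but this hunk stops at the `#### [Microsoft Azure operated by 21Vianet](#tab/azure-china)` heading with no corresponding change shown for that tab; please confirm the 21Vianet table either has no `pkiops/certs` row or was updated in a hunk not shown here, so the three clouds stay consistent.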
articles/azure-arc/servers/run-command.md (6 additions & 6 deletions)
@@ -40,11 +40,11 @@ Run Command on Azure Arc-enabled servers supports the following operations:
40
40
41
41
## Example scenarios
42
42
43
-
Suppose you have an Azure Arc-enabled server called “2012DatacenterServer1” in resource group “ContosoRG” with Subscription ID “aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa”. Consider a scenario where you need to provide remote access to an endpoint for Windows Server 2012 / R2 servers. Access to Extended Security Updates enabled by Azure Arc requires access to the endpoint `microsoft.com/pkiops/certs`. You need to remotely configure a firewall rule that allows access to this endpoint. Use Run Command in order to allow connectivity to this endpoint.
43
+
Suppose you have an Azure Arc-enabled server called “2012DatacenterServer1” in resource group “ContosoRG” with Subscription ID “aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa”. Consider a scenario where you need to provide remote access to an endpoint for Windows Server 2012 / R2 servers. Access to Extended Security Updates enabled by Azure Arc requires access to the endpoint `www.microsoft.com/pkiops/certs`. You need to remotely configure a firewall rule that allows access to this endpoint. Use Run Command in order to allow connectivity to this endpoint.
44
44
45
45
### Example 1: Endpoint access with Run Command
46
46
47
-
Start off by creating a Run Command script to provide endpoint access to the `microsoft.com/pkiops/certs` endpoint on your target Arc-enabled server using the PUT operation.
47
+
Start off by creating a Run Command script to provide endpoint access to the `www.microsoft.com/pkiops/certs` endpoint on your target Arc-enabled server using the PUT operation.
48
48
49
49
To directly provide the script in line, use the following operation:
50
50
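Review bot: the scenario text still says only that ESU "requires access to the endpoint `www.microsoft.com/pkiops/certs`", while the network-requirements change in this same PR states the endpoint is reached over both HTTP/TCP 80 and HTTPS/TCP 443. A firewall rule built from this example with a single port would leave the plain-HTTP certificate fetch blocked, so the paragraph should name both ports or point readers to the networking prerequisites.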
@@ -60,11 +60,11 @@ PUT https://management.azure.com/subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaa
60
60
"parameters": [
61
61
{
62
62
"name": "ruleName",
63
-
"value": " Allow access to microsoft.com/pkiops/certs"
63
+
"value": " Allow access to www.microsoft.com/pkiops/certs"
64
64
},
65
65
{
66
66
"name": "endpoint",
67
-
"value": ""microsoft.com/pkiops/certs"
67
+
"value": "www.microsoft.com/pkiops/certs"
68
68
},
69
69
{
70
70
"name": "port",
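Review bot: the new `endpoint` value fixes the doubled quote that made the old request body invalid JSON (`""microsoft.com/pkiops/certs"`), but the `ruleName` value keeps a leading space (`" Allow access to ...`) in both the old and new lines; that space becomes part of the firewall rule name and makes the rule harder to find or match later, so trim it. The `port` parameter that follows takes a single value, while the endpoint needs TCP 80 and 443 per the network-requirements change; either pass both ports or say in the text which one this example opens.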
@@ -100,11 +100,11 @@ PUT https://management.azure.com/subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaa
100
100
"parameters": [
101
101
{
102
102
"name": "ruleName",
103
-
"value": " Allow access to microsoft.com/pkiops/certs"
103
+
"value": " Allow access to www.microsoft.com/pkiops/certs"
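Review bot: same leading space in the `ruleName` value as in the first example; trim it here too. Only the `ruleName` line is shown as changed in this hunk, so if this second request body also carries an `endpoint` parameter like the first example does, verify it received the same `www.` update.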
articles/azure-arc/servers/troubleshoot-extended-security-updates.md (31 additions & 23 deletions)
@@ -57,36 +57,44 @@ If you're unable to enable this service offering, review the resource providers
57
57
58
58
Ensure that both the licensing package and servicing stack update (SSU) are downloaded for the Azure Arc-enabled server as documented at [KB5031043: Procedure to continue receiving security updates after extended support has ended on October 10, 2023](https://support.microsoft.com/topic/kb5031043-procedure-to-continue-receiving-security-updates-after-extended-support-has-ended-on-october-10-2023-c1a20132-e34c-402d-96ca-1e785ed51d45). Ensure you are following all of the networking prerequisites as recorded at [Prepare to deliver Extended Security Updates for Windows Server 2012](prepare-extended-security-updates.md?tabs=azure-cloud#networking).
59
59
60
-
61
-
### Error: Trying to check IMDS again (HRESULT 12002)
60
+
### Error: Trying to check IMDS again (HRESULT 12002 or 12029)
62
61
63
62
If installing the Extended Security Update enabled by Azure Arc fails with errors such as "ESU: Trying to Check IMDS Again LastError=HRESULT_FROM_WIN32(12029)" or "ESU: Trying to Check IMDS Again LastError=HRESULT_FROM_WIN32(12002)", you may need to update the intermediate certificate authorities trusted by your computer using one of the following two methods:
64
63
65
-
1. Configure your network firewall and/or proxy server to allow access from the Windows Server 2012 (R2) machines to `https://microsoft.com/pkiops/certs`. This will allow the machine to automatically retrieve updated intermediate certificates as required and is Microsoft's preferred approach.
66
-
1. Download all intermediate CAs from a machine with internet access, copy them to each Windows Server 2012 (R2) machine, and import them to the machine's intermediate certificate authority store:
67
-
1. Download the 4 intermediate CA certificates:
68
-
1.[Microsoft Azure TLS Issuing CA 01](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001%20-%20xsign.crt)
69
-
1.[Microsoft Azure TLS Issuing CA 02](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002%20-%20xsign.crt)
70
-
1.[Microsoft Azure TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2005%20-%20xsign.crt)
71
-
1.[Microsoft Azure TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2006%20-%20xsign.crt)
72
-
1. Copy the certificate files to your Windows Server 2012 (R2) machine.
73
-
1. Run the following commands in an elevated command prompt or PowerShell session to add the certificates to the "Intermediate Certificate Authorities" store for the local computer. The command should be run from the same directory as the certificate files. The commands are idempotent and won't make any changes if you've already imported the certificate:
74
-
75
-
```powershell
76
-
certstore -addstore CA "Microsoft Azure TLS Issuing CA 01 - xsign.crt"
77
-
certstore -addstore CA "Microsoft Azure TLS Issuing CA 02 - xsign.crt"
78
-
certstore -addstore CA "Microsoft Azure TLS Issuing CA 05 - xsign.crt"
79
-
certstore -addstore CA "Microsoft Azure TLS Issuing CA 06 - xsign.crt"
80
-
```
81
-
82
-
After allowing the servers to reach the PKI URL or manually importing the intermediate certificates, try installing the Extended Security Updates again using Windows Update or your preferred patch management software. You may need to reboot your computer for the changes to take effect.
64
+
#### Option 1: Allow access to the PKI URL
65
+
66
+
Configure your network firewall and/or proxy server to allow access from the Windows Server 2012 (R2) machines to `http://www.microsoft.com/pkiops/certs` and `https://www.microsoft.com/pkiops/certs` (both TCP 80 and 443). This will enable the machines to automatically retrieve any missing intermediate CA certificates from Microsoft.
67
+
68
+
Once the network changes are made to allow access to the PKI URL, try installing the Windows updates again. You may need to reboot your computer for the automatic installation of certificates and validation of the license to take effect.
69
+
70
+
#### Option 2: Manually download and install the intermediate CA certificates
71
+
72
+
If you're unable to allow access to the PKI URL from your servers, you can manually download and install the certificates on each machine.
73
+
74
+
1. On any computer with internet access, download these intermediate CA certificates:
75
+
1.[Microsoft Azure TLS Issuing CA 01](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001%20-%20xsign.crt)
76
+
1.[Microsoft Azure TLS Issuing CA 02](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002%20-%20xsign.crt)
77
+
1.[Microsoft Azure TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2005%20-%20xsign.crt)
78
+
1.[Microsoft Azure TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2006%20-%20xsign.crt)
79
+
1. Copy the certificate files to your Windows Server 2012 (R2) machines.
80
+
1. Run the following commands in an elevated command prompt or PowerShell session to add the certificates to the "Intermediate Certificate Authorities" store for the local computer. The command should be run from the same directory as the certificate files. The commands are idempotent and won't make any changes if you've already imported the certificate:
81
+
82
+
```powershell
83
+
certstore -addstore CA "Microsoft Azure TLS Issuing CA 01 - xsign.crt"
84
+
certstore -addstore CA "Microsoft Azure TLS Issuing CA 02 - xsign.crt"
85
+
certstore -addstore CA "Microsoft Azure TLS Issuing CA 05 - xsign.crt"
86
+
certstore -addstore CA "Microsoft Azure TLS Issuing CA 06 - xsign.crt"
87
+
```
88
+
89
+
1. Try installing the Windows updates again. You may need to reboot your computer for the validation logic to recognize the newly imported intermediate CA certificates.
83
90
84
91
### Error: Not eligible (HRESULT 1633)
85
92
86
93
If you encounter the error "ESU: not eligible HRESULT_FROM_WIN32(1633)", follow these steps:
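Review bot: `certstore` is not a Windows command, in either the removed or the added code block; the built-in tool that imports a certificate into the local computer's Intermediate Certification Authorities store is `certutil.exe`, so the four commands should read `certutil -addstore CA "Microsoft Azure TLS Issuing CA 01 - xsign.crt"` and so on (the idempotence claim in the text holds for `certutil -addstore`, which reports the certificate as already present rather than adding a duplicate). Two smaller points: the nested download links are written as `1.[Microsoft Azure TLS Issuing CA 01](...)` with no space after the period, which Markdown does not treat as a list item, so add the space and indent the four items under step 1; and Option 1 asks admins to open plain HTTP/TCP 80, which will draw pushback in a firewall review. One sentence explaining that CryptoAPI retrieves missing intermediates from the AIA URL over HTTP and that a fetched certificate is only trusted once it chains to a root already in the machine's store would pre-empt that objection.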
If you have other issues receiving ESUs after successfully enrolling the server through Arc-enabled servers, or you need additional information related to issues affecting ESU deployment, see [Troubleshoot issues in ESU](/troubleshoot/windows-client/windows-7-eos-faq/troubleshoot-extended-security-updates-issues).