2011-01-16

Windows 7/2008 Deployment - KMS and MAK Keys pt. 1

I have been dealing with an issue that has been bugging me for quite a while. It has to do with the deployment of Windows 7 or Windows 2008 R2 VMs and License Activation.

First let's describe the environment and situation. The whole infrastructure is at 4.1, vCenter and all ESX hosts as well. It was upgraded recently from 4.0. Seven months ago I created my templates - with all my customizations. Some of these customizations included different OS settings, menu sizes, toolbars etc. Once upon a time, all you had to do to copy these settings to the default profile was to copy the current user profile to the Default User Profile, and every user that logged on thereafter would have all those settings defined. Starting with Windows 7 and 2008 (perhaps also Vista - I am not sure, we gave this version a skip) this was no longer the recommended way to do this. There is a detailed Microsoft KB that explains the method - which is to Sysprep the machine and provide a setting in the unattend.xml file which will copy the profile. The file can be written manually, but that is not recommended. You should use the WAIK. This tool is available from Microsoft.

After installing the software you attach an Operating System Image and create an answer file. In that answer file you can search for the Copy Profile option and set:

<CopyProfile>true</CopyProfile>

The first problem I ran into was that I was not aware of the fact that you can only Sysprep a machine 3 times; thereafter you will not be able to do it any more. This of course led to a problem: after making changes to the VM and Sysprep'ing again and again and again, I could no longer continue with this Template (Thank you VMware for snapshots!!).

Failure occurred while executing 'C:\Windows\System32\slc.dll,SLReArmWindows', returned error code -1073425657

This issue can be avoided by adding an additional flag to the unattend.xml file: <SkipRearm>1</SkipRearm>.

The Activation grace period is typically 30 days. It begins after Windows Setup finishes and the computer boots for the first time. While there is no limit to the number of times that the Sysprep command can run on a computer, there is a limit to the number of times Windows can be rearmed. Typically, a system can be rearmed only three times. Using this setting enables you to run the Sysprep command multiple times without resetting the activation clock.
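An answer file that places both settings discussed above in their components and configuration passes, as an added example that is not from the original post. The amd64 architecture value is an assumption (use x86 for a 32-bit Windows 7 image).

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">

  <!-- generalize pass: processed while "sysprep /generalize" runs on the template -->
  <settings pass="generalize">
    <component name="Microsoft-Windows-Security-SPP"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS">
      <!-- 1 = do not rearm, so this Sysprep run does not use up one of the
           limited rearms while the template is still being worked on.
           For the final generalize before the template is deployed, set this
           to 0 so the activation state is reset on the deployed copies. -->
      <SkipRearm>1</SkipRearm>
    </component>
  </settings>

  <!-- specialize pass: processed on the first boot after generalize -->
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS">
      <!-- Copies the profile of the account that ran Sysprep (with all the
           customizations made in the template) over the default user profile. -->
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>

</unattend>
```

The file is handed to Sysprep with the `/unattend:` switch, for example `sysprep /generalize /oobe /shutdown /unattend:C:\unattend.xml` (the path here is a placeholder).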

And now I finally had my template customized, and ready for deployment.

Now, over the past 8 months we have implemented a Microsoft KMS server. Before that, let us go into what has changed since the days of XP/2003 in terms of licensing/activation. With Windows 2003/XP organizations were provided with a VL (Volume License) Key. That meant I could put the serial number in the image / template / Sysprep file for each and every machine. Once installed there was no further action needed. Starting with 2008/Windows 7 (remember we skipped Vista) we were provided with 2 different License Keys, a MAK key and a KMS Key.

Frequently Asked Questions About Volume License Keys.

A MAK key is one that you add to the OS and that has to be activated with Microsoft. This can be done over the internet or with the VAMT (I will not go into how to provide a proper licensing mechanism for your OS's in your organization). This is not an automatic process, and for a small number of OS's it is quite suitable. Christian Mohn has created a good explanation of how to use this tool. But when you are talking about hundreds and thousands of operating systems, this does not scale well. Also, you do not always want to open your firewall to allow each and every computer to activate with a Microsoft Server somewhere "out there". Therefore Microsoft introduced the KMS (Key Management Server). It is a role that you can install on Windows Server 2008 which will act as your activation server for all OS's in the organization. A record is created in the DNS which each new OS will look for by default and, if found, will use to activate the OS - automatically. Much better for a bigger environment.

We will continue into part 2 of this series with the issue at hand.