I ran into a need recently where I had to activate Windows on new machines in an automated fashion. The issue was that the environment did not use KMS, but instead activated new machines using a MAK key. The machines being activated did not have Internet access, so they had to be activated via proxy.
There is a great article on how to do this using the Volume Activation Management Tool (VAMT) here. Basically, enable Internet access (or at least access to the MS Activation servers) to a machine with the VAMT installed and you can use the GUI to activate it. If you need to automate it, you can see instructions on the PowerShell commands for VAMT here.
This all works very well, but not complete for my needs. I needed have a different server other than the VAMT server initiate the activation. To do this, I wrapped the VAMT commands I needed in a PowerShell function detailed further below. With this function, you can have any server issue the commands to the VAMT server to add and activate multiple severs on your network in an automated fashion.
I found one big caveat though. You need to enable Kerberos Delegation for BOTH the VAMT server and the server running this function. This is done by issuing the command below in PowerShell:
Set-AdComputer -Identity computerName -TrustedForDelegation $true
The reason for this is the server running this function must pass the credentials of the user running it to the VAMT cmdlets so they can run. In turn, the Find-VamtManagedMachine cmdlet must also pass those credentials to Active Directory to look the machine up. If you forget to do this, you will get errors.
Here is the function:
function Invoke-WindowsActivation() | |
{ | |
<# | |
.SYNOPSIS | |
This function reaches out remotely to the specified VAMT server and activates the given machines by proxy. To run this, you must meet the following requirements: | |
* The ActiveDirectory module from Microsoft be installed on the machine this function runs from. Install with: | |
Add-WindowsFeature | |
* It's assumed the machines you are dealing with are on an Active Directory domain. | |
* You have a server with the VAMT 3.0 installed. | |
.PARAMETER ComputerName | |
Specifies one or more computers to activate. | |
.PARAMETER Domain | |
Specifies the AD domain the VAMT server and the machines you are activating are on. Default is the current user DNS Domain ($ENV:USERDNSDOMAIN). | |
.PARAMETER VamtServer | |
Specifies the machine the VAMT toolset is installed on. This machine needs the Windows Assessment and Deployment Kit (VAMT Tool) installed. See: | |
https://www.microsoft.com/en-us/download/details.aspx?id=30652 | |
https://technet.microsoft.com/en-us/library/hh825184.aspx | |
.EXAMPLE | |
Invoke-WindowsActivation -ComputerName myserver1,myserver2 -VamtServer vamt01 | |
ActionsAllowed : 105 | |
ApplicationName : | |
ApplicationId : xxxxx | |
CMID : | |
ConfirmationId : | |
ExportGuid : xxxxx | |
FullyQualifiedDomainName : myserver1.mydomain.com | |
GenuineStatus : Genuine | |
GraceExpirationDate : 4/17/2017 9:56:23 PM | |
InstallationId : xxxxx | |
KmsHost : | |
KmsPort : | |
LastActionStatus : Successfully updated the product information. | |
LastErrorCode : 0 | |
LastUpdated : 4/17/2017 9:56:23 PM | |
LicenseFamily : ServerDatacenter | |
LicenseStatus : Licensed | |
LicenseStatusLastUpdated : 4/17/2017 9:56:23 PM | |
LicenseStatusReason : 0 | |
PartialProductKey : xxxx | |
ProductDescription : Windows(R) Operating System, VOLUME_MAK channel | |
ProductKeyId : xxx | |
ProductName : Windows(R), ServerDatacenter edition | |
ProductKeyType : Mak | |
ProductVersion : 6.3.9600.17809 | |
Sku : xxxxx | |
ProductKeyTypeName : | |
LicenseStatusText : | |
GenuineStatusText : | |
ResourceLanguage : | |
SoftwareProtectionService : SPP | |
VLActivationType : NeverVolumeActivated | |
VLActivationTypeEnabled : Default | |
AdActivationObjectName : | |
AdActivationObjectDN : | |
AdActivationCsvlkPid : | |
AdActivationCsvlkSkuId : 00000000-0000-0000-0000-000000000000 | |
#> | |
[CmdletBinding(SupportsShouldProcess=$true)] | |
param | |
( | |
[Parameter(Mandatory=$true,ValueFromPipeline=$true)] $ComputerName, | |
[string] $Domain = $ENV:UserDnsDomain, | |
[Parameter(Mandatory=$true)] [string] $VamtServer | |
) | |
begin | |
{ | |
function Test-Kerberos() | |
{ | |
[CmdletBinding()] | |
param | |
( | |
[Parameter(Mandatory=$true)] $ComputerName | |
) | |
Import-Module ActiveDirectory | |
$c = Get-AdComputer –Identity $ComputerName –Properties TrustedForDelegation | |
return ( $c.TrustedForDelegation ) | |
} | |
if ( !(Test-Kerberos –ComputerName $VamtServer) ) | |
{ | |
throw ("The VAMT Server ($VamtServer) does not have Kerberos delegation enabled! Use: Set-AdComputer -Identity $VamtServer -TrustedForDelegation $true") | |
} | |
if ( !(Test-Kerberos –ComputerName $Env:COMPUTERNAME) ) | |
{ | |
throw ("This client ($Env:COMPUTERNAME) does not have Kerberos delegation enabled! Use: Set-AdComputer -Identity $VamtServer -TrustedForDelegation $true") | |
} | |
# You must use a 32-bit PowerShell session! VAMT.psd1 does not support 64-bit. | |
$session = New-PSSession –ComputerName $VamtServer –ConfigurationName Microsoft.PowerShell32 | |
$sb = ` | |
{ | |
$psdPath = "" | |
if ( Test-Path –Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\VAMT3" ) | |
{ | |
$psdPath = Get-ItemProperty –Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\VAMT3" –Name "SchemaFilePath" | Select-Object –ExpandProperty SchemaFilePath | |
} | |
else | |
{ | |
throw ("VAMT3 is not installed on the local machine: $($ENV:COMPUTERNAME)!") | |
} | |
Write-Verbose ("VAMT Module location: $psdPath") | |
Import-Module –Name (Join-Path –Path $psdPath –ChildPath "vamt.psd1") | |
} | |
$psdPath = Invoke-Command –Session $Session –ScriptBlock $sb | |
} | |
process | |
{ | |
try | |
{ | |
foreach ( $comp in $ComputerName ) | |
{ | |
$sb = ` | |
{ | |
param | |
( | |
[Parameter(Mandatory=$true)] $ComputerName, | |
[string] $Domain = $ENV:UserDnsDomain | |
) | |
$product = Find-VamtManagedMachine –QueryType ActiveDirectory –QueryValue $Domain –MachineFilter $ComputerName | |
if ( !$product ) | |
{ | |
throw ("Unable to find a computer in the VAMT Database named $ComputerName! Verify Kerberos delegation is enabled for both $($ENV:ComputerName) and $ComputerName! Set-AdComputer -Identity $ComputerName -TrustedForDelegation `$true ") | |
} | |
Write-Host ("Product Entry:") | |
Write-Host ($product | Format-List | Out-String) | |
if ( $product.GenuineStatus -ine "Genuine" ) | |
{ | |
# Get the confirmation ID: | |
$confirmation = $product | Get-VamtConfirmationId | |
if ( $confirmation.ConfirmationId ) | |
{ | |
$out = Install-VamtConfirmationId –Products $confirmation | |
$output = Find-VamtManagedMachine –QueryType ActiveDirectory –QueryValue $Domain –MachineFilter $ComputerName | |
Write-Host ("Activated server: ") | |
Write-Host ($output | Format-List | Out-String) | |
$output | |
if ( $output.GenuineStatus -ine "Genuine" ) | |
{ | |
throw ("An error occurred activating Windows OS on $comp. `r`nError message: $($output.LastActionStatus).") | |
} | |
} | |
else | |
{ | |
throw ("Unable to get a confirmation ID for machine $ComputerName!") | |
} | |
} | |
else | |
{ | |
Write-Warning ("$ComputerName has already been activated!") | |
$product | |
} | |
} | |
if ( $PSCmdlet.ShouldProcess($comp, "Activate Windows machine") ) | |
{ | |
Invoke-Command –Session $session –ScriptBlock $sb –ArgumentList $comp,$Domain | |
} | |
} | |
} | |
catch | |
{ | |
if ( $session ) | |
{ | |
$session | Remove-PSSession | |
} | |
throw $_ | |
} | |
} | |
end | |
{ | |
if ( $session ) | |
{ | |
$session | Remove-PSSession | |
} | |
} | |
} |
Hopefully, this is of use to others.
Could you please describe more exactly,what this script does? I need the Clients with MAK-Key itself to initiate the activation after imageing. The way, pushing the licence to the clients is not practicable for us. Thank you a lot!
LikeLike