Automating MAK Proxy Activation with PowerShell

I ran into a need recently where I had to activate Windows on new machines in an automated fashion.  The issue was that the environment did not use KMS, but instead activated new machines using a MAK key.  The machines being activated did not have Internet access, so they had to be activated via proxy.

There is a great article on how to do this using the Volume Activation Management Tool (VAMT) here.  Basically, enable Internet access (or at least access to the MS Activation servers) to a machine with the VAMT installed and you can use the GUI to activate it.  If you need to automate it, you can see instructions on the PowerShell commands for VAMT here.

This all works very well, but it was not complete for my needs.  I needed to have a server other than the VAMT server initiate the activation.  To do this, I wrapped the VAMT commands I needed in a PowerShell function detailed further below.  With this function, you can have any server issue the commands to the VAMT server to add and activate multiple servers on your network in an automated fashion.

I found one big caveat though.  You need to enable Kerberos Delegation for BOTH the VAMT server and the server running this function.  This is done by issuing the command below in PowerShell:

Set-AdComputer -Identity computerName -TrustedForDelegation $true 

The reason for this is the server running this function must pass the credentials of the user running it to the VAMT cmdlets so they can run.  In turn, the Find-VamtManagedMachine cmdlet must also pass those credentials to Active Directory to look the machine up.  If you forget to do this, you will get errors.
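
As an added example (not part of the original post), the following reports the delegation state the function checks for on both hosts, and whether the calling user's credentials can be delegated at all. `-TrustedForDelegation $true` sets unconstrained Kerberos delegation on the computer account, so the last command lists every computer account carrying that flag. `Get-DelegationState` and its output property names are hypothetical; `vamt01` is the sample server name from the function's help text.

```powershell
# Added example: report the Kerberos delegation state the activation function depends on.
# Requires the ActiveDirectory module. Get-DelegationState is a hypothetical helper name;
# 'vamt01' is the sample VAMT server name used in the function's help text.
Import-Module ActiveDirectory

function Get-DelegationState
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)] [string[]] $ComputerName,
        [string] $UserName = $Env:USERNAME
    )
    # The account whose credentials get forwarded. Delegation fails for it if it is flagged
    # "sensitive and cannot be delegated" or is a direct member of Protected Users.
    $user = Get-ADUser -Identity $UserName -Properties AccountNotDelegated, MemberOf
    $protected = [bool]($user.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })

    foreach ( $name in $ComputerName )
    {
        $c = Get-ADComputer -Identity $name -Properties TrustedForDelegation,
            TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
        $targets = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $mode = 'None'
        if ( $c.TrustedForDelegation ) { $mode = 'Unconstrained' }
        elseif ( $targets.Count -gt 0 ) { $mode = 'Constrained' }
        [pscustomobject]@{
            ComputerName       = $c.Name
            DelegationMode     = $mode
            ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
            AllowedTargets     = $targets -join ';'
            PassesTestKerberos = [bool]$c.TrustedForDelegation   # same check the function makes
            User               = $user.SamAccountName
            UserCanBeDelegated = -not ($user.AccountNotDelegated -or $protected)
        }
    }
}

# Check both ends of the hop before running Invoke-WindowsActivation.
Get-DelegationState -ComputerName $Env:COMPUTERNAME, 'vamt01' | Format-Table -AutoSize

# Inventory of computer accounts with the flag set (domain controllers have it by
# default), to keep track of where it was enabled for activation runs.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Select-Object Name, DistinguishedName
```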

Here is the function:

function Invoke-WindowsActivation()
{
<#
.SYNOPSIS
This function reaches out remotely to the specified VAMT server and activates the given machines by proxy. To run this, you must meet the following requirements:
* The ActiveDirectory module from Microsoft must be installed on the machine this function runs from. Install with:
Add-WindowsFeature
* It's assumed the machines you are dealing with are on an Active Directory domain.
* You have a server with the VAMT 3.0 installed.
.PARAMETER ComputerName
Specifies one or more computers to activate.
.PARAMETER Domain
Specifies the AD domain the VAMT server and the machines you are activating are on. Default is the current user DNS Domain ($ENV:USERDNSDOMAIN).
.PARAMETER VamtServer
Specifies the machine the VAMT toolset is installed on. This machine needs the Windows Assessment and Deployment Kit (VAMT Tool) installed. See:
https://www.microsoft.com/en-us/download/details.aspx?id=30652
https://technet.microsoft.com/en-us/library/hh825184.aspx
.EXAMPLE
Invoke-WindowsActivation -ComputerName myserver1,myserver2 -VamtServer vamt01
ActionsAllowed : 105
ApplicationName :
ApplicationId : xxxxx
CMID :
ConfirmationId :
ExportGuid : xxxxx
FullyQualifiedDomainName : myserver1.mydomain.com
GenuineStatus : Genuine
GraceExpirationDate : 4/17/2017 9:56:23 PM
InstallationId : xxxxx
KmsHost :
KmsPort :
LastActionStatus : Successfully updated the product information.
LastErrorCode : 0
LastUpdated : 4/17/2017 9:56:23 PM
LicenseFamily : ServerDatacenter
LicenseStatus : Licensed
LicenseStatusLastUpdated : 4/17/2017 9:56:23 PM
LicenseStatusReason : 0
PartialProductKey : xxxx
ProductDescription : Windows(R) Operating System, VOLUME_MAK channel
ProductKeyId : xxx
ProductName : Windows(R), ServerDatacenter edition
ProductKeyType : Mak
ProductVersion : 6.3.9600.17809
Sku : xxxxx
ProductKeyTypeName :
LicenseStatusText :
GenuineStatusText :
ResourceLanguage :
SoftwareProtectionService : SPP
VLActivationType : NeverVolumeActivated
VLActivationTypeEnabled : Default
AdActivationObjectName :
AdActivationObjectDN :
AdActivationCsvlkPid :
AdActivationCsvlkSkuId : 00000000-0000-0000-0000-000000000000
#>
    [CmdletBinding(SupportsShouldProcess=$true)]
    param
    (
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)] $ComputerName,
        [string] $Domain = $ENV:UserDnsDomain,
        [Parameter(Mandatory=$true)] [string] $VamtServer
    )
    begin
    {
        # Returns $true when the computer account is trusted for Kerberos delegation.
        function Test-Kerberos()
        {
            [CmdletBinding()]
            param
            (
                [Parameter(Mandatory=$true)] $ComputerName
            )
            Import-Module ActiveDirectory
            $c = Get-AdComputer -Identity $ComputerName -Properties TrustedForDelegation
            return ( $c.TrustedForDelegation )
        }
        # Both hops (this machine and the VAMT server) must be trusted for delegation.
        if ( !(Test-Kerberos -ComputerName $VamtServer) )
        {
            throw ("The VAMT Server ($VamtServer) does not have Kerberos delegation enabled! Use: Set-AdComputer -Identity $VamtServer -TrustedForDelegation `$true")
        }
        if ( !(Test-Kerberos -ComputerName $Env:COMPUTERNAME) )
        {
            throw ("This client ($Env:COMPUTERNAME) does not have Kerberos delegation enabled! Use: Set-AdComputer -Identity $Env:COMPUTERNAME -TrustedForDelegation `$true")
        }
        # You must use a 32-bit PowerShell session! VAMT.psd1 does not support 64-bit.
        $session = New-PSSession -ComputerName $VamtServer -ConfigurationName Microsoft.PowerShell32
        # Locate the VAMT module on the VAMT server and load it into the remote session.
        $sb = `
        {
            $psdPath = ""
            if ( Test-Path -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\VAMT3" )
            {
                $psdPath = Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\VAMT3" -Name "SchemaFilePath" | Select-Object -ExpandProperty SchemaFilePath
            }
            else
            {
                throw ("VAMT3 is not installed on the local machine: $($ENV:COMPUTERNAME)!")
            }
            Write-Verbose ("VAMT Module location: $psdPath")
            Import-Module -Name (Join-Path -Path $psdPath -ChildPath "vamt.psd1")
        }
        $psdPath = Invoke-Command -Session $session -ScriptBlock $sb
    }
    process
    {
        try
        {
            foreach ( $comp in $ComputerName )
            {
                # Runs on the VAMT server: look the machine up, then activate it by proxy.
                $sb = `
                {
                    param
                    (
                        [Parameter(Mandatory=$true)] $ComputerName,
                        [string] $Domain = $ENV:UserDnsDomain
                    )
                    $product = Find-VamtManagedMachine -QueryType ActiveDirectory -QueryValue $Domain -MachineFilter $ComputerName
                    if ( !$product )
                    {
                        throw ("Unable to find a computer in the VAMT Database named $ComputerName! Verify Kerberos delegation is enabled for both $($ENV:ComputerName) and $ComputerName! Set-AdComputer -Identity $ComputerName -TrustedForDelegation `$true ")
                    }
                    Write-Host ("Product Entry:")
                    Write-Host ($product | Format-List | Out-String)
                    if ( $product.GenuineStatus -ine "Genuine" )
                    {
                        # Get the confirmation ID:
                        $confirmation = $product | Get-VamtConfirmationId
                        if ( $confirmation.ConfirmationId )
                        {
                            # Apply the confirmation ID, then re-query to confirm the result.
                            $out = Install-VamtConfirmationId -Products $confirmation
                            $output = Find-VamtManagedMachine -QueryType ActiveDirectory -QueryValue $Domain -MachineFilter $ComputerName
                            Write-Host ("Activated server: ")
                            Write-Host ($output | Format-List | Out-String)
                            $output
                            if ( $output.GenuineStatus -ine "Genuine" )
                            {
                                # $comp is not defined in the remote session; use the parameter.
                                throw ("An error occurred activating Windows OS on $ComputerName. `r`nError message: $($output.LastActionStatus).")
                            }
                        }
                        else
                        {
                            throw ("Unable to get a confirmation ID for machine $ComputerName!")
                        }
                    }
                    else
                    {
                        Write-Warning ("$ComputerName has already been activated!")
                        $product
                    }
                }
                if ( $PSCmdlet.ShouldProcess($comp, "Activate Windows machine") )
                {
                    Invoke-Command -Session $session -ScriptBlock $sb -ArgumentList $comp,$Domain
                }
            }
        }
        catch
        {
            # Clean up the remote session before re-throwing the error.
            if ( $session )
            {
                $session | Remove-PSSession
            }
            throw $_
        }
    }
    end
    {
        if ( $session )
        {
            $session | Remove-PSSession
        }
    }
}

 

Hopefully, this is of use to others.

1 thought on “Automating MAK Proxy Activation with PowerShell”

  1. J B

    Could you please describe more exactly, what this script does? I need the Clients with MAK-Key itself to initiate the activation after imaging. The way, pushing the licence to the clients is not practicable for us. Thank you a lot!
