Configuring a vDisk for Microsoft Volume Licensing
A vDisk can be configured for Microsoft Key Management Service (KMS) or Multiple Activation Key (MAK) volume licensing when the Imaging Wizard is run. The MCLI and SoapServer command-line interfaces can also be used to configure Microsoft volume licensing. If it was not configured when the Imaging Wizard was run, it can still be configured from the Console:
- Select the vDisk in the Console, then right-click and select File Properties. The vDisk File Properties dialog appears.
- Click the Microsoft Volume Licensing tab, then select the MAK or KMS licensing method.
- Click OK.
Configuring Microsoft KMS Volume Licensing
This section describes the use of Key Management Service (KMS) license keys with Provisioning Services.
Provisioning Services support for KMS licensing requires that the SOAP Server user account be a domain user with the right to perform volume maintenance tasks. This right is typically found in Local\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. By default, a member of the local administrators group would have this right.
KMS volume licensing utilizes a centralized activation server that runs in the datacenter and serves as a local activation point (as opposed to having each system activate with Microsoft over the internet).
When preparing or updating a KMS configured vDisk that will be copied or cloned, it is important to complete the final KMS configuration task, which is to change the vDisk mode from Private Image Mode to Shared Image Mode, before copying or cloning the vDisk to other Provisioning Servers. Also, both the .pvp and .vhdx files must be copied to retain the properties and KMS configuration of the original vDisk.
The tasks involved in configuring a vDisk image to use KMS volume licensing and managing that vDisk in a Provisioning Services farm include:
- Enabling KMS licensing on the vDisk being created. This is accomplished by selecting the KMS menu option on the Microsoft Volume Licensing tab when running the Imaging Wizard (refer to Imaging Wizard for details).
- Preparing the new base vDisk image
- Maintaining or upgrading the vDisk image
Note: If KMS licensing was not configured on the vDisk when the Imaging Wizard was run, it can alternatively be configured using the Console user interface (refer to the Microsoft Volume Licensing tab), or the MCLI and PowerShell command-line interfaces (refer to the MCLI or PowerShell Programmers Guide for details).
Preparing the new base vDisk image for KMS Volume Licensing
After a vDisk is created using the Imaging Wizard, it must be reset to a non-activated state using the rearm command.
It is important to perform this operation on a system booted from the vDisk in Private Image Mode so that the master target device hard disk’s rearm count is not reduced.
Microsoft limits the number of times you can run rearm on an installed OS image. The operating system will need to be reinstalled if the number of allowed rearm attempts is exceeded.
- Boot the target device from the vDisk in Private Image Mode to rearm.
OSPPREARM.EXE must be run from an elevated command prompt.
- A message prompts you to reboot the system. DO NOT REBOOT. Instead, shut down the target device.
- If the KMS option was not selected when the vDisk image was created, click on the Microsoft Volume Licensing tab and set the licensing option to KMS.
- Set the vDisk mode to Standard Image mode.
- Stream the vDisk to one or more target devices.
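Because the number of rearms is limited, it helps to check what is left before running rearm on the target device booted in Private Image Mode. The following is an added example, not Citrix code; the function name is hypothetical and it reads the standard Windows licensing WMI classes without changing anything.

```powershell
#Requires -Version 3.0
# Added example (not Citrix code): read-only preflight to run on the target
# device booted from the vDisk in Private Image Mode, before rearming.
function Get-RearmPreflight {   # hypothetical helper name
    # Licensing service object: exposes how many Windows rearms remain.
    $svc = Get-CimInstance -ClassName SoftwareLicensingService

    # Installed Windows license: the product entry that carries a product key.
    $win = Get-CimInstance -ClassName SoftwareLicensingProduct `
               -Filter "PartialProductKey IS NOT NULL" |
           Where-Object { $_.Name -like 'Windows*' } |
           Select-Object -First 1

    [pscustomobject]@{
        RemainingRearms = $svc.RemainingWindowsReArmCount
        # KMS client keys report the VOLUME_KMSCLIENT channel in Description.
        KmsClientKey    = $win.Description -like '*VOLUME_KMSCLIENT*'
        # LicenseStatus 1 means the image is currently activated (licensed).
        Activated       = $win.LicenseStatus -eq 1
        # Rearm only while at least one attempt is left.
        SafeToRearm     = $svc.RemainingWindowsReArmCount -gt 0
    }
}

Get-RearmPreflight | Format-List
```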
Maintaining or upgrading a vDisk image that uses KMS Volume Licensing
To maintain or upgrade a vDisk image that is configured to use KMS volume licensing:
- Set the vDisk mode to Private Image mode.
- Stream the vDisk to a target device.
- Apply the OS/application service pack/update, then shut down the target device.
- Set the vDisk mode back to Shared Image mode.
- Stream the vDisk to the target device in Shared Image mode.
If Office 2010 is installed as a vDisk update, or after the vDisk has gone through base disk preparation once, then the base disk preparation needs to be repeated as follows:
a. In the Console, right-click on the vDisk, then select the File Properties menu option. The vDisk File Properties dialog appears.
b. Click on the Microsoft Volume Licensing tab, then change the licensing option from KMS to None.
c. On the Mode tab, set the vDisk access mode to Private Image mode.
d. PXE boot to the vDisk in Private Image mode to rearm.
OSPPREARM.EXE must be run from an elevated command prompt.
e. A message prompts you to reboot the system. DO NOT REBOOT. Instead, shut down the target device.
f. In the Console, right-click on the vDisk, then select the File Properties menu option. The vDisk Properties dialog appears.
g. Click on the Microsoft Volume Licensing tab, then change the license option from None to KMS.
h. On the Mode tab, set the vDisk access mode to Shared Image mode.
i. Stream the vDisk to the target devices.
Configuring Microsoft MAK Volume Licensing
This section describes the use of Multiple Activation Keys (MAK). A MAK corresponds to a certain number of purchased OS licenses. The MAK is entered during the installation of the OS on each system, which activates the OS and decrements the count of purchased licenses centrally with Microsoft. Alternatively, a process of ‘proxy activation’ is done using the Volume Activation Management Tool (VAMT). This allows activation of systems that do not have network access to the internet. Provisioning Services leverages this proxy activation mechanism for Standard Image mode vDisks that have MAK licensing mode selected when the vDisk is created.
The Volume Activation Management Tool (VAMT) version 3.1 must be installed and configured on all Provisioning Servers within a farm. This tool is part of the Microsoft Windows Assessment and Deployment Kit (Windows ADK), available at: http://www.microsoft.com/en-US/download/details.aspx?id=39982. Upon first execution of the VAMT, a VAMT database is created. This database caches all device activations and allows Provisioning Services to reactivate devices.
Volume Activation Management Tool 3.1 requires:
- PowerShell 3.0 (must be installed if the OS is earlier than Windows Server 2012 or Windows 8)
- SQL 2012 express or newer
Provisioning Services MAK activation requires configuration for three types of users:
- Volume Activation Management Tool/Provisioning Services installation user — This user is a local administrator on the Provisioning Services server system and has the rights on SQL 2012 or newer (VAMT 3.1 requirement) to create a database for VAMT to use.
- MAK user — This is the user set in the site’s properties. This user handles the MAK activation on both server and client side. This user is a local administrator on both the Provisioning Services server and the master client. This user requires full access to the VAMT database.
- Provisioning Services soap/stream services user — the stream process handles the reactivation when the target device restarts. This user requires read access to the VAMT database.
Provisioning Servers use PowerShell to interface with the VAMT. These manual configuration steps are required one time per server.
- Install PowerShell 3.0.
- Install VAMT 3.1 on every Provisioning Services server system using a Volume Activation Management Tool/Provisioning Services installation user.
- Configure a VAMT database as prompted during the initial run of VAMT 3.1. Make this database accessible to all Provisioning Services servers used to stream VAMT activated Provisioning Services target devices.
- If the user who created the VAMT database is not the soap/stream services user, copy the VAMT configuration file C:\Users\<VAMT installation user (dB creator)>\AppData\Roaming\Microsoft\VAMT\VAMT.config to C:\Users\<Provisioning Services soap/stream services user>\AppData\Roaming\Microsoft\VAMT\VAMT.config.
- Set the Provisioning Services server security configuration to use PowerShell to interface with VAMT:
  - Set-ExecutionPolicy -Scope <the Provisioning Services services user> unrestricted – see http://technet.microsoft.com/en-us/library/hh849812(v=wps.620).aspx for more information.
  - WinRM quickconfig
  - Enable-WSManCredSSP -Role Client -DelegateComputer <this server fqdn> -Force
  - Enable-WSManCredSSP -Role Server -Force
- Configure Windows firewall on the client for VAMT 3.1 – see http://technet.microsoft.com/en-us/library/hh825136.aspx for more information. Provisioning Services target devices cannot be activated or reactivated if the firewall is not configured for VAMT.
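The one-time server settings above loosen script execution and enable CredSSP credential delegation, so it is worth confirming they ended up no broader than the steps describe. The following read-only audit is an added example, not Citrix or Microsoft code; the account name svc-pvs and the parameter names are assumptions, and the registry key is the Windows credential-delegation policy location that Enable-WSManCredSSP writes to.

```powershell
#Requires -Version 3.0
# Added example (not Citrix code): read-only audit of the per-server VAMT
# settings. Run elevated on each Provisioning Services server.
param(
    [string]$ServiceUser = 'svc-pvs',   # hypothetical soap/stream services account
    [string]$ServerFqdn  = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
)

function New-Result($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
}

# 1. VAMT.config must exist in the services user's profile (path from the step above).
$config = "C:\Users\$ServiceUser\AppData\Roaming\Microsoft\VAMT\VAMT.config"
New-Result 'VAMT.config for services user' (Test-Path -LiteralPath $config) $config

# 2. List the scopes set to Unrestricted so the change is no wider than intended.
#    MachinePolicy/UserPolicy (Group Policy) override the other scopes.
$open = @(Get-ExecutionPolicy -List | Where-Object { $_.ExecutionPolicy -eq 'Unrestricted' })
New-Result 'Execution policy Unrestricted' ($open.Count -gt 0) `
    (($open | ForEach-Object { $_.Scope }) -join ', ')

# 3. CredSSP must be enabled for both the WinRM client and service roles.
foreach ($role in 'Client', 'Service') {
    $value = (Get-Item "WSMan:\localhost\$role\Auth\CredSSP" -ErrorAction SilentlyContinue).Value
    New-Result "CredSSP enabled ($role)" ($value -eq 'true') "value=$value"
}

# 4. Fresh-credential delegation should name only this server, never a wildcard.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$targets = @()
if (Test-Path $key) {
    $reg = Get-Item $key
    $targets = @($reg.GetValueNames() | ForEach-Object { $reg.GetValue($_) })
}
$expected = "wsman/$ServerFqdn"
$extra = @($targets | Where-Object { $_ -ne $expected })
New-Result 'CredSSP delegation scoped to this server' `
    (($targets -contains $expected) -and ($extra.Count -eq 0)) ($targets -join ', ')
```

Each check emits one object with Check, Ok and Detail, so the output can be piped to Format-Table or collected from every server in the farm.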
Common activation errors
Error: Failed to create PSSession.
Reason: MAK user is not a local administrator on the Provisioning Services server.
Error: Index was out of range. Must be non-negative and less than the size of the collection. Parameters name: Index.
Reason: MAK user does not have full access (read\write) permission to the VAMT database.
Setting the vDisk licensing mode for MAK
A vDisk can be configured to use Microsoft Multiple Activation Key (MAK) licensing when the Imaging Wizard is run (refer to Imaging Wizard). If MAK licensing was not configured when the Imaging Wizard was run, the vDisk’s licensing mode property can be set using the Console, MCLI, or PowerShell user interface. The licensing mode should be set before attempting to activate target devices.
For information on using the command-line interfaces, refer to the MCLI or PowerShell Programmers Guide.
Entering MAK user credentials
Before target devices that use MAK-enabled vDisks can be activated, MAK user credentials must be entered for a site.
The user must have administrator rights on all target devices that use MAK-enabled vDisks, and on all Provisioning Servers that will stream the vDisks to target devices.
To enter credentials:
- Right-click on the site where the target devices exist, then select the Properties menu option.
- On the MAK tab, enter the user and password information in the appropriate text boxes, then click OK.
Activating target devices that use MAK-enabled vDisks
After a vDisk is configured for MAK volume licensing and user credentials have been entered, each booted target device that is assigned to the vDisk needs to be activated with a MAK.
After all licenses for a given MAK have been used, a new key will be required in order to allow additional target devices that share this vDisk image to be activated.
To activate target devices that use MAK volume licensing from the Console:
- Boot all target devices that are to be activated.
- In the Console, right-click on the collection or view of the individual device that includes those target devices that require MAK license activation, then select the Manage MAK Activations menu option. The Manage MAK Activations dialog appears.
- In the Multiple activation key text box, enter the MAK to be used to activate the target devices.
- The number of booted target devices that require activation displays on the dialog. From the list of booted devices, check the box next to each target device that should be activated.
- Click OK to activate licensing for all selected target devices. Do not close the dialog until the activation process is completed. The process can be stopped by clicking the Cancel button. Closing the dialog before the activation process completes stops the process and may result in some target devices not being activated. The Status column indicates if a target device is currently being activated (Activating) or the activation failed (Failed).
- If all target devices were activated successfully, click OK to close the dialog. After the activation process completes, if one or more target devices were not selected to be activated, or if devices were not activated successfully, the dialog displays listing any un-activated devices. After resolving any issues, repeat this step to activate the remaining target devices.
The Manage MAK Activations option does not display after all currently booted target devices have been successfully activated.
Maintaining MAK Activations
Typically, devices and their assigned vDisk activations are preserved automatically. When a different target device is assigned a MAK activated vDisk, it removes any saved existing MAK reactivation information. If the vDisk is reassigned in the future, the target device will not reactivate. To prevent the loss of MAK activation, do not unassign the activated disk from the target device.
To change a target device’s vDisk, without losing the MAK activation, select one of the following methods:
- Assign additional vDisks to the target device, without removing any, then set the default booting vDisk accordingly.
- Assign additional vDisks to the target device and temporarily disable the MAK activated vDisk.
To update a MAK activated vDisk, the AutoUpdate feature must be used so that the MAK activation information, required for shared device reactivation, is maintained.
Additional MAK considerations:
- Use of manual vDisk updates (unassigning one vDisk and reassigning another vDisk) will result in the loss of the required MAK activation information and will require a new activation, which would consume another license.
- Use of AutoUpdate to deploy a new vDisk, from a different OS install than the previous vDisk, will result in mismatched MAK activation information. In this case, a new activation must be performed from the command line interface, as only unactivated target devices can be activated from the Provisioning Services console.