How Microsoft licences work with MDT and WDS deployment

deploymentmdtwdswindows

The problem is the following:

My company has bought several laptops (Acer, Lenovo), those come with Windows 10 professional edition already installed, so when you start the PC for the first time you end up in a classic OOBE environment (choose country, keyboard, cortana…)

More laptops (the same as I previously described) are coming. So, I would like to have a custom Windows in order to avoid repeating and wasting time to configure each and each PC.

To do so, I already have a WDS + MDT server ready to use. My idea is to create a master image and deploy it. The thing is: my master image will not have a license key but, since I know that my laptops already have Windows activated with an OEM license, I think that after the installation of the master the OEM license key (which is stored in the BIOS) will reactivate by itself.

But after some research it seems that it is not the "Microsoft way" to do, in fact what I intend to do is very likely illegal.

So I would like to have an answer: Do you need a special license for deploying custom Windows image with WDS ?

Thanks for reading and for the eventual answer.

Best Answer

It comes down to this. Windows Professional is licensed for use on the laptop. It doesn't matter how you put the operating system on the laptop. It will always be licensed for use on that hardware. There is nothing illegal about what you are trying to do and is, in fact, an extremely common scenario.

We run a fully zero touch experience to deploy all of our new systems.

We embed the generic Windows 10 Pro product key in the unattend.xml in the specialize pass under the shell-setup section (VK7JG-NPHTM-C97JM-9MPGT-3V66T) this is sufficient for bypassing product key issues during dpeloyment.

We create an additional step in the deployment task in the "State Restore" section which runs the following powershell script to activate the system using the embedded product key:

#This script performs automatic activation during windows deployments.
#It will check if Windows is activated, if not it will try to activate with the BIOS key.

#Activation function, installs the specified product key and returns true or false if activated successfully.
function Activate
{
    #If $key doesn't exist we can't activate
    if (-not $key) { return }
    
    try
    {
    $instance = (Get-WmiObject -query 'select * from SoftwareLicensingService')
    $instance.InstallProductKey($key)
    $instance.RefreshLicenseStatus()
    } catch { return }
}

#First check and see if windows is already activated.
if (Get-WmiObject SoftwareLicensingProduct | where {$_.PartialProductKey -and $_.Name -like "*Windows*" -and ($_.LicenseStatus -eq 1 -or $_.LicenseStatus -eq 2)})
{
    #Host is already activated.
    exit
}

#Check for a BIOS key - if it exists, this is what we are going to use first.
$key = (Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey

if ($key) 
{
    #BIOS Key exists - use it
    if (Activate $key) { exit }
}

You can see evidence in this script that checks if a BIOS key exists and if activation was successful:

if ($key) 
{
    #BIOS Key exists - use it
    if (Activate $key) { exit }
}

At one time we also had Windows 7 laptops which we were redeploying with Windows 10. So, we also had a volume license key for Windows 10 and the code was modified so that if no BIOS key existed, we would call the Activate function with the volume license key:

if ($key) 
{
    #BIOS Key exists - use it
    if (Activate $key) { exit }
}
else
{
    #BIOS Key does not exist - Use VLK
    if (Activate 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx') { exit }
}

You could add additional logic if activation fails as seen in the if statement:

if (Activate 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx') { exit }

And, you can go one step further to make this step in your deployment task require a certain exit code, and if it fails, the deployment task can issue a warning or failure at the end of the process alerting you to activation issues.

BIOS activation after using the generic product key has always been a little wonky. It's possible this script is not necessary at all anymore, and Windows will automatically activate itself afterwards. I think it is unlikely, because Windows has already accepted the (invalid) generic key and will not try to replace it, hence the need for the script to do so.

Related Solutions

What are some of the best answer file settings for a WDS Deployment

Add Device Drivers by Using Windows Setup Microsoft-Windows-PnpCustomizationsWinPE (If you need drivers for Windows PE to see the local hard disk drive or network)
Enable Remote Desktop
1. Add the following settings to your answer file in the listed configuration pass: Microsoft-Windows-TerminalServices-LocalSessionManager (4 specialize) Networking-MPSSVC-Svc\FirewallGroup (4 specialize)
2. In the Answer File pane, right-click FirewallGroups and select Insert new Firewall Group. Configure the following settings in the Answer File pane. Microsoft-Windows-TerminalServices-LocalSessionManager (Value: fDenyTSConnections=false) Networking-MPSSVC-Svc\FirewallGroups\FirewallGroup (Values:Active=true ; Group=Remote Desktop; Profile=all)
Add a Custom Command to an Answer File On the Insert menu, point to Synchronous Command. Click a configuration pass from the submenu. The Create Synchronous Command dialog box opens. In the Enter command line text box, enter the command, with parameters. In the Order box select the order of the commands to run, and click OK. The command is added to the answer file in the selected configuration pass: Commands added to the 1 windowsPE configuration pass appear in the setting: Microsoft-Windows-Setup\RunSynchronous. Commands added to the 4 specialize or 6 auditUser passes configuration pass appear in the setting: Microsoft-Windows-Deployment\RunSynchronous. Commands added to the 7 oobeSystem pass appear in the setting: Microsoft-Windows-Shell-Setup\FirstLogonCommands. See also:WDS: Phase 3: Preparing and Customizing Your Windows Image

But you also use the Microsoft Deployment Toolkit 2010, which works better that WAIK. The latest version of the MDT 2010, also supports Office 2010. To simplify desktop deployment, Microsoft first created Microsoft Solution Accelerator for Business Desktop Deployment (BDD), an integrated toolset together with comprehensive guidance for deploying Windows Vista and the 2007 Office System. BDD went through several versions including:

BDD 2.0 and 2.5 – Used for deploying Windows XP that was released in two editions: Standard edition for smaller midmarket customers, and Enterprise edition for larger organizations that had an Microsoft Systems Management Server 2003 infrastructure deployed.
BDD 2007 – Used for deploying Windows XP, Windows Vista, and the 2007 Office System and released in a single edition for both midmarket and enterprise customers.

BDD has now morphed into Microsoft Deployment Toolkit 2008 (MDT 2008) which lets you deploy the following versions of Microsoft Windows:

*
  Windows Vista
*
  Windows XP Professional
*
  Windows Server 2008
*
  Windows Server 2003

In addition, you can use MDT 2008 to deploy the 2007 Microsoft Office system and Microsoft Office 2003 to your desktop computers.

MDT 2008 simplifies the task of deploying Windows Vista by providing the following benefits:

Provides an integrated workspace from which you can perform hardware/software inventories, mitigate application compatibility issues, migrate user profiles, package and deploy applications, create and manage distribution shares and deployment points, and to build, service and deploy your images.
Supports integration with Windows DS for centralized server-based deployments. Supports integration with your existing systems management infrastructures that use SMS 2003 and Microsoft System Center Configuration Manager 2007 (SCCM 2007).
Allows you to customize various aspects of the deployment process to suit the needs of your organization.

A newer version of that is the MDT 2010, which supports: PowerShell Windows 7 and Windows Server 2008 (R2) Finally, there are a number of other enhancements in MDT 2010 relating to security, stability and performance. For example, you can now refresh a computer that has a volume protected by Windows BitLocker Drive Encryption without having to decrypt and re-encrypt the protected volume. This makes this particular refresh scenario more secure and much faster than before.

WDS or MDT for Windows 7 Deployment

For ten laptops I would definitely use MDT. Download the package from Microsoft and read through the docs, they're quite good and cover all of the steps you need to make it go. If you encounter larger numbers of machines to deploy to I would then look towards WDS but use it with MDT.

Microsoft Deployment Toolkit 2010 Microsoft Deployment Toolkit (MDT) 2012 Update 1

Best Answer

Related Solutions

What are some of the best answer file settings for a WDS Deployment

WDS or MDT for Windows 7 Deployment

Related Topic