Windows 7 OEM SLIC/SLP Activation via WDS/MDT

I ran into a situation recently where I wanted to deploy Windows 7 to a Dell workstation that came with an OEM copy of Windows 8 Pro. (Microsoft OEM downgrade rights allow this.) I wanted to automate this with WDS & MDT so I would never again have to worry about it. The only problem was that I didn’t have a nice little CD key sticker with an OEM Windows key. This meant I needed a way to install Windows 7 and activate it the same way the OEMs do. Until now I had no idea how OEM activations work. All I knew was that when I used an original Dell OEM CD to install Windows, it didn’t require a CD key and was auto-magically activated. 
 
I’m writing this post because I was never able to find any sort of blog post or forum post describing my particular situation. I had three goals in mind:
  1. I needed to create an image that I could deploy via WDS (Windows Deployment Services) and MDT (Microsoft Deployment Toolkit). 
  2. I wanted the image to be as up-to-date as possible with Windows Updates. I didn’t want to wait 6 hours on Windows updates every time I deployed a new machine. 
  3. I wanted the image to be activated auto-magically just like the Dell OEM DVD does. (Note: Licensing and legality are beyond the scope of this post. Please deploy responsibly.)

Here is the solution I came up with. 
 
Short Answer:
 
Those familiar with MDT and WDS will have no trouble with items 1 and 2 above. The part that stumped me was doing items 1 and 2 in conjunction with item 3. Doing so with a volume license and a KMS server is easy. With an OEM license it’s a different story. 
 
As it turns out, all you need for the auto-magical OEM offline activation is the following: 
  1. Use an OEM SLP key found online or on the OEM DVD. (E.g. Dell’s SLP key can be found in the .\$OEM$\$$\setup\scripts\slp.cmd file.) You don’t need to use DISM for this. (Though you probably can.) Just use MDT. 

  2. You need to have the OEM’s cert (the OEM.xrm-ms file located in the $OEM$\$$\System32\OEM folder on the OEM DVD) injected into the C:\Windows\System32\OEM folder of the wim. 

Most posts on the internet just assume you know you need to do that. I DIDN’T and ended up spending my entire afternoon figuring that out. Once I figured that out, all I had to do was inject the cert into the folder above, use the OEM SLP key, deploy a reference image using a task sequence set to perform Windows updates, capture said image, and then redeploy. The cert even persists through sysprep so you don’t need to re-inject after the capture. 
 
Long Answer: 
 
Extract/Prep:
  1. The first step is to download & extract a copy of Windows 7 to a folder. I recommend using the vanilla versions from the VLSC/MSDN. The OEM DVD from a manufacturer would work as well. One thing I found out (that I already sort of knew) is that all Windows 7 ISOs are the same. They all include every version of Windows 7 and are pretty much identical. The difference is the $OEM$ folder on the disk. 

  2. Once you have the ISO extracted, you need to find the master install.wim file and determine which version of Windows you intend to create an image for. (In my case, Windows 7 Pro.) This file is found under the sources folder of the ISO/DVD. Once you’ve located the file, open an elevated command prompt (or PowerShell) and run the following command: (Keep in mind I’ve extracted the contents of my DVD to c:\win7dvd)

    dism /get-imageinfo /imagefile:c:\win7dvd\sources\install.wim

    This will output each version of Windows 7 that is contained within the install.wim file. Note down the Index number of the version you need. (3 in the case of Windows 7 Pro)

  3. Now let’s extract just that version of Windows 7 from the install.wim file. 

    dism /export-image /sourceimagefile:c:\win7dvd\sources\install.wim /sourceindex:3 /destinationimagefile:c:\winpe\win7pro.wim

 
Extract the OEM cert & CD key:

  1. First let’s get the OEM’s SLP key. The way I did this for Dell was to use the Dell OEM DVD. Open the DVD and browse to D:\sources\$OEM$\$$\setup\scripts. Then open/edit (DO NOT RUN) the slp.cmd file. Inside you will find the key. Note that down for use later when we build the task sequence in MDT. You can also find a list of ALL OEM SLP keys on the internet. They aren’t secret or anything. 

  2. Next we need to get the OEM’s certificate. To do this browse to D:\sources\$OEM$\system32\OEM. Once there you should see a file called OEM.xrm-ms. Copy this file to a safe place. You will need this later. Just like above, you can also find the certs online. One site I found offered a .7z file with over 200 OEM certs. 
 
Inject & Deploy:
There are two ways to do this last part. The first way is the way I did it originally. It works well and did the job. After I did this, I discovered a much easier way that works just as well. I’ll document both ways in case there is a use case for the first method that is not apparent to me right now. I should also mention that this assumes you already know how to use WDS/MDT. Explaining that in detail is way beyond the scope of this post. 
 
Method 1: 
  1. We need to mount the wim you extracted above so we can inject the cert into it. Open an elevated command prompt (or PowerShell) and run the following command:

    dism /mount-image /imagefile:c:\winpe\win7pro.wim /index:1 /mountdir:c:\winpe\win7pro
    (NOTE: Make sure the mount directory exists but is empty)

  2. Now browse to c:\winpe\win7pro\windows\system32 and create a new folder called OEM. (Or if one exists, open it and move to the next step.) 

  3. Find the cert you copied earlier and paste it into this folder. 

  4. Now that the cert has been injected, we need to unmount the image and commit the changes. Using the same elevated command prompt as before, run this command:

    dism /unmount-image /mountdir:c:\winpe\win7pro /commit

  5. Now that our win7pro.wim file contains the cert, import it into MDT and create your task sequence. During the task sequence creation, use the SLP key you captured earlier. Be sure to use the last option that says “Specify the product key for this operating system.” Not the MAK or KMS options. Once the task sequence is created, be sure to enable the Windows Update steps. (Pre & Post) 

  6. Now deploy the image to your reference computer. (I recommend a VM.) During the deployment wizard, be sure to tell LiteTouch to capture an image when it’s finished. Walk away for 4 hours and let Windows apply 300 updates and restart half a dozen times. 

  7. Once the fully updated Windows 7 Pro image has been captured, simply import that wim into MDT and use that to deploy your workstations. The new image will be fully updated and will automatically activate as long as you use that same SLP key.
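
Steps 1 to 4 of Method 1 as one PowerShell script, added here as an example and not part of the original post. It reuses the post's paths and DISM commands, discards the mount if any step fails, and prints the SHA-256 of the injected file so the image can be traced back to the cert taken from the OEM DVD. The C:\winpe\OEM.xrm-ms location for the saved cert and the Invoke-Dism helper are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: Method 1 steps 1-4 in one run. Needs PowerShell 4+ for Get-FileHash.
$ErrorActionPreference = 'Stop'

$Wim        = 'C:\winpe\win7pro.wim'   # exported image from the Extract/Prep section
$MountDir   = 'C:\winpe\win7pro'       # must exist and be empty
$CertSource = 'C:\winpe\OEM.xrm-ms'    # assumed: where the cert from the OEM DVD was saved

# Hypothetical helper: run dism.exe and turn a non-zero exit code into an error.
function Invoke-Dism {
    param([string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Stop before touching the image if the cert is missing or is not well-formed XML
# (.xrm-ms files are XML, so a truncated or mislabeled file fails the cast).
if (-not (Test-Path -LiteralPath $CertSource -PathType Leaf)) { throw "Cert not found: $CertSource" }
[void][xml](Get-Content -LiteralPath $CertSource -Raw)

# Step 1: the mount directory must exist and be empty.
if (-not (Test-Path -LiteralPath $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
if (Get-ChildItem -LiteralPath $MountDir -Force) { throw "$MountDir is not empty" }
Invoke-Dism '/mount-image', "/imagefile:$Wim", '/index:1', "/mountdir:$MountDir"

$commit = $false
try {
    # Steps 2 and 3: create Windows\System32\OEM inside the mount and copy the cert in.
    $oemDir = Join-Path $MountDir 'Windows\System32\OEM'
    $target = Join-Path $oemDir 'OEM.xrm-ms'
    New-Item -ItemType Directory -Path $oemDir -Force | Out-Null
    Copy-Item -LiteralPath $CertSource -Destination $target -Force

    # Confirm the file inside the image is byte-identical to the source copy.
    $src = (Get-FileHash -LiteralPath $CertSource -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch: source $src, image $dst" }
    Write-Host "Injected OEM.xrm-ms, SHA256 $dst"
    $commit = $true
}
finally {
    # Step 4: commit on success, discard on failure, so the wim is never left mounted.
    $mode = if ($commit) { '/commit' } else { '/discard' }
    Invoke-Dism '/unmount-image', "/mountdir:$MountDir", $mode
}
```
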

Method 2:
This method uses MDT to inject the cert during LiteTouch deployment. If you aren’t familiar with the $OEM$ folder structure, you should read up on it here. Basically, anything in the $OEM$\$$ folder gets copied to the C:\Windows folder during installation. MDT had the capability of doing this until Microsoft removed it in MDT 2012 Update 1. Luckily someone wrote a script that adds this functionality back. 
  1. First, download the CopyOEM.wsf script from this blog post and read up on how to add the script to your task sequence. 

  2. Open your MDT’s DeploymentShare and open the $OEM$ folder. Inside create a new folder called System32. Open that folder and create another folder called OEM. 

  3. Copy and paste the cert you obtained earlier into this folder. When all is said and done your cert should be under the \\server\DeploymentShare$\$OEM$\system32\oem folder. 

  4. Now import the above extracted win7pro.wim file into MDT and create your task sequence. During the task sequence creation, use the SLP key you captured earlier. Be sure to use the last option that says “Specify the product key for this operating system.” Not the MAK or KMS options.

  5. Once the task sequence is created, enable the Windows Update steps. (Pre & Post) Also be sure to add in the step to copy the $OEM$ folder to the destination as described in the blog post linked in step 1. 

  6. Now deploy the image to your reference computer. (I recommend a VM) During the deployment wizard, be sure to tell LiteTouch to capture an image when it’s finished. Walk away for 4 hours and let Windows apply 300 updates and restart half a dozen times. 

  7. Once the fully updated Windows 7 Pro image has been captured, simply import that wim into MDT and use that to deploy your workstations. The new image will be fully updated and will automatically activate as long as you use that same SLP key.
 
Conclusion:
You’ll be happy to know (or you might already know) that Windows 8 eliminates this whole mess. Everything is now stored in the UEFI/BIOS and Windows 8 by default will activate automatically if this data is detected. 
 
I also want to mention that in the future when you want to re-update your Windows 7 image to pull in new updates, be sure to do it using the original win7pro.wim file and not the captured wim file. If you don’t, you may run into the Windows 7 sysprep limit.
