FOG Client / FOS report bios product key to database (Host) Activate through BIOS key (Deployment)
-
@x23piracy I am still not sure if I get this right. Should we also extract the key from the registry if we don’t find it in the firrmware table? What if we find both, what if they don’t match (is this possible)??
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@sebastian-roth said in FOG Client report Windows key to FOG WebIf (Host definition):
@x23piracy I am still not sure if I get this right. Should we also extract the key from the registry if we don’t find it in the firrmware table? What if we find both, what if they don’t match (is this possible)??
- If we find both, we take the one from bios, if only registry found we take this.
- They will never match a windows 10 pro bios activated computer always has the following generic key in it’s registry:
VK7JG-NPHTM-C97JM-9MPGT-3V66T
since i know that u are german: https://www.deskmodder.de/wiki/index.php/Seriennummern_Key_generischer_Schlüssel_Windows_10
Additional to the feature request itself, it would be a really cool if we could embed the activation with what i am doing with my setkey.exe snapin into fog, so under host definition could be a checkbox near the windows key labeled “activate with bios key”. That could be checked by default, so if i deploy a new computer fog will automatically activate with the bios key and the fog client will report the specific bios key back to fogs host definition and if there would be a report the pakage would be complete.
For the client interval how often to check the key i would recommend to only do it on first client checkin, we just need to check this once, the key will never be changed. so if we once collected a key from a specific host we can stop crawling the key for it. Maybe it could be useful to have a function to say he try to recrawl the key for that client without resetting this for all.
Maybe we also need a global option for the fog client: “Report Client Windows Key” @tom-elliott
As i can see we still have a product key report
Regards X23
-
Hi,
i’ve got a ps cmd line that offers the bios key in one single line.
Powershell
(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey
Commandline
powershell -Command (Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKeyActivation in one line with powershell:
slmgr /ipk (Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey ; slmgr /atoreturning messages should be send to nirvana
-
@x23piracy I’ve been lurking on this thread. Isn’t the goal here to be able to read the key from bios using linux? (BTW, your PS code is pretty sweet!! Nice job)
I think I found something–>
To get it, you need to read the contents of the /sys/firmware/acpi/tables/MSDM file.
Here’s an example:
riking@hp-laptop:~$ sudo xxd /sys/firmware/acpi/tables/MSDM 0000000: 4d53 444d 5500 0000 0313 4850 514f 454d MSDMU.....HPQOEM 0000010: 534c 4943 2d4d 5043 0100 0000 4850 2020 SLIC-MPC....HP 0000020: 0000 0400 0100 0000 0000 0000 0100 0000 ................ 0000030: 0000 0000 1d00 0000 4639 XXXX XXXX XXXX ........F98**-** 0000040: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX ***-*****-*****- 0000050: XXXX XXXX XX ****T*** are the contents of the license key, in ASCII text.
<–ref: Accepted post here https://superuser.com/questions/637971/how-do-i-get-out-my-embedded-windows-8-key-from-a-linux-environment
-
@george1421 And then the post after the accepted one here: https://askubuntu.com/questions/233181/retrieve-windows-8-product-key-from-mainboard
sudo tail -c+57 /sys/firmware/acpi/tables/MSDM -
@x23piracy @george1421 I was just about to create an issue on github (which I use to keep track of things I work on with the fog-client) for this request as I had the impression that it’s worth and doable. But Georg’s post now suggests that it can be done from Linux, so on the capture/deploy process in FOS. Now I am wondering which way to go. Please keep discussing this here till we decide how and where to add this (fog-client, FOS, …?).
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@sebastian-roth @george1421 if you are able to inject the key like slmgr is doing that with (/ipk and /ato) on a running windows system why not doing it in the moment of deployment under FOS.
I like the idea, but how can you inject it?If we have this feature in the client we have to think howto implement without polling this information again and again, we need it only once so i think the FOS method would be the best if you can do it.
Here is the slmgr.vbs: https://pastebin.com/a2yP1MfD
I’ve taken it from a Windows 10 Pro 1703 System.Install Product Key:
Private Sub InstallProductKey(strProductKey) Dim objService, objProduct Dim lRet, strDescription, strOutput, strVersion Dim iIsPrimaryWindowsSku, bIsKMS bIsKMS = False On Error Resume Next set objService = GetServiceObject("Version") strVersion = objService.Version objService.InstallProductKey(strProductKey) QuitIfError() ' Installing a product key could change Windows licensing state. ' Since the service determines if it can shut down and when is the next start time ' based on the licensing state we should reconsume the licenses here. objService.RefreshLicenseStatus() For Each objProduct in GetProductCollection(ProductIsPrimarySkuSelectClause, PartialProductKeyNonNullWhereClause) strDescription = objProduct.Description iIsPrimaryWindowsSku = GetIsPrimaryWindowsSKU(objProduct) If (iIsPrimaryWindowsSku = 2) Then OutputIndeterminateOperationWarning(objProduct) End If If IsKmsServer(strDescription) Then bIsKMS = True Exit For End If Next If (bIsKMS = True) Then ' Set the KMS version in the registry (64 and 32 bit versions) lRet = SetRegistryStr(HKEY_LOCAL_MACHINE, SLKeyPath, "KeyManagementServiceVersion", strVersion) If (lRet <> 0) Then QuitWithError lRet End If If ExistsRegistryKey(HKEY_LOCAL_MACHINE, SLKeyPath32) Then lRet = SetRegistryStr(HKEY_LOCAL_MACHINE, SLKeyPath32, "KeyManagementServiceVersion", strVersion) If (lRet <> 0) Then QuitWithError lRet End If End If Else ' Clear the KMS version in the registry (64 and 32 bit versions) lRet = DeleteRegistryValue(HKEY_LOCAL_MACHINE, SLKeyPath, "KeyManagementServiceVersion") If (lRet <> 0 And lRet <> 2 And lRet <> 5) Then QuitWithError lRet End If lRet = DeleteRegistryValue(HKEY_LOCAL_MACHINE, SLKeyPath32, "KeyManagementServiceVersion") If (lRet <> 0 And lRet <> 2 And lRet <> 5) Then QuitWithError lRet End If End If strOutput = Replace(GetResource("L_MsgInstalledPKey"), "%PKEY%", strProductKey) LineOut strOutput End SubActivate:
Private Sub ActivateProduct(strActivationID) Dim objService, objProduct Dim iIsPrimaryWindowsSku, bFoundAtLeastOneKey Dim strOutput Dim bCheckProductForCommand strActivationID = LCase(strActivationID) bFoundAtLeastOneKey = False set objService = GetServiceObject("Version") For Each objProduct in GetProductCollection(ProductIsPrimarySkuSelectClause & ", LicenseStatus, VLActivationTypeEnabled", PartialProductKeyNonNullWhereClause) bCheckProductForCommand = CheckProductForCommand(objProduct, strActivationID) If (bCheckProductForCommand) Then iIsPrimaryWindowsSku = GetIsPrimaryWindowsSKU(objProduct) If (strActivationID = "") And (iIsPrimaryWindowsSku = 2) Then OutputIndeterminateOperationWarning(objProduct) End If ' ' This routine does not perform token-based activation. ' If configured for TA, then show message to user. ' If (objProduct.VLActivationTypeEnabled = 3) Then LineOut GetResource("L_MsgTokenBasedActivationMustBeDone") Exit Sub End If strOutput = Replace(GetResource("L_MsgActivating"), "%PRODUCTNAME%", objProduct.Name) strOutput = Replace(strOutput, "%PRODUCTID%", objProduct.ID) LineOut strOutput On Error Resume Next ' ' Avoid using a MAK activation count up unless needed ' If (Not(IsMAK(objProduct.Description)) Or (objProduct.LicenseStatus <> 1)) Then objProduct.Activate() QuitIfError() objService.RefreshLicenseStatus() objProduct.refresh_ End If DisplayActivatedStatus objProduct bFoundAtLeastOneKey = True If (strActivationID <> "") Or (iIsPrimaryWindowsSku = 1) Then Exit Sub End If End If Next If (bFoundAtLeastOneKey = True) Then Exit Sub End If LineOut GetResource("L_MsgErrorProductNotFound") End SubBut remember we should not force to use a bios key if available maybe we have cases where people use Volume License (KMS Server) while they having computers with BIOS key inside (ok would be stupid) but i am sure this case is existing. So we need a switch or something in the host definition to turn on/off activation with bios key.
But what if we have a allready installed system that wasn’t deployed by FOG, i really like to gain such keys after the installation of the fog client. Maybe we need both FOS’s ability to inject and detect a key and the same with the fog client for existing computers that naver had contact with FOG but going to have FOG Client installed on it.
Challenge accepted?
EDIT:
I have the feeling we need to write to the windows registry under FOS if we would like to inject the Windows Product Key:
http://www.dagondesign.com/articles/windows-xp-product-key-recovery/
http://geekswithblogs.net/willemf/archive/2006/05/31/80203.aspxI am not sure but maybe we don’t need (slmgr /ato), windows should activate automatically by itself.
The more i think about i came to conclusion that the mechanism of reading and injecting the key should done by the fog client, while the system is running.
What do you think guys?
Regards X23
-
Well we have to remember or be sure to create an isolation between FOS and the target OS. For windows activation that needs to be done inside windows. Either through the unattend.xml file or slmgr or fog client.
What would be interesting is if / when FOS takes an inventory of the target computer it could also read the bios key and store it in a field. Maybe not the activation key field but a bios key field. Then at some time that bios key may be copied to the activation key field and let the fog client do its thing. OR within the FOS post install scripts to be able to have access to that information (via the gethost.php script) so the post install script can use it to update the unattend.xml or patch a setupcomplete.cmd line that runs the slmgr command. But the idea is that if we collect this during inventory then I don’t see any other bits of fog needing to be changed other than adding a field to the inventory table, making that new field visible in the webgui and changing the inventory script to collect the key.
I can’t say for sure that the stuff that I found works. My Linux Mint laptop is built for Win7 so there is no key to be found when I inspect the MSDM table.
-
@george1421 said in FOG Client report Windows key to FOG WebIf (Host definition) Activate through BIOS key (Deployment):
Well we have to remember or be sure to create an isolation between FOS and the target OS. For windows activation that needs to be done inside windows. Either through the unattend.xml file or slmgr or fog client.
FOG Client should trigger slmgr with the apropriate key from the database.
What would be interesting is if / when FOS takes an inventory of the target computer it could also read the bios key and store it in a field.
Yes, i think thats the way to go but what if someone uses FOG in an already deployed but growing environment. Typically FOG Client would be mass installed, is the FOG Client reporting the same inventory stuff like the inventory been done by the boot menu? If not FOG Client also should have the ability to read the key from bios and report it.
Maybe not the activation key field but a bios key field. Then at some time that bios key may be copied to the activation key field and let the fog client do its thing. OR within the FOS post install scripts to be able to have access to that information (via the gethost.php script) so the post install script can use it to update the unattend.xml or patch a setupcomplete.cmd line that runs the slmgr command. But the idea is that if we collect this during inventory then I don’t see any other bits of fog needing to be changed other than adding a field to the inventory table, making that new field visible in the webgui and changing the inventory script to collect the key.
Why not keeping it simple? Would it not be enough if the fog client checks if the client has it’s key and if not just trigger slmgr with the information we have in the db?
I can’t say for sure that the stuff that I found works. My Linux Mint laptop is built for Win7 so there is no key to be found when I inspect the MSDM table.
I tried this with my work pc over the ubuntu bash windows 10 offers, there are the acpi tables missing but i think that have to be done in a native running linux not in an emulated one.
@george1421 can i try your usb FOS Image, maybe boot from the stick and try if i can get the serial from bios?
Lets say that works can’t we start with sending that key to fogs database for the current product key field? If this has been done we are good to go because currently fog client can activate a deployed system by an entered key in that host definition field.
I have a notebook with windows 10 key in bios beside me where i can try it this evening.
-
@x23piracy said in FOG Client report Windows key to FOG WebIf (Host definition) Activate through BIOS key (Deployment):
Yes, i think thats the way to go but what if someone uses FOG in an already deployed but growing environment. Typically FOG Client would be mass installed, is the FOG Client reporting the same inventory stuff like the inventory been done by the boot menu? If not FOG Client also should have the ability to read the key from bios and report it.
I agree, but that is where your handy code comes into use. That can be integrated into the {next} fog client to update the bios key field if the developers see value in it.
can i try your usb FOS Image, maybe boot from the stick and try if i can get the serial from bios?
Yes that should work well. I forgot about that method of booting. There is a debug mode built into that usb stick. So it is pretty easy.
Lets say that works can’t we start with sending that key to fogs database for the current product key field? If this has been done we are good to go because currently fog client can activate a deployed system by an entered key in that host definition field.
The risk here is replacing a MAK or KMS key with the bios value may not be what all users consider useful. That is why I picked a new field, so it is stored. Then a crafty IT admin could write a simple mysql command to copy it over if its blank. I’m not seeing this as a widely used feature. But a useful one if you need it.
-
Yes it works,
i just created a FOS USB Stick, thank you @george1421 and booted it with a notebook that has a product key in it’s bios into kernel debug mode (i need shell).
Then i entered the following command:
tail -c+57 /sys/firmware/acpi/tables/MSDMWhat i got was, surprise a product key:
To be sure that this is really our product key i also used the command i found and a key tool to crosscheck the key.
And yes it’s correct:
What we need now is the following @Sebastian-Roth:
- FOS ability to read and report bios product key to the host product key field in db (expand the inventory script with the command above to read the key and report it like any other inventory item)
- FOG Clients ability to also report product key (if not already done) for the case if the fog client has been mass deployed in existing environment where maybe not all host will be booted and inventoried by the FOG Boot Menu.
Afaik this should be all we need because if i fill the product key field of a host today with a product key and deploy a windows system, fog client will set this key into the system. So everything is prepared except the feature that we can read key from the bios and report them to the db.
Who is responsible from the dev team for the FOS?
Regarding to @george1421 post before, another solution could be a second product key field, one is for the manual known input, and another for determined bios product keys, now for each host there could be a switch in the options where we can decide which product key field to use?
Am i wrong?
Regards X23
-
The more I think about it, the less I’m inclined to say this is a needed feature. While its technically possible to add this to fog. I don’t see the value in having the devs spend their time to read out and store the bios activation key. That key is only of value to activate OEM images. The only way the OEM image can be deployed is via the original media is was delivered on. With OEM media you are not allowed to install, alter, capture and redeploy an OEM install. It may be only installed from the original OEM media. That process is not the intent of FOG Project.
For FOG Deployment, when you are deploying Windows OS, you must use a Volume License key. These can either be MAK or KMS keys. You can pick up a single VLK license per OS you need to distribute . That is just one license per OS, you pay the same price for the VLK for 10 systems or 100 systems. The only caveat is to buy into the open program you need 5 MS points, the VLK license counts as one. What some people have done is purchased the 1 VLK licenses and 4 network CAL licenses to reach the 5 count.
When I get onto my other computer I’ll post a link to a post on Spiceworks that talks about what you can and can’t do (legally) with imaging MS products.
[update]: Here is the link I mentioned above https://community.spiceworks.com/how_to/124056-reimaging-rights-for-windows-10-licensing-how-toSo I think if I had a vote, I would rather have the devs work on this unable to read inode from library issue than spend time adding a feature to FOG that only a limited number of people might use.
-
for me it’s hard to follow that position. But i have to respect it. -
Hi,
can i have some clues where is the right point to try to embed the command while doing an inventory? which file in the filesystem is doing all the commands while doing inventorisation?
If the team isn’t willing to integrate, i will do it on my own.
Regards X23
-
@Sebastian-Roth @george1421 please have a look in here: http://www.aidanfinn.com/?p=14534
Legally Deploying Images Windows To OEM Licensed PCs, what i am doing here is legal if the appropriate vl has been purchased. -
@x23piracy said in FOG Client / FOS report bios product key to database (Host) Activate through BIOS key (Deployment):
what i am doing here is legal if the appropriate vl has been purchased
While this post is 4 years old, this is EXACTLY what I’ve been saying.
My previous post:
For FOG Deployment, when you are deploying Windows OS, you must use a Volume License key. These can either be MAK or KMS keys. You can pick up a single VLK license per OS you need to distribute . That is just one license per OS, you pay the same price for the VLK for 10 systems or 100 systems. The only caveat is to buy into the open program you need 5 MS points, the VLK license counts as one. What some people have done is purchased the 1 VLK licenses and 4 network CAL licenses to reach the 5 count.
From the article:
- The OEM and the VL license must be the same edition, e.g. you cannot deploy a Pro VL image to Home OEM licensed PCs using this licensing technique.
- You must ensure that the versions are matched, e.g. the OEM license entitles you to Windows 7 (including downgrades) if deploying Windows 7 images. For example, you can’t deploy a Windows 7 VL image to a PC with a Windows Vista OEM sticker/license using this licensing technique.
What if you company does not have a VL agreement? You need to 5 products to start one. You can buy a single copy of Windows (to get the ISO download and MAK/KMS keys) and 4 cheap dummy CALs – now you have a VL at minimum cost, and you can re-image your OEM-licensed PCs with an image made from your VL media.
You may deploy OEM media, as long as you have purchased a VLK key for that media. But then again once you have a VLK key you have access to download the volume media too. I have not tested it, but I assume a VLK key will activate an OEM image.
But again, if you purchased the VLK key and have it, there is no need to query the firmware for the bios OEM key. That key WILL NOT activate volume licensed media.
Understand I’m not saying no to this feature, I’m just not seeing the value in it. If you know what needs to be done, by all means fork the fog project make your changes and then submit the changes back to the project. That is one way to get your needed features back into the base code.
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
-
I don’t think storing the Product Key’s is going against any legal issues here. You own the machines, and therefore own the keys for those machines. Storing them however you’d like is totally within your legal rights.
I’ve given a partial implementation of this feature already now. It does not store the product keys to the host in question by default though. This way you can still define how you’d like it. It only works for “quick registration” too.
The only “ramification” I can think this could cause is using the key may supersede your using a VLK as the product key field is meant to be a way for the client to “activate” the hosts in question as well.
-
@george1421 I don’t think it matters, one way or the other. If the admins want to use the individual keys that ship with the systems, or if they want to use the VLK, I don’t see the harm. Automating it, I suppose, would actually be a good thing, as trying to keep track of Keys can become cumbersome, though with VLK it does make it easier.
-
Hi,
just some seconds ago i could test it and it is working.
To enable this you have to switch to working branch and enable key reading in the fog options:
When i run a quick reg with a host that has a productkey in bios i get this:
Thank you Tom for this really fast realization of the feature.
Regards X23
-
OK after reading over all this. This is very illegal. You aren’t supposed to be pulling the OEM key out of the bios / firmware in the first place. Can you? Yes. Should you? No.
If you were to get audited and they saw the FOG system was doing this you could get in very deep trouble.
The real issue I see here is why. The reason I say this is the following. If you are sysprepping image with the OEM ISO and pushing that to each machine they will activate on their own without intervention you just have to set the rearm.
I would personally steer clear of this as I can see M$ taking a stand on this and would hate for them to even look at FOG for that reason. Seems to be a disconnect in how your image is made that they are not auto activating.
Personally I don’t like the rule of not imaging OEM machines. You bought them and they are all the same, they got their money you should be aloud to. It seems arbitrary that you have to load by hand…
