Hello World,
In our previous posts, we have been discussing the ESU (Extended Security Updates) program that can help organizations still running legacy operating system like Windows 7 and Windows 2008/R2 to obtain paid critical security hotfixes. To benefit from the program, you will need to deploy mandatory updates, install VAMT Tool, Deploy and Activate the ESU MAK keys and you would then be good to go to receive (when released by Microsoft) these newly critical patches. We have been explaining in quite details the ESU program deployment process in the following posts.
- ESU for Windows 7 and Windows 2008/R2 – Part I – Prepare the Infra
- ESU for Windows 7 and Windows 2008/R2 – Part II – Installing VAMT
- ESU for Windows 7 and Windows 2008/R2 – Part III – Finalizing VAMT
- ESU for Windows 7 and Windows 2008/R2 – Part IV – Patching VAMT 3.1
- ESU for Windows 7 and Windows 2008/R2 – Part V – Discover Products
- ESU for Windows 7 and Windows 2008/R2 – Part VI – Add,Deploy & Activate Product Keys
We thought that we had covered most of the topic through these posts. However, a lot of customers and organizations came back to us with a rather valid question about VDI infrastructure. How do we manage VDI infrastructure based on Windows 7 operating system ? Microsoft does not really seems to provide a formal and definitive answer about this specific scenario
So, let’s have a look at the concern and possible workaround that can be used when deploying ESU MAK Key in a VDI Scenario…..
Problem Explained
There are actually two problems that have been mentioned when using ESU MAK key in conjunction with VDI infrastructure (non-persistent desktop). These problems are
- Activation process and support
- License depletion in VDI Infrastructure
Let’s have a quick look at these issues
MAK Activation not supported in VDI Infrastructure
In a VDI infrastructure, a master image (containing all th latest windows updates) is created and every new VDI instance created by the system is using this master image to create the needed virtual machines through your network. When a new update is released by Microsoft, the master image is updated and sealed back so it can be deployed through the VDI infrastructure ensuring that all VDI instances are all up to dated.
Usually, the master image contains the KMS keys and is configured to perform the activation process against the KMS server available on the network. This approach ensure that all VDI instances get activated against the KMS server. However,when integrating the ESU program, the ESU Keys delivered by Microsoft are MAK based. This is where problems start to popup ! VDI vendors are only supporting KMS Activation and no MAK activation (check out this vmware doc link).
To benefit from ESU program, you need to install and activate MAK keys but your VDI vendor is telling you that you have to use KMS activation…So, how do you integrate ESU program and VDI infrastructure ? Keep reading, we will offer a possible workaround !
MAK Keys Licenses Depletion
The other problem that has been raised by customers is about licensing consumption in a VDI scenario. In a non-persitent VDI infrastructure; the VDI instances are created and deleted as needed by the VDI platform. This means that each time a new VDI Instance is generated, the activation process is triggered. Imagine that you have included the ESU MAK key in your master image and that is kind of working with your VDI Infrastructure (i.e. MAK Key activation). In such situation, each time that a VDI instance is created, a new MAK is consumed. At the end, you will have be issuing all your MAK Keys to non-persistent VDI machines and when you really need to get and obtain the ESU critical patch, you are out of valid licenses….
Possible Workaround
We have seen that using the ESU MAK Keys in a VDI infrastructure can be challenging and can basically cost you more money if you do not use the appropriate method for using and activate your systems with the ESU MAK Key. Funny enough, it’s seems that Microsoft has not really thought about these possible issues as no really/official procedure has been published (yet?) about ESU and VDI Infrastructure.
Initially, some customers thought that the ESU MAK Key was an addon to the KMS key, it would not be a problem activating the ESU MAK on the master image…However, as described above, side effect was depletion of available license key…. So, how to you integrate ESU MAK Keys and VDI infrastructure ? You have to adapt slightly your master image creation process…..You would need to perform the following actions
- Step 1 – Go on your master image and make it ready for changes
- Step 2 – Activate the master image using the ESU MAK Key you have received
- Step 3 – Download any new ESU Critical patches that might have been made available by Microsoft
- Step 4 – Remove the ESU MAK Key from your Master image (using this command slmgr.vbs -upk <Activation Id>)
- Step 5 – Seal your up to date master image
- Step 6 – Deploy it through your VDI
Because there is no ESU MAK key in the master image, you have overcome both problems mentioned above. You will still be using KMS Activation and there will be no depletion of your ESU MAK Key licenses. Most important, your VDI instances will be running with all the latest windows updates including the extra one you paid for when you enrolled the ESU Program….
Final Notes
In a VDI Infrastructure, some people have been asking also if it would make sense to deploy a VAMT server in order to activate a handful of master image (between 1 and 5 based on our experience). It might seems a lot of effort for only a few machines. If your master image can have direct internet connection, you might want to manually perform the installation and activation actions. You would need to perform the following actions
To install the ESU MAK Key, you will need issue the following command in command prompt
slmgr /ipk <ESU-MAK-KEY>
To activate the system where the MAK Key has been installed, you have to issue the following command
slmgr /ato <activation ID>
Year 1 | 77db037b-95c3-48d7-a3ab-a9c6d41093e0 |
Year 2 | 0e00c25d-8795-4fb7-9572-3803d91b6880 |
Year 3 | 4220f546-f522-46df-8202-4d07afd26454 |
slmgr /upk <activation ID>
slmgr /atp >ConfirmationID> <activation ID>