Tuesday, March 5, 2019

Azure KMS Server

You might find yourself in a situation where you want all your computers to activate using Active Directory based activation, except for your Azure VMs, which should use the Azure KMS server.

By default, when Active Directory based activation is enabled all computers on your domain will use Active Directory based activation.

By using the command cscript c:\Windows\system32\slmgr.vbs /dlv we can see that this host has been activated by AD activation:

The /dlv option displays detailed license information; the /dli option displays the basic license information, which is what the discovery script further down inspects.

But we can change the default behavior on our Azure VMs.

Azure public cloud should use the following KMS server: kms.core.windows.net:1688

One way to do this is by using SCCM Compliance Settings.

First, we need a Collection in SCCM to hold all Azure computers. This can be done in a lot of ways, but let's use an easy one: select all computers whose Virtual Machine Type equals Azure.

The Azure virtual machine type corresponds to the value 2 when you select the criterion on the collection.

And finally the full query used:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.VirtualMachineType = 2

Now that we have all the Azure computers in the collection, we can create the compliance settings.

Create Configuration Item:

Name the Configuration Item:

Select the versions of Windows you want to support:

Select New to create new settings:

Name the setting, select Setting type Script, Data type Boolean and click on Add Script (Discovery script).

Make sure Windows PowerShell is selected and then enter the following script code:

# Discovery script: slmgr /dli lists the current license and, for a KMS client,
# the "Registered KMS machine name" line. -match returns the matching lines
# (an empty result is treated as False), so the script prints True only when
# the Azure KMS endpoint is the registered KMS host.
if ((cscript "$env:SystemRoot\system32\slmgr.vbs" -dli all) -match "Registered KMS machine name: kms.core.windows.net:1688") {
    Write-Host $True
}
else {
    Write-Host $False
}

The above script will return True if the computer has been activated with the Azure KMS server otherwise it will return False.
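A stricter version of the same discovery script, added here as an example and not part of the original post: it reports compliant only when the registered KMS name is the Azure endpoint and Windows also reports "License Status: Licensed", so a VM that has the KMS name set but never managed to activate (for example because TCP 1688 to the KMS host is blocked) is reported noncompliant and gets remediated. The function name Test-AzureKmsActivation and the sample lines are my own constructions; the line labels it matches are the ones slmgr /dli prints.

```powershell
# Azure public cloud KMS endpoint (from the post).
$ExpectedKms = 'kms.core.windows.net:1688'

function Test-AzureKmsActivation {
    param(
        # One slmgr /dli output line per element. Defaults to a live query;
        # //nologo drops the Windows Script Host banner so only license lines remain.
        [string[]] $LicenseInfo = (cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dli)
    )

    # Escape the host name so its dots match literally instead of acting as regex wildcards.
    $kmsPattern      = '^\s*Registered KMS machine name:\s*' + [regex]::Escape($ExpectedKms) + '\s*$'
    $licensedPattern = '^\s*License Status:\s*Licensed\s*$'

    # -match on an array yields the matching elements; an empty array casts to $false.
    $kmsIsAzure = [bool]($LicenseInfo -match $kmsPattern)
    $isLicensed = [bool]($LicenseInfo -match $licensedPattern)

    return ($kmsIsAzure -and $isLicensed)
}

# Constructed sample (abridged) of a VM whose KMS name is set but which is not licensed,
# e.g. because the activation request never reached the KMS host. Expected: False.
$sampleNotLicensed = @(
    'Name: Windows(R), ServerDatacenter edition',
    'License Status: Notification',
    'Registered KMS machine name: kms.core.windows.net:1688'
)
# Constructed sample of a VM that activated against the Azure KMS. Expected: True.
$sampleLicensed = @(
    'License Status: Licensed',
    '    Registered KMS machine name: kms.core.windows.net:1688'
)

# The SCCM discovery script output: only the Boolean the compliance rule compares with.
Write-Host (Test-AzureKmsActivation)
```

Because the rule is "Equals True", the Write-Host line must be the only thing the script prints; keep any diagnostics in comments or send them to Write-Verbose.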

Click on Add Script (Remediation script).

Again make sure Windows PowerShell is selected and then enter the following script code:

# Remediation script: point the KMS client at the Azure KMS host, set the
# activation type to KMS (2) so AD-based activation is no longer used, then activate.
cscript "$env:SystemRoot\system32\slmgr.vbs" /skms kms.core.windows.net:1688
cscript "$env:SystemRoot\system32\slmgr.vbs" /act-type 2
cscript "$env:SystemRoot\system32\slmgr.vbs" /ato

The options used are:

/skms <Name[:Port] | : port> [Activation ID]
     Set the name and/or the port for the KMS computer this machine will use. IPv6 address must be specified in the format [hostname]:port

/act-type [Activation-Type] [Activation ID]
     Set activation type to 1 (for AD) or 2 (for KMS) or 3 (for Token) or 0 (for all).

/ato [Activation ID]
     Activate Windows

The above script changes the KMS server used, sets the activation type to KMS (2) instead of Active Directory, and then activates Windows again against the new KMS server.

Click on the Compliance Rules tab and New:

Name the rule, set Rule type to Value, set "The setting must comply with the following rule" to Equals True, and select the option "Run the specified remediation script when this setting is noncompliant".

Click OK to confirm:

Press Summary:

Press Next and then Close:

The next step is to create a Configuration Baseline:

Name the baseline, select Add and then Configuration Items.

Select the Configuration Item just created and click Add.

Then click OK twice to confirm:

Deploy the Baseline just created:

Select "Remediate noncompliant rules when supported", the Azure collection we created, and a schedule of your choice.

We can force the evaluation on one computer to test our baseline:

The expected result is that the computer is now activated with the Azure KMS server:
