
Microsoft Volume License Key Encryption

Windows has a VLK encryption feature for unattended setups of Windows XP (SP1+) and Windows Server 2003 installations. This feature is applicable to customers with volume licensing agreements with Microsoft such as Microsoft Select, Microsoft Enterprise Agreement, and Microsoft Open License. Customers who place a VLK in an unattended setup file (unattend.txt) will be able to encrypt the VLK such that it will be time-limited (in increments of 5–60 days) and not visible as plain text. This feature provides customers deploying Windows XP and Windows Server 2003 with an additional layer of protection by obscuring the VLKs in unattended installations.

Scenario:
To protect SMS-based, RIS-based, or network file share-based installs of the volume licensing version of Windows XP for 30 days:

1. From the command prompt, run:
winnt32 /encrypt:"XXXXX-XXXXX-XXXXX-XXXXX-XXXXX:30" /unattend:path_to_destination_unattend_file [/Q]

2. The resultant hash value is written to the specified unattended file, overwriting any existing ProductKey or ProductID entries.
A message box displays whether the process succeeds or fails due to an error.
If the /Q switch is used, information about the success or failure is written to the file %Windir%\Winnt32.log.

3. The product key entry in the unattend.txt file is functional for 30 days after the date of encryption.

A script to re-encrypt the key regularly could be created to ensure that a new encrypted key is always available for the install. The Task Scheduler could also be used to schedule this task to be repeated automatically.

Note: I noticed sometimes that the encrypted VLK wasn't updated; clearing the old encrypted VLK from the unattended setup file solved this problem. I haven't seen any KB articles on this yet.

Update: There is a KB article describing this process: see http://support.microsoft.com/?kbid=328356
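
The re-encryption script suggested above, as an added example (not code from the original post or from Microsoft): it applies the workaround from the note by removing stale ProductKey/ProductID lines first, then confirms that an entry was written and that no key in plain 5x5 form remains. The function names, the constructed sample file and the choice of Python are assumptions; winnt32 is invoked only in the form shown in step 1.

```python
import re
import subprocess

# Plaintext keys have the 5x5 form shown on the page.
PLAINTEXT_KEY = re.compile(r"[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}", re.I)
# The two entries the page says winnt32 /encrypt overwrites.
KEY_ENTRY = re.compile(r"^\s*(ProductKey|ProductID)\s*=", re.I)

# Constructed sample file; the key is a placeholder, not a real VLK.
SAMPLE = ('[UserData]\r\nFullName="Deploy"\r\n'
          'ProductKey="AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"\r\n')

def strip_key_entries(text):
    """Remove stale ProductKey/ProductID lines (the workaround in the note)."""
    lines = text.splitlines(keepends=True)
    return "".join(l for l in lines if not KEY_ENTRY.match(l))

def plaintext_key_lines(text):
    """Return (line number, entry name) for entries still holding a 5x5 key."""
    return [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            if (m := KEY_ENTRY.match(line)) and PLAINTEXT_KEY.search(line)]

def encrypt_command(vlk, days, unattend_path):
    """Build the step 1 command line; /Q sends the result to Winnt32.log."""
    if not PLAINTEXT_KEY.fullmatch(vlk):
        raise ValueError("VLK is not in XXXXX-XXXXX-XXXXX-XXXXX-XXXXX form")
    if not 5 <= days <= 60:
        raise ValueError("validity must be 5-60 days")
    return f'winnt32 /encrypt:"{vlk}:{days}" /unattend:{unattend_path} /Q'

def refresh(vlk, days, unattend_path):
    """Clear old entries, re-encrypt, then confirm the post-condition."""
    with open(unattend_path, newline="") as f:
        cleaned = strip_key_entries(f.read())
    with open(unattend_path, "w", newline="") as f:
        f.write(cleaned)
    # Windows only: the string is passed to the process unchanged.
    subprocess.run(encrypt_command(vlk, days, unattend_path))
    with open(unattend_path, newline="") as f:
        text = f.read()
    has_entry = any(KEY_ENTRY.match(l) for l in text.splitlines())
    if not has_entry or plaintext_key_lines(text):
        raise RuntimeError(r"re-encryption failed; see %Windir%\Winnt32.log")
```

Call `refresh` from a scheduled task at an interval shorter than the validity period. Whatever supplies the plaintext VLK to the script should be readable only by the account the task runs under.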



  