Windows
01 Jan 2018
- Prevent Win10 1803 auto-restart
- Windows Embedded Standard 7
Prevent Win10 1803 auto-restart
- Run gpedit.msc as administrator;
- Computer Configuration - Administrative Templates - Windows Update
Configure Automatic Updates - Enabled
Choose '4 - Auto download and schedule the install'
- No auto-restart with logged on users for scheduled automatic updates installations - Enabled
Turn off SMB v1 and optionally v2 and/or v3. Then check by:
netstat -na | find "LISTENING" | find ":445 "
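Port 445 stays in the LISTENING state as long as any SMB dialect is served, so the netstat check alone does not show that SMB v1 is off. An added PowerShell example (not from the original page) that reports the per-dialect switches next to the port check; the function name Get-SmbAuditReport is made up for illustration:

```powershell
# Added example, not from the original page. Run in an elevated PowerShell.
function Get-SmbAuditReport {
    $report = @{}

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: server-side dialect switches.
        $cfg = Get-SmbServerConfiguration
        $report.ServerSMB1 = $cfg.EnableSMB1Protocol
        $report.ServerSMB2and3 = $cfg.EnableSMB2Protocol   # one switch covers v2 and v3
    }
    else {
        # Windows 7 / Server 2008 R2: registry values; a missing value means "enabled".
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $p = Get-ItemProperty -Path $key
        $report.ServerSMB1 = ($p.SMB1 -ne 0)
        $report.ServerSMB2and3 = ($p.SMB2 -ne 0)
    }

    # SMB v1 client driver: Start = 4 means disabled; no key means the driver is not installed.
    $drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $report.ClientSMB1 = ($null -ne $drv -and $drv.Start -ne 4)

    # Same check as the netstat line above (the state name is localized on non-English systems).
    $listen = netstat -na | Select-String -Pattern ':445\s+\S+\s+LISTENING'
    $report.Port445Listening = [bool]$listen

    New-Object psobject -Property $report
}

Get-SmbAuditReport | Format-List
```

ServerSMB1 and ClientSMB1 both False with Port445Listening True means the host still serves SMB v2/v3 only.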
- Anything related to Intel Management Engine (IME) or Active Management Technology (AMT) should be avoided.
- Turn off Windows Defender (scan disk) with gpedit.msc.
- Unlike Windows 8 onwards, the Windows 7 ISO lacks drivers (i.e. Ethernet, Wireless etc.). Upon installation, it probably cannot connect to the Internet.
Windows Embedded Standard 7
- Use a Template - Thin Client.
- Modify Drivers & Modify Features.
- Automatically detect devices.
- Untick 'Resolve optional dependencies'; otherwise the final OS footprint would be around 3.4G. Leave 'Resolve Dependencies' to the last step of package selection; otherwise it would pull in unnecessary leftovers.
- .Net Framework, tick everything. Miscellaneous applications depend on .NET framework.
- Application Support, untick 'MSMQ'.
- Boot Environments, 'Enhanced write filter boot Environment' to 'Windows Boot Environment'.
- Browsers, keep IE 8.
- Data Access and Storage, untick 'Windows Data Access Components - SQL'.
- Data Integrity, leave everything unticked.
- Devices and Printers, untick 'Printing Utilities and Management'.
- Diagnostics, leave 'Common Diagnostics Tools' and optionally 'User' ticked (Windows Task Manager).
- Embedded Enabling Features, untick everything and optionally tick 'Registry Filter' (for regedit).
- Fonts, tick 'Simplified Chinese Fonts'.
- Graphics and Multimedia, untick 'Windows Media Player 12'.
- International, leave everything unticked.
- Internet Information Service - IIS, leave everything unticked.
- Management, leave it alone but optionally untick 'Windows Update User Interface'.
- MediaCenter, leave everything unticked.
- Networking, untick everything and tick 'Network and Sharing Center', and optionally 'Wireless Networking'. With regard to 'Wireless Networking', VirtualBox does not support wireless adapters (it only simulates Ethernet), which means you cannot add or see a wireless adapter in Windows Device Manager. However, you can attach a USB Wi-Fi stick to the guest OS and connect directly to the Wi-Fi router.
- Remote Connections, untick 'Remote Desktop Connection'.
- Security, untick everything.
- System Services, leave it alone.
- User Interface, untick 'Help', 'Microsoft Speech API', and 'Accessibility'.
- Resolve Dependencies. Choose 'Unbranded Startup Screens', 'Windows Boot Environment', 'Standard Windows USB Stack' and 'Windows Explorer Shell' (a MUST). Some previously unticked features might be ticked again as dependencies of other features.
Add more features
Suppose you have unticked a feature (i.e. IE 8) and want to add it back after installation. Do the following:
- Find the feature package cabinet file from ISO, like DS/Packages/FeaturePack/x86~winemb-ie-explorer~~~~6.1.7600.16385~1.0/WinEmb-IE-Explorer.cab.
- Use the Pkgmgr or DISM command line to install the cabinet file. DISM is far more powerful than you might think. For example, you can use it to check a cabinet file's information.
rem Do it in an elevated command prompt.
DISM /?
Pkgmgr /?
DISM /Online /Add-Package /PackagePath:"C:\Users\Brink\Desktop\WinEmb-IE-Explorer.cab"
Pkgmgr /ip /m:C:\Users\Brink\Desktop\WinEmb-IE-Explorer.cab
rem restart system as requested
Windows XP Professional VOL SP3 x86
Windows Embedded 7 Standard x86
XGY72-BRBBT-FF8MH-2GG8H-W7KCW MPMVY-PP762-WWVBC-83RXJ-2H7RH GJVTR-C4WQ6-BKRH3-DRFFH-J83DM
Key Management Server (KMS)
KMS activation is not permanent.
A Microsoft Key Management Server (KMS) is a legitimate service offered under Microsoft Volume Activation 2.0 solution which is used to activate volume licensed Microsoft products. It works with minimal administration intervention and allows automated activation of Microsoft products (i.e. Windows OS, Office, Visio etc.).
With the KMS activation method, the client (a Microsoft product) contacts the verification server periodically to renew its license. Each activation holds the license for 180 days. I will not go into details on the KMS mechanism.
Here, I will set up a self-hosted KMS server :) based on FOSS reverse-engineered code. Before that, please review a few notes on KMS:
KMS activates only Volume (VOL) licensing Microsoft products.
'Windows Enterprise' is certainly VOL licensed, while 'Windows Professional' uses either a VOL license or a retail license. Office versions downloaded from Microsoft MSDN and/or Technet are non-VOL. It's recommended to download VOL licensing editions from itellyou.cn.
MAK activation method (one key forever) makes life easier on the premise that you succeed in finding a MAK key.
Where to put the KMS server side?
Intuitively, we can deploy it on the Windows system to be activated. However, a local server may be compromised by Windows updates or anti-virus software. Beginning with Windows 8.1, the KMS server must be a different computer than the client. You cannot use vlmcsd on the same computer where you want to activate a product. If you have only one computer, you can run vlmcsd in a virtual machine. It's better to put the server side on an always-on device like a VPS.
Among others, vlmcsd in C and py-kms in Python2 are the most popular KMS emulators. They can run on almost any platform, like Windows, Cygwin, Linux, Android, OpenWrt, Unix, BSD etc. Here, I choose vlmcsd on CentOS 7 as an example.
To set up KMS emulator on Windows system, you'd better use py-kms.
Firstly, build binaries from source.
root@tux / # cd /opt/
root@tux opt # git clone --depth=1 https://github.com/Wind4/vlmcsd.git
root@tux opt # cd vlmcsd
root@tux opt # man man/vlmcsd.7
root@tux opt # make
root@tux opt # chown -R nobody: /opt/vlmcsd
root@tux opt # cd bin
root@tux opt # ./vlmcsd -h
root@tux opt # ./vlmcs -h
The author also provides pre-compiled binaries on the GitHub release page.
Launch KMS server
root@tux / # /opt/vlmcsd/bin/vlmcsd -g nobody -u nobody -o2 -L127.0.0.1:1688 -m1 -t5 -d -lsyslog -v -De
root@tux / # /opt/vlmcsd/bin/vlmcsd -i /opt/vlmcsd/etc/vlmcsd.ini
root@tux / # journalctl -xft vlmcsd
The -D and -e options (-De above) are useful for terminal debugging.
We can load a configuration file with the -i option and run vlmcsd in the background, so that we can send the "HUP" signal to the vlmcsd process without restarting it.
# man man/vlmcsd.ini.5
User = nobody
Group = nobody
PublicIPProtectionLevel = 2
Listen = 127.0.0.1:1688
MaxWorkers = 1
ConnectionTimeout = 5
DisconnectClientsImmediately = TRUE
LogFile = syslog
LogVerbose = TRUE
Command line options take precedence over the respective configuration line in the .ini file. For example, -k (do not disconnect clients) on the command line overrides 'DisconnectClientsImmediately = TRUE'.
For the configuration options, please check etc/vlmcsd.ini.
Make sure the relevant port is accessible from outside.
Test KMS server locally
user@tux ~ # journalctl -xft vlmcsd
user@tux ~ # /opt/vlmcsd/bin/vlmcs 127.0.0.1:1688 -v -e # print examples
user@tux ~ # /opt/vlmcsd/bin/vlmcs -v -x # print supported Windows and Office versions
user@tux ~ # /opt/vlmcsd/bin/vlmcs -v -l 35 # activate Windows 7 Enterprise
- vlmcs tests against a KMS server that can be a vlmcsd emulator or a real Microsoft KMS.
- A Microsoft KMS sends correct activation messages only if it detects a certain minimum of clients (25 for Windows client OSes, 5 otherwise) on the network. This is Microsoft's futile attempt to prevent running a KMS server in a home environment. Use the -n argument to charge a KMS server. The vlmcsd emulator is always fully charged, so I set MaxWorkers to 1. If -n is larger than 1, vlmcsd will report an RPC error.
- The above vlmcs client runs in the same host as vlmcsd. Repeat the test from your PC to see what happens.
Systemd unit (/etc/systemd/system/vlmcsd.service)
[Unit]
Description=KMS emulator
After=network.target

[Service]
Type=forking
PermissionsStartOnly=true
User=nobody
Group=nobody
LimitNOFILE=4096
ExecStart=/opt/vlmcsd/bin/vlmcsd -i /opt/vlmcsd/etc/vlmcsd.ini

[Install]
WantedBy=multi-user.target
There is no point in leaving this service always online as long as you remember to activate the product every 180 days.
KMS recognizes the product type by its Generic Volume License Key (GVLK). If you accidentally skipped the GVLK during installation or entered some other key (i.e. an invalid MAK key) afterwards, please restore the Windows GVLKs (a.k.a. KMS Client Setup Keys) or Office GVLKs. Open an elevated command prompt on the client Windows:
slmgr
slmgr /ipk <GVLK>
cd C:\Program Files\Microsoft Office\Office16
cscript ospp.vbs
cscript ospp.vbs /inpkey:<GVLK>
Choose an appropriate GVLK according to the reference links above. Do not fill in the GVLK in the product itself. Always use the command line!
slmgr is for the Windows OS and usually resides in the system32 directory. ospp.vbs is for Office 2010/2013/2016. To use it, we should first change the current directory to Office's installation directory. slmgr.vbs and cscript ospp.vbs without parameters print a help message.
You'll have to install a volume license (VL) version of Office. Office versions downloaded from MSDN and/or Technet are non-VL. If you happened to install a retail licensing product (i.e. OEM, Home, and Ultimate Windows), then in all likelihood you are out of luck with KMS. To check the Windows version on the command line:
wmic os get caption
There exist some unofficial GVLKs for retail licensing Windows, which can be found in the vlmcsd.7 man page. Hence, why not attempt to convert Windows to a KMS client as stated above? The only difference is that those unofficial GVLKs hold each activation for 45 or 30 days.
About Office, if you happened to install a retail version (i.e. Office 16 Pro Plus retail, Visio included), there exists a script to help you convert the retail version to VOL version. If you have tried to input different MAK keys before the conversion or the product brings in a default MAK key, you should first remove them before KMS activation.
cscript ospp.vbs /dstatus
cscript ospp.vbs /unpkey:<last-5-digits>
You are highly recommended to install and activate Visio 2016 Pro before other office components. inpkey automatically assigns the keys to Office or Visio.
Configure a client
For Windows OS, skms means set KMS:
slmgr.vbs /skms <kms-server[:tcp-port]>
For Office, it is optional if Windows OS already sets that.
cd C:\Program Files\Microsoft Office\Office16
rem -or- cd C:\Program Files (x86)\Microsoft Office\Office16
cscript ospp.vbs /sethst:<kms-server>
cscript ospp.vbs /setprt:<tcp-port>
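From the defender's side, the host configured here is auditable: a client pointed at a KMS host outside the organisation's own list shows up in the licensing service's WMI properties. An added PowerShell example (not from the original page); the approved host names and the function name Get-KmsHostFinding are placeholders, and Office on Windows 7, which uses its own licensing service, is not covered:

```powershell
# Added example, not from the original page. Host names are placeholders.
$ApprovedKmsHosts = @('kms01.corp.example', 'kms02.corp.example')

function Get-KmsHostFinding {
    param([string[]]$Approved = $ApprovedKmsHosts)

    $rows = @()

    # Machine-wide settings: the host set with "slmgr /skms" and the host
    # discovered through the _vlmcs._tcp DNS SRV record.
    $svc = Get-WmiObject -Class SoftwareLicensingService
    $rows += New-Object psobject -Property @{
        Source  = 'service, manual'
        KmsHost = $svc.KeyManagementServiceMachine
        Port    = $svc.KeyManagementServicePort }
    $rows += New-Object psobject -Property @{
        Source  = 'service, DNS'
        KmsHost = $svc.DiscoveredKeyManagementServiceMachineName
        Port    = $svc.DiscoveredKeyManagementServiceMachinePort }

    # Per-product overrides on products that have a key installed.
    # A property that does not exist on older Windows simply reads as $null.
    $products = Get-WmiObject -Class SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL'
    foreach ($p in $products) {
        $rows += New-Object psobject -Property @{
            Source  = "product: $($p.Name)"
            KmsHost = $p.KeyManagementServiceMachine
            Port    = $p.KeyManagementServicePort }
    }

    # Keep rows that name a host and mark the ones outside the approved list
    # (-contains compares case-insensitively).
    $rows | Where-Object { $_.KmsHost } | ForEach-Object {
        $ok = $Approved -contains $_.KmsHost
        $_ | Add-Member -MemberType NoteProperty -Name Approved -Value $ok -PassThru
    }
}

# Rows with Approved = False are the ones to investigate.
Get-KmsHostFinding | Where-Object { -not $_.Approved } | Format-Table Source, KmsHost, Port
```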
Activate a product
After telling a client the KMS address, Windows contacts it for activation on demand. To activate the Windows system immediately, right click Computer, select Properties and activate there. Alternatively, do it on the command line:
slmgr.vbs /ato
slmgr.vbs /xpr
slmgr.vbs /dlv
Similarly for Office:
cscript ospp.vbs /act
cscript ospp.vbs /dstatus