
Enable WMI for MAK Proxy Activation


clodhoppers18


Issue:

I am running into an issue with an image I have that is preventing me from efficiently activating the PCs that I have after deployment of a custom image.

Whenever I attempt to do a MAK Proxy Activation, I have to disable the Windows Firewall on the client PC in order for the activation to take place. Prior to disabling it, I have been able to ping between the two computers without any problem.

Scenario:

Attempting to do MAK proxy activation on a Windows 7 Professional image with a Windows Server 2008 that has MDT 2010 and WDS using the Volume Activation Management Tool. The image is nearly perfect with the exception of two minor things, but aside from this and a password issue, it is golden.

Research:

I have done some research online and it looks like WMI must be enabled and allowed through the Windows Firewall on the client in order for the MAK activation to occur. I am in the process of checking this right now, but I wanted to confirm that you do need WMI enabled and permitted before rattling my mind on what is preventing the access.

Optimal Solution:

One that doesn't require me to re-do the entire image. If at all possible, I would like to avoid re-doing the image just because I need to change one thing. Is it possible to insert the rule that may be needed using registry edits? I have found where I can add certain ports to the firewall profiles through the netsh advfirewall command, but I'm not only unsure of what ports are needed, but also the scope and any other necessary parameters for this.

I thank you all in advance. Just so it's clear, I have done some research all over the net on this but haven't found anyone with my issue. Also, I have looked through both the firewall addition and the WMI requirement prior to posting this. If I overlooked something, please let me know.

Thanks!

--Dustin



Yes, unfortunately we can only allow the primary domain name to not require authentication. So for http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl we would have to allow www.microsoft.com to go through without authentication. This will allow all users to get to www.microsoft.com. Unfortunately, this is not an option for our security folks.

Right now we are using MAK Proxy activation, which allows the server IP to go through the proxy without authentication. This allows it to conduct the activation and pass the confirmation ID back to the client. The Windows Firewall on the client is preventing the server from connecting and activating the client.

Hopefully this clarifies the issue.


Even when I am initiating the activation from the Windows Deployment Server using the Volume Activation Management Tool?

I can get to the web with no problem and I can ping the computer with no problem but when I try to do the MAK Proxy activation, it acts like it can't see the client.


OK let me understand this. You are (basically) using your deployment server to be the proxy between the clients and the MS Activation Server? When you say you disable the firewall and it works, disable it on where, the client or the server? :unsure:


This seems less a Windows 7 issue and more of a network/server issue, since it is confirmed that allowing microsoft.com to not be authenticated will fix the problem, but your IT won't allow that.

Have you tried allowing WDS to prestage all systems into a specific OU? Then you can allow that group to access microsoft.com without authentication. Or even have these systems use a specific user account that has access through the proxy.


The only change I make is disabling the firewall on the client. The MAK Proxy activation does not require the client to have access to the internet in order to activate. The computer with the VAMT must have access to the Microsoft sites without the proxy in the way. The proxy isn't the issue at this point because as soon as I disable the Windows Firewall on the client computer, the MAK Proxy Activation is successful.

Also, the web filtering that we use isn't robust enough to detect the OU that the computer is in and apply policies that way. We can only use IP address or username based filtering.
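
An added example, not part of the thread or posted by any participant: instead of turning the client firewall off, enable only the built-in WMI inbound rules and scope them to the VAMT host, which can be done on an already-deployed client without rebuilding the image. It assumes the built-in WMI rule group is what VAMT needs on the client, English rule display names, an elevated prompt on the Windows 7 client, and a placeholder address for the VAMT host.

```powershell
# Added example (not from the thread). Run elevated on the Windows 7 client.
# Placeholder: address of the server running VAMT (documentation range).
$VamtHost = '192.0.2.10'

# Built-in rule group and its inbound rules (English display names assumed).
$group = 'Windows Management Instrumentation (WMI)'
$inboundRules = @(
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)',
    'Windows Management Instrumentation (ASync-In)'
)

function Invoke-Netsh {
    # Run netsh with the given arguments and stop on any failure.
    $output = & netsh.exe @args 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($args -join ' ') failed: $output"
    }
    return $output
}

# 1. Enable the predefined WMI group. A group can only be switched on or off,
#    so the scope is tightened per rule in step 2.
Invoke-Netsh advfirewall firewall set rule "group=$group" new enable=yes | Out-Null

# 2. Restrict each inbound WMI rule to the VAMT host only, so the exception
#    does not expose WMI/DCOM to every machine that can reach the client.
foreach ($rule in $inboundRules) {
    Invoke-Netsh advfirewall firewall set rule "name=$rule" new "remoteip=$VamtHost" |
        Out-Null
}

# 3. Show the result for review: the firewall should still be ON in every
#    profile, and each rule should be enabled with RemoteIP set to the VAMT host.
Invoke-Netsh advfirewall show allprofiles state
foreach ($rule in $inboundRules) {
    Invoke-Netsh advfirewall firewall show rule "name=$rule" |
        Where-Object { $_ -match '^(Rule Name|Enabled|Profiles|RemoteIP):' }
}
```

If activation still fails with these rules in place, re-check from the `show rule` output that the rule is enabled for the profile the client's network connection is actually using.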
