这篇文章将吸引拥有批量许可 (VL)订阅、从Windows 7 专业版(Pro)或企业(Enterprise)版迁移到Windows 10并已购买Windows 7 扩展安全更新 (ESU)的企业、组织和企业。在这篇文章中,我们将说明如何使用多次激活密钥 (MAK)在属于本地Active Directory域的多个设备上安装和激活(Active Directory)Windows 7 扩展安全更新(Extended Security Update)( ESU ) 密钥。
在多个设备上安装(Install)和激活 Windows 7 ESU密钥
首先,您需要下载Activate-ProductOnline.ps1 脚本并将其保存到本地文件夹。此脚本将安装并激活ESU产品密钥。
The Activate-ProductOnline.ps1 script requires that Windows 7 devices have Internet access for online activation. If you need to install ESU on isolated Windows 7 devices or have restricted internet access, the ActivationWs project supports activation of Windows 7 devices by using a proxy to communicate with the Microsoft BatchActivation Service. The ActivationWS project includes a PowerShell script (Activate-Product.ps1) compatible with the steps described in this post.
脚本的基本逻辑如下:
- 接受(Accept)并验证所需的ProductKey和可选的LogFile参数。
- 如果产品密钥已安装并激活,则退出。
- 安装产品密钥。
- 激活产品密钥。
- 生成具有默认位置的日志文件:$env:TEMP\Activate-ProductOnline.log。
接下来,您应该确保已安装所有先决条件。如果缺少先决条件, Windows 7的ESU密钥将无法正确安装。如果软件许可服务(Software Licensing Service)在安装ESU密钥时报告错误 0xC004F050,这表明尚未安装必备软件,或者更新应用到了错误的操作系统。解决此问题的最佳方法是确保您将ESU密钥应用于Windows 7 Pro、Enterprise或Ultimate,并单独重新安装每个先决条件。
完成上述安装前检查后,您现在可以继续创建一个 WMI 过滤的组策略对象(Group Policy Object),该对象将在Windows 7加入域的设备上运行Activate-ProductOnline.ps1 。
微软(Microsoft)说,方法如下:
要创建新GPO并将其链接到包含ESU范围内的(ESUs)Windows 7设备的目录位置,请执行以下操作:
- 在安装了组策略管理(Group Policy Management)工具的域控制器或工作站上,选择(Select) 开始(Start) 并键入 组策略(Group Policy) ,然后选择 组策略管理(Group Policy Management)。
- 展开林和域节点以公开包含Windows 7设备的相应 OU 或容器。(Container)
- 右键单击(Right-click)组织单位(Organizational Unit)(OU) 或Container。
- 选择在域中创建 GPO。(Create a GPO in the domain.)
- 将其命名为Windows7_ESU。
- 单击确定(OK)。
- 右键单击新 GPO 并选择编辑(Edit) 以打开组策略管理编辑器(Group Policy Management Editor)。
- 在计算机配置(Computer Configuration)下,展开 策略(Policies),然后展开 Windows 设置(Windows Settings)。选择 Scripts (Startup/Shutdown)。
- 双击 窗格右侧的 启动,然后单击(Startup)PowerShell 脚本(PowerShell Scripts)选项卡。
- 选择添加(Add)以 打开添加(Add)脚本(Script)对话框,然后选择 浏览(Browse)。
浏览(Browse)按钮打开您创建的组策略对象(Group Policy Object)的Windows 资源管理器(Windows Explorer)窗口启动(Startup)脚本文件夹。
- 将Activate-ProductOnline.ps1脚本拖到 Startup 文件夹中。
- 选择刚刚复制的Activate-ProductOnline.ps1 并选择 Open。
- 确保在脚本名称(Script Name)字段 中指定了Activate-ProductOnline.ps1 ,然后输入参数 -ProductKey,后跟您的 ESU MAK 密钥。
选择 OK 关闭Add A Script 对话框(Add A Script Dialog),选择 OK 关闭Startup Properties,然后关闭Group Policy Management Editor。
在组策略管理控制台(Group Policy Management Console)中,右键单击 WMI 过滤器(WMI Filters) 节点并选择 新建(New)以打开新建 WMI 过滤器对话框。
- 为新的WMI 过滤器(WMI Filter)指定一个有意义的名称,然后选择添加(Add)以打开 WMI 查询对话框。
- 使用WMI Query Select Version from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType= “1”。
- 选择OK 关闭WMI Query对话框,然后选择 Save。
- 在组策略管理控制台(Group Policy Management Console)中,选择新的GPO。在WMI 过滤(WMI Filtering)部分中,选择您刚刚创建的WMI 过滤器。(WMI Filter)
现在您已完成上述步骤,您需要验证ESU PKID是否已安装并激活。
要验证该过程是否成功,请执行以下操作:
在GPO范围内的Windows 7计算机上,从提升的命令提示符运行以下命令。
slmgr /dlv
现在验证Windows 7 Client-ESU插件的软件许可信息,并确保许可状态(License Status) 为 许可(Licensed) ,如下图所示:
注意(Note):新策略最多可能需要 45 分钟才能同步到您站点中的所有域控制器(远程域控制器需要更长的时间,具体取决于同步计划)。完成后,重新启动Windows 7设备,这将强制执行组策略(Group Policy)更新并允许启动(Startup)脚本运行。该脚本将创建一个日志文件,可以对其进行检查以进行其他验证。默认情况下,日志文件将命名为Activate-ProductOnline.txt并位于系统TEMP目录 C:\Windows\Temp中。
如果您收到激活错误,请参阅我们的激活故障排除指南。
最后,如果您在验证操作系统和验证先决条件后无法安装ESU密钥,请联系(ESU)Microsoft 支持(Microsoft Support)。
That’s it! I hope IT admins will find this post useful.
Install & activate Windows 7 ESU keys on multiple devices using MAK
This pоst will interest businesses, organizations, and enterprises with Volume License (VL) subscriptions, who аre migrаting from Windows 7 Pro or Enterprise to Wіndows 10, and have purchased Windows 7 Extеnded Security Updates (ESUs). In this post, we will illustrate how to install and actiνate Windows 7 Extended Security Update (ESU) keys on multiple devices that are part of an on-premises Active Directory domain using a Mυltiplе Activation Key (MAK).
Install & activate Windows 7 ESU keys on multiple devices
To begin, you’ll need to download the Activate-ProductOnline.ps1 script and save it to a local folder. This script will install and activate the ESU product key.
The Activate-ProductOnline.ps1 script requires that Windows 7 devices have Internet access for online activation. If you need to install ESU on isolated Windows 7 devices or have restricted internet access, the ActivationWs project supports activation of Windows 7 devices by using a proxy to communicate with the Microsoft BatchActivation Service. The ActivationWS project includes a PowerShell script (Activate-Product.ps1) compatible with the steps described in this post.
The basic logic for the script is as follows:
- Accept and validate required ProductKey and optional LogFile parameters.
- Exit if the product key is already installed and activated.
- Install the product key.
- Activate the product key.
- Produce a log file with default location: $env:TEMP\Activate-ProductOnline.log.
Next, you should ensure that all of the prerequisites are installed. The ESU key for Windows 7 will not install properly if the prerequisites are missing. If the Software Licensing Service reports error 0xC004F050 when installing the ESU key, this indicates that either the prerequisites have not been installed, or the updates are being applied to the wrong operating system. The best way to resolve this is to ensure that you are applying the ESU key to Windows 7 Pro, Enterprise, or Ultimate and reinstall each of the prerequisites individually.
After you have completed the pre-installation checks outlined above, you can now proceed to create a WMI-filtered Group Policy Object that will run the Activate-ProductOnline.ps1 on the Windows 7 domain-joined devices.
Here’s how, says Microsoft:
To create a new GPO, and link it to the directory location holding the Windows 7 devices in scope for the ESUs, do the following:
- On a domain controller or workstation with Group Policy Management tools installed, Select Start and type Group Policy and select Group Policy Management.
- Expand the forest and domain nodes to expose the appropriate OU or Container that contains Windows 7 devices.
- Right-click the Organizational Unit (OU) or Container.
- Select Create a GPO in the domain.
- Name it Windows7_ESU.
- Click OK.
- Right-click the new GPO and select Edit to open the Group Policy Management Editor.
- Under Computer Configuration, expand Policies, then expand Windows Settings. Select Scripts (Startup/Shutdown).
- Double-click Startup in the right side of the pane and click the PowerShell Scripts tab.
- Select Add to open the Add a Script dialog, and then select Browse.
The Browse button opens a Windows Explorer window Startup script folder for the Group Policy Object you created.
- Drag the Activate-ProductOnline.ps1 script into the Startup folder.
- Select the Activate-ProductOnline.ps1 you just copied and select Open.
- Ensure Activate-ProductOnline.ps1 is specified in the Script Name field and enter the parameter -ProductKey followed by your ESU MAK key.
Select OK to close the Add A Script Dialog, select OK to close Startup Properties, then close Group Policy Management Editor.
In the Group Policy Management Console, right-click the WMI Filters node and select New to open the New WMI filter dialog.
- Give the new WMI Filter a meaningful name and select Add to open the WMI Query dialog.
- Use the WMI Query Select Version from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″.
- Select OK to close the WMI Query dialog and then select Save.
- In the Group Policy Management Console, select the new GPO. In the WMI Filtering section, choose the WMI Filter you just created.
Now that you have completed the steps outlined above, you’ll need to verify that the ESU PKID is installed and activated.
To verify that the process has been successful, do the following:
On a Windows 7 computer in the scope of the GPO, run the command below from an elevated command prompt.
slmgr /dlv
Now verify the software licensing information for the Windows 7 Client-ESU add-on and ensure that the License Status is Licensed as shown in the image below:
Note: It may take up to 45 minutes for the new policy to synchronize to all domain controllers in your site (longer for remote domain controllers, depending on the synchronization schedule). Once completed, reboot your Windows 7 devices, which will force a Group Policy update and allow the Startup scripts to run. The script will create a log file that can be examined for additional verification. By default, the log file will be named Activate-ProductOnline.txt and located in the system TEMP directory C:\Windows\Temp.
If you receive an activation error, refer to our Activation troubleshooting guide.
Finally, if you cannot install the ESU key after verifying the operating system and verifying prerequisites, contact Microsoft Support.
That’s it! I hope IT admins will find this post useful.