Hide or encrypt product key information in answer file?

    Question

  • Is it possible to hide or encrypt the product key that is included in the answer file (unattend.xml)?

    I encrypt the password which works fine, but I cannot find any method of hiding the product key.


    Wednesday, April 26, 2017 4:03 PM

All replies

  • Hi Paul77MTL,

    Are you using a retail product key or volume license key? Why do you want to hide the product key?

    According to my research, only the password can be encrypted and there is no official method to hide the product key. If you don't want to expose the product key, we could configure the answer file to skip the product key step. Then activate the machine manually later. If you are using KMS, there is no need to include the product key in the answer file.

    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 27, 2017 6:04 AM
    Moderator
  • Hi MeipoXu,

    It's actually an OEM key. We distribute devices with Windows 10 pre-installed and allow customers to re-image the device if needed. The Windows 10 image used to re-image includes the product key in the answer file. This means that the product key can be pulled from the answer file of the image if someone wanted to abuse it.

    I have not found a method to skip the product key prompt unless I include the key in the answer file.

    Is it possible to skip the product key prompt and have Windows use the product key that was used in the sysprep'd master image?

    Thursday, April 27, 2017 1:51 PM
  • Hello,

    You should be able to use DISM to inject the product key into the image

    https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/dism-windows-edition-servicing-command-line-options

    /Set-ProductKey:


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, April 27, 2017 6:31 PM
  • Hello,

    You should be able to use DISM to inject the product key into the image

    https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/dism-windows-edition-servicing-command-line-options

    /Set-ProductKey:


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    I don't understand how this will solve the issue. I would still need to add a command in the image (setupcomplete or runonce) to execute the command. Therefore the product key will still need to be somewhere in a text or script file.
    Tuesday, May 2, 2017 4:11 PM
  • Hello,

    You would have to inject the key into the image directly and recapture the image.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, May 2, 2017 4:44 PM
  • Hello,

    You would have to inject the key into the image directly and recapture the image.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Can you expand?
    The image is already activated before I sysprep. From what I understand, sysprep removes the activation.

    In my tests I found that if I remove the product key from the answer file Windows will prompt to enter a new key. But if I skip that step it will still activate once it can connect to the internet.

    I'm assuming this is the same as using dism to inject the key. If so, the next question would be how to skip the product key prompt when imaging new units?

    Tuesday, May 2, 2017 5:33 PM
  • Hi Paul77MTL,

    "the next question would be how to skip the product key prompt when imaging new units?"

    Try to include the "setup key" in the answer file.
    Appendix A: KMS Client Setup Keys
    https://technet.microsoft.com/en-us/library/jj612867.aspx

    Best regards



    Thursday, May 4, 2017 10:08 AM
    Moderator
  • KMS key works to bypass the prompt. 

    What do you suggest to apply the real product key without having it in plain text in a file on the machine?

    Tuesday, May 9, 2017 3:51 PM
  • Hi Paul77MTL,

    If you are using KMS, the machine should be activated automatically.
    If you are using a retail product key, we could activate it manually.

    Best regards


    Thursday, May 11, 2017 2:23 AM
    Moderator
  • We are not using KMS. Here is the scenario:

    - I have images (wim files) for some computers that can be re-imaged by customers.

    - The images are sysprep'd and contain an OEM product key in the answer file.

    - I would like to encrypt or hide the OEM product key so that it is protected from someone who can potentially download the wim, extract the answer file, and then can reuse the OEM key for malicious purposes.

    - Also, Windows should not ask for a product key on first boot, which is why I included the OEM product key in the answer file

    - Using the KMS key in the answer file allows the image to boot without being prompted for a key, but then the real OEM key would still need to be applied somehow. I can surely script it using dism or slmgr, but the key will still be in clear text somewhere on the image, which I do not want.

    Does this make sense?

    Thursday, May 11, 2017 1:11 PM
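
Added example (not part of the original thread): a PowerShell check for the exposure described in the post above, listing every product key embedded in an answer file before an image is published. The function name `Find-AnswerFileProductKey`, its `-AllowedKeys` parameter, and the sample XML with its key values are constructed for illustration.

```powershell
# Audit an answer file for embedded product keys (added example).
function Find-AnswerFileProductKey {
    param(
        [Parameter(Mandatory)] [xml] $AnswerFile,
        # Keys that are acceptable to ship (for example public setup keys); caller-supplied.
        [string[]] $AllowedKeys = @()
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($AnswerFile.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # Covers <ProductKey>KEY</ProductKey> (Shell-Setup) and
    # <ProductKey><Key>KEY</Key></ProductKey> (windowsPE Setup/UserData).
    foreach ($node in $AnswerFile.SelectNodes('//u:ProductKey', $ns)) {
        $keyNode = $node.SelectSingleNode('u:Key', $ns)
        $value = if ($keyNode) { $keyNode.InnerText } else { $node.InnerText }
        $value = $value.Trim()
        if (-not $value) { continue }   # empty element: nothing exposed

        $component = $node.SelectSingleNode('ancestor::u:component', $ns)
        $settings  = $node.SelectSingleNode('ancestor::u:settings', $ns)
        [pscustomobject]@{
            Pass      = if ($settings)  { $settings.GetAttribute('pass') }  else { '' }
            Component = if ($component) { $component.GetAttribute('name') } else { '' }
            # Report only the last five characters so the audit output is safe to share.
            MaskedKey = 'XXXXX-XXXXX-XXXXX-XXXXX-' +
                        $value.Substring([Math]::Max(0, $value.Length - 5))
            Allowed   = $AllowedKeys -contains $value
        }
    }
}

# Constructed sample answer file; both keys are placeholders, not real keys.
$sample = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <UserData><ProductKey><Key>AAAAA-AAAAA-AAAAA-AAAAA-AAAAA</Key></ProductKey></UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <ProductKey>BBBBB-BBBBB-BBBBB-BBBBB-BBBBB</ProductKey>
    </component>
  </settings>
</unattend>
'@
Find-AnswerFileProductKey -AnswerFile $sample -AllowedKeys 'AAAAA-AAAAA-AAAAA-AAAAA-AAAAA' |
    Format-Table -AutoSize
```

Any row with `Allowed` set to `False` is a key that anyone who can extract the answer file from the image can read.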
  • Hi Paul77MTL,

    For an OEM product key, it could be divided into two scenarios. If the key is included in the BIOS, the installation should be activated automatically. If it is not, I am afraid we should input the product key for the customer manually in case it will be exposed to the customer.

    Best regards


    Monday, May 15, 2017 8:54 AM
    Moderator