Aug 07 2007

Volume Activation 2.0

Key changes reduce piracy.

To activate a retail version of Microsoft Windows, a user must enter the product key into Windows and then connect to the Internet or call Microsoft to validate the key. But that’s too cumbersome for enterprises that have thousands of computers, so Microsoft uses Volume Activation to let businesses use a single volume license key, or VLK, for all their computers.

Volume Activation 1.0 completely bypassed the activation process for customers with a VLK. Enterprises could automate deployments, regardless of whether a computer was connected to a network. Unfortunately, Volume Activation 1.0 also made it easy for software pirates to activate XP without buying a license. Even before XP’s official release, several VLKs were freely available on the Internet, and anyone could use them to activate the operating system. Once a VLK was leaked, Microsoft couldn’t stop it from being abused.

Windows Vista and Server 2008 (set for release in February) use Volume Activation 2.0. Microsoft made several significant changes to reduce piracy, including the following:

  • Volume license versions of Windows must be activated. Fortunately, Microsoft provides tools for automating and managing the activation process.
  • Multiple activation keys (MAKs) replace VLKs. Like VLKs, MAKs never expire. Unlike VLKs, a MAK activates a computer only after that computer contacts Microsoft (directly, by phone or through a proxy), and each MAK is good for a fixed number of activations set by your license agreement.
  • You can use a key management service (KMS) host to activate Windows. With KMS, you must activate just one computer with Microsoft: the KMS host. The KMS host can then activate an unlimited number of computers on your network.
  • You cannot use volume licensing with Vista Ultimate. You can use volume licensing only with the Business or Enterprise editions, which lack some of Ultimate’s features.

These changes will require volume license customers to put significant energy into planning and maintaining a volume activation infrastructure. Version 1.0 required little more than adding a VLK to an answer file; Volume Activation 2.0 will require you to:

  • Learn how to manage separate MAK and KMS infrastructures.
  • Determine whether individual client computers should be activated with MAK or KMS.
  • Maintain retail product keys for any client computers that require Vista Ultimate.

Volume activations for Vista and Server 2008 will be more work than they were for XP, but it’s manageable.

Activation Methods

Microsoft provides two ways to activate volume license versions of Vista and Server 2008: MAK and KMS. Microsoft will give you keys for both, and you will probably need to use both. Most volume license customers will do the following:

  • Install KMS on an existing computer. Any volume license versions of Vista or Server 2008 will automatically use this KMS host to activate.
  • Use MAK to activate any computer that might be disconnected from the KMS host for longer than six months. It doesn’t matter if the computer previously was activated by KMS.

Relying primarily on KMS lets you more closely protect your MAK, minimizing the chance that it's leaked on the Internet, which might require you to rekey every computer activated with it.

With KMS, you deploy a product activation server, known as the KMS host, on your network. Once activated with Microsoft, the KMS host lets you activate an unlimited number of computers on your internal network.

To hamper software piracy, Microsoft prevents KMS from running on small networks. You must use it to activate at least 25 computers running Vista or five computers running Server 2008, and you must reach that count within 30 days of activating the KMS host. (Virtual machines don't count toward the minimum.) The host counts clients by their client machine ID (CMID), so computers imaged without running Sysprep with /generalize share one CMID and count as a single client, however many of them you deploy.

Even after the 30 days, you can't let the number of computers fall below these minimums. If you do, the KMS host will stop activating computers, and computers that already have been activated will be unable to renew; when their current activation lapses, they enter reduced functionality mode (RFM). In RFM, users won't be able to do much besides open their Web browser, start the computer in safe mode or enter a key to reactivate the computer.
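The following is an added example, not Microsoft's KMS code and not part of the original article. It models only the counting rule described above (25 Vista or five Server 2008 clients, reached within 30 days, virtual machines not counted) so you can see why a fresh rollout is refused until the 25th machine, why cloned images that share one CMID never reach the threshold, and why a fleet that goes quiet for more than 30 days drops back below it. The real host identifies clients by a client machine ID (CMID) and listens on TCP 1688; here a CMID is just a string and "now" is passed in. Treating the count as one pool shared by both product types, and counting a client even when its request is refused, are modelling assumptions.

```python
"""
Toy model of the KMS activation threshold.

Added example: not Microsoft's KMS code and speaks no protocol. It models
only the counting rule the article states (25 Vista or 5 Server 2008
clients, reached within 30 days, virtual machines not counted). A CMID is
just a string here; the shared count and counting of refused clients are
modelling assumptions.
"""
from datetime import datetime, timedelta

# Distinct clients the host must have seen before it will say "activated"
# to a client of that kind (figures from the article).
THRESHOLD = {"vista": 25, "server2008": 5}
# A client not heard from for 30 days drops out of the count.
WINDOW = timedelta(days=30)


class KmsHost:
    def __init__(self):
        self._last_seen = {}  # cmid -> time of that client's most recent request

    def _prune(self, now):
        self._last_seen = {c: t for c, t in self._last_seen.items()
                           if now - t <= WINDOW}

    def count(self, now):
        """Distinct physical clients heard from inside the window."""
        self._prune(now)
        return len(self._last_seen)

    def request(self, cmid, product, now, is_vm=False):
        """Handle one activation or renewal request.

        Returns (activated, count). A physical client is recorded even when
        the answer is "not yet"; that is how a fresh rollout climbs to 25.
        Virtual machines get an answer but do not add to the count.
        """
        self._prune(now)
        if not is_vm:
            self._last_seen[cmid] = now
        count = len(self._last_seen)
        return count >= THRESHOLD[product], count


START = datetime(2008, 2, 1)  # constructed rollout date


def rollout(n_clients, product="vista", start=START):
    """Deploy n distinct physical clients one hour apart.

    Returns (host, activated_on_first_contact). Only the client that pushes
    the count over the threshold succeeds on its first try.
    """
    host = KmsHost()
    activated = 0
    for i in range(n_clients):
        ok, _ = host.request(f"cmid-{i:04d}", product, start + timedelta(hours=i))
        activated += ok
    return host, activated


def retry_pass(host, n_clients, product, now):
    """Refused clients retry on their own (every two hours by default);
    once the threshold has been met they all succeed."""
    return sum(host.request(f"cmid-{i:04d}", product, now)[0]
               for i in range(n_clients))


def cloned_rollout(n_clones, start=START):
    """Images cloned without Sysprep /generalize share one CMID, so however
    many you deploy the host sees one client and never activates any."""
    host = KmsHost()
    activated, count = False, 0
    for i in range(n_clones):
        activated, count = host.request("cmid-cloned", "vista",
                                        start + timedelta(hours=i))
    return activated, count


def attrition(start=START):
    """Reach the threshold, then let the fleet go quiet for over 30 days:
    a newcomer that was fine on day 1 is refused on day 40."""
    host, _ = rollout(25, start=start)
    day1 = host.request("cmid-new", "vista", start + timedelta(days=1))
    day40 = host.request("cmid-late", "vista", start + timedelta(days=40))
    return day1, day40


if __name__ == "__main__":
    host, first = rollout(25)
    print("activated on first contact:", first)
    print("activated on retry:", retry_pass(host, 25, "vista", START + timedelta(days=1)))
    print("30 clones of one image:", cloned_rollout(30))
    print("day 1 vs day 40:", attrition())
```

The practical checks this suggests: run Sysprep with /generalize on every image so each client gets its own CMID, and watch the host's current count in its event log after a site is decommissioned, because the count decays silently 30 days after the last renewal.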

Deploying and Managing KMS

Deploying a KMS host costs nothing because the software is free, and you can install it on an existing computer (even a domain controller) with little impact. A single KMS host can activate about 500,000 clients, and each activation requires communicating less than 1 kilobyte of data.

By default, you can activate up to six KMS hosts with your host key. Most enterprise networks need only one KMS host; you don’t need separate hosts for different locations, organizational units or domains. You need an additional KMS host only if clients are on an isolated network that cannot reach the primary KMS host.

The KMS host automatically registers the DNS SRV record (_vlmcs._tcp in your domain, pointing at the host on TCP port 1688) that clients use to find it, assuming your network supports dynamic DNS, so setup is extremely easy; if it doesn't, create that record by hand or point clients at the host with slmgr.vbs /skms. The first time you start a volume license version of Vista or Server 2008, the computer looks up that record and activates against the KMS host it finds, so KMS client activation occurs automatically. Make sure port 1688 is reachable from every client subnet, and confirm the record exists with an SRV lookup for _vlmcs._tcp before you roll out clients.

You don’t need to back up your KMS host because it doesn’t keep a database. Instead, it records successful and unsuccessful activations in the event log. If the host fails, simply reinstall Windows and reactivate KMS. As long as you don’t leave the KMS host offline for more than six months, the outage shouldn’t affect KMS clients. When you bring the new host online, client computers will automatically find the new KMS host to renew their activations. For these reasons, you don’t need to configure a backup KMS host.

The KMS host software is built into volume license versions of Vista and Server 2008, and you can download the software to install it on Windows Server 2003 at www.microsoft.com/downloads/details.aspx?FamilyID=81d1cb89-13bd-4250-b624-2f8c57a1ae7b.

After initial activation, KMS clients will attempt to renew their activation every seven days. If the KMS host is offline or a client isn’t connected to your internal network, it’s not a problem because the clients will keep trying for a total of 210 days (180 days, plus a 30-day grace period). Users who travel and are offline for weeks at a time won’t have a problem; network or server failures also won’t trip up activations.

If a KMS client is away from the KMS host for more than 210 days, the computer will enter RFM. The last thing you want is for a user not to be able to access a computer while traveling, so you should avoid RFM whenever possible. If it does occur, you can talk the user through entering the MAK at the System Properties window to migrate the computer to MAK.

The MAK Approach

MAK provides functions similar to VLKs that you might have used with Volume Activation 1.0, except that every computer must contact Microsoft to activate. If computers are connected to the Internet during deployment, there’s nothing more you need to know about MAK because activation will happen automatically. Unlike KMS, MAK activations never expire.

If computers aren’t connected to the Internet, you have other activation options:

  • Phone: You can call Microsoft on a voice line, enter the installation ID that Windows displays using the phone’s keypad, and then type the confirmation ID that Microsoft reads back into Windows to complete activation.
  • Modem: If you can connect the computer to a phone line, you can dial directly into Microsoft’s product activation servers.
  • Volume Activation Management Tool: VAMT can act as a proxy to activate computers on isolated networks. VAMT lets you activate every MAK client on your network in one operation, which is much faster than phone or modem activation.

With VAMT, you can connect to computers across your internal network and perform the following tasks:

  • Install a MAK. If you don’t install the MAK as part of the operating system image before deployment, and you don’t include it in the unattend.xml answer file, you can install the MAK after setup is complete.
  • Activate computers that are connected to the Internet. VAMT can command MAK clients to contact Microsoft and activate themselves.
  • Activate computers when only VAMT is connected to the Internet. VAMT can collect installation IDs (IIDs) from unactivated MAK clients, submit the IIDs to Microsoft across the Internet, retrieve a list of activation confirmation IDs (CIDs) and then use the CIDs to activate the MAK clients. This lets you activate MAK clients that aren’t directly connected to the Internet.
  • Activate computers when even the VAMT is not connected to the Internet. If the MAK clients and VAMT are connected to a completely isolated network, you can export the list of IIDs to removable media, copy them to a second VAMT that is connected to the Internet, and then use removable media to copy the list of CIDs back to the isolated network to activate the MAK clients.

As mentioned earlier, it’s critical to keep your MAK secret, because Microsoft might prevent your MAK from activating new computers if it’s abused. Microsoft also can use Windows Genuine Advantage, which can be triggered when Windows automatically downloads updates, to prevent computers activated with a compromised MAK from continuing to run normally. Although Microsoft says it won’t block your MAK without giving you sufficient time to change it, you’ll save yourself a headache by keeping it secret.

The MAK is encrypted and kept in a trusted store on MAK clients, making it almost impossible for end users to identify. It is in plain text, however, in any unattend.xml answer file, deployment image or script that carries it, so restrict access to those files as carefully as to the key itself. You will also need to share your MAK with the people responsible for deploying new computers. If your organization has many locations, this might require sharing the MAK with dozens of people. To help limit the risk of exposure, ask your Microsoft volume licensing representative about how to use key blocking to prevent activations from outside the internal network.

Scripting Activation

Microsoft provides a Visual Basic script for managing activation: slmgr.vbs, located in the %windir%\system32\ folder. You can use slmgr.vbs to perform the following tasks:

  • Install a product key or MAK.
  • Initiate Windows activation.
  • View current activation status.
  • Migrate a computer activated with KMS to MAK, or vice versa.
  • Extend the 30-day grace period an additional 30 days — you can do this three times.

You can run slmgr.vbs automatically after a successful Windows installation to activate a computer. You also can run slmgr.vbs from a logon script if you need to change the MAK used to activate computers. To activate computers across the network, slmgr.vbs supports connecting to remote computers with administrative credentials.

For detailed information, run the following command at a command prompt:

cscript %windir%\system32\slmgr.vbs /?

Making changes to the activation status requires administrative privileges by default. This setting is sufficient if you plan to activate computers before deployment and you don’t foresee the need to change activation status later. If you need to call slmgr.vbs from a logon script, or if you need to allow a traveling user to migrate a computer from KMS to MAK, set the following REG_DWORD registry value to 1:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\UserOperations

Keep in mind that this lets any user of the computer install a key or change its activation state, so enable it only where you need it.
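The script below is an added example, not part of the article and not part of slmgr.vbs or any Microsoft tool. It turns the renewal rules above into a fleet check: it parses the text that "cscript //nologo slmgr.vbs /xpr" prints for each machine (the sample output embedded here is constructed to match the Vista format, not captured from real machines), works out how many days each KMS client has before its activation lapses, and emits the slmgr.vbs command lines that would migrate an at-risk machine to a MAK using the script's remote form, "slmgr.vbs <machine> <option>". The 30-day migration cut-off, the machine names and the MAK placeholder are assumptions.

```python
"""
Fleet triage from slmgr.vbs /xpr output.

Added example, not part of slmgr.vbs or of the article. Parses constructed
/xpr output, decides which KMS clients are close to losing activation, and
builds the slmgr.vbs commands that would move them to a MAK. The 30-day
cut-off and the MAK placeholder are assumptions.
"""
import re
from datetime import datetime

SLMGR = r"cscript //nologo %windir%\system32\slmgr.vbs"
MIGRATE_WHEN_DAYS_LEFT_BELOW = 30   # policy assumption, not a Microsoft figure
EXPIRE_RE = re.compile(
    r"will expire (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")


def parse_xpr(text):
    """Return the expiry datetime for a KMS client, or None for a
    permanently activated (MAK or retail) machine.
    Raises ValueError on output it does not recognise."""
    if "permanently activated" in text:
        return None
    m = EXPIRE_RE.search(text)
    if not m:
        raise ValueError("unrecognised slmgr /xpr output: %r" % text)
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")


def triage(machine, xpr_text, today, mak):
    """Classify one machine; return (status, days_left, commands).

    status is "mak" (nothing to do), "ok", "migrate" (move to MAK now) or
    "expired" (activation already lapsed; by the article's figures the user
    has at most the 30-day grace period before reduced functionality mode).
    """
    expiry = parse_xpr(xpr_text)
    if expiry is None:
        return "mak", None, []
    days_left = (expiry - today).days
    migrate = [f"{SLMGR} {machine} /ipk {mak}",   # install the MAK remotely
               f"{SLMGR} {machine} /ato"]         # then activate with Microsoft
    if days_left < 0:
        return "expired", days_left, migrate
    if days_left < MIGRATE_WHEN_DAYS_LEFT_BELOW:
        return "migrate", days_left, migrate
    return "ok", days_left, []


# Constructed sample: what an inventory job might collect from four machines.
SAMPLE = {
    "LAPTOP-01": "Windows(R), Business edition:\n"
                 "    Volume activation will expire 2/10/2008 9:15:00 AM\n",
    "DESK-07":   "Windows(R), Enterprise edition:\n"
                 "    Volume activation will expire 7/14/2008 4:02:31 PM\n",
    "OLD-12":    "Windows(R), Business edition:\n"
                 "    Volume activation will expire 1/5/2008 8:00:00 AM\n",
    "KIOSK-03":  "Windows(R), Business edition:\n"
                 "    The machine is permanently activated.\n",
}
# Stand-in only; never put a real MAK in a script that lands in source control.
MAK_PLACEHOLDER = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"


def triage_fleet(sample=SAMPLE, today=datetime(2008, 2, 1), mak=MAK_PLACEHOLDER):
    """Run triage over every machine; returns {machine: (status, days, cmds)}."""
    return {m: triage(m, out, today, mak) for m, out in sample.items()}


if __name__ == "__main__":
    for machine, (status, days, cmds) in triage_fleet().items():
        print(f"{machine:10} {status:8} {str(days):>5}")
        for c in cmds:
            print("   ", c)
```

On a real network you would feed triage_fleet() the /xpr output you collect remotely (slmgr.vbs accepts a machine name and credentials before its option), and you would run the generated commands only after the MAK has been handed to the deployment staff who need it, for the reasons given under "The MAK Approach".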

With proper planning, volume activation can be easy to manage, scalable and reliable. For best results, deploy a single KMS host on your network and add a KMS host for every isolated network that has at least 25 Vista clients (or five Server 2008 computers). Volume activation will be completely automatic. If you have any computers that might be disconnected from your network for longer than six months, activate them with a MAK.

Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.