John Pritchard, Ramprabhu Rathnam: CLI314. Provide an overview of activation and validation; provide guidance for common scenarios; share learnings. Activation.

Presentation transcript:

John Pritchard, Ramprabhu Rathnam: CLI314

Objectives:
- Provide an overview of activation and validation
- Provide guidance for common scenarios
- Share learnings

Key points:
- The activation requirement in volume licensing is here and real
- Planning is crucial for successful deployment
- Prescriptive guidance is available now to help with your deployment

Agenda: Activation; Common Scenarios; Best Practices; Validation; Reduced Functionality Mode; Q&A

- Worldwide PC software piracy for 2006 estimated at 35%
- Non-genuine Windows installations are growing by nearly 100 PCs every minute
- Compromised volume keys account for ~20% of Windows validation failures
Source: 2006 Global Software Piracy Study by Business Software Alliance

[Diagram: activation channels: Online, Phone, BIOS-bound, Online, Phone, Proxy]

Volume license key types: Multiple Activation Key (MAK) and Key Management Service (KMS) key.
- MAK Independent Activation (Online, Phone): individually connect and activate with Microsoft
- MAK Proxy Activation: activate multiple systems with one connection to Microsoft
- KMS Activation: activate periodically using a customer-hosted service
- Grace period: the product can be installed and used during the grace period without any product key

KMS:
- Customer-hosted activation enablement service; eliminates the need for each system to activate with Microsoft
- A KMS key is used on designated host(s) to enable the service
- KMS host(s) activate with Microsoft one time, online or by phone
- Each KMS key, by default, can activate six different hosts
- Each KMS host can activate an unlimited number of systems running volume editions of Windows Vista and Windows Server 2008
- Requires a threshold of minimum physical machines to be established and maintained (25 for Windows Vista and 5 for Windows Server 2008)
- The KMS host maintains a single count of the last 50 systems contacted in the last 30 days
- The KMS client activates itself based on the response from the KMS host and the local business rules
- The KMS client must connect with the KMS host anonymously at least once every 180 days
- The KMS client uses DNS or registry info to discover the KMS host

MAK:
- One-time activation with Microsoft
- Two methods of activation using a MAK:
  - MAK Independent Activation: each system individually connects and activates with Microsoft
  - MAK Proxy Activation: one centralized activation request on behalf of multiple systems, with one online connection to Microsoft
- MAK keys have an activation limit that depends on the customer's license agreement; each activation counts toward the activation limit
- Keys are distributed through a WMI script, during OS installation, or with the Volume Activation Management Tool
- Uses SSL in the case of MAK Independent, and SSL and WMI in the case of MAK Proxy
- Reactivation may be required if there is a significant change in the underlying hardware

Volume Activation Management Tool (VAMT):
- Performs both MAK Proxy and MAK Independent activation
- Provides activation status of all machines in the environment
- Supports discovery of machines in the environment: Active Directory (AD), workgroup, and individual machines by IP address or machine name
- Allows import/export of data using XML
- Enables local reactivation and monitoring of MAK usage

KMS and virtualization:
- New: the KMS host will be able to run in virtual machines when Windows Server 2008 RTMs; the KMS host can run on a Windows Vista VM now; support for Windows Server 2003 and Windows Server 2008 will be available when Windows Server 2008 RTMs
- Install the KMS host on the virtual instance that is least likely to be moved, to avoid reactivation
- The KMS host does not contribute to the n-count; however, the VM host does contribute to the n-count
- Virtual instances of the OS can be activated using KMS
- Addresses the issue of virtual images moving from one physical host to another, which could force a reactivation request

Planning:
- Activation must be a part of the Windows deployment planning process
- Establish activation ownership and accountability
- Determine the use and mix of MAK/KMS activations
- Enumerate target environments based on number of systems and user network connectivity
- Evaluate the impact of upcoming KMS releases (Windows Server 2008 KMS)

Enumerating target environments:
- Basic connectivity characteristics: LAN-connected machines (core networked); roaming/remote machines with regular connectivity; roaming/remote machines with sporadic connectivity; isolated (never connected) machines
- Build sources: OEM-preinstalled machines (new machines), either with a customer-specific image or a generic image that the customer modifies/replaces; OEM rebuilds; customer-built machines (rebuilds, virtual, test)
- Number of systems

LAN-connected machines:
- Unless there is a specific (political/procedural/architectural) barrier, use KMS
- Configure KMS for access by users from remote/branch locations
- Place KMS in hub location(s), but don't overuse: each KMS must have a rolling n-count of 25+
- Remember that one KMS key activates up to 6 KMS hosts
- Consider placing KMS on a virtual host
- Remember that a significant hardware change of the underlying physical machine may still trigger reactivation

- Each system must be activated by MAK when there are not enough systems for a KMS infrastructure
- If occasional Internet connectivity is available, the machine can activate against Microsoft directly or against the core KMS host

Roaming/remote machines with regular connectivity:
- "Regular connectivity" = the client can reasonably be expected to connect via LAN or VPN at least once every 180 days; this is typically far shorter than the common user password expiration policy, and existing mechanisms are often in place to ensure that users periodically connect
- If it can be expected to connect, use KMS
- Requires planning for users who "miss the window": customize the sample web page for self-servicing
- Should a client exceed 180 days without connectivity, the grace period and rearm still provide time to activate
- May consider switching that user's machine to MAK activation

Roaming/remote machines with sporadic connectivity:
- Machines that are built, leave the company's premises and are not seen again for very long or indeterminate periods of time: machines in ships/submarines/deserts, corporate machines provided for home use, student laptops, professors on sabbatical
- Activate the system as part of system provisioning using Independent MAK or Proxy MAK

Isolated labs (where the lack of connectivity is due to the nature of the lab rather than an explicit prohibition on connectivity):
- Provide connectivity to KMS; switch/router/firewall/IPsec filtering may be used for the traffic
- Deploy a local KMS; be conscious of the n-count and the number of KMS hosts
- Virtual machines activate, but don't increment the n-count
- To reach the n-count, build 25 physical machines or one machine 25 times, etc.; this buys 30 days until the n-count starts to drop
- Activate using MAK through phone or VAMT (sneakernet)
- For frequently rebuilt systems, consider not activating: machines will have to be activated or rebuilt after 120 days (the grace period can be re-armed three times)

Best practices:
- Ensure KMS keys are used only on machines that will serve as a KMS host
- Generalize images using Sysprep to reset activation-related values
- Use VAMT for any activation involving MAK: it increases protection of MAK keys, provides the remaining activation count, and enables local reactivation
- Leverage IPsec infrastructure in filtering KMS communication
- In the case of MAK activation, activate after connecting all necessary hardware

[State diagram] States: Initial Installation; Grace (30 days); Licensed; Reduced Functionality Mode (RFM). Transitions: Successful Activation (Initial, Expiration, or Modification) leads to Licensed; Out of Tolerance (Hardware Modification or Activation Expiry (KMS)) returns to Grace; Failure to (Re)Activate leads to RFM.

Validation and monitoring:
- Use the Volume Activation Management Tool (VAMT) or SMS 2003 SP3 to monitor license states: initial installation grace, out-of-tolerance grace
- Monitor the health of KMS using the MOM 2005 KMS MP
- KMS activation only works on a legacy machine (no ACPI SLIC table) or a marked machine (ACPI SLIC table exists and is complete)

Reports: Activation Count Summary; KMS Activity History; Licensing Status Summary; Machine Expiration Chart; Machine Expiration Detail; Virtual Machine Summary

- Conditions that cause validation failure: failure to activate the product properly within the grace period; using a compromised or non-Microsoft-issued key; tampering to circumvent product activation or validation features
- System response varies depending on activation status: genuine features disabled; reduced functionality mode
- Once determined to be non-genuine, resolution requires reactivation and revalidation

Reduced Functionality Mode:
- Interactive logon limited to 1-hour sessions
- Access to the default web browser only after logon
- No Start menu or Task Manager
- Limited access to files and folders
- Treated as non-genuine: Aero and ReadyBoost are disabled; only critical security updates are available, not optional updates; Windows Defender removes only critical and severe threats

Summary:
- Activation is required for all editions of Windows Vista and Windows Server 2008
- Enables protection and management of customer-specific volume keys
- Eliminates handling of product keys at the time of system installation
- Helps differentiate genuine installations
- Multiple activation options exist for volume customers: MAK Independent, MAK Proxy and KMS
- Prescriptive guidance is available for integrated deployment and management

We are looking for customer/partner feedback on Volume Activation 2.0; please take a moment to provide your feedback.
- Customer/Partner Feedback: the password is 1301
- OEM/System Builder Feedback: the password is 1301

Resources:
- Business Desktop Deployment Solution Accelerator: t/bdd
- Volume Activation 2.0 on TechNet
- Volume Activation 2.0 on Download Center
- For product key information and call center numbers: ault.mspx

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

[Diagram: hierarchical KMS keys versus lateral MAKs across editions: Datacenter, Itanium, Standard, Enterprise, Storage Enterprise**, Web, Compute Cluster, Storage*, Business, Enterprise]

Volume licensing key issuance:
- Volume Licensing is upgrade only
- KMS keys are assigned per applicable enrollment(s) or licenses purchased per product pool (client, server)
- Open License customers will only receive MAK and KMS keys specific to the product licenses purchased
- Customers with Select, EA or CASA licenses receive additional Windows Server 2008 edition keys for evaluation
- MAKs are issued at customer request
- Partners and MSDN subscribers receive only MAK and/or retail keys

KMS host and KMS client:
- By default, the KMS host is not activated
- Once activated, the KMS host is ready to activate KMS clients when the minimum requirements are met
- Once a combination of 5 physical KMS clients is present, Windows Server 2008 machines will be activated by the KMS host
- Once a combination of 25 physical KMS clients is present, Windows Vista machines will be activated by the KMS host

KMS activation flow (prerequisite: activate the KMS host(s) with Microsoft using KMS keys):
1. Discover the KMS host via the registry or a DNS SRV RR (_vlmcs._tcp)
2. Send an RPC request to the KMS host on 1688/TCP by default (~250 bytes): generate the client machine ID (CMID); assemble and sign the request (AES encryption); on failure, retry every 2 hours (default)
3. The KMS host adds the CMID to its queue (entries expire after 30 days) and responds with the current count (~200 bytes)
4. The KMS client evaluates the count against the license policy and activates itself: it stores the KMS host Product ID, intervals, and client hardware ID in the license store; on success, it renews activation every 7 days (default)
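The counting rules from the KMS overview, the isolated-lab guidance (25 physical builds buy 30 days) and the host/client flow above, modelled as an added example that is not code from the presentation or from Microsoft. The thresholds, the 50-entry/30-day cache and the 7-day/180-day intervals are the values stated on the slides; the class and function names and the CMID values are my own constructions.

```python
from collections import OrderedDict

THRESHOLD = {"vista": 25, "server2008": 5}   # minimum physical clients (slides)
CACHE_SIZE, CACHE_DAYS = 50, 30                # host keeps last 50 CMIDs for 30 days
ACTIVATION_DAYS, RENEW_DAYS = 180, 7           # client-side intervals (slides)

class KmsHost:
    """Hypothetical model of the KMS host's CMID queue (names are mine)."""
    def __init__(self):
        self.queue = OrderedDict()   # cmid -> day last seen, oldest first

    def count(self, today):
        # Drop entries older than 30 days, then report the current n-count.
        for cmid in [c for c, d in self.queue.items() if today - d >= CACHE_DAYS]:
            del self.queue[cmid]
        return len(self.queue)

    def request(self, cmid, today, physical=True):
        """Handle one client request and return the count the client sees.
        Virtual clients get a response but are not added to the count."""
        if physical:
            self.queue.pop(cmid, None)
            self.queue[cmid] = today              # re-insert as most recent
            while len(self.queue) > CACHE_SIZE:
                self.queue.popitem(last=False)   # evict the oldest CMID
        return self.count(today)

def client_activates(product, count):
    """Client-side business rule: activate only when the count meets the threshold."""
    return count >= THRESHOLD[product]

def client_state(last_activation_day, today):
    """Client renews every 7 days; activation lapses after 180 days
    without a successful contact with the host."""
    age = today - last_activation_day
    if age >= ACTIVATION_DAYS:
        return "expired"
    return "renew" if age >= RENEW_DAYS else "activated"

def lab_scenario():
    """Isolated-lab case from the slides: 25 physical Vista builds on day 0
    and nothing afterwards buys 30 days before the n-count drops away."""
    host = KmsHost()
    for i in range(25):
        host.request(f"cmid-{i:03d}", today=0)   # constructed CMIDs
    return tuple(client_activates("vista", host.count(day)) for day in (0, 29, 30))

if __name__ == "__main__":
    print(lab_scenario())   # (True, True, False)
```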

MAK Proxy activation flow (VAMT):
1. Find Windows Vista machine(s) from Active Directory (LDAP) or through network discovery APIs (NetServerEnum())
2. Apply the MAK and collect the Installation ID (IID) using WMI; optionally export to an XML file
3. Connect to Microsoft over the Internet (SSL) and obtain the corresponding Confirmation ID (CID); update the XML file with the CIDs
4. Activate the MAK Proxy client(s) by applying the CID; optionally import the updated XML file first