Windows Vista: Volume Activation 2.0

Ramprabhu RathnamDirector – Product ManagementMicrosoft Corporation

Agenda

• Introduction

• Software Protection Platform

• Activation Options

• Resources

• Q&A

• Unrestrained usage

• Not easy to track or manage

• Does not offer tools or means for easier, scalable, and more secure deployments

• Stolen or compromised

• Get confused with non-genuine software

Challenges

• Enable protection and management of license keys

• Flexible options to suit varying operating models

• Minimal impact to desktop deployment and management

• Reduce the risk of running tampered software

• Facilitate genuine differentiation

VLK 1.0 Realities Goals for Windows Vista

Software Protection Platform

• Improve the security of the software

• Reduce piracy through enhanced and flexible product activation options

• Protect software from malicious tampering & reverse engineering

• Enable differentiation & compliance

• Facilitate genuine differentiation

• Ease software asset management efforts

• Trusted license store and public APIs

• Assist in Electronic Software Distribution

• Windows Anytime Upgrade

Digital licensing and software IP protection Digital licensing and software IP protection solution for Windows Vista & “Longhorn” solution for Windows Vista & “Longhorn” customerscustomers

OnlinePhone

BIOS-bound Pre-install

Multiple Activation Key (MAK)Key Management Service (KMS)

Activation Options

Volume Activation 2.0

• Help automate and manage the activation process for all volume licensed editions of Windows Vista & Windows Server “Longhorn”

• Two types of Keys• Multiple Activation Key

• Key Management Service Key

• Three activation methods• MAK Independent Activation: Each desktop individually connects and

activates with Microsoft (online or telephone)

• MAK Proxy Activation: One centralized activation request on behalf of multiple desktops with one connection to Microsoft

• KMS Activation: Activate using customer hosted service and NOT with Microsoft

• Machines using the OEM SKU do not require VA 2.0

• Planned and managed as part of integrated desktop deployment process

Multiple Activation Key

• One time activation against Microsoft

• Two methods of activation using a MAK:

• MAK Independent Activation: Each desktop individually connects and activates with Microsoft (online or telephone)

• MAK Proxy Activation: One centralized activation request on behalf of multiple desktops with one connection to Microsoft

• Reactivation may be required if there is significant change in the underlying hardware

• Has an associated upper limit, depending on the license agreement, and can be easily refilled

`

MAK Independentclient

MAK Independent Activation

`

VAMT host

Microsoft

Internet

1. Distribute MAK :

a. Change product key wizard or WMI script

b. During OS installation

c. Volume Activation Management Tool (VAMT)

2. MAK client(s) connect once to Microsoft via Internet (SSL) for activation or use telephone.

1

2

Volume Activation Management Tool

• Performs both MAK Proxy and MAK Independent activation

• Provides activation status of all machines in the environment

• Supports discovery of machines in the environment:

• Active Directory (AD)

• Workgroup, and

• Individual machines by IP address or Machine Name

• Requires remote WMI access

• Stores all data in a well defined XML format

• Allows for Import/Export of data

• Availability in Q1 of 2007

MAK Proxy Activation using VAMT

`

VAMT host

Microsoft

2. Apply MAK and collect Installation ID (IID) using WMI

optionally export to XML file

`

MAK Proxy client

1. Find Windows Vista machine(s) from Active Directory (LDAP) or through network discovery APIs NetServerEnum()

4. Activate MAK Proxy client(s) by applying CID

optionally import updated XML file first

Active Directory

Internet

3. Connect to Microsoft over Internet (SSL) and obtain corresponding Confirmation ID (CID)

optionally update XML file with CIDs

1 23 4

Key Management Service

• Activate using customer hosted service and NOT with Microsoft

• Systems must re-activate by connecting to KMS host at least every 180 days

• Requires 25+ for Windows Vista and 5+ for Windows “Longhorn” server

• Default activation option for all volume editions of Windows Vista and Windows Server “Longhorn”

• Requires no user interaction

• Currently available on Windows Vista and “Longhorn”. Planned support for Windows Server 2003 in Q1 2007

How KMS Activation Works

KMS ClientKMS Host(s)

DNS

1. Discover KMS host via registry or DNS SRV RR (_vlmcs._tcp)

2. Send RPC request to KMS host on 1688/TCP by default (~250b)

Generate client machine ID (CMID)

Assemble and sign request (AES encryption)

On failure retry every 2 hours (default)

3. KMS host adds CMID to queue and responds with current count (~200b)

4. KMS client evaluates count vs. license policy and activates itselfitself

Store KMS host Product ID, intervals, and client hardware ID in license store

On success renew activation every 7 days (default)

1

2

3

4

Managing

• Administrative tools• Volume Activation Management Tool

• KMS Management Pack for System Center Operations Manager (MOM Pack)

• Management interfaces• Command line interface

• Public APIs

• WMI properties

• Event Logs on every machine

• Integration with Management tools• SMS 2003 SP3 and System Center Configuration Manager will

have built-in activation reports

• Public APIs that can be used by any mgmt tools to duplicate this functionality

Example Configuration using MAK/KMS

Core Network

`

`

`

Multiple Machines

KMS Client

`

KMS Client

Microsoft

Hosting KMS

KMSInternet

Internet

InternetDisconnected Machines

`

MAK PhoneActivation

MAK Independent

Isolated Lab

`

``

Desktop

KMS Client

KMS ClientKMS Client

`

Contains at least 25

machines.

KMS Phoneactivation

Hosting KMS

`

`KMS Clients

KMS Client1688/TCP

`

Secure Zone

Summary

• Activation is a required process for all editions of Windows Vista & Windows Server “Longhorn”

• Multiple activation options exist for volume customers

• MAK independent, MAK proxy and KMS

• Provides centralized management and protection of VL keys

• Enhances software asset management efforts

• Integrated with Business Desktop Deployment for easier deployment and management

Resources

• Business Desktop Deployment Solution Accelerator:

• http://www.microsoft.com/technet/desktopdeployment/bdd

• Volume Activation 2.0 on TechNet:

• http://go.microsoft.com/fwlink/?LinkID=75673

• Volume Activation 2.0 on Download Center:

• http://go.microsoft.com/fwlink/?LinkID=75674

• For product key information and call center numbers:

• http://www.microsoft.com/licensing/resources/vol/default.mspx

© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Reduced Functionality Mode

• Placed in reduced functionality mode when:

• Grace period expired, Hardware changed significantly, Tampering detected, or Windows Genuine validation failed

• While in RFM the User experience differs: • Some features will be disabled e.g. ReadyBoost, Defender

• Some features will be degraded e.g. Aero

• Desktop will display non-Genuine watermark

• Users will have access to their desktop and data in “Safe” mode

• Multiple options available to restore full functionality

Volume Activation Management Tool

User interface is subject to change