1. Introduction
Product activation is the
process of validating software with the manufacturer. Activation
confirms the genuine status of a product and that the product key is not
compromised. It is analogous to the activation of credit cards or new
mobile phones. Activation establishes a relationship between the
software's product key and a particular installation of that software on
a device.
All methods of activation
used by Microsoft are designed to help protect user privacy. Data that
is sent during activation is not traceable to the computer or user. The
data that is gathered is used to confirm a legally licensed copy of the
software. It is then aggregated for statistical analysis. Microsoft does
not use this information to identify or contact the user or
organization. For example, during online activations, information such
as the software version, language, and product key are sent, as well as
the IP address and information about the hardware of the device. The IP
address is used only to verify the location of the request, as some
editions of Windows—such as Windows 7 Starter—can be activated only
within certain target market geographies.
2. Activation Options
Licenses for Windows 7 can be obtained through one of three basic channels: retail, Original Equipment Manufacturer (OEM),
or Volume Licensing. Each channel has its own unique methods of
activation. Because organizations can obtain their operating systems
through any of the three available channels, they can choose a
combination of activation methods.
2.1. Retail
Windows 7 products acquired
through a retail store are licensed individually and are activated in
the same way as retail versions of Windows Vista. Each purchased copy
comes with one unique product key, found on the product packaging, which
is typed in during the installation of the product. The computer uses
this product key to complete the activation after the installation of
the operating system is complete. This activation can be accomplished
either online or by telephone.
2.2. Original Equipment Manufacturer
Most OEMs sell systems
that include a standard build of Windows 7. Hardware vendors perform OEM
activation by associating Windows with the firmware (basic input/output
system, or BIOS) of the physical computer. This process occurs before
the computers are sent to the customer so that no additional actions are
required of the user. This method of activation is known as OEM
Activation.
OEM Activation
is valid as long as the customer uses the OEM-provided image on a
system. To create a customized image, customers can use the image
provided by the OEM as the basis for creating the custom image.
Otherwise, a different activation method must be used.
Note:
Some editions of Windows 7, such as Windows 7 Enterprise, are available only through the Volume Licensing channel. OEM Activation is applicable to computers purchased through OEM channels with Windows installed.
2.3. Volume Licensing
Volume Licensing
offers customized programs tailored to the size and purchasing
preference of the organization. These programs provide simple, flexible,
and affordable solutions that enable organizations to manage their
licenses. To become a Volume Licensing customer, an organization needs
to set up a Volume License agreement with Microsoft.
There are only two legal
ways to acquire a full Windows desktop license for a new computer
system. The first and most economical way is preinstalled through the
computer hardware manufacturer. The other option is with a full,
packaged retail product. Volume Licensing programs such as Open License,
Select License, and Enterprise agreements cover Windows upgrades only
and do not provide a full Windows desktop license. After the computers
have a full Windows desktop license, a Windows Volume Licensing
agreement can be acquired and used to provide version upgrade rights.
For more information on Volume Licensing, go to http://go.microsoft.com/fwlink/?LinkId=73076.
Volume Activation is
designed to allow Volume License customers to automate the activation
process in a way that is transparent to users. Volume Activation applies
to computers that are covered under a Volume Licensing program. It is
used strictly as a tool for activation and is in no way tied to license
invoicing or billing. Volume Activation provides two different models
for completing volume activations: Key Management Service (KMS) and
Multiple Activation Key (MAK). KMS allows organizations to activate
systems within their own network, whereas MAK activates systems on a
one-time basis using Microsoft's hosted activation services.
Customers can use either
or both key types to activate systems in their environment. The model
chosen depends on the size, network infrastructure, connectivity, and
security requirements of the organization. IT professionals can choose
to use just one or a combination of these activation models.
Choosing the Activation Method
Kim Griffiths, Product Manager
Genuine Windows
Aaron Smith, Program Manager
Windows Genuine Platform Team
Which method to use? That is
one of the most common questions that we hear from our customers about
Volume Activation. It is a decision that you need to make before any
systems are deployed. When we were designing Volume Activation, it was
clear that there were a wide variety of customer deployment models and
use cases that needed to be considered. For example, a well-connected,
global corporate intranet would have very different requirements from a
disconnected development and test lab. Accordingly, two methods were
developed to give the level of flexibility that our customers needed: KMS and MAK. Customers can use one or both methods, depending on how they deploy and use their machines.
KMS is the recommended
solution for most customer use cases, for a variety of reasons. First,
it is automated and simple for the administrator to configure. The KMS
clients detect and use the service for activation on their own, without
any configuration changes to the image or end-user involvement. Second,
activation happens within the customer environment. After the service is
activated, all communication stays inside the organization. None of the
KMS clients will ever connect to Microsoft to activate.
MAK is best suited to a smaller
set of systems, individual stand-alone machines, or those that are
disconnected from the corporate network. It is very similar to retail
activation and can be configured as part of system provisioning, making
it transparent to the end user as well.
3. Key Management Service
KMS activates computers
on a local network, eliminating the need for individual computers to
connect to Microsoft. To do this, KMS uses a client–server topology. KMS
clients can locate KMS hosts by using Domain Name System (DNS) or a
static configuration. KMS clients contact the KMS host by using Remote
Procedure Call (RPC). KMS can be hosted on computers running the Windows
7, Windows Vista, Windows Server 2008 R2, Windows Server 2008, or
Windows Server 2003 operating systems.
3.1. Minimum Computer Requirements
If you are planning to use KMS activation, the network must meet or exceed the activation threshold (the minimum number of qualifying computers that KMS requires). IT professionals must also understand how the KMS host tracks the number of computers on the network.
3.1.1. KMS Activation Thresholds
KMS can activate both physical computers and virtual machines (VMs). To qualify for KMS activation, a network must have a minimum number of qualifying computers, called the activation threshold.
KMS hosts activate clients only after meeting this threshold. To ensure
that the activation threshold is met, a KMS host counts the number of
computers requesting activation on the network.
The Windows Server
operating systems (starting with Windows Server 2008) and Windows client
operating systems (starting with Windows Vista) are activated after
meeting different thresholds. The Windows Server activation threshold is
5 computers, and the Windows client activation threshold is 25
computers. The threshold includes Windows client and server operating
systems running on physical computers or VMs.
A KMS host responds to each
valid activation request from a KMS client with the count of how many
computers have contacted the KMS host for activation. Clients that
receive a count below their activation threshold are not activated. For
example, if the first two computers that contact the KMS host are
running Windows 7, the first receives an activation count of 1, and the
second receives an activation count of 2. If the next computer is a
Windows 7 VM, it receives an activation count of 3, and so on. None of
these computers is activated because computers running Windows 7 must
receive an activation count greater than or equal to 25 to be activated.
KMS clients in the grace state that are not activated because the
activation count is too low will connect to the KMS host every two hours
to get the current activation count and will be activated when the
threshold is met.
If the next computer that
contacts the KMS host is running Windows Server 2008 R2, it receives an
activation count of 4, because activation counts are a combination of
computers running Windows Server 2008 R2 and Windows 7. If a computer
running Windows Server 2008 or Windows Server 2008 R2 receives an
activation count that is greater than or equal to 5, it is activated. If
a computer running Windows 7 receives an activation count greater than
or equal to 25, it is activated.
3.1.2. Activation Count Cache
To track the activation
threshold, the KMS host keeps a record of the KMS clients that request
activation. The KMS host gives each KMS client a client machine identification (CMID) designation, and the KMS host saves each CMID in a table. Each activation request remains in the table for 30 days. When a client renews its activation, the cached CMID
is removed from the table, a new record is created, and the 30-day
period begins again. If a KMS client does not renew its activation
within 30 days, the KMS host removes the corresponding CMID from the table and reduces the activation count by 1.
The KMS host caches twice the number of CMIDs that KMS clients
require to help ensure that the CMID count does not drop below the
activation threshold. For example, on a network with clients running
Windows 7, the KMS activation threshold is 25. The KMS host caches the
CMIDs of the most recent 50 activations. The KMS activation threshold
for Windows Server 2008 R2 is 5. A KMS host that is contacted only by
clients running Windows Server 2008 R2 KMS would cache the 10 most
recent CMIDs. If a client running Windows 7 later contacts that KMS
host, KMS increases the cache size to 50 to accommodate the higher
threshold. KMS never reduces the cache size.
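To make the counting rules above concrete, the following is an added Python simulation, not Microsoft code and not how a real KMS host is implemented, of the behaviour sections 3.1.1 and 3.1.2 describe: the thresholds of 5 (Windows Server) and 25 (Windows client), the 30-day CMID lifetime, the cache of twice the threshold that is never reduced, and the count returned to each caller. The `KmsHost`, `walkthrough` and `server_only_host` names, the CMID strings and the timestamps are constructed for the example.

```python
"""Added simulation of the KMS activation-count rules (sections 3.1.1 and
3.1.2). Not Microsoft code: thresholds, the 30-day CMID lifetime and the
2x-threshold cache come from the text; CMIDs and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple

CMID_LIFETIME = timedelta(days=30)
# Activation thresholds: Windows Server (2008 and later) and Windows client
# (Vista and later). Both kinds of machine count toward either threshold.
THRESHOLDS = {"server": 5, "client": 25}


@dataclass
class KmsHost:
    # CMID -> time of that client's most recent request; insertion order is
    # oldest first, so the dict doubles as the "most recent N" cache.
    cmids: Dict[str, datetime] = field(default_factory=dict)
    # Cache capacity: twice the highest threshold seen so far, never reduced.
    cache_size: int = 0

    def _expire(self, now: datetime) -> None:
        # A client that has not renewed within 30 days is dropped, which
        # lowers the activation count by one per expired entry.
        for cmid in [c for c, t in self.cmids.items() if now - t > CMID_LIFETIME]:
            del self.cmids[cmid]

    def request(self, cmid: str, kind: str, now: datetime) -> Tuple[int, bool]:
        """Handle one activation or renewal request from a client.

        Returns (activation_count, activated): the number of distinct clients
        seen in the last 30 days (including the caller), and whether that
        count meets the caller's own threshold."""
        self._expire(now)
        self.cache_size = max(self.cache_size, 2 * THRESHOLDS[kind])
        # A renewal replaces the cached record and restarts its 30-day clock.
        self.cmids.pop(cmid, None)
        self.cmids[cmid] = now
        # Keep only the most recent cache_size CMIDs.
        while len(self.cmids) > self.cache_size:
            del self.cmids[next(iter(self.cmids))]
        count = len(self.cmids)
        return count, count >= THRESHOLDS[kind]


def walkthrough() -> dict:
    """Replays the example in the text: two Windows 7 machines, a Windows 7
    VM and a Windows Server 2008 R2 machine contact a fresh host, a fifth
    machine lets the server activate, the count is raised to 25 so the
    clients activate on their two-hour retry, and after 31 days without
    renewals the count has collapsed."""
    host = KmsHost()
    t0 = datetime(2010, 1, 1)
    r = {}
    r["win7_1"] = host.request("cmid-w7-1", "client", t0)       # (1, False)
    r["win7_2"] = host.request("cmid-w7-2", "client", t0)       # (2, False)
    r["win7_vm"] = host.request("cmid-w7-vm", "client", t0)     # (3, False)
    r["srv_2008r2"] = host.request("cmid-srv-1", "server", t0)  # (4, False)
    host.request("cmid-w7-3", "client", t0)                     # count is now 5
    # The server retries two hours later: 5 >= 5, so it activates even
    # though the Windows 7 clients (threshold 25) still wait.
    r["srv_retry"] = host.request("cmid-srv-1", "server", t0 + timedelta(hours=2))
    for i in range(4, 24):                                      # 20 more clients
        host.request(f"cmid-w7-{i}", "client", t0)
    r["win7_1_retry"] = host.request("cmid-w7-1", "client", t0 + timedelta(hours=2))
    r["cache_size"] = host.cache_size                           # 50 once a client was seen
    # Only one client renews after 31 days: all the others have expired.
    r["after_expiry"] = host.request("cmid-w7-1", "client", t0 + timedelta(days=31))
    return r


def server_only_host() -> Tuple[int, int, int]:
    """Twelve Windows Server 2008 R2 machines on a host that never sees a
    client: the cache holds only the 10 most recent CMIDs (2 x 5). The
    first client request raises the cache to 50; it is never reduced."""
    host = KmsHost()
    t0 = datetime(2010, 1, 1)
    last_count = 0
    for i in range(12):
        last_count, _ = host.request(f"cmid-srv-{i}", "server", t0)
    small_cache = host.cache_size
    host.request("cmid-w7-0", "client", t0)
    return last_count, small_cache, host.cache_size   # (10, 10, 50)
```

The expiry step is the part worth noticing operationally: a site whose clients stop renewing for a month does not merely stop activating new machines, its count can fall below the threshold for everyone, which is why the host caches twice the threshold.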
3.2. How KMS Works
KMS activation requires
Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity.
By default, KMS hosts and clients use DNS to publish and find the KMS.
The default settings can be used, which require little to no
administrative action, or KMS hosts and clients can be configured
manually based on network configuration and security requirements.
3.2.1. KMS Activation Renewal
KMS activations are valid for 180 days. This is called the activation validity interval.
To remain activated, KMS clients must renew their activation by
connecting to the KMS host at least once every 180 days. By default, KMS
client computers attempt to renew their activation every seven days. If
KMS activation fails, the client will reattempt every two hours. After a
client's activation is renewed, the activation validity interval begins
again.
3.2.2. Publication of the KMS
The KMS uses service (SRV) resource records (RRs) in DNS to store and communicate the locations of KMS hosts. KMS hosts use Dynamic DNS (DDNS),
if available, to publish the KMS SRV RRs. If DDNS is not available, or
the KMS host does not have rights to publish the RRs, the DNS records
must be published manually or IT professionals must configure client
computers to connect to specific KMS hosts. The Volume Activation Deployment Guide at http://go.microsoft.com/fwlink/?LinkId=150083 describes the steps necessary to publish the KMS in DNS.
Note:
DNS changes may take time to propagate to all DNS hosts, depending on the complexity and topology of the network.
3.2.3. Client Discovery of the KMS
By default, KMS clients query
DNS for KMS information. The first time a KMS client queries DNS for KMS
information, it randomly chooses a KMS host from the list of SRV RRs that DNS returns.
The address of a DNS server
containing the SRV RRs can be listed as a suffixed entry on KMS clients,
which allows advertisement of SRV RRs for KMS in one DNS server and
allows KMS clients with other primary DNS servers to find KMS.
Also, priority and weight parameters can be added to the DnsDomainPublishList
registry value for KMS. Doing so allows IT professionals to establish
KMS host priority groupings and weighting within each group, which
specify the KMS host to try first, to balance traffic among multiple KMS
hosts. Only Windows 7 and Windows Server 2008 R2 use the priority and
weight parameters.
If the KMS host that a client
selects does not respond, the KMS client removes that KMS host from its
list of SRV RRs and randomly selects another KMS host from the list.
After a KMS host responds, the KMS client caches the name of the KMS
host and uses it for subsequent activation and renewal attempts. If the
cached KMS host does not respond on a subsequent renewal, the KMS client
discovers a new KMS host by querying DNS for KMS SRV RRs.
By default, client computers
connect to the KMS host for activation by using anonymous RPCs through
TCP port 1688. (IT professionals can change the default port.) Because
the RPC is anonymous, the KMS host does not authenticate the clients that
contact it; restricting which networks can reach the KMS port is the
practical control over who can request activation. After
establishing a TCP session with the KMS host, the client sends a single
request packet. The KMS host responds with the activation count. If the
count meets or exceeds the activation threshold for that operating
system, the client is activated and the session is closed. The KMS
client uses this same process for renewal requests. The communication
each way is 250 bytes.
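The following added Python example, not Microsoft code, models the publication and discovery behaviour of sections 3.2.2 and 3.2.3: the zone-file form of the SRV RR a KMS host registers, the RFC 2782 priority and weight ordering that Windows 7 and Windows Server 2008 R2 clients honour (with plain random choice for earlier clients), skipping hosts that do not respond, caching the responder, and falling back to DNS only when the cached host fails. The `_vlmcs._tcp` name and port 1688 come from the text; the zone `contoso.com`, the host names, the DNS answers and the `probe` callable that stands in for the RPC request are constructed so the example runs offline.

```python
"""Added example (not Microsoft code) of KMS publication in DNS and client
discovery as described in sections 3.2.2 and 3.2.3. The _vlmcs._tcp record
name and port 1688 come from the text; the zone contoso.com, the host names,
the DNS answers and the `probe` callable standing in for the RPC request are
constructed so the example runs offline."""
import random
from typing import Callable, Dict, List, NamedTuple, Optional

KMS_SRV_NAME = "_vlmcs._tcp"
KMS_DEFAULT_PORT = 1688


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def publish_srv(zone: str, host: str, priority: int = 0, weight: int = 0,
                port: int = KMS_DEFAULT_PORT, ttl: int = 3600) -> str:
    """Zone-file form of the SRV RR a KMS host registers through DDNS (or
    that an administrator creates by hand when DDNS is unavailable)."""
    return f"{KMS_SRV_NAME}.{zone}. {ttl} IN SRV {priority} {weight} {port} {host}."


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV RR in zone-file form; rejects anything else."""
    f = line.split()
    if len(f) != 8 or f[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip("."))


def order_candidates(records: List[SrvRecord], honour_priority: bool,
                     rng: random.Random) -> List[SrvRecord]:
    """Order in which a client tries hosts. Windows 7 and Windows Server
    2008 R2 honour RFC 2782 priority (lowest first) and weighted random
    order within a priority group; earlier clients pick purely at random."""
    if not honour_priority:
        pool = list(records)
        rng.shuffle(pool)
        return pool
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:                      # RFC 2782 weighted selection
            pick = rng.randint(0, sum(r.weight for r in group))
            running, chosen = 0, group[0]
            for rec in group:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


class KmsClient:
    def __init__(self, zone: str, dns: Dict[str, List[str]],
                 probe: Callable[[str, int], bool],
                 honour_priority: bool = True, seed: int = 0) -> None:
        self.zone, self.dns, self.probe = zone, dns, probe
        self.honour_priority = honour_priority
        self.rng = random.Random(seed)
        self.cached: Optional[SrvRecord] = None   # last host that answered

    def _discover(self) -> Optional[SrvRecord]:
        answers = self.dns.get(f"{KMS_SRV_NAME}.{self.zone}", [])
        records = [parse_srv(a) for a in answers]
        for rec in order_candidates(records, self.honour_priority, self.rng):
            if self.probe(rec.target, rec.port):   # a non-responder is skipped
                self.cached = rec
                return rec
        return None

    def activate(self) -> Optional[SrvRecord]:
        """Initial activation or renewal: reuse the cached host, and only
        go back to DNS when it stops responding."""
        if self.cached is not None and self.probe(self.cached.target, self.cached.port):
            return self.cached
        self.cached = None
        return self._discover()


def demo() -> Dict[str, str]:
    zone = "contoso.com"
    dns = {f"{KMS_SRV_NAME}.{zone}": [
        publish_srv(zone, "kms01.contoso.com", priority=0, weight=100),
        publish_srv(zone, "kms02.contoso.com", priority=0, weight=100),
        publish_srv(zone, "kms-dr.contoso.com", priority=10),   # standby site
    ]}
    up = {"kms01.contoso.com", "kms02.contoso.com", "kms-dr.contoso.com"}
    client = KmsClient(zone, dns, lambda host, port: host in up and port == KMS_DEFAULT_PORT)
    first = client.activate()
    renewal = client.activate()            # cached host reused
    up -= {"kms01.contoso.com", "kms02.contoso.com"}
    failover = client.activate()           # cached host dead: rediscover
    return {"first": first.target, "renewal": renewal.target, "failover": failover.target}
```

The `demo` scenario shows why priority matters: with the standby host at priority 10, clients spread across the two priority-0 hosts by weight and only reach `kms-dr` when both primaries stop answering, which is the grouping the text describes for `DnsDomainPublishList`.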
3.3. Planning a KMS Deployment
The KMS does not require a
dedicated server. The KMS can be co-hosted with other services, such as
Active Directory Domain Services (AD DS) domain controllers and read-only
domain controllers (RODCs). KMS hosts can also run on physical
computers or VMs running any supported Windows operating system,
including Windows Server 2003. Although a KMS host running on Windows
Server 2008 R2 can activate any Windows operating system that supports
Volume Activation, a KMS host running on Windows 7 can activate only
Windows client operating systems. A single KMS host can support
unlimited numbers of KMS clients; however, Microsoft recommends
deploying a minimum of two KMS hosts for failover. Most organizations
can use as few as two KMS hosts for their entire infrastructure.
Note:
KMS is not
included automatically in Windows Server 2003. To host KMS on machines
running Windows Server 2003, download and install KMS for Windows Server
2003 SP1 and later from http://go.microsoft.com/fwlink/?LinkID=82964. KMS is available in several languages. The 64-bit version is available at http://go.microsoft.com/fwlink/?LinkId=83041.
3.3.1. Planning DNS Server Configuration
The default KMS auto-publishing feature requires SRV RR and DDNS support. Microsoft DNS or any other DNS server that supports SRV RRs (per Internet Engineering Task Force [IETF] RFC 2782) and dynamic updates (per RFC
2136) can support KMS client default behavior and KMS SRV RR
publishing. Berkeley Internet Name Domain (BIND) versions 8.x and 9.x
support both SRV records and DDNS, for example.
The KMS host must be configured
so that it has the credentials needed to create and update SRV, A (IP
version 4, or IPv4), and AAAA (IP version 6, or IPv6) RRs on the DDNS
servers, or the records need to be created manually. The recommended
solution for giving the KMS host the needed credentials is to create a
security group in AD DS and add all KMS hosts to that group. In the
Microsoft DNS server, ensure that this security group is given full
control over the _VLMCS._TCP record on each DNS domain that will contain
the KMS SRV RRs. Grant that permission on the record itself rather than
on the whole zone, so that a compromised KMS host cannot alter unrelated
records.
3.3.2. Activating the First KMS Host
KMS hosts on the network
need to install a KMS key and then be activated with Microsoft.
Installation of a KMS key enables the KMS on the KMS host. After
installing the KMS key, complete the activation of the KMS host by
telephone or online. Beyond this initial activation, a KMS host does not
communicate any information to Microsoft.
KMS keys are installed only on
KMS hosts, never on individual KMS clients. Windows 7 and Windows Server
2008 R2 have safeguards to help prevent inadvertently installing KMS
keys on KMS client computers. Any time users try to install a KMS key,
they see a warning, but they can continue to install the KMS key.
3.3.3. Activating Subsequent KMS Hosts
Each KMS key can be installed on up to six KMS hosts, which can be physical computers or VMs. After activating a KMS host, the same host can be reactivated up to nine more times with the same key.
If the organization needs
more than six KMS hosts, IT professionals can request additional
activations for the organization's KMS key. An example of this would be
if 10 separate physical locations were under one Volume Licensing
agreement, and IT wanted each location to have a local KMS host. To
request this exception, call the Activation Call Center. For more
information, see the Volume Licensing Web site at http://go.microsoft.com/fwlink/?LinkID=73076.
3.3.4. Upgrading Existing KMS Hosts
KMS hosts operating on
Windows Server 2003, Windows Vista, or Windows Server 2008 can be
configured to support KMS clients running Windows 7 and Windows Server
2008 R2. For Windows Vista and Windows Server 2008, it will be necessary
to update the KMS host with a package containing the files supporting
the expanded KMS client support. This package is available through the
Microsoft Download Center at http://www.microsoft.com/downloads or through Windows Update and Windows Server Update Services (WSUS).
In the case of updating a
Windows Server 2003 KMS host, all necessary files are contained within
the KMS 1.2 downloadable package, which is available through the
Microsoft Download Center at http://www.microsoft.com/downloads.
3.3.5. Planning KMS Clients
By default, computers
running Volume Licensing editions of Windows Vista, Windows 7, Windows
Server 2008, and Windows Server 2008 R2 are KMS clients, and no
additional configuration is needed. KMS clients can locate a KMS host
automatically by querying DNS for SRV RRs that publish the KMS. If the
network environment does not use SRV RRs, a KMS client can be configured
manually to use a specific KMS host. The steps needed to configure KMS
clients manually are described in the Volume Activation Deployment Guide at http://go.microsoft.com/fwlink/?LinkId=150083.
3.3.6. Activating as a Standard User
Windows 7 does
not require administrator privileges for activation. However, this
change does not allow standard user accounts to remove Windows 7 from
the activated state. An administrator account is required for other
activation- or license-related tasks, such as rearming.
4. Multiple Activation Key
A MAK
is used for one-time activation with Microsoft's hosted activation
services. Each MAK has a predetermined number of allowed activations;
this number is based on Volume Licensing agreements and does not match
the organization's exact license count. Each activation using a MAK with
Microsoft's hosted activation service counts toward the activation
limit.
There are two ways to activate computers using a MAK:
MAK Independent activation
MAK Independent activation requires that each computer independently
connect and be activated with Microsoft, either over the Internet or by
telephone. MAK Independent activation is best suited for computers
within an organization that do not maintain a connection to the
corporate network.
MAK Proxy activation
MAK Proxy activation enables a centralized activation request on behalf
of multiple computers with one connection to Microsoft. MAK Proxy
activation is configured using the Volume Activation Management Tool
(VAMT). MAK
Proxy activation is appropriate for environments in which security
concerns may restrict direct access to the Internet or the corporate
network. It is also suited for development and test labs that lack this
connectivity.
MAK is recommended for computers
that rarely or never connect to the corporate network and for
environments in which the number of computers needing activation does
not meet the KMS activation threshold. MAK can be used for individual
computers or with an image that can be bulk-duplicated or installed
using Microsoft deployment solutions. MAK can also be used on a computer
that was configured originally to use KMS activation—useful for moving a
computer off the core network to a disconnected environment.
4.1. Volume Activation Management Tool
Included in the Windows Automated Installation Kit (Windows AIK), VAMT
is a stand-alone application that collects activation requests from
several computers and then sends them to Microsoft in bulk. VAMT
allows IT professionals to specify a group of computers to activate
using AD DS, workgroup names, IP addresses, or computer names. After
receiving the activation confirmation
IDs, VAMT distributes them to the computers that requested activation.
Because VAMT also stores these confirmation IDs locally, it can
reactivate a previously activated computer after it is reimaged without
recontacting Microsoft. The communication between VAMT and client
computers is via Windows Management Instrumentation (WMI), so Windows
Firewall on client computers must be configured to allow WMI traffic.
Additionally, VAMT can be used to transition computers easily between
MAK and KMS activation methods. Download Windows AIK, which includes
VAMT, at http://go.microsoft.com/fwlink/?LinkId=136976.
4.2. MAK Architecture
MAK
Independent activation installs a MAK product key on a client computer
and instructs that computer to activate itself against Microsoft servers
over the Internet. In MAK Proxy activation, VAMT installs a MAK product
key on a client computer, obtains the Installation Identifier (IID) from the target computer, sends the IID to Microsoft on behalf of the client, and obtains a Confirmation Identifier (CID). The tool then activates the client by installing the CID.
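The following added Python model, not Microsoft or VAMT code, shows the difference between the two MAK paths described in sections 4, 4.1 and 4.2. The hosted activation service, the MAK value `MAK-EXAMPLE`, the IID and CID formats (an HMAC stands in for whatever the real service returns) and the machine names are all constructed; what the model keeps from the text is that every hosted activation consumes one of the MAK's allowed activations, that VAMT collects IIDs and submits them in one connection, and that because VAMT keeps the returned CIDs locally a reimaged machine is reactivated without contacting Microsoft again. The model also assumes, for illustration, that a machine's IID is unchanged by a reimage on the same hardware with the same key.

```python
"""Added model (not Microsoft or VAMT code) of MAK Independent and MAK Proxy
activation as described in sections 4, 4.1 and 4.2. The hosted activation
service, the MAK, the IID/CID formats and the machine names are constructed;
the activation-limit accounting and the local CID store follow the text."""
import hashlib
import hmac
from typing import Dict, List, Optional


class HostedActivationService:
    """Stand-in for Microsoft's activation service with a per-MAK limit."""

    def __init__(self, limits: Dict[str, int], secret: bytes) -> None:
        self.remaining = dict(limits)   # MAK -> activations still allowed
        self.secret = secret            # constructed; real CIDs are opaque
        self.connections = 0            # how often a caller reached the service

    def _cid(self, mak: str, iid: str) -> str:
        return hmac.new(self.secret, f"{mak}:{iid}".encode(), hashlib.sha256).hexdigest()[:16]

    def activate_batch(self, mak: str, iids: List[str]) -> Dict[str, Optional[str]]:
        """One connection; each IID that is granted a CID costs one activation."""
        self.connections += 1
        out: Dict[str, Optional[str]] = {}
        for iid in iids:
            if self.remaining.get(mak, 0) <= 0:
                out[iid] = None            # limit exhausted
                continue
            self.remaining[mak] -= 1
            out[iid] = self._cid(mak, iid)
        return out

    def is_valid(self, mak: str, iid: str, cid: Optional[str]) -> bool:
        return cid is not None and hmac.compare_digest(self._cid(mak, iid), cid)


class Machine:
    def __init__(self, name: str) -> None:
        self.name = name                    # stands in for the hardware identity
        self.product_key: Optional[str] = None
        self.cid: Optional[str] = None

    def installation_id(self) -> str:
        # Assumption for the model: the IID depends only on the hardware and
        # the installed key, so it is unchanged after a reimage.
        return hashlib.sha256(f"{self.name}:{self.product_key}".encode()).hexdigest()[:12]

    def reimage(self) -> None:
        self.product_key = None
        self.cid = None


def mak_independent(svc: HostedActivationService, m: Machine, mak: str) -> bool:
    """MAK Independent: the machine installs the MAK and activates itself."""
    m.product_key = mak
    m.cid = svc.activate_batch(mak, [m.installation_id()])[m.installation_id()]
    return m.cid is not None


class Vamt:
    """MAK Proxy: install the key, collect IIDs, one submission, cache CIDs."""

    def __init__(self) -> None:
        self.cid_store: Dict[str, str] = {}   # IID -> CID, kept locally

    def proxy_activate(self, svc: HostedActivationService,
                       machines: List[Machine], mak: str) -> Dict[str, bool]:
        for m in machines:
            m.product_key = mak                 # key install (WMI in practice)
        iids = {m.name: m.installation_id() for m in machines}
        # Only IIDs without a stored CID go to Microsoft; a reimaged machine
        # whose IID is already known is served from the local store.
        missing = [iid for iid in iids.values() if iid not in self.cid_store]
        if missing:
            for iid, cid in svc.activate_batch(mak, missing).items():
                if cid is not None:
                    self.cid_store[iid] = cid
        for m in machines:
            m.cid = self.cid_store.get(iids[m.name])   # install the CID
        return {m.name: m.cid is not None for m in machines}


def demo() -> dict:
    svc = HostedActivationService({"MAK-EXAMPLE": 3}, secret=b"constructed")
    lab = [Machine("lab01"), Machine("lab02"), Machine("lab03")]
    vamt = Vamt()
    first = vamt.proxy_activate(svc, lab, "MAK-EXAMPLE")     # uses all 3
    lab[0].reimage()
    second = vamt.proxy_activate(svc, lab, "MAK-EXAMPLE")    # served from store
    connections_after_reimage = svc.connections              # still 1
    field_ok = mak_independent(svc, Machine("field01"), "MAK-EXAMPLE")  # limit hit
    return {
        "first": first, "second": second, "field_ok": field_ok,
        "remaining": svc.remaining["MAK-EXAMPLE"],
        "connections_after_reimage": connections_after_reimage,
        "connections": svc.connections,
        "lab01_cid_valid": svc.is_valid("MAK-EXAMPLE", lab[0].installation_id(), lab[0].cid),
    }
```

The point the model makes is the one a practitioner planning a disconnected lab cares about: the activation limit is consumed per hosted activation, not per machine, so re-imaging without a local CID store would have burned the MAK, while the proxy path spends nothing on the second run.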