Windows 7 : Using Volume Activation (part 1) - Activation Options & Key Management Service

1. Introduction

Product activation is the process of validating software with the manufacturer. Activation confirms the genuine status of a product and that the product key is not compromised. It is analogous to the activation of credit cards or new mobile phones. Activation establishes a relationship between the software's product key and a particular installation of that software on a device.

All methods of activation used by Microsoft are designed to help protect user privacy. Data that is sent during activation is not traceable to the computer or user. The data that is gathered is used to confirm a legally licensed copy of the software. It is then aggregated for statistical analysis. Microsoft does not use this information to identify or contact the user or organization. For example, during online activations, information such as the software version, language, and product key are sent, as well as the IP address and information about the hardware of the device. The IP address is used only to verify the location of the request, as some editions of Windows—such as Windows 7 Starter—can be activated only within certain target market geographies.

2. Activation Options

Licenses for Windows 7 can be obtained through one of three basic channels: retail, Original Equipment Manufacturer (OEM), or Volume Licensing. Each channel has its own unique methods of activation. Because organizations can obtain their operating systems through any of the three available channels, they can choose a combination of activation methods.

2.1. Retail

Windows 7 products acquired through a retail store are licensed individually and are activated in the same way as retail versions of Windows Vista. Each purchased copy comes with one unique product key, found on the product packaging, which is typed in during the installation of the product. The computer uses this product key to complete the activation after the installation of the operating system is complete. This activation can be accomplished either online or by telephone.

2.2. Original Equipment Manufacturer

Most OEMs sell systems that include a standard build of Windows 7. Hardware vendors perform OEM activation by associating Windows with the firmware (basic input/output system, or BIOS) of the physical computer. This process occurs before the computers are sent to the customer so that no additional actions are required of the user. This method of activation is known as OEM Activation.

OEM Activation is valid as long as the customer uses the OEM-provided image on a system. To create a customized image, customers can use the image provided by the OEM as the basis for creating the custom image. Otherwise, a different activation method must be used.

Note:

Some editions of Windows 7, such as Windows 7 Enterprise, are available only through the Volume Licensing channel. OEM Activation is applicable to computers purchased through OEM channels with Windows installed.

2.3. Volume Licensing

Volume Licensing offers customized programs tailored to the size and purchasing preference of the organization. These programs provide simple, flexible, and affordable solutions that enable organizations to manage their licenses. To become a Volume Licensing customer, an organization needs to set up a Volume License agreement with Microsoft.

There are only two legal ways to acquire a full Windows desktop license for a new computer system. The first and most economical way is preinstalled through the computer hardware manufacturer. The other option is with a full, packaged retail product. Volume Licensing programs such as Open License, Select License, and Enterprise agreements cover Windows upgrades only and do not provide a full Windows desktop license. After the computers have a full Windows desktop license, a Windows Volume Licensing agreement can be acquired and used to provide version upgrade rights. For more information on Volume Licensing, go to http://go.microsoft.com/fwlink/?LinkId=73076.

Volume Activation is designed to allow Volume License customers to automate the activation process in a way that is transparent to users. Volume Activation applies to computers that are covered under a Volume Licensing program. It is used strictly as a tool for activation and is in no way tied to license invoicing or billing. Volume Activation provides two different models for completing volume activations: Key Management Service (KMS) and Multiple Activation Key (MAK). KMS allows organizations to activate systems within their own network, whereas MAK activates systems on a one-time basis using Microsoft's hosted activation services.

Customers can use either or both key types to activate systems in their environment. The model chosen depends on the size, network infrastructure, connectivity, and security requirements of the organization. IT professionals can choose to use just one or a combination of these activation models.

DIRECT FROM THE SOURCE

Choosing the Activation Method

Kim Griffiths, Product Manager

Genuine Windows

Aaron Smith, Program Manager

Windows Genuine Platform Team

Which method to use? That is one of the most common questions that we hear from our customers about Volume Activation. It is a decision that you need to make before any systems are deployed. When we were designing Volume Activation, it was clear that there were a wide variety of customer deployment models and use cases that needed to be considered. For example, a well-connected, global corporate intranet would have very different requirements from a disconnected development and test lab. Accordingly, two methods were developed to give the level of flexibility that our customers needed: KMS and MAK. Customers can use one or both methods, depending on how they deploy and use their machines.

KMS is the recommended solution for most customer use cases, for a variety of reasons. First, it is automated and simple for the administrator to configure. The KMS clients detect and use the service for activation on their own, without any configuration changes to the image or end-user involvement. Second, activation happens within the customer environment. After the service is activated, all communication stays inside the organization. None of the KMS clients will ever connect to Microsoft to activate.

MAK is best suited to a smaller set of systems, individual stand-alone machines, or those that are disconnected from the corporate network. It is very similar to retail activation and can be configured as part of system provisioning, making it transparent to the end user as well.

3. Key Management Service

KMS activates computers on a local network, eliminating the need for individual computers to connect to Microsoft. To do this, KMS uses a client–server topology. KMS clients can locate KMS hosts by using Domain Name System (DNS) or a static configuration. KMS clients contact the KMS host by using Remote Procedure Call (RPC). KMS can be hosted on computers running the Windows 7, Windows Vista, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 operating systems.

3.1. Minimum Computer Requirements

If you are planning to use KMS activation, the network must meet or exceed the activation threshold (the minimum number of qualifying computers that KMS requires). IT professionals must also understand how the KMS host tracks the number of computers on the network.

3.1.1. KMS Activation Thresholds

KMS can activate both physical computers and virtual machines (VMs). To qualify for KMS activation, a network must have a minimum number of qualifying computers, called the activation threshold. KMS hosts activate clients only after meeting this threshold. To ensure that the activation threshold is met, a KMS host counts the number of computers requesting activation on the network.

The Windows Server operating systems (starting with Windows Server 2008) and Windows client operating systems (starting with Windows Vista) are activated after meeting different thresholds. The Windows Server activation threshold is 5 computers, and the Windows client activation threshold is 25 computers. The threshold includes Windows client and server operating systems running on physical computers or VMs.

A KMS host responds to each valid activation request from a KMS client with the count of how many computers have contacted the KMS host for activation. Clients that receive a count below their activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 7, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a Windows 7 VM, it receives an activation count of 3, and so on. None of these computers is activated because computers running Windows 7 must receive an activation count greater than or equal to 25 to be activated. KMS clients in the grace state that are not activated because the activation count is too low will connect to the KMS host every two hours to get the current activation count and will be activated when the threshold is met.

If the next computer that contacts the KMS host is running Windows Server 2008 R2, it receives an activation count of 4, because activation counts are a combination of computers running Windows Server 2008 R2 and Windows 7. If a computer running Windows Server 2008 or Windows Server 2008 R2 receives an activation count that is greater than or equal to 5, it is activated. If a computer running Windows 7 receives an activation count greater than or equal to 25, it is activated.

3.1.2. Activation Count Cache

To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client machine identification (CMID) designation, and the KMS host saves each CMID in a table. Each activation request remains in the table for 30 days. When a client renews its activation, the cached CMID is removed from the table, a new record is created, and the 30-day period begins again. If a KMS client does not renew its activation within 30 days, the KMS host removes the corresponding CMID from the table and reduces the activation count by 1.

The KMS host caches twice the number of CMIDs that KMS clients require to help ensure that the CMID count does not drop below the activation threshold. For example, on a network with clients running Windows 7, the KMS activation threshold is 25. The KMS host caches the CMIDs of the most recent 50 activations. The KMS activation threshold for Windows Server 2008 R2 is 5. A KMS host that is contacted only by clients running Windows Server 2008 R2 KMS would cache the 10 most recent CMIDs. If a client running Windows 7 later contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.

3.2. How KMS Works

KMS activation requires Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little to no administrative action, or KMS hosts and clients can be configured manually based on network configuration and security requirements.

3.2.1. KMS Activation Renewal

KMS activations are valid for 180 days. This is called the activation validity interval. To remain activated, KMS clients must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client will reattempt every two hours. After a client's activation is renewed, the activation validity interval begins again.

3.2.2. Publication of the KMS

The KMS uses service (SRV) resource records (RRs) in DNS to store and communicate the locations of KMS hosts. KMS hosts use Dynamic DNS (DDNS), if available, to publish the KMS SRV RRs. If DDNS is not available, or the KMS host does not have rights to publish the RRs, the DNS records must be published manually or IT professionals must configure client computers to connect to specific KMS hosts. The Volume Activation Deployment Guide at http://go.microsoft.com/fwlink/?LinkId=150083 describes the steps necessary to publish the KMS in DNS.

Note:

DNS changes may take time to propagate to all DNS hosts, depending on the complexity and topology of the network.

3.2.3. Client Discovery of the KMS

By default, KMS clients query DNS for KMS information. The first time a KMS client queries DNS for KMS information, it randomly chooses a KMS host from the list of SRV RRs that DNS returns.

The address of a DNS server containing the SRV RRs can be listed as a suffixed entry on KMS clients, which allows advertisement of SRV RRs for KMS in one DNS server and allows KMS clients with other primary DNS servers to find KMS.

Also, priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Doing so allows IT professionals to establish KMS host priority groupings and weighting within each group, which specify the KMS host to try first, to balance traffic among multiple KMS hosts. Only Windows 7 and Windows Server 2008 R2 use the priority and weight parameters.

If the KMS host that a client selects does not respond, the KMS client removes that KMS host from its list of SRV RRs and randomly selects another KMS host from the list. After a KMS host responds, the KMS client caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client discovers a new KMS host by querying DNS for KMS SRV RRs.

By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (IT professionals can change the default port.) After establishing a TCP session with the KMS host, the client sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client is activated and the session is closed. The KMS client uses this same process for renewal requests. The communication each way is 250 bytes.

3.3. Planning a KMS Deployment

The KMS does not require a dedicated server. The KMS can be co-hosted with other services, such as Active Directory Domain Services (AD DS) domain controllers and read-only domain controllers (RODCs). KMS hosts can also run on physical computers or VMs running any supported Windows operating system, including Windows Server 2003. Although a KMS host running on Windows Server 2008 R2 can activate any Windows operating system that supports Volume Activation, a KMS host running on Windows 7 can activate only Windows client operating systems. A single KMS host can support unlimited numbers of KMS clients; however, Microsoft recommends deploying a minimum of two KMS hosts for failover. Most organizations can use as few as two KMS hosts for their entire infrastructure.

Note:

KMS is not included automatically in Windows Server 2003. To host KMS on machines running Windows Server 2003, download and install KMS for Windows Server 2003 SP1 and later from http://go.microsoft.com/fwlink/?LinkID=82964. KMS is available in several languages. The 64-bit version is available at http://go.microsoft.com/fwlink/?LinkId=83041.

3.3.1. Planning DNS Server Configuration

The default KMS auto-publishing feature requires SRV RR and DDNS support. Microsoft DNS or any other DNS server that supports SRV RRs (per Internet Engineering Task Force [IETF] RFC 2782) and dynamic updates (per RFC 2136) can support KMS client default behavior and KMS SRV RR publishing. Berkeley Internet Domain Name (BIND) versions 8.x and 9.x support both SRV records and DDNS, for example.

The KMS host must be configured so that it has the credentials needed to create and update SRV, A (IP version 4, or IPv4), and AAAA (IP version 6, or IPv6) RRs on the DDNS servers, or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS and add all KMS hosts to that group. In the Microsoft DNS server, ensure that this security group is given full control over the _VLMCS._TCP record on each DNS domain that will contain the KMS SRV RRs.

3.3.2. Activating the First KMS Host

KMS hosts on the network need to install a KMS key and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft.

KMS keys are installed only on KMS hosts, never on individual KMS clients. Windows 7 and Windows Server 2008 R2 have safeguards to help prevent inadvertently installing KMS keys on KMS client computers. Any time users try to install a KMS key, they see a warning, but they can continue to install the KMS key.

3.3.3. Activating Subsequent KMS Hosts

Each KMS key can be installed on up to six KMS hosts, which can be physical computers or VMs. After activating a KMS host, the same host can be reactivated up to nine more times with the same key.

If the organization needs more than six KMS hosts, IT professionals can request additional activations for the organization's KMS key. An example of this would be if 10 separate physical locations were under one Volume Licensing agreement, and IT wanted each location to have a local KMS host. To request this exception, call the Activation Call Center. For more information, see the Volume Licensing Web site at http://go.microsoft.com/fwlink/?LinkID=73076.

3.3.4. Upgrading Existing KMS Hosts

KMS hosts operating on Windows Server 2003, Windows Vista, or Windows Server 2008 can be configured to support KMS clients running Windows 7 and Windows Server 2008 R2. For Windows Vista and Windows Server 2008, it will be necessary to update the KMS host with a package containing the files supporting the expanded KMS client support. This package is available through the Microsoft Download Center at http://www.microsoft.com/downloads or through Windows Update and Windows Server Update Services (WSUS).

In the case of updating a Windows Server 2003 KMS host, all necessary files are contained within the KMS 1.2 downloadable package, which is available through the Microsoft Download Center at http://www.microsoft.com/downloads.

3.3.5. Planning KMS Clients

By default, computers running Volume Licensing editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are KMS clients, and no additional configuration is needed. KMS clients can locate a KMS host automatically by querying DNS for SRV RRs that publish the KMS. If the network environment does not use SRV RRs, a KMS client can be configured manually to use a specific KMS host. The steps needed to configure KMS clients manually are described in the Volume Activation Deployment Guide at http://go.microsoft.com/fwlink/?LinkId=150083.

11.3.3.6. Activating as a Standard User

4. Multiple Activation Key

A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations; this number is based on Volume Licensing agreements and does not match the organization's exact license count. Each activation using a MAK with Microsoft's hosted activation service counts toward the activation limit.

There are two ways to activate computers using a MAK:

• MAK Independent activation MAK Independent activation requires that each computer independently connect and be activated with Microsoft, either over the Internet or by telephone. MAK Independent activation is best suited for computers within an organization that do not maintain a connection to the corporate network.

• MAK Proxy activation MAK Proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. MAK Proxy activation is configured using the Volume Activation Management Tool (VAMT). MAK Proxy activation is appropriate for environments in which security concerns may restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity.

MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers needing activation does not meet the KMS activation threshold. MAK can be used for individual computers or with an image that can be bulk-duplicated or installed using Microsoft deployment solutions. MAK can also be used on a computer that was configured originally to use KMS activation—useful for moving a computer off the core network to a disconnected environment.

4.1. Volume Activation Management Tool

Included in the Windows Automated Installation Kit (Windows AIK), VAMT is a stand-alone application that collects activation requests from several computers and then sends them to Microsoft in bulk. VAMT allows IT professionals to specify a group of computers to activate using AD DS, workgroup names, IP addresses, or computer names. After receiving the activation confirmation IDs, VAMT distributes them to the computers that requested activation. Because VAMT also stores these confirmation IDs locally, it can reactivate a previously activated computer after it is reimaged without recontacting Microsoft. The communication between VAMT and client computers is via Windows Management Instrumentation (WMI), so Windows Firewall on client computers must be configured to allow WMI traffic. Additionally, VAMT can be used to transition computers easily between MAK and KMS activation methods. Download Windows AIK, which includes VAMT, at http://go.microsoft.com/fwlink/?LinkId=136976.

4.2. MAK Architecture