Volume Activation 2.0 Planning Guide for Windows Vista® and Windows Server® 2008

Microsoft Corporation
Published: March, 2008

Abstract
Volume activation is designed to automate and manage the activation process for volume licensing customers. This document is intended for IT implementers whose organization is a Microsoft Volume Licensing customer and who need to plan a deployment of Volume Activation 2.0.

This document and any document referenced herein is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Aero, ReadyBoost, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Volume Activation 2.0 Planning Guide

Introduction
Steps to Planning Volume Activations
Review Available Activation Models
  Key Management Service (KMS)
    Minimum Computer Requirements
    How KMS Works
    Planning a KMS Deployment
  Multiple Activation Key (MAK)
    Volume Activation Management Tool (VAMT)
    MAK Architecture
Evaluate Client Connectivity
  Activation Scenarios
    Core Network
    Isolated Networks
    Individual Disconnected Computers
    Test/Development Labs
Map Systems to an Activation Method
Determine Product Key Needs
Determine Monitoring and Reporting Needs
  Windows Management Instrumentation (WMI)
  Systems Management Server (SMS) and System Center Configuration Manager (SCCM)
  Event Logs
  KMS Management Pack
  Volume Activation Management Tool (VAMT)
Appendix 1: Information Sent to Microsoft During Activation
Appendix 2: License Conditions
  Activated
  Grace
  Genuine
  Notification
  Unlicensed/Reduced Functionality Mode (RFM)

Introduction
Volume Activation 2.0 (VA 2.0) is a configurable solution that helps IT professionals automate and manage the product activation process of Windows Vista® and Windows Server® 2008 systems licensed under a Microsoft Volume Licensing program.
This guide provides information to assist you in planning a deployment of VA 2.0. It contains steps for planning volume activations and VA 2.0 scenarios. For an introduction to VA 2.0, see the Volume Activation 2.0 Overview Guide. All VA 2.0 guides are available online and for download at http://go.microsoft.com/fwlink/?LinkID=75674.

Steps to Planning Volume Activations
A VA 2.0 deployment can be broken down into five major steps. Each step listed is expanded in a corresponding section of this document. To plan a VA 2.0 deployment, you should complete the following steps:
1. Review available activation models.
2. Evaluate client connectivity.
3. Map systems to an activation method.
4. Determine product key needs.
5. Determine monitoring and reporting needs.

Review Available Activation Models
Volume Activation provides two different models for implementing volume activations. The model you choose depends on the size, network infrastructure, connectivity, and security requirements of your organization. You can choose to use just one or both available models of volume activation.

Key Management Service (KMS)
KMS activates operating systems on your local network, eliminating the need for individual computers to connect to Microsoft®. To do this, KMS uses a client/server method of implementation. KMS clients connect to a KMS server, called the KMS host, for activation. The KMS host resides on your local network.

Minimum Computer Requirements
To plan for the KMS model of activation, you must ensure that your network meets or exceeds the minimum number of computers that KMS requires and you must understand how the KMS host tracks the number of computers on your network.

KMS Activation Thresholds
KMS can activate both physical and virtual computers, but to qualify for KMS activation a network must have a minimum number of physical computers, called the activation threshold. KMS clients activate only after this threshold is met.
To ensure that the activation threshold is met, a KMS host counts the number of physical computers requesting activation on the network. The count of activation requests is a combination of both Windows Vista and Windows Server 2008 computers. However, each of these operating systems begins activating after a different threshold is met. The Windows Server 2008 KMS client threshold is five (5) physical computers. The Windows Vista KMS client threshold is twenty-five (25) physical computers. Virtual computers do not contribute to the activation count, but virtual computers are activated by KMS after the physical computer threshold is met.

A KMS host responds to each valid activation request from a KMS client with the count of how many physical computers have contacted the KMS host for activation. Clients that receive a count below the activation threshold do not activate. For example, if the first two computers that contact the KMS host have Windows Vista installed on a physical computer, the first receives an activation count of one and the second receives an activation count of two. If the next computer is a Windows Vista virtual computer, it receives an activation count of two, because only physical computer installations advance the activation count. None of these systems activate since Windows Vista computers must receive an activation count that is 25 or greater to activate. Clients that do not activate because the activation count is too low connect to the KMS host every two hours, by default, to receive a new count.

If the next computer that contacts the KMS host has Windows Server 2008 installed on a physical computer, it receives an activation count of three, because activation counts are a combination of Windows Server 2008 and Windows Vista computers. If a Windows Server 2008 computer, whether it is a physical computer or a virtual computer, receives an activation count that is five or greater, it activates.
If a Windows Vista computer, whether it is a physical computer or a virtual computer, receives an activation count that is 25 or greater, it activates.

Activation Count Cache
To track the activation threshold, the KMS host keeps track of the KMS clients that request activation. Each KMS client that connects to the KMS host is given a unique client identification (CMID) that is saved to a table on the KMS host. Each activation request remains in the table for 30 days. When a client renews its activation, the cached CMID is removed from the table, a new record is created, and the 30-day period begins again. If a KMS client does not renew its activation within 30 days, the corresponding CMID is removed from the table and the activation count is reduced by one.

The KMS host caches twice the number of CMIDs that KMS clients require for activation. For example, on a network with Windows Vista clients, the KMS activation threshold is 25. This KMS host caches the CMIDs of the most recent 50 activations. The KMS activation threshold for Windows Server 2008 is 5. A KMS host that is only contacted by Windows Server 2008 KMS clients caches the 10 most recent CMIDs. If that KMS host is later contacted by Windows Vista, it increases the cache size to 50 to accommodate the higher activation count requirement.

How KMS Works
KMS activation requires TCP/IP connectivity. KMS hosts and clients are, by default, configured to use DNS to publish and use the KMS service. You can use these default settings, which require little to no administrative actions, or you can manually configure KMS hosts and clients, depending on your network configuration and security requirements.

KMS Activation Renewal
KMS activations are valid for 180 days. This is called the activation validity interval. KMS clients must renew their activation by connecting to the KMS host at least once every 180 days to stay activated. By default, KMS client computers attempt to renew their activation every 7 days.
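The threshold and cache rules in the two preceding sections are easy to misjudge when planning a small site or a lab with churn. The following PowerShell script is an added example, not part of the original guide: it simulates the count a KMS host would return for a constructed sequence of requests, using the thresholds (25 for Windows Vista, 5 for Windows Server 2008), the physical-only counting, the 30-day record lifetime, and the "cache holds twice the threshold" rule stated above. The guide does not say whether virtual clients occupy cache slots; the simulation assumes they do, and the request list is constructed data.

```powershell
# Added example, not from the original guide: simulate the activation count a
# KMS host returns, following the rules in "KMS Activation Thresholds" and
# "Activation Count Cache". Assumption: virtual clients occupy cache slots.

$Thresholds = @{ Vista = 25; Server2008 = 5 }

function Get-KmsActivationResults {
    param(
        # Each request has Cmid, Os ('Vista' or 'Server2008'), Physical ($true/$false), Time ([datetime]).
        [Parameter(Mandatory = $true)] [object[]] $Requests
    )

    $table     = @{}                             # CMID -> @{ Time; Physical } (the host's client table)
    $cacheSize = 2 * $Thresholds['Server2008']   # raised to 50 once a Vista client appears
    $results   = @()

    foreach ($r in ($Requests | Sort-Object { $_.Time })) {
        # Drop records that have not been renewed within 30 days.
        foreach ($k in @($table.Keys)) {
            if (($r.Time - $table[$k].Time).TotalDays -gt 30) { $table.Remove($k) }
        }

        if ($r.Os -eq 'Vista') { $cacheSize = 2 * $Thresholds['Vista'] }

        # A new request creates a record; a renewal replaces the old record and
        # restarts its 30-day lifetime.
        $table[$r.Cmid] = @{ Time = $r.Time; Physical = $r.Physical }

        # Keep only the most recent records, up to the cache size.
        if ($table.Count -gt $cacheSize) {
            $excess = $table.Count - $cacheSize
            $oldest = $table.GetEnumerator() | Sort-Object { $_.Value.Time } | Select-Object -First $excess
            foreach ($e in $oldest) { $table.Remove($e.Key) }
        }

        # The count returned to the client: physical computers currently in the table.
        $count = @($table.Values | Where-Object { $_.Physical }).Count
        $results += [pscustomobject]@{
            Cmid      = $r.Cmid
            Os        = $r.Os
            Physical  = $r.Physical
            Count     = $count
            Activates = ($count -ge $Thresholds[$r.Os])
        }
    }
    return $results
}

# Constructed sample: four physical Windows Vista clients, one virtual Vista
# client, then one physical and one virtual Windows Server 2008 client.
$t0 = Get-Date '2008-03-01'
$sample = @()
foreach ($i in 1..4) {
    $sample += [pscustomobject]@{ Cmid = "vista-phys-$i"; Os = 'Vista'; Physical = $true; Time = $t0.AddMinutes($i) }
}
$sample += [pscustomobject]@{ Cmid = 'vista-vm-1'; Os = 'Vista';      Physical = $false; Time = $t0.AddMinutes(5) }
$sample += [pscustomobject]@{ Cmid = 'srv-phys-1'; Os = 'Server2008'; Physical = $true;  Time = $t0.AddMinutes(6) }
$sample += [pscustomobject]@{ Cmid = 'srv-vm-1';   Os = 'Server2008'; Physical = $false; Time = $t0.AddMinutes(7) }
# The same physical server returns only after 31 days: every record from day 0
# has expired by then, so the count it receives is 1 and it no longer activates.
$sample += [pscustomobject]@{ Cmid = 'srv-phys-1'; Os = 'Server2008'; Physical = $true;  Time = $t0.AddDays(31) }

Get-KmsActivationResults -Requests $sample | Format-Table -AutoSize
```

In the sample the four physical Vista clients receive counts 1 to 4 and do not activate, the virtual Vista client receives 4, and the physical Windows Server 2008 client raises the count to 5 so that it and the virtual server both activate. The final request shows the lab-churn case discussed later in this guide: once the other records age out, a lone physical client drops back below its threshold.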
After a client’s activation is renewed, the activation validity interval begins again.

Publication of the KMS Service
The KMS service uses service (SRV) resource records (RR) in DNS to store and communicate the locations of KMS hosts. KMS hosts, by default, automatically publish the information KMS clients need to find and connect to them using Dynamic DNS (DDNS).

Client Discovery of the KMS Service
KMS clients, by default, query the DNS server for KMS service information. The first time a KMS client queries the DNS server for KMS service information, it randomly chooses a KMS host from the list of SRV resource records returned by DNS. If the selected KMS host does not respond, the KMS client computer removes that KMS host from its list of SRV resource records and randomly selects another KMS host from the list. After a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by contacting the DNS server for KMS SRV records.

Client computers connect to the KMS host for activation using anonymous Remote Procedure Calls (RPCs) over TCP, using TCP port 1688 by default. Because the connection is anonymous, the KMS host does not authenticate the client; the network boundary, that is, which networks can reach TCP port 1688 on a host, is the control that limits who can request activations. After the client computer establishes a TCP session with the KMS host, the client then sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client activates and the session is closed. This same process is used for renewal requests.

Planning a KMS Deployment
The KMS service does not require a dedicated server and can be co-hosted with other services. You can run a KMS host on a physical or virtual system running Windows Server 2008, Windows Vista, or Windows Server 2003, but a KMS host running on Windows Vista can only activate Windows Vista KMS clients.
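The discovery and connection steps described under "Client Discovery of the KMS Service" can be verified from a client before rollout. The following PowerShell script is an added example, not part of the original guide: it lists the _vlmcs._tcp SRV records a client would use, tests whether TCP port 1688 on each published host is reachable from the client (the client initiates the connection, so this is the firewall check that matters), optionally pins the client to one host in the way slmgr.vbs /skms does for networks without SRV records, and then triggers an activation attempt. Assumptions: contoso.com and kms01.contoso.com are placeholders; Resolve-DnsName comes from the DnsClient module (Windows 8 or Windows Server 2012 and later), so on Windows Vista or Windows Server 2008 substitute nslookup -type=SRV for the SRV lookup; the SoftwareLicensingService and SoftwareLicensingProduct WMI classes and the methods used here are the ones slmgr.vbs calls on Windows Vista and Windows Server 2008.

```powershell
# Added example, not from the original guide: check KMS client discovery,
# TCP 1688 reachability, optional manual KMS host assignment, and activation.
# Placeholders: contoso.com, kms01.contoso.com. Requires Resolve-DnsName
# (DnsClient module) for the SRV lookup.

param(
    [string] $DnsDomain     = 'contoso.com',
    [string] $ManualKmsHost = ''          # empty: rely on DNS discovery
)

function Get-KmsSrvRecords {
    param([string] $Domain)
    # KMS hosts publish themselves as _vlmcs._tcp SRV records (see
    # "Publication of the KMS Service" above).
    Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Test-KmsPort {
    param([string] $HostName, [int] $Port = 1688, [int] $TimeoutMs = 3000)
    # Activation is RPC over TCP 1688 initiated by the client, so a TCP connect
    # attempt from the client side is the right firewall check.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $tcp.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $tcp.Close()
    }
}

$svc = Get-WmiObject -Class SoftwareLicensingService

if ($ManualKmsHost) {
    # Equivalent of "cscript slmgr.vbs /skms kms01.contoso.com:1688".
    [void] $svc.SetKeyManagementServiceMachine($ManualKmsHost)
    [void] $svc.SetKeyManagementServicePort(1688)
    $targets = @([pscustomobject]@{ NameTarget = $ManualKmsHost; Port = 1688 })
} else {
    $targets = Get-KmsSrvRecords -Domain $DnsDomain
}

foreach ($t in $targets) {
    $reachable = Test-KmsPort -HostName $t.NameTarget -Port $t.Port
    '{0}:{1} reachable from this client: {2}' -f $t.NameTarget, $t.Port, $reachable
}

# Trigger an activation attempt (what "cscript slmgr.vbs /ato" does) and report.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationID slmgr.vbs uses for Windows
$product = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
    Select-Object -First 1
try { [void] $product.Activate() } catch { "Activation failed: $($_.Exception.Message)" }
[void] $svc.RefreshLicenseStatus()

# Re-read the product so LicenseStatus reflects the attempt. GracePeriodRemaining is in minutes.
$product = Get-WmiObject -Class SoftwareLicensingProduct -Filter "ID='$($product.ID)'"
$days = [int]($product.GracePeriodRemaining / 1440)
'LicenseStatus={0} (1 = licensed)  GraceDaysRemaining={1}  ManualKmsHost={2}' -f $product.LicenseStatus, $days, $svc.KeyManagementServiceMachine
```

Run it with no parameters on a client that should discover a host through DNS; run it with -ManualKmsHost kms01.contoso.com on a client in a network that does not publish SRV records. A host that resolves but is not reachable on 1688 points at the firewall rule sets discussed under "Isolated Networks" below.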
A single KMS host can support an unlimited number of KMS clients, but for failover, two KMS hosts is the recommended minimum. Most organizations can operate with as few as two KMS hosts for their entire infrastructure.

Note: KMS is automatically included with Windows Server 2008 and Windows Vista, but not with Windows Server 2003. If you want to host KMS on Windows Server 2003, you must download and install KMS for Windows Server 2003, which is available for download at http://go.microsoft.com/fwlink/?LinkID=82964 in several languages. The 64-bit version is available at http://go.microsoft.com/fwlink/?LinkId=83041.

Planning DNS Server Configuration
DDNS and SRV record support are needed for the default auto-publishing feature of KMS. Any DNS server that supports SRV records (per RFC 2782) and dynamic updates (per RFC 2136) can support KMS client default behavior and KMS SRV RR publishing. Berkeley Internet Name Domain (BIND) versions 8.x and 9.x support both SRV records and DDNS.

You need to configure the KMS host so that it has the credentials needed to create and update SRV, A, and AAAA resource records on your DDNS servers, or you need to manually create these records. The recommended solution for giving the KMS host the needed credentials is to create a security group in Active Directory® and add all KMS hosts to that group. In the Microsoft DNS server, ensure that this security group is given full control permission over the _VLMCS._TCP record on each DNS domain that will contain the KMS SRV records. Limiting write access to that record to the KMS host group, rather than allowing any host to update it, keeps an arbitrary computer from publishing itself as a KMS host for the domain.

Activating the First KMS Host
KMS hosts on your network need to install a KMS key and then activate with Microsoft. Installation of a KMS key enables the Key Management Service on the KMS host. After this installation, activation is completed either by telephone or online. The KMS keys used for KMS activations are only installed on KMS hosts and never on individual KMS clients.
Beyond this initial activation, a KMS host does not communicate any information to Microsoft.

Activating Subsequent KMS Hosts
After the first KMS host is activated, the KMS key used on the first KMS host can then activate up to five more KMS hosts on your network. After a KMS host is activated, administrators can reactivate the same host up to nine more times with the same key. If your organization needs more than six KMS hosts, you may request additional activations for your organization’s KMS key. An example of this would be if you had ten separate physical locations under one volume licensing agreement and you wanted each location to have a local KMS host. To request this exception, you should call your Activation Call Center. For more information about this, go to the Volume Licensing Web site at http://go.microsoft.com/fwlink/?LinkID=73076.

Planning KMS Clients
Computers running volume licensing editions of Windows Vista and Windows Server 2008 are, by default, KMS clients with no additional configuration needed. KMS clients can locate a KMS host automatically by querying DNS for SRV records that publish the KMS service. If your network environment does not use SRV records, an administrator can manually configure a KMS client to use a specific KMS host. The steps needed to manually configure KMS clients are in the Volume Activation 2.0 Deployment Guide.

Multiple Activation Key (MAK)
MAK is used for a one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on your volume licensing agreements, and may not match your organization’s exact license count. Each activation using a MAK with Microsoft’s hosted activation service counts towards the activation limit. There are two ways to activate computers using MAK: MAK Independent and MAK Proxy activation.
MAK Independent activation requires that each computer independently connect and activate with Microsoft, either over the Internet or by telephone. MAK Proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. MAK Proxy activation is configured using the Volume Activation Management Tool (VAMT).

MAK can be used for individual computers or with an image that can be bulk-duplicated or provided for download using Microsoft deployment solutions. MAK can also be used on a computer that was originally configured to use KMS activation, if that computer’s activation is about to or has reached the end of its grace period or activation validity interval.

MAK is recommended for computers that rarely or never connect to the corporate network and for environments where the number of physical computers needing activation does not meet the KMS activation threshold. MAK Independent activation is best suited for computers within an organization that do not maintain a connection to the corporate network. MAK Proxy activation is appropriate for environments where security concerns may restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity.

Volume Activation Management Tool (VAMT)
VAMT is a standalone application that collects activation requests from several systems then sends them, in bulk, to Microsoft. VAMT allows you to specify a group of computers to activate using Active Directory (AD), Workgroup names, IP addresses, or computer names. After receiving the activation confirmation codes, VAMT then distributes them back to the systems that requested activation. Because VAMT also stores these confirmation codes locally, it can reactivate a previously activated system after it is reimaged without contacting Microsoft. You can download VAMT along with prescriptive guidance at http://go.microsoft.com/fwlink/?LinkID=77533.
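The exchange VAMT automates for MAK Proxy activation (install the MAK, collect an Installation ID from the client, obtain a Confirmation ID from Microsoft, deposit the Confirmation ID on the client) is the same exchange that telephone activation performs by hand. The following PowerShell script is an added example, not part of the original guide or of VAMT: it scripts the client-side half of that exchange on one computer through the Software Licensing WMI classes that slmgr.vbs uses, so that each step is visible. The product key shown is a placeholder, not a real MAK, and the step of obtaining the Confirmation ID from Microsoft is done out of band (by telephone or from a connected computer) and is not automated here.

```powershell
# Added example, not from the original guide: the client side of a MAK Proxy
# (or telephone) activation, scripted through the WMI classes slmgr.vbs uses.
# The MAK below is a placeholder; the Microsoft-side step is out of band.

function Get-WindowsLicensingProduct {
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationID slmgr.vbs uses for Windows
    Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
        Select-Object -First 1
}

function Install-MakKey {
    param([string] $ProductKey)
    # Same call as "cscript slmgr.vbs /ipk <key>". Replacing a KMS client key
    # with a MAK is what turns a KMS client into a MAK client.
    $svc = Get-WmiObject -Class SoftwareLicensingService
    [void] $svc.InstallProductKey($ProductKey)
    [void] $svc.RefreshLicenseStatus()
}

function Get-InstallationId {
    # Same value "cscript slmgr.vbs /dti" prints; this is what VAMT collects
    # from each client and sends to Microsoft on its behalf.
    (Get-WindowsLicensingProduct).OfflineInstallationId
}

function Set-ConfirmationId {
    param([string] $InstallationId, [string] $ConfirmationId)
    # Same as "cscript slmgr.vbs /atp <CID>": deposits the CID Microsoft issued
    # for this IID, completing activation with no Internet access from the client.
    $p = Get-WindowsLicensingProduct
    [void] $p.DepositOfflineConfirmationId($InstallationId, $ConfirmationId)
    [void] (Get-WmiObject -Class SoftwareLicensingService).RefreshLicenseStatus()
    (Get-WindowsLicensingProduct).LicenseStatus    # 1 = licensed
}

# Step 1 (on the isolated computer): install the MAK and export the IID.
Install-MakKey -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key
$iid = Get-InstallationId
[pscustomobject]@{ Computer = $env:COMPUTERNAME; InstallationId = $iid } |
    Export-Csv -Path .\iid-export.csv -NoTypeInformation

# Step 2 (by telephone, or from a connected computer): obtain a CID for the IID.
# VAMT performs this step in bulk for every IID it collected.
# Step 3 (back on the isolated computer): deposit the CID.
# Set-ConfirmationId -InstallationId $iid -ConfirmationId '<CID issued by Microsoft>'
```

The exported CSV stands in for the file VAMT moves across the air gap on removable media in the isolated-lab procedure described later in this guide; because the CID is bound to the IID, a record of both lets the computer be reactivated after reimaging without a further call to Microsoft, which is the same property the VAMT section describes.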
MAK Architecture
MAK Independent activation installs a MAK product key on a client computer and instructs that computer to activate against Microsoft servers over the Internet. In MAK Proxy activation, VAMT installs a MAK product key on a client computer, obtains the Installation ID (IID) from the target computer, sends the IID to Microsoft on behalf of the client, and obtains a Confirmation ID (CID). The tool then activates the client by installing the CID.

Evaluate Client Connectivity
Each method available in VA 2.0 is best suited to a particular network configuration. To select the best activation method or methods for your organization, you need to assess your network environment to identify how different groups of computers connect to the network. Connectivity to the corporate network, Internet access, and the number of computers that regularly connect to your corporate network are some of the important characteristics to identify. Most medium to large organizations use a combination of activation methods because of varied client connectivity needs.

KMS is the recommended activation method for computers that are well connected to the organization's core network or that have periodic connectivity, such as computers that are offsite. MAK activation is the recommended activation method for computers that are offsite with limited connectivity or that cannot connect to the core network because of security restrictions. Table 1 lists common network configurations and the best practice recommendations for each type. Each solution factors in the number of physical computers and network connectivity of the activation clients.
Table 1: VA 2.0 Planning Considerations by Network Infrastructure

Core network (well-connected LAN; the most common scenario)
  Recommendations:
    If physical computers > KMS activation threshold:
      - Small (<100 machines): KMS host = 1
      - Medium (>100 machines): KMS host ≥ 1
      - Enterprise: KMS host > 1
    If physical computers ≤ KMS activation threshold:
      - MAK (by telephone or Internet)
      - MAK Proxy
  Considerations:
    - Minimize the number of KMS hosts
    - Each KMS host must consistently maintain a count of physical machines > KMS activation threshold
    - KMS hosts are autonomous
    - KMS host is activated by telephone or Internet

Isolated network (branch office, high security network segments, perimeter networks; well-connected zoned LAN)
  Recommendations:
    If ports on firewalls can be opened between KMS clients and hosts:
      - Use KMS host(s) in core network
    If policy prevents firewall modification:
      - MAK (by telephone or Internet)
      - MAK Proxy
  Considerations:
    - Firewall configuration: RPC over TCP (TCP port 1688), initiated by the client
    - Change management on firewall rule sets

Test or development lab (isolated network)
  Recommendations:
    If physical computers > KMS activation threshold:
      - KMS host = 1 (per isolated network)
    If physical computers ≤ KMS activation threshold:
      - No activation (reset grace period)
      - MAK (by telephone)
      - MAK Proxy performed manually
  Considerations:
    - Variable configuration
    - Limited number of systems
    - Virtual computers
    - KMS host and MAK activation through telephone; MAK Proxy performed manually

Individual disconnected computer (no connectivity to the Internet or core network; roaming computers that periodically connect to the core network or connect through Virtual Private Network (VPN))
  Recommendations:
    For clients that connect periodically to the core network:
      - Use the KMS host(s) in core network
    For clients that never connect to the core network or have no Internet access:
      - MAK (by telephone)
    For networks that cannot connect to the core network:
      If physical computers > KMS activation threshold:
        - Small: KMS host = 1
        - Medium: KMS host ≥ 1
        - Enterprise: KMS host > 1
      If physical computers ≤ KMS activation threshold:
        - MAK Independent or MAK Proxy performed manually
  Considerations:
    - Restricted environments or networks that cannot connect to other networks
    - KMS host can be activated, then moved to the disconnected network
    - KMS host and MAK activation by telephone; MAK Proxy performed manually

Activation Scenarios
This section illustrates a few examples of VA 2.0 solutions in heterogeneous corporate environments that require more than one activation method. Each scenario has a recommended activation solution, but some environments may have infrastructure or policy requirements that are best suited to a different solution.

Core Network
A centralized KMS solution is the recommended activation method for computers on the core network. This solution is for networks that are characterized by well-connected computers on multiple network segments that also have a connection to the Internet. In Figure 1, the core network has a KMS host. KMS hosts publish the KMS service using DDNS. KMS clients query DNS for KMS SRV records and activate themselves after contacting one of the KMS hosts. The KMS hosts are activated directly through the Internet.

Figure 1: Core Network Scenario

Note: You can install a KMS host on a virtual computer. You should select a virtual computer that is unlikely to be moved to a different physical computer. If the virtual computer KMS host is moved to a different physical computer, the operating system detects the change in the underlying hardware, and the KMS host must reactivate with Microsoft.

Isolated Networks
Many organizations have networks that are separated into multiple security zones. Some networks have a high security zone that is isolated because it has sensitive information, while other networks are separated from the core network because they are in a different physical location.

High Security Zone
High security zones are parts of a network that are separated by a firewall that limits communication to and from other networks.
If the computers in a high security zone are allowed access to the core network, you can activate the high security zone computers by using KMS hosts located in the core network. This way, the number of client computers in the high security network does not have to meet any KMS activation threshold. If you use this configuration, firewalls must allow TCP port 1688 outbound from the high security zone and an RPC reply inbound. If these firewall exceptions are not authorized, and the number of physical computers in the high security zone is sufficient to meet KMS activation thresholds, you can add a local KMS host to the high security zone.

Figure 2 shows an environment that has a corporate security policy that does not allow any traffic between computers in the high security zone and the core network. Because the high security zone has enough computers to meet the KMS activation threshold, the high security zone has its own local KMS host. The KMS host itself is activated by telephone.

Figure 2: High Security Network Scenario

If KMS is not appropriate because there are only a few computers in the high security zone, MAK Independent activation is recommended. Each computer can activate independently with Microsoft, by telephone. MAK Proxy activation using VAMT is also possible in this scenario. Since the computers in the high security zone do not have Internet access, VAMT can discover them using Active Directory, computer name, IP address, or membership in a workgroup. VAMT uses WMI to install MAK product keys and CIDs and to retrieve status on MAK clients. Since this traffic is not allowed through the firewall, you must have a local VAMT host in the high security zone.

Branch Office Locations
Figure 3 shows an enterprise network that supports client computers in three branch offices. Site A uses KMS with a local KMS host, because it has more than 25 client computers and it does not have a secure TCP/IP connection to the core network.
Site B uses MAK activation, because KMS does not support sites with fewer than 25 Windows Vista KMS client computers and the site is not connected by a secure link to the core network. Site C uses KMS, because it is connected to the core network by a secure connection over a private WAN, and activation thresholds are met using core network KMS clients.

Figure 3: Branch Office Scenario

Individual Disconnected Computers
Some users in an organization may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers of salespeople or other users that are offsite, but not at branch locations. This scenario can also apply to remote branch office locations that have no connection or an intermittent connection to the core network.

Disconnected computers can use KMS or MAK depending on how often the computers connect to the core network. Use KMS activation for computers that connect to the core network, either directly or through a VPN, at least once every 180 days, and where the core network is using KMS activation. Use MAK Independent activation, by telephone or the Internet, for computers that rarely or never connect to the core network. Figure 4 shows disconnected clients using MAK Independent activation through the Internet and also the telephone.

Figure 4: Disconnected Computers Scenario

Test/Development Labs
In a lab environment, computers are reconfigured often and usually have a large number of virtual computers. You should first determine whether the computers in test and development labs need activation. You can reset the initial 30-day grace period of a Windows Vista computer three times without activating it. If you have Windows Vista Enterprise edition, you can reset the grace period five times. The initial grace period of a Windows Server 2008 computer is 60 days and can be reset three times.
If you rebuild lab computers often enough, within 120 days for Windows Vista, within 180 days for Windows Vista Enterprise edition, and within 240 days for Windows Server 2008, you do not need to activate lab computers.

If you do need activation, labs can use KMS or MAK activation. Use KMS activation if the computers have connectivity to a core network that is using KMS. If the number of physical computers in the lab meets the KMS activation threshold, you can deploy a local KMS host. In labs that have a high turnover of computers and also have a small number of physical KMS clients, it is important to monitor the KMS activation count to maintain a sufficient number of cached CMIDs on the KMS host. A KMS host caches activation requests from physical computers for 30 days, so a rebuilt computer reappears with a new CMID while its old record ages out. See the Minimum Computer Requirements section of this document for more information about how CMIDs affect activations.

If your lab environment needs activation, but does not meet the conditions for KMS activation, you can use MAK Independent activation, by telephone or Internet, if available. MAK Proxy activation using VAMT can also be used in this scenario. If you install a local VAMT inside a lab that has no outside connectivity, you must manually update VAMT. You need to install VAMT in the isolated lab network and also in a network that has access to the Internet. VAMT, in the isolated lab, performs discovery, obtains status, installs a MAK product key, and obtains the IID of each computer in the lab. You can then export this information from VAMT, save it to removable media, and then import the file to a computer running VAMT that has access to the Internet. VAMT then sends the IIDs to Microsoft and obtains the corresponding CIDs needed to complete activation. After you export this data to removable media, you can then take it to the isolated lab to import the CIDs so VAMT can complete the activations.
Map Systems to an Activation Method
After evaluating the recommended activation scenarios, the next step is mapping computers using volume activation to activation methods. The goal is to ensure that all computers are associated with an activation option. Table 2 provides a simple job aid that ensures all computers are mapped to an activation method. When completing this job aid, ensure that all computers using KMS are on networks that meet KMS activation thresholds.

Table 2: Activation Method Worksheet (enter the number of computers for each row)
  Total number of computers to be activated: ____
  Computers that will connect to the network at least once every 180 days (directly or VPN), and where the KMS activation threshold is met: ____  (Activation method: KMS)
  Computers that do not connect to the network at least once every 180 days: ____  (Activation method: MAK)
  Computers in isolated networks where the KMS activation threshold is met: ____  (Activation method: KMS)
  Computers in isolated networks where the KMS activation threshold is not met: ____  (Activation method: MAK)
  Computers in test/development labs that will not be activated: ____  (Activation method: None)
  Remaining computer count (total minus the rows above) should be zero.

Determine Product Key Needs
Windows Vista and Windows Server 2008 come in a variety of editions. To simplify volume activation and the number of product keys needed for an organization, Microsoft created product key groups for volume editions of these operating systems. Product keys for both KMS and MAK apply to product groups rather than individual operating system editions, but KMS and MAK each use product key groups in a different way.

MAK activation uses product key groups as individual groupings. Product keys for MAK activations are directly associated with a single product group and can only activate the Windows® editions within that specific product group. With KMS, product keys work hierarchically with the product groups. Figure 5 demonstrates how KMS treats product key groups hierarchically.
The first and least inclusive group of the hierarchy is the Client Volume License product group, while Server Group C is the most inclusive group in the KMS hierarchy. A KMS key can activate Windows editions in its own product group and can also activate Windows editions that are higher in the pyramid of the product key group hierarchy.

Figure 5 Product Key Groupings

As an example, a volume licensing customer that needs to activate Windows Server 2008 Datacenter using KMS needs to use a KMS key for Server Group C. Server Group C is the most inclusive product group, so a KMS key for Server Group C can activate volume editions of Windows Server 2008 and Windows Vista that belong to all other product key groups. If a customer has a KMS key for Server Group B, that key can activate products that belong to Server Group B as well as products that belong to the Client Volume License group. This functionality is automatic and requires no further actions from end users or VA 2.0 administrators. For an up-to-date list of the Windows editions that are in each of the four product key groups, go to http://go.microsoft.com/fwlink/?LinkID=75674.

Determine Monitoring and Reporting Needs

Organizations that use VA 2.0 need to track product key usage and the license conditions of activated computers. One tool available to volume licensing customers is the VLSC Web page at http://go.microsoft.com/fwlink/?LinkId=107544. Volume licensing customers can log on to this Web site at any time to view their KMS key information as well as the number of activations that remain on a MAK key. There are several additional tools available to assist volume licensing customers with managing activations and product key usage. This section describes the available tools and how each assists volume licensing customers.

Windows Management Instrumentation (WMI)

Data that is gathered during activation is accessible using WMI. Several of the tools available use WMI to access volume activation data.
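Returning to the product key groups described under Determine Product Key Needs, the following Python script is an added example (not code from this guide or from any Microsoft tool) that applies the two rules to a constructed inventory: a KMS key activates its own group and every less inclusive group, while a MAK activates only its own group. The group order is the one the guide describes; Server Group A is the fourth group of the hierarchy, which this section counts but does not name, and the edition-to-group assignments in the inventory are assumptions for illustration, not Microsoft's published list.

```python
"""Coverage check for the KMS and MAK product key group rules.

Added example; not code from the planning guide or from any Microsoft tool.
KMS keys are hierarchical: a key activates editions in its own group and in
every less inclusive group. MAKs are flat: a MAK activates only the editions
of the single group it was issued for.
"""
from typing import Dict, Iterable, Set

# Hierarchy from least to most inclusive. Client Volume License, Server
# Group B and Server Group C are named in the guide; Server Group A is the
# fourth group and sits between the client group and Server Group B.
KMS_GROUP_ORDER = [
    "Client Volume License",
    "Server Group A",
    "Server Group B",
    "Server Group C",
]

# Constructed inventory (edition -> product key group). The assignments are
# assumptions for illustration; use Microsoft's published list in practice.
INVENTORY: Dict[str, str] = {
    "Windows Vista Business": "Client Volume License",
    "Windows Vista Enterprise": "Client Volume License",
    "Windows Server 2008 Standard": "Server Group B",
    "Windows Server 2008 Datacenter": "Server Group C",
}


def kms_key_covers(key_group: str, edition_group: str) -> bool:
    """A KMS key covers its own group and every less inclusive group."""
    return KMS_GROUP_ORDER.index(edition_group) <= KMS_GROUP_ORDER.index(key_group)


def mak_key_covers(key_group: str, edition_group: str) -> bool:
    """A MAK covers only the product group it was issued for."""
    return key_group == edition_group


def uncovered_editions(inventory: Dict[str, str],
                       kms_keys: Iterable[str],
                       mak_keys: Iterable[str]) -> Set[str]:
    """Editions that none of the held keys (given by product group) can activate."""
    kms_keys, mak_keys = set(kms_keys), set(mak_keys)
    uncovered = set()
    for edition, group in inventory.items():
        covered = (any(kms_key_covers(k, group) for k in kms_keys)
                   or any(mak_key_covers(m, group) for m in mak_keys))
        if not covered:
            uncovered.add(edition)
    return uncovered


def smallest_kms_key_group(inventory: Dict[str, str]) -> str:
    """The least inclusive single KMS key group that covers the whole inventory."""
    return max(inventory.values(), key=KMS_GROUP_ORDER.index)


if __name__ == "__main__":
    print("Not covered by a Server Group B KMS key:",
          uncovered_editions(INVENTORY, kms_keys=["Server Group B"], mak_keys=[]))
    print("Single KMS key group covering everything:",
          smallest_kms_key_group(INVENTORY))
```

Run with a real edition list in place of INVENTORY, the uncovered set tells you which editions still need either a more inclusive KMS key or a MAK for their own group; a MAK for Server Group C does nothing for the client editions, which is the difference between the two rules.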
See Appendix 1 of the Volume Activation 2.0 Operations Guide for a list of all WMI methods, properties, registry keys, and event IDs for product activation.

Systems Management Server (SMS) and System Center Configuration Manager (SCCM)

Organizations using either MAK or KMS can use Systems Management Server (SMS) 2003 with Service Pack 3 (SP3) or System Center Configuration Manager (SCCM) 2007 to monitor the license conditions of their computers. For a detailed description of the available license conditions, see Appendix 2: License Conditions in this guide. SMS 2003 SP3 and SCCM 2007 use built-in Asset Intelligence reporting and WMI to generate detailed activation reports for Windows Vista and Windows Server 2008 computers. This information can also serve as the starting point for your organization to track and report software asset management from a licensing perspective.

Event Logs

The KMS service records every action in the application logs of KMS clients and hosts. A KMS client records activation requests, renewals, and responses in its local application log using Microsoft Windows Security Licensing (SLC) event numbers 12288 and 12289. The KMS host logs a separate entry for each request it receives from a KMS client as SLC event number 12290. These entries are saved to the Key Management Service log in the Applications and Services Logs folder. Each KMS host keeps an individual log of activations; there is no replication of logs between KMS hosts.

KMS Management Pack

You can archive and review the KMS event logs manually or, if you have System Center Operations Manager 2005, you can use the Microsoft Key Management Service (KMS) MOM 2005 Management Pack. The KMS Management Pack uses WMI to generate detailed activation reports for Windows Vista and Windows Server 2008 computers. To download this Management Pack and its Management Pack guide, go to the System Center Operations Manager Product Catalog at http://go.microsoft.com/fwlink/?LinkID=110332.
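The host-side 12290 entries described under Event Logs are what you would replay to check the lab scenario's concern about cached CMIDs: the guide says a KMS host caches requests from physical computers for 30 days, and that count is what must stay at or above the activation threshold. The following Python script is an added example, not code from this guide or from any Microsoft tool. It parses constructed records (the field layout of timestamp, event ID, client name, CMID and physical/virtual flag is a simplification invented for this example, not the exact text of the Windows event), derives the count the host would hold at a given moment, and flags rebuilt computers whose old CMIDs still count. The threshold is passed in as a parameter because the Minimum Computer Requirements section, not this one, gives the actual values.

```python
"""Activation count on a KMS host, derived from Key Management Service log
records.

Added example; not code from the planning guide or from any Microsoft tool.
The guide states that a KMS host logs event 12290 for every request it
receives and caches requests from physical computers for 30 days. This
script replays records of that kind and computes the count the host would
hold. The record layout (timestamp, event ID, client name, CMID,
physical|virtual) is a constructed simplification, not the real event text.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

CACHE_WINDOW = timedelta(days=30)    # cache lifetime stated in the guide
KMS_HOST_REQUEST_EVENT = 12290       # host-side entry, one per client request


class KmsRequest(NamedTuple):
    when: datetime
    client: str
    cmid: str
    physical: bool


# Constructed sample export: lab-01 was rebuilt once (new CMID), a client-side
# 12288 entry for lab-02 is mixed in and must be ignored, vm-01 is a virtual
# machine, and lab-09's request is older than the cache window.
SAMPLE_LOG = """\
2008-03-01T09:00:00,12290,lab-01.example.local,11111111-1111-1111-1111-111111111111,physical
2008-03-05T10:30:00,12290,lab-02.example.local,22222222-2222-2222-2222-222222222222,physical
2008-03-10T14:00:00,12290,lab-01.example.local,33333333-3333-3333-3333-333333333333,physical
2008-03-12T08:15:00,12288,lab-02.example.local,22222222-2222-2222-2222-222222222222,physical
2008-03-20T11:45:00,12290,vm-01.example.local,44444444-4444-4444-4444-444444444444,virtual
2008-01-15T09:00:00,12290,lab-09.example.local,99999999-9999-9999-9999-999999999999,physical
"""


def parse_log(text: str) -> List[KmsRequest]:
    """Keep only host-side 12290 records; other event IDs are not requests."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, client, cmid, kind = line.strip().split(",")
        if int(event_id) != KMS_HOST_REQUEST_EVENT:
            continue
        requests.append(KmsRequest(datetime.fromisoformat(stamp),
                                   client, cmid, kind == "physical"))
    return requests


def cached_cmids(requests: List[KmsRequest], now_iso: str) -> Set[str]:
    """Distinct CMIDs of physical computers seen inside the 30-day window."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - CACHE_WINDOW
    return {r.cmid for r in requests if r.physical and cutoff <= r.when <= now}


def activation_count(requests: List[KmsRequest], now_iso: str) -> int:
    """The count the KMS host would report at the given moment."""
    return len(cached_cmids(requests, now_iso))


def meets_threshold(requests: List[KmsRequest], now_iso: str, threshold: int) -> bool:
    """Threshold is an input; the guide's Minimum Computer Requirements
    section gives the value for each operating system."""
    return activation_count(requests, now_iso) >= threshold


def rebuilt_clients(requests: List[KmsRequest]) -> Counter:
    """Client names seen with more than one CMID: rebuilt computers whose
    old CMIDs keep counting until they age out of the cache."""
    per_client: Dict[str, Set[str]] = {}
    for r in requests:
        per_client.setdefault(r.client, set()).add(r.cmid)
    return Counter({c: len(s) for c, s in per_client.items() if len(s) > 1})


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for now in ("2008-03-25T00:00:00", "2008-04-05T00:00:00"):
        print(now, "cached activations:", activation_count(reqs, now))
    print("rebuilt clients:", dict(rebuilt_clients(reqs)))
```

Running it with the two dates shows the effect the lab paragraph warns about: on 25 March the host holds three CMIDs, but by 5 April the early requests have aged out and only one remains, so a lab with few physical clients can drop below the threshold without any computer leaving the network.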
Volume Activation Management Tool (VAMT)

Each MAK key has a predetermined number of allowed activations, based on an organization’s volume licensing agreement. Each activation with Microsoft’s hosted activation services reduces the MAK activation pool by one. MAK implementation plans should include how your organization will monitor the number of MAK activations that remain. Both MAK Independent and MAK Proxy activations can use VAMT for this monitoring. VAMT is a standalone application that can run on Windows XP, Windows Server 2003, or Windows Vista. It reports on the license condition of all systems using MAK activation and tracks the MAK activation count.

Appendix 1: Information Sent to Microsoft During Activation

Microsoft uses the information collected during activation to confirm that you have a licensed copy of the software. The information is then aggregated for statistical analysis. Microsoft does not use the information to identify you or contact you. For more information about the information captured during activation and the use of that data by Microsoft, see the Windows Vista Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=52526.

During MAK activation and KMS host activation, the following information is sent to Microsoft:
• Product key
• Edition of the operating system and the channel from which it was obtained
• Current date
• License and activation condition
• Hardware ID hash, a non-unique number that cannot be reverse engineered
• Language settings
• IP address, used only for verifying the location of the request

Appendix 2: License Conditions

Windows Vista and Windows Server 2008 may be in one of five software licensing conditions: activated, grace, genuine, notification, and unlicensed. These conditions reflect the status of the system’s activation and genuine state, which dictates the end user experience. The software licensing architecture governs the licensing condition of Windows systems.
This architecture has a policy engine that is built from a number of core Windows security technologies. It is designed to protect the code and the associated licensing condition from tampering or other malicious behavior. The policy engine gets data from a set of cryptographically signed XrML license files. XrML is an industry-standard rights expression language that is used by a number of Windows components. License files define the rights and conditions of the installed edition of Windows. All licensing files, or other data used by the policy engine, are digitally signed, or encrypted, using keys chained to secure Microsoft roots of trust.

Activated

When a system is activated, it can use the full functionality of the installed operating system. The functionality for a Windows edition is defined by a combination of licensing files and a set of policies, or rights, granted as a result of the activation process. Individual Windows components call software licensing APIs to determine what rights are granted and adjust their functionality according to the response.

Grace

After a Windows Vista or Windows Server 2008 operating system is installed, but before it is activated, the computer has the full functionality of the operating system, but only for a limited amount of time, the grace period. The length of a grace period can vary from thirty days, for Windows Vista, to sixty days, for Windows Server 2008. During this initial grace period, there are periodic notifications that the system needs to be activated. The notifications are minimally intrusive and may not start at the beginning of the grace period, but they do increase in frequency towards the end of the grace period.

Genuine

The Genuine condition is not associated with the activation process. Instead, it is a condition that is determined by the online Windows Genuine Advantage (WGA) service.
When a user attempts to download or use a Genuine-Only feature, the WGA validation service checks the operating system of the requesting computer. An operating system can have one of three different Genuine statuses:
• Non-Genuine. The system has obtained a ticket from the online validation service indicating that it is not genuine.
• Local Genuine. The system has not obtained a valid ticket.
• Genuine. The system has a Microsoft-signed ticket from the online validation service indicating that it is genuine.

The Genuine license condition applies only to Windows Vista. Initially, during the grace period, a Windows Vista system is always in a Local Genuine condition. A system is never marked Non-Genuine until after it fails validation through the online WGA service and has received a Non-Genuine ticket. Likewise, after a system has a Non-Genuine status, it must successfully validate through the WGA service to receive a Genuine ticket. While it is necessary for a system to be activated to be considered Genuine, the process of activation does not reset or clear a previous Non-Genuine status. As a result, to return a system to a fully functional activated condition, it must be both activated and then validated against the WGA service.

Notification

The purpose of the notifications-based experience is to differentiate between a genuine and activated copy of Windows Vista and one that is not, and to do so in a way that maintains system functionality such as logon and access to the familiar desktop. RFM has been removed from the product and replaced with a notifications-based experience. This means that systems that are not activated during their grace periods (initial activations as well as those due to hardware changes) or that fail our validation may have this experience.
The behavior of a system in the notification condition is similar to one that is in the activated condition, with the following exceptions:
• Upon interactive logon, a dialog box appears indicating that the system is not activated. The dialog box also provides a list of actions that can be taken, such as activation with a product key or online validation. This dialog box can delay a logon for 15 seconds or up to two minutes. Non-interactive logon is unaffected.
• The desktop background is set to black.
• Every hour a notification appears, through a task bar balloon, reminding the user of the notification condition. If the background is changed, it is reset to black when the notification appears.

Three specific features are also disabled in the notification condition:
• A KMS host cannot activate or renew KMS clients or other KMS hosts.
• Windows Update installs only critical updates.
• Optional downloads marked as Genuine Only are not available.

You must activate a system for it to leave the notification condition.

Unlicensed/Reduced Functionality Mode (RFM)

Systems running Windows Vista (prior to SP1) that are not activated within the grace period change to an unlicensed/RFM condition. RFM can affect computers running the initial release of Windows Vista. Windows Vista SP1 and Windows Server 2008 do not have an unlicensed/RFM condition. With RFM, users are still able to use most Windows features. Users can access files, run scripts, manage the computer using WMI, change product keys, activate remotely, and log on with default browser access. However, the user may need to restart the computer in Safe Mode to access or back up personal data and applications. The user logon is limited to one-hour sessions with no access to the Start Menu, Task Manager, remote desktop, or printing services. Additionally, all Genuine Only features are disabled.
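The rules in Appendix 2 interact in a way that is easy to get wrong when writing compliance checks, in particular that activation never clears a Non-Genuine status and that notification is left only by activating. The following Python state model is an added example, not code from this guide or from any Windows component; it encodes those rules for Windows Vista SP1 and Windows Server 2008 (which have the notification condition rather than RFM), using the grace periods stated under Grace. Treating a Non-Genuine ticket as always producing the notification experience is a simplification of the guide's "may have this experience".

```python
"""State model of the Windows license conditions described in Appendix 2.

Added example; not code from the planning guide or from any Windows
component. Rules encoded: a system starts in grace and Local Genuine; it
drops to notification when the grace period runs out or when online WGA
validation returns a Non-Genuine ticket; it leaves notification only by
activating; activation never clears a Non-Genuine status; and a system that
is Non-Genuine regains full functionality only after it is activated and
then validated as Genuine.
"""
from enum import Enum

# Initial grace periods stated in the guide (Vista SP1 / Server 2008 model).
GRACE_DAYS = {"Windows Vista": 30, "Windows Server 2008": 60}


class Activation(Enum):
    GRACE = "grace"
    ACTIVATED = "activated"
    NOTIFICATION = "notification"


class Genuine(Enum):
    LOCAL_GENUINE = "Local Genuine"   # no ticket obtained from WGA yet
    GENUINE = "Genuine"               # Microsoft-signed ticket: genuine
    NON_GENUINE = "Non-Genuine"       # ticket from WGA: not genuine


class LicenseState:
    def __init__(self, product: str = "Windows Vista"):
        self.product = product
        self.activation = Activation.GRACE
        self.genuine = Genuine.LOCAL_GENUINE
        self.days_since_install = 0

    def advance(self, days: int) -> Activation:
        """Let time pass; an unactivated system leaves grace for notification."""
        self.days_since_install += days
        if (self.activation is Activation.GRACE
                and self.days_since_install > GRACE_DAYS[self.product]):
            self.activation = Activation.NOTIFICATION
        return self.activation

    def activate(self) -> Activation:
        """Activation changes only the activation condition. It does not
        reset or clear a previous Non-Genuine status."""
        self.activation = Activation.ACTIVATED
        return self.activation

    def validate(self, wga_ticket: str) -> Genuine:
        """Outcome of online WGA validation: 'genuine' or 'non_genuine'.
        Only this call moves the Genuine status. A Non-Genuine ticket is
        modeled as always putting the system into notification (simplified)."""
        if wga_ticket == "genuine":
            self.genuine = Genuine.GENUINE
        elif wga_ticket == "non_genuine":
            self.genuine = Genuine.NON_GENUINE
            self.activation = Activation.NOTIFICATION
        else:
            raise ValueError(f"unknown validation outcome: {wga_ticket!r}")
        return self.genuine

    def fully_functional(self) -> bool:
        """Activated and not carrying a Non-Genuine ticket. A freshly
        activated system in Local Genuine has full functionality; a
        Non-Genuine one needs activation followed by validation."""
        return (self.activation is Activation.ACTIVATED
                and self.genuine is not Genuine.NON_GENUINE)

    def kms_host_can_serve(self) -> bool:
        """A KMS host in notification cannot activate or renew clients."""
        return self.activation is not Activation.NOTIFICATION


if __name__ == "__main__":
    s = LicenseState("Windows Vista")
    s.advance(31)
    print("after 31 days:", s.activation.value)
    s.validate("non_genuine")
    s.activate()
    print("activated but Non-Genuine, fully functional:", s.fully_functional())
    s.validate("genuine")
    print("after validation, fully functional:", s.fully_functional())
```

The walk-through in the `__main__` block reproduces the sequence the appendix describes: activation alone brings the system out of notification, but a system that was marked Non-Genuine stays restricted until it validates again.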