
Vista Volume Activation Overview VLK 2.0 Anders Björling Senior Consultant Microsoft


Agenda

• Activation in Vista and Longhorn
• OEM
• Key Management Service (KMS)
• Multiple Activation Keys (MAKs)
• Supported Scenarios
• Script for administrative purposes

Activation in Vista and Longhorn

There are three activation options for Vista and Longhorn Server.

• OEM pre-activated machines: These machines do not need VLK 2.0 activation
• KMS (Key Management Service): For managed environments where users are connected to the corporate network
• MAK (Multiple Activation Key): For decentralized networks where users are rarely or never connected to the corporate network

Vista Volume Activation Scenarios

• We provide our media to the OEM and get our machines pre-installed from an OEM partner
  Use OEM (No need for KMS or MAK)

• Our users are on a managed network and they connect regularly to the domain
  Use KMS

• We have a multiple domain, multi-national environment with 100,000 connected PCs
  Use KMS

• We have a traveling sales force who are connected to the network less than twice per year
  Use MAK

• We have a remote office with its own network that has fewer than 25 users
  Use MAK

• We send soldiers into the field who may need to re-install and re-activate Vista without access to the internet or phone
  Use MAK (with Conf ID)

• We have a completely disconnected lab with 1000 machines that don't connect to the internet
  Use MAK (with bulk activation)

• We have users in a remote area that only has a very slow and potentially expensive link to the internet
  Use MAK or KMS (modify interval)

Key Management Service Intro

Key Management Service (KMS) is the central service in VLK 2.0 that handles volume activation of all clients and servers in an enterprise network.

Target: Larger networks (at least 25 machines) that client machines can regularly connect to.

Benefits:

• Secure and centralized key administration
• Easy OS roll-out with automatic activation of clients
• Improved ongoing security
• Better accounting and troubleshooting
• Runs on Vista client or Longhorn Server (WS2K3 support is planned post Vista RTM)

Key Management Service Setup

Deploying the KMS service is easy and straightforward.

1. Acquire VL Keys and media (same as today via online portal)

2. Install Vista or Longhorn on any machine that will host KMS

3. Install VLK to enable Key Management Service

• KMS encrypts and stores the VLK in its trusted store for security

• No other steps required

4. Configure KMS so that clients will be able to communicate with KMS periodically

• KMS activated machines automatically re-activate, but will go out of tolerance after 180 days if disconnected

• Configure TCP port and firewall (optional)

• Configure DNS as needed for KMS discovery

Vista/LH Server Client Setup

After the KMS is running, deploy the clients.

1. Roll out Vista or Longhorn Server “clients” (using the same methods used to roll-out Windows XP: DVD, Disk Imaging, Remote Imaging - WDS)

2. Optionally configure clients to locate KMS if not using auto-discovery (see next slide)

3. Each client has a 30 day grace period after installation to contact the KMS.

4. The first 25 clients to reach KMS are only counted, and kept in KMS list for 30 days

• Any subsequent client can automatically activate

• The first 25 automatically retry every 2 hours, and can then activate

KMS Deployment Details

KMS Discovery

• KMS attempts self-registration with DNS (via SRV resource records)
• DNS may require setting of permissions for KMS depending on network
• Client query obtains list of all KMS computers in the DNS domain and selects KMS at random

KMS Communication

• Uses anonymous RPC over TCP (must open firewall port)
• TCP port (default 1688) configurable via WMI (registry key)
• Requests are asynchronous and lightweight (200 bytes)
• A single KMS on a desktop machine can handle 20,000 requests / hour
• Support for users that connect intermittently by automatic sensing when a machine comes online

KMS Management

• WMI support for remote management of clients and KMS service
• All activity is logged in application event log of clients and KMS
• Sample reporting utilities and MOM pack will be provided (Not available now)
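Because KMS hosts self-register in DNS and clients pick one of the returned hosts at random, it is worth checking that the SRV answers match the KMS machines you deployed and the port you opened. The following is an added example, not part of the original slides: the SRV name `_vlmcs._tcp` is the record name KMS uses (it is not named on the slides), and the zone data, host names and inventory are constructed.

```python
# Constructed zone-file style answers for the KMS SRV name in one DNS domain.
SRV_ANSWERS = """\
_vlmcs._tcp.corp.example. 3600 IN SRV 0 0 1688 kms1.corp.example.
_vlmcs._tcp.corp.example. 3600 IN SRV 0 0 1688 kms2.corp.example.
_vlmcs._tcp.corp.example. 3600 IN SRV 0 0 1688 dev-pc-114.corp.example.
_vlmcs._tcp.corp.example. 3600 IN SRV 0 0 8443 kms2.corp.example.
"""

DEFAULT_KMS_PORT = 1688  # default TCP port stated on the slide


def parse_srv(text):
    """Return [(target_host, port)] from 'name ttl IN SRV prio weight port target' lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue  # skip blank lines and non-SRV records
        records.append((fields[7].rstrip(".").lower(), int(fields[6])))
    return records


def audit(records, approved_hosts, firewall_port=DEFAULT_KMS_PORT):
    """Flag SRV records that point at unknown hosts or at a port the firewall does not allow."""
    findings = []
    for host, port in records:
        if host not in approved_hosts:
            findings.append((host, port, "host not in KMS inventory"))
        elif port != firewall_port:
            findings.append((host, port, "port differs from firewall rule"))
    return findings


def flagged_share(records, findings):
    """Clients select a record at random, so this is the share of lookups that hit a flagged record."""
    return len(findings) / len(records) if records else 0.0


if __name__ == "__main__":
    recs = parse_srv(SRV_ANSWERS)
    issues = audit(recs, {"kms1.corp.example", "kms2.corp.example"})
    for host, port, reason in issues:
        print(f"{host}:{port} -> {reason}")
    print(f"share of random selections affected: {flagged_share(recs, issues):.0%}")
```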

Multiple Activation Keys (MAKs)

If you are not sure if a user will be regularly on the corporate network, issue them a MAK.

• MAKs can be used multiple times (e.g. 100 activations), but have an upper limit
• MAK usage can be viewed via Microsoft online portals, and additional activations can be requested at no charge
• MAKs are protected in the trusted store, but have less ongoing security, and no centralized accounting (like KMS)

Multiple Activation Keys Cont

• MAKs require key roll-out to each machine. This can be scripted or a MAK can be included in the Vista image.
• MAKs must activate against MS once per machine either online automatically, or offline using a confirmation ID received via telephone. This confirmation ID can be used multiple times to re-activate the same hardware.
• Auto-activation of MAKs can be set up by an admin.
• Bulk MAK activation using the telephone activation system is supported, so that the confirmation IDs for multiple machines can be received with a single transaction
• MAK activations do not have any expiration associated with them, but they can go out of tolerance if enough hardware has been changed.
• Users can change from a KMS activation to a MAK by installing the key

Activation Scenarios & Timeline

[Figure: activation timeline. Phases: Grace (30 days), Activated (180 days; each renewal extends this to the full 180 days), Grace (30 days, re-activation after expiration), RFM (user unable to log on). Automatic activation requests: every 2 hours by default. Automatic activation renewal requests: every 7 days by default.]

1. Machine automatically activates and re-activates within grace or expiration period

2. Machine goes out of 30 day grace period (or tolerance period) and into reduced functionality mode (RFM, which disables interactive log-on)

3. Admin user installs MAK key and activates within 30 day grace (activation does not expire)
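The timeline above can be turned into a check that flags KMS clients about to fall into RFM, so they can be reconnected or moved to a MAK in time. This is an added example, not part of the original slides: the inventory is constructed, the period lengths are the ones on the slides, and treating each deadline day as still inside its period is an assumption.

```python
from datetime import date, timedelta

# Period lengths as stated on the slides.
INITIAL_GRACE = timedelta(days=30)   # after installation, before first KMS contact
KMS_VALIDITY = timedelta(days=180)   # each renewal extends this to the full 180 days
EXPIRED_GRACE = timedelta(days=30)   # re-activation window after expiration


def kms_client_state(installed, last_kms_activation, today):
    """Return (state, date the state ends) for a KMS client.

    last_kms_activation is None for a client that never reached the KMS.
    Assumption: the deadline day itself still counts as inside the period.
    """
    if last_kms_activation is None:
        deadline = installed + INITIAL_GRACE
        return ("grace", deadline) if today <= deadline else ("rfm", None)
    expires = last_kms_activation + KMS_VALIDITY
    if today <= expires:
        return ("activated", expires)
    rfm_starts = expires + EXPIRED_GRACE
    return ("expired-grace", rfm_starts) if today <= rfm_starts else ("rfm", None)


def at_risk(inventory, today, warn_days=14):
    """Clients already in RFM or within warn_days of their next deadline."""
    flagged = []
    for name, installed, last in inventory:
        state, ends = kms_client_state(installed, last, today)
        if state == "rfm" or (ends - today).days <= warn_days:
            flagged.append((name, state))
    return flagged


# Constructed inventory: (host, install date, last successful KMS activation).
INVENTORY = [
    ("desk-01", date(2007, 1, 10), date(2007, 8, 28)),
    ("lap-07", date(2007, 1, 10), date(2007, 2, 15)),
    ("lab-22", date(2007, 8, 25), None),
    ("field-03", date(2007, 1, 5), date(2007, 1, 6)),
    ("new-09", date(2007, 7, 20), None),
]

if __name__ == "__main__":
    for host, state in at_risk(INVENTORY, date(2007, 9, 1)):
        print(host, state)
```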

Reduced Functionality Mode

“Activate today or some features will no longer work” notifications come up frequently near the end of the grace period before RFM.

To fix RFM mode:

• Connect machine to the corporate network with KMS
• User with admin privilege can manually change to a MAK key (when attempting to log on – this can also be scripted by IT Pro)

VLK Customer Experience Comparison

Getting your Keys
• VLK 1.0 Activation: 1. Locate Licensing Site or phone the call center 2. Provide credentials 3. Acquire VLK
• VLK 2.0 KMS Activation: 1. Locate Licensing Site or phone the call center 2. Provide credentials 3. Acquire VLK
• VLK 2.0 MAK Activation: 1. Locate Licensing Site or phone the call center 2. Provide credentials 3. Request / receive MAK

Configuration
• VLK 1.0 Activation: Include VLK in unattend.txt file for deployment
• VLK 2.0 KMS Activation: Install VLK on KMS machine and configure discovery and communication for KMS service
• VLK 2.0 MAK Activation: NA

OS Installation
• VLK 1.0 Activation: Install/Deploy Image
• VLK 2.0 KMS Activation: Install/Deploy Image
• VLK 2.0 MAK Activation: Install/Deploy Image

Grace period
• VLK 1.0 Activation: NA
• VLK 2.0 KMS Activation: 30 days to activate
• VLK 2.0 MAK Activation: 30 days to activate

Activation
• VLK 1.0 Activation: NA
• VLK 2.0 KMS Activation: Activation happens automatically on the network
• VLK 2.0 MAK Activation: User with admin privileges enters MAK key (UI or script) and activates online or calls MS for telephone activation

Expiration & Re-activation
• VLK 1.0 Activation: NA
• VLK 2.0 KMS Activation: Expiration is 180 days. Re-activation against KMS automatically
• VLK 2.0 MAK Activation: NA

Hardware Tolerance
• VLK 1.0 Activation: NA
• VLK 2.0 KMS Activation: Hard drive changes will force a need for re-activation within 30 days.
• VLK 2.0 MAK Activation: Certain hardware changes will force a need for re-activation within 30 days

Common Questions

How does this affect my TCO?

• The impact on total cost of ownership will vary depending on customer corporate network configuration. In most cases the impact will be very small, requiring no new infrastructure or management.
• For many customers the additional asset management capabilities built on VLK 2.0 will offset any additional IT management costs.
• New hardware is not required. KMS is lightweight and can co-exist with other services.

What are the volume editions that support KMS?

• Client Business, Client Enterprise, Server Enterprise
• The client versions are upgrade versions only.

Why is the value of “n” set at 25 machines?

• Extensive research and customer feedback have shown that a network size of 25 machines will balance out a positive customer experience against creation of illegal networks. Customers with networks of fewer than 25 machines will use Multiple Activation Keys.

Isn’t this just about Microsoft trying to make more money?

• While decreasing software theft of Windows benefits Microsoft, no enterprise wants to be responsible for illegal use of their volume keys. Improved security and accounting of volume licensing keys and software benefits Microsoft customers.

Built-in Scripting Support

cscript C:\windows\system32\slmgr.vbs [ComputerName UserName Password] <Option>

cscript \windows\system32\slmgr.vbs -ato
    Activate manually

cscript \windows\system32\slmgr.vbs -ipk
    Activate machine and turn it into KMS Server

cscript \windows\system32\slmgr.vbs -dbi
    Display KMS and client license info

Questions?