Wednesday, October 6, 2010

Introduction to Windows 7 and Office 2010 Activation


Activation of Windows 7 has become an increasingly important topic for very large organizations. This blog will not go into the benefits of why you should be moving onto Windows 7 however what I will address is the activation of Windows 7.

First the best resource to get some background on Windows 7 Activation is here - What I will do in this blog is summarize some of the more important key aspects that you should understand right off the bat. I recommend reading this for more detailed information.

Windows 7 has enhanced windows activation technologies for security purposes. The goal of Office activation for Windows 7 is to stop counterfeit software and provide new anti-piracy innovations, counterfeit detection practices and tamper resistance. If counterfeit software is used in an organization:

  • It is very common that counterfeit software have spyware, Trojans, and other malware embedded within them; some research says that is the case 25% of the time.
  • There are increased IT costs associated to sustainability of counterfeit software. There are can be 20% to 30% added support cost.
  • When counterfeit software is used because there will be decreased employee productivity and loss of critical data.
  • Security issues get compounded because updates and support will not be provided by Microsoft.
  • Finally there can be increased costs from system reactivation, employee disruption and financial penalties.

As you can see the intent here is provide to a safer and more secure computing environment for the business. This process is not mechanism for trying to ensure the license agreements are being adhered to. This is solely for the purpose to reduce cyber-terrorism, organized crime and hackers. To achieve this Microsoft has:

  • Invested in education initiatives to raise awareness.
  • Implemented engineering features such as secure packing, Software Protection Platform, product activation and online validation.
  • Support enforcement to take action against counterfeiters using the data it collects.

Basics of Activation and Licensing of Windows 7

There are several models for Windows 7 licensing:

  • Retail – Standard process where a person must activate Windows 7 within the first 30 days with the product key that was purchased.
  • OEM – Windows 7 is activated on the firmware (BIOS) of the computer during manufacturing.
  • Volume Licensing – Customized licensing programs that are for large purchases for an organization. Programs such as Open License, Select License and Enterprise Agreements only cover upgrades to a machine with a valid OS on it. Tools and technologies that are provided to automate the activation process for large organizations.

There are two tools that assist with the activation the Key Management Service (KMS) and Multiple Activation Keys (MAK).

  • The Key Management Service (KMS) is a service that can be hosted internally at an organization to do the activation process.
  • Multiple Activation Keys (MAK) activation is used for one-time activation where the activation services are hosted at Microsoft.

If you are familiar with the activation process, there have been some improvements that have been added for Windows 7:

  • Ability to add customized messages to the windows activation window that may be specific to the organization.
  • Virtual system counting for KMS that will correctly activate virtual systems in the same way physical systems are. This is important for organizations that are rapidly virtualizing their infrastructures.
  • Improved DNS support for KMS to support complex DNS installations at an organization.
  • Token-based Activation for environments that are completely disconnected from the internet or from the phone.
  • Improved manageability of activation service deployment.
  • Expanded WMI properties and methods.
  • A consolidated portal that helps to identify all their keys, key tracking and key organization.
  • MAK limit monitoring which will help avoid going over the agreed limit.
  • Improved efficiency requiring fewer system resources.

Details of KMS

For large organizations KMS will be one of the primary solutions employed. The following are some high-level notes about KMS:

  • KMS Activation Threshold ensures that a minimum amount of machines that must be activated on the network. For Windows Server 2008 it is 5 and Windows 7 it is 25. No computers will be activated until this threshold is exceeded. This includes either physical or virtual. The KMS Activation Count Cache is used to track the activation threshold and track the computers that have requested activation.
  • KMS activation requires standard TCO/IP connectivity and DNS is used to publish and find the KMS service.
  • KMS Activation Renewal is a process where the activated client computer must connect with the KMS service to remain activated. This is done every 180 days. By default, each client will try to renew itself every 7 days. If the 180 days passes without renewal, the client computer will try to connect to KMS every 2 hours. This is actually a good feature to ensure that if company resources have been improperly removed from the organization; the organization will not incur the cost of keeping that license valid as well as disable the client computer OS.
  • The KMS service user SRV resource records in DNS to communicate the locations of the activated client computers. KMS uses dynamic update protocol to publish the SRV resource records. There are other options available if this is not possible. Client computers discover the KMS service by retrieving SRV resource records from the DNS.
  • Note that the payload associated to this communication is very small; only 250 bytes each way. The only data sent is the product key, OS edition, current date, license condition, hardware ID hash, language settings and IP address (used to verify the location of the request).
  • This is a lightweight service that does not require dedicated hosting. It can be co-hosted with other services such as AD domain controllers.
  • KMS can run on either a physical or virtual machines.
  • KMS needs to run on a Windows OS and can support back to Windows Server 2003. One thing to note is that if KMS is installed on a Server 2008 machine it activate any windows operation system however if KMS is running on a Windows 7 machine it can only activate Windows 7 or Vista.
  • A single KMS host server can activate an unlimited amount of machines however it is recommend to have two KMS host servers for failover. In most organizations only two are every needed.
  • There is a KMS key which is used to activate the service. This key can be used up to six machines. This key is not installed on the clients.
  • The user does not need to do anything to connect to the LMS service that is hosted. As well the user does not need to have any administrator privileges for this activation to occur.

Details of MAK

Here is some detailed information:

  • The number of keys activated through the MAK service is based on the licensing agreement that is with Microsoft.
  • Activation can be done by the user where they do it either by internet or phone.
  • A MAK Proxy can be created on the local network which will gather activation information and will send a batch of activations requests to the Microsoft MAK service. This proxy is configured using the Volume Activation Management Toolkit.
  • MAK is recommended for computers that rarely or never connect to the corporate network.
  • MAK activation can be configured to computers that were originally activated by KMS.

Office 2010 Activation

Office 2010 activation uses the same services for activation as Windows 7. The only noticeable difference is the minimum number of licenses that must be active for KMS is only five for Office 2010 versus the 25 needed for Windows 7.

Planning and Usage Scenarios

This article, which is part of this series, really spells it all out - The usage of KMS and MAK really depend upon you knowing how people use their computers in the enterprise. KMS is recommended activation model for computers that will be on the organization network all the time or periodically. MAK is recommended when computers will be offsite with limited connectivity to the corporate network.

  • Corporate Network - It is recommended to use KMS and add more than one KMS service host if this is an enterprise deployment. If there are only 100 machines, a single KMS service is probably all that is needed. If the network will have less than 25 Window 7 machines, you should use MAK.
  • Isolated Network – This is like a brank office, high-security network, or DMZ. If ports can be opened to KMS (TCP port 1688), it is recommended to use KMS. Otherwise stand up a local KMS host service or use the MAK utilizing the same rules stated for Corporate Network.
  • Test or Development Lab – This is a completely isolated network. Standup a KMS host service the threshold will be exceeded, otherwise use MAK.
  • Disconnected Computers – There are several different scenarios. These are computers that have no internet connectivity. In that case a MAK (telephone) is recommended. For offsite machines that periodically connect/VPN in try to use KMS if they will connect within the 180 day window for KMS Activation. Otherwise MAK will have to be used. For machines that have internet access but will never have the ability to remotely connect into the network a MAK with Internet activation should be used.

So it is completely feasible to employee both KMS and MAK at the same organization based on the intended use of the computer.

Network Diagrams

To see some high-level diagrams of how the KMS host service would be placed into your infrastructure architecture please review this - This covers the corporate, isolated and test/development views that I mentioned earlier.

No comments: