To activate a retail version of Microsoft Windows, a user must enter the product key into Windows and then connect to the Internet or call Microsoft to validate the key. But that’s too cumbersome for enterprises that have thousands of computers, so Microsoft uses Volume Activation to let businesses use a single volume license key, or VLK, for all their computers.
Volume Activation 1.0 completely bypassed the activation process for customers with a VLK. Enterprises could automate deployments, regardless of whether a computer was connected to a network. Unfortunately, Volume Activation 1.0 also made it easy for software pirates to activate XP without buying a license. Even before XP’s official release, several VLKs were freely available on the Internet, and anyone could use them to activate the operating system. Once a VLK was leaked, Microsoft couldn’t stop it from being abused.
Windows Vista and Server 2008 (set for release in February) use Volume Activation 2.0. Microsoft made several significant changes to reduce piracy, including the following:
These changes will require volume license customers to put significant energy into planning and maintaining a volume activation infrastructure. Version 1.0 required little more than adding a VLK to an answer file; Volume Activation 2.0 will require you to:
Volume activations for Vista and Server 2008 will be more work than they were for XP, but it’s manageable.
Microsoft provides two ways to activate volume license versions of Vista and Server 2008: MAK and KMS. Microsoft will give you keys for both, and you will probably need to use both. Most volume license customers will do the following:
Relying primarily on KMS will let you more closely protect your MAK, minimizing the chance that it’s leaked on the Internet, which might require you to rekey any computers activated using it.
With KMS, you deploy a product activation server, known as the KMS host, on your network. Once activated with Microsoft, the KMS host lets you activate an unlimited number of computers on your internal network.
To hamper software piracy, Microsoft prevents KMS from running on small networks. You must use it to activate at least 25 computers running Vista or five computers running Server 2008, and you must do so within 30 days of activating the KMS host. (Virtual machines don’t count.)
Even after the 30 days, you can’t let the number of computers fall below these minimums. If you do, the KMS host will stop activating computers, and any computers that already have been activated soon will expire and enter reduced functionality mode. In RFM, users won’t be able to do much besides open their Web browser, start the computer in safe mode or enter a key to reactivate the computer.
Deploying a KMS host costs nothing because the software is free, and you can install it on an existing computer (even a domain controller) with little impact. A single KMS host can activate about 500,000 clients, and each activation requires communicating less than 1 kilobyte of data.
By default, you can activate up to six KMS hosts with your host key. Most enterprise networks need only one KMS host; you don’t need separate hosts for different locations, organizational units or domains. You need an additional KMS host only if clients are on an isolated network that cannot reach the primary KMS host.
The KMS host will automatically add the Domain Name System SRV records required for clients to find it (assuming your network supports dynamic DNS), so setup is extremely easy. The first time you start a volume license version of Vista or Server 2008, the computer will attempt to identify and activate to a KMS host. So, KMS client activation occurs automatically.
You don’t need to back up your KMS host because it doesn’t keep a database. Instead, it records successful and unsuccessful activations in the event log. If the host fails, simply reinstall Windows and reactivate KMS. As long as you don’t leave the KMS host offline for more than six months, the outage shouldn’t affect KMS clients. When you bring the new host online, client computers will automatically find the new KMS host to renew their activations. For these reasons, you don’t need to configure a backup KMS host.
The KMS host software is built into volume license versions of Vista and Server 2008, and you can download the software to install it on Windows Server 2003 at www.microsoft.com/downloads/details.aspx?FamilyID=81d1cb89-13bd-4250-b624-2f8c57a1ae7b.
After initial activation, KMS clients will attempt to renew their activation every seven days. If the KMS host is offline or a client isn’t connected to your internal network, it’s not a problem because the clients will keep trying for a total of 210 days (180 days, plus a 30-day grace period). Users who travel and are offline for weeks at a time won’t have a problem; network or server failures also won’t trip up activations.
If a KMS client is away from the KMS host for more than 210 days, the computer will enter RFM. The last thing you want is for a user not to be able to access a computer while traveling, so you should avoid RFM whenever possible. If it does occur, you can talk the user through entering the MAK at the System Properties window to migrate the computer to MAK.
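The renewal timeline above can be turned into a fleet check that flags laptops before they reach RFM, so they can be brought back onto the network or migrated to MAK in time. The following is an added example, not code from Microsoft or from this article; the host names, dates, the 45-day warning threshold and the assumption that the 210 days are counted from the last successful renewal are all constructed for illustration.

```python
from __future__ import annotations
from datetime import date, timedelta

# Intervals as stated in the article.
RENEW_EVERY = timedelta(days=7)   # clients try to renew every seven days
VALIDITY = timedelta(days=180)    # clients keep trying for 180 days...
GRACE = timedelta(days=30)        # ...plus a 30-day grace period (210 total)


def kms_state(last_renewal: date, today: date) -> tuple[str, int]:
    """Return (state, days left before RFM) for one KMS client.

    Assumption: the clock starts at the last successful renewal.
    """
    age = today - last_renewal
    if age < timedelta(0):
        raise ValueError("last_renewal is in the future")
    days_left = (VALIDITY + GRACE - age).days
    if age <= RENEW_EVERY:
        return "current", days_left
    if age <= VALIDITY:
        return "renewal-overdue", days_left
    if age <= VALIDITY + GRACE:
        return "grace", days_left
    return "rfm", 0


def triage(fleet: dict[str, date], today: date, warn_days: int = 45):
    """List clients in RFM or within warn_days of it, most urgent first."""
    rows = []
    for host, last in fleet.items():
        state, left = kms_state(last, today)
        if state == "rfm" or left <= warn_days:
            rows.append((left, host, state))
    return [(host, state, left) for left, host, state in sorted(rows)]


# Constructed sample inventory: host name -> last successful KMS renewal.
SAMPLE_FLEET = {
    "LT-SALES-01": date(2008, 1, 2),
    "LT-EXEC-07": date(2007, 6, 20),
    "WS-HQ-114": date(2008, 2, 27),
    "LT-FIELD-22": date(2007, 8, 10),
}

if __name__ == "__main__":
    for host, state, left in triage(SAMPLE_FLEET, date(2008, 3, 1)):
        print(f"{host:12} {state:16} {left:3d} days to RFM")
```

Computers that show up in the grace or rfm state are the ones to reconnect to the KMS host or move to a MAK.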
MAK provides functions similar to VLKs that you might have used with Volume Activation 1.0, except that every computer must contact Microsoft to activate. If computers are connected to the Internet during deployment, there’s nothing more you need to know about MAK because activation will happen automatically. Unlike KMS, MAK activations never expire.
If computers aren’t connected to the Internet, you have other activation options:
With VAMT, you can connect to computers across your internal network and perform the following tasks:
As mentioned earlier, it’s critical to keep your MAK secret because Microsoft might prevent your MAK from activating new computers if it’s abused. Microsoft also can use Windows Genuine Advantage, which can be triggered when Windows automatically downloads updates, to prevent computers activated with a compromised MAK from continuing to run normally. Although Microsoft says they won’t block your MAK without providing you with sufficient time to change it, you’ll save yourself a headache by keeping it secret.
The MAK is encrypted and kept in a trusted store on MAK clients, making it almost impossible for end users to identify. But you will need to share your MAK with the people responsible for deploying new computers. If your organization has many locations, this might require sharing the MAK with dozens of people. To help limit the risk of exposure, ask your Microsoft volume licensing representative about how to use key blocking to prevent activations from outside the internal network.
Microsoft provides a Visual Basic script for managing activation: slmgr.vbs, located in the %windir%\system32\ folder. You can use slmgr.vbs to perform the following tasks:
You can run slmgr.vbs automatically after a successful Windows installation to activate a computer. You also can run slmgr.vbs from a logon script if you need to change the MAK used to activate computers. To activate computers across the network, slmgr.vbs supports connecting to remote computers with administrative credentials.
For detailed information, run the following command at a command prompt:
cscript %windir%\system32\slmgr.vbs /?
Making changes to the activation status requires administrative privileges by default. This setting is sufficient if you plan to activate computers before deployment, and you don’t foresee the need to later change activation status. If you need to call slmgr.vbs from a logon script, or if you need to allow a traveling user to migrate a computer from KMS to MAK, set the following reg_dword registry value to 1:
With proper planning, volume activation can be easy to manage, scalable and reliable. For best results, deploy a single KMS host to your network and add KMS hosts for every isolated network with more than 25 Vista clients. Volume activation will be completely automatic. If you have any computers that might be disconnected from your network for longer than six months, activate them to a MAK.
Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.