Windows Vista: Volume Activation 2.0
Ramprabhu Rathnam
Director – Product Management
Microsoft Corporation
Agenda
• Introduction
• Software Protection Platform
• Activation Options
• Resources
• Q&A
Challenges
VLK 1.0 Realities
• Unrestrained usage
• Not easy to track or manage
• Does not offer tools or means for easier, scalable, and more secure deployments
• Stolen or compromised
• Get confused with non-genuine software
Goals for Windows Vista
• Enable protection and management of license keys
• Flexible options to suit varying operating models
• Minimal impact to desktop deployment and management
• Reduce the risk of running tampered software
• Facilitate genuine differentiation
Software Protection Platform
• Improve the security of the software
• Reduce piracy through enhanced and flexible product activation options
• Protect software from malicious tampering & reverse engineering
• Enable differentiation & compliance
• Facilitate genuine differentiation
• Ease software asset management efforts
• Trusted license store and public APIs
• Assist in Electronic Software Distribution
• Windows Anytime Upgrade
Digital licensing and software IP protection solution for Windows Vista & “Longhorn” customers
Activation Options
• Online
• Phone
• BIOS-bound Pre-install
• Multiple Activation Key (MAK)
• Key Management Service (KMS)
Volume Activation 2.0
• Help automate and manage the activation process for all volume licensed editions of Windows Vista & Windows Server “Longhorn”
• Two types of Keys
• Multiple Activation Key
• Key Management Service Key
• Three activation methods
• MAK Independent Activation: Each desktop individually connects and activates with Microsoft (online or telephone)
• MAK Proxy Activation: One centralized activation request on behalf of multiple desktops with one connection to Microsoft
• KMS Activation: Activate using customer hosted service and NOT with Microsoft
• Machines using the OEM SKU do not require VA 2.0
• Planned and managed as part of integrated desktop deployment process
Multiple Activation Key
• One time activation against Microsoft
• Two methods of activation using a MAK:
• MAK Independent Activation: Each desktop individually connects and activates with Microsoft (online or telephone)
• MAK Proxy Activation: One centralized activation request on behalf of multiple desktops with one connection to Microsoft
• Reactivation may be required if there is significant change in the underlying hardware
• Has an associated upper limit, depending on the license agreement, and can be easily refilled
MAK Independent Activation
[Diagram: MAK Independent client, VAMT host, Internet, Microsoft]
1. Distribute MAK:
a. Change product key wizard or WMI script
b. During OS installation
c. Volume Activation Management Tool (VAMT)
2. MAK client(s) connect once to Microsoft via Internet (SSL) for activation or use telephone.
Volume Activation Management Tool
• Performs both MAK Proxy and MAK Independent activation
• Provides activation status of all machines in the environment
• Supports discovery of machines in the environment:
• Active Directory (AD)
• Workgroup, and
• Individual machines by IP address or Machine Name
• Requires remote WMI access
• Stores all data in a well defined XML format
• Allows for Import/Export of data
• Availability in Q1 of 2007
MAK Proxy Activation using VAMT
[Diagram: VAMT host, MAK Proxy client, Active Directory, Internet, Microsoft]
1. Find Windows Vista machine(s) from Active Directory (LDAP) or through network discovery APIs (NetServerEnum())
2. Apply MAK and collect Installation ID (IID) using WMI; optionally export to XML file
3. Connect to Microsoft over Internet (SSL) and obtain corresponding Confirmation ID (CID); optionally update XML file with CIDs
4. Activate MAK Proxy client(s) by applying CID; optionally import updated XML file first
Key Management Service
• Activate using customer hosted service and NOT with Microsoft
• Systems must re-activate by connecting to KMS host at least every 180 days
• Requires 25+ for Windows Vista and 5+ for Windows “Longhorn” server
• Default activation option for all volume editions of Windows Vista and Windows Server “Longhorn”
• Requires no user interaction
• Currently available on Windows Vista and “Longhorn”. Planned support for Windows Server 2003 in Q1 2007
How KMS Activation Works
[Diagram: KMS Client, KMS Host(s), DNS]
1. Discover KMS host via registry or DNS SRV RR (_vlmcs._tcp)
2. Send RPC request to KMS host on 1688/TCP by default (~250b)
• Generate client machine ID (CMID)
• Assemble and sign request (AES encryption)
• On failure retry every 2 hours (default)
3. KMS host adds CMID to queue and responds with current count (~200b)
4. KMS client evaluates count vs. license policy and activates itself
• Store KMS host Product ID, intervals, and client hardware ID in license store
• On success renew activation every 7 days (default)
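The count and timer behaviour in steps 3 and 4, as an added Python sketch (not Microsoft's code and not part of the original deck). It uses the thresholds and defaults stated on the slides; the names `KmsHost`, `KmsClient` and `rollout` are hypothetical, the host queue is assumed to be a set of distinct CMIDs, and DNS discovery, RPC and request signing are not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds and default intervals as stated on the slides.
THRESHOLD = {"vista": 25, "longhorn-server": 5}
RETRY_ON_FAILURE = timedelta(hours=2)
RENEW_ON_SUCCESS = timedelta(days=7)
VALIDITY = timedelta(days=180)

class KmsHost:
    """Toy host (assumption): the queue is a set of distinct CMIDs."""
    def __init__(self):
        self.cmids = set()

    def handle(self, cmid: str) -> int:
        self.cmids.add(cmid)       # step 3: add CMID to the queue
        return len(self.cmids)     # and respond with the current count

@dataclass
class KmsClient:
    cmid: str
    edition: str
    expires: Optional[datetime] = None
    next_contact: Optional[datetime] = None

    def contact(self, host: Optional[KmsHost], now: datetime) -> bool:
        """One request/response cycle; host=None models an unreachable host."""
        count = host.handle(self.cmid) if host is not None else None
        if count is not None and count >= THRESHOLD[self.edition]:
            self.expires = now + VALIDITY              # step 4: activate or renew
            self.next_contact = now + RENEW_ON_SUCCESS
        else:
            self.next_contact = now + RETRY_ON_FAILURE
        return self.expires is not None and now < self.expires

def rollout(n: int, edition: str, t0: datetime):
    """n clients contact a fresh host in turn, then each contacts again when due."""
    host = KmsHost()
    clients = [KmsClient(f"cmid-{i}", edition) for i in range(n)]
    first = sum(c.contact(host, t0) for c in clients)
    second = sum(c.contact(host, c.next_contact) for c in clients)
    return first, second, clients

if __name__ == "__main__":
    t0 = datetime(2007, 1, 1)              # constructed start time
    print(rollout(24, "vista", t0)[:2])    # one machine short of the threshold
    print(rollout(25, "vista", t0)[:2])    # threshold reached by the last client
```

In this model only the client whose request brings the count to the threshold activates on the first pass; the others activate on their 2-hour retry, and an already activated client stays activated through a host outage until 180 days after its last successful renewal.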
Managing
• Administrative tools
• Volume Activation Management Tool
• KMS Management Pack for System Center Operations Manager (MOM Pack)
• Management interfaces
• Command line interface
• Public APIs
• WMI properties
• Event Logs on every machine
• Integration with Management tools
• SMS 2003 SP3 and System Center Configuration Manager will have built-in activation reports
• Public APIs that can be used by any mgmt tools to duplicate this functionality
Example Configuration using MAK/KMS
[Diagram: example deployment showing a Core Network, Internet, Disconnected Machines, an Isolated Lab and a Secure Zone. Surviving labels: Microsoft; Hosting KMS; KMS Client(s); Multiple Machines; Desktop; MAK Independent; MAK Phone Activation; KMS Phone activation; 1688/TCP; "Contains at least 25 machines."]
Summary
• Activation is a required process for all editions of Windows Vista & Windows Server “Longhorn”
• Multiple activation options exist for volume customers
• MAK independent, MAK proxy and KMS
• Provides centralized management and protection of VL keys
• Enhances software asset management efforts
• Integrated with Business Desktop Deployment for easier deployment and management
Resources
• Business Desktop Deployment Solution Accelerator:
• http://www.microsoft.com/technet/desktopdeployment/bdd
• Volume Activation 2.0 on TechNet:
• http://go.microsoft.com/fwlink/?LinkID=75673
• Volume Activation 2.0 on Download Center:
• http://go.microsoft.com/fwlink/?LinkID=75674
• For product key information and call center numbers:
• http://www.microsoft.com/licensing/resources/vol/default.mspx
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Reduced Functionality Mode
• Placed in reduced functionality mode when:
• Grace period expired, Hardware changed significantly, Tampering detected, or Windows Genuine validation failed
• While in RFM the User experience differs:
• Some features will be disabled e.g. ReadyBoost, Defender
• Some features will be degraded e.g. Aero
• Desktop will display non-Genuine watermark
• Users will have access to their desktop and data in “Safe” mode
• Multiple options available to restore full functionality
Volume Activation Management Tool
User interface is subject to change