[Stephen]

So... you've been wondering just what Microsoft has been up to in regards to implementing tighter measures with corporate volume licensing in Windows Vista and Longhorn Server, huh? Well, look no further, my friend, because you've come to the right place! Let's take a moment to reflect upon the day "Devil's Own" leaked that infamous corporate copy of Windows XP of Intel's for all the world to pirate. Sure, Microsoft took a big hit with that but what a lot of people fail to realize is how much Intel had to pay Microsoft (a figure in the millions of dollars) for that leak. (Read the fine print, if you're a corporation with Volume Licensing... ) Microsoft's plans for foiling pirates with their brand new, shiny activation movement with Windows XP was certainly something seemingly laughable at that rate... especially when activation was exploited the way it was, but now it's time to see just what they've learned from the VLK 1.0 experience.

Key Terms:

VLM: Volume License Media (SKU/SKU's containing the files necessary for corporate activation which differ from files used to activate retail versions)
VLK: Volume License Key (A key containing unique characters which works only with VLM; not Retail media, thus, the distinction between corporate and retail activation)
KMS: Key Management Service (The central service in VLK 2.0 that handles volume activation of all clients and servers in an enterprise network. Target: Larger networks (at least 25 machines) that client machines can regularly connect to.)
MAK: Multiple Activation Keys (This is the new implementation of activation via the VLK 1.0 method... but with quite a few differences. They will be leveraged the same way as original VLK’s were in XP and Windows Server VLM except, unlike XP and Windows Server-generation volume licensing, MAK’s, like retail keys, *WILL* need to be activated through Microsoft, so… bye-bye to corporate keys not needing activation!)

Let's go in-depth with KMS and MAK activations, shall we? Yes, we shall. =)

KMS Activation: This is the service that will be used for managed environments where users are connected to a corporate network. Activation by means of KMS will go as follows:

- Corporation obtains Vista and/or Longhorn VLK(s) and VLM from Microsoft.
- Corporation installs Vista and/or Longhorn VLM, using their VLK, to a machine which will host KMS.
- KMS is enabled and stores the VLK in its trusted store for security. (Think: nixing the use of “key-finder” programs by keeping keys off of each individual machine on a corporate network.) KMS is also configured so that required client machines will be able to communicate with it periodically.

So, you have installed Vista and have enabled and set up KMS. Now what? Well, now every computer on your network that you install Vista on will need to be pointed to your KMS “server” so that it can activate. No key is entered or stored in the client machines and the KMS method requires that every client re-activate itself periodically! If a client machine is disconnected from the network for 180 days, it will be considered “out of tolerance” and will be placed into RFM (Reduced Functionality Mode). RFM makes it so that no user can log in to that machine. The way to alleviate RFM is to re-connect that client to the network and it will re-activate via the KMS “server.”

It’s also worth noting that KMS will require a minimum number of clients to be rolled out successfully within a corporation. At the time of this writing, the current number of required clients is 25. In up-to-date documentation, Microsoft is still representing this number 25 with an “n” to show that it’s still subject to change, but what else is new? =) The first 25 clients installed will hit the KMS “server” first and will be kept in a list for 30 days.

Every flavor of Vista, as well as Longhorn Server, will have KMS functionality and support for KMS in Windows Server 2003 is currently planned for post-Vista RTM.

Over-simplified, KMS is essentially Microsoft’s counter-measure to the employees of a corporation getting hold of their corporation’s volume license key. With such a low number of machines set as a requirement to leverage KMS (at the time of this writing, 25 clients), you can tell that Microsoft is *really* pushing to get VLK’s into the hands of as few individuals as possible within a corporation. I’m guessing Microsoft will try to make the KMS solution as cost-effective as possible so that this initiative will really take off with great success. (See: More money and less piracy. )

Key policies to remember with VLK 2.0 KMS activation:

N-Policy (Minimum # of machines per KMS): Currently 25.
Expiration period until re-activation: 180 days.
Hardware tolerance: Bound to system hard drive.
Out-of-box grace period: 30 days
Out-of-tolerance: 30 days (If user has gone beyond expiration or changed their hard drive.)


MAK Activation: This method of activation stands to be leveraged for decentralized networks where users are rarely or never connected to the corporate network. In English, lol, this is THE key that pirates will hope to get and stand a better chance of getting a hold of to leak to the masses along with the appropriate VLM. (VLK 1.0, anyone?) Ah, but this time, Microsoft has a new plan. Let’s see what they’re doing with what they’ve learned:

The foremost change with volume licensing is that no key will go without needing to be activated – period. Knocking VLK’s down to Retail level in terms of activation creates a whole new playing field for corporations and Microsoft. Perhaps equally as notable of a change is all MAK activations and activity can be viewed via Microsoft online portals. With MAK’s having an upper-limit in terms of how many activations each key can sustain, this keeps any one key from doing world-wide damage in terms of piracy. Something else unique about MAK’s is that the confirmation ID generated by them can be used to re-activate a machine! For instance, if you need to reinstall a client machine, you can use the confirmation ID that was given after installing with the MAK the first time you installed on that machine – so long as there have been no hardware changes. This also keeps it so that reinstalling a machine doesn’t count against your MAK total.

So, in essence, a MAK is nothing more than a retail license that can be used a pre-determined number of times on multiple machines.

Key policies to remember with VLK 2.0 MAK Activation:

MAK total policy (Each key has a pre-determined number of activations.)
No N-Policy
No expiration
Hardware tolerance: As with current retail versions of Windows, certain hardware changes will require a re-activation, and will count against MAK total.
Out-of-box grace period: 30 days
Out-of-tolerance: 30 days (For changed hardware only.)

There is a lot more to learn about VLK 2.0 as Microsoft approaches Vista RTM. Likewise, there is also a lot that Microsoft could change between now and then, but until then, the information provided above should give those interested plenty of insight into what to expect with corporate licensing and activation.

-Stephen

Resource: Windows Vista Volume Activation Overview VLK 2.0 (Partner Presentation)
Source: In-house

[Bryant]

 I had this off-topic comment to say:

This is why I hired you as a newsposter

I'm assuming this only applies to Windows Vista Business and Enterprise editions, correct?

[ISOHaven]

Eh, that'll all be hacked before January ;p

[Aeden]

Very, very informative stuff, Stephen .

Bryant, which bits are you assuming apply to Business and Enterprise? That was my initial assumption, too, with the whole VLK scheme entirely, but then I read this -

Quote

Every flavor of Vista, as well as Longhorn Server, will have KMS functionality

So I *guess* that blows that assumption to bits?

[ZoRoNaX (MVP)]

What are the volume editions that support KMS?

• Client Business, Client Enterprise, Server Enterprise
  
• The client versions are upgrade versions only.

If you've read the sheets, you know it's in there

[Aeden]

ZoRoNaX, on Sep 14 2006, 07:24 AM, said:

What are the volume editions that support KMS?

• Client Business, Client Enterprise, Server Enterprise
  
• The client versions are upgrade versions only.

If you've read the sheets, you know it's in there

I should probably slap myself for not having read the presentation more clearly; thanks for that .

[Karl]

that's another thing Microsoft are doing to combat piracy: Vista ultimate. That's the one people are going to want. That's the one people are going to want to pirate. Yet there is no VLK version (unlike top-tiered XP).

Very informative Stephen, good job

[Bryant]

ZoRoNaX, on Sep 14 2006, 03:24 AM, said:

What are the volume editions that support KMS?

• Client Business, Client Enterprise, Server Enterprise
  
• The client versions are upgrade versions only.

If you've read the sheets, you know it's in there

Thanks for that

[Stephen]

ZoRoNaX, on Sep 14 2006, 03:24 AM, said:

What are the volume editions that support KMS?

• Client Business, Client Enterprise, Server Enterprise
  
• The client versions are upgrade versions only.

If you've read the sheets, you know it's in there

Oops - I meant to mention this as well as the scripting, but... yeah, it's all in the powerpoint presentation, I suppose. Grab it while you can if you haven't yet! I'm sure they will remove it if they see it's being downloaded - I found a couple of other VLK presentations on their servers 3 days ago and they were REMOVED as of last night! I was going to include them with this post because I started writing it based off of the presentation I've provided. I may need someone to serve these other two and I'll write an extention in this same post with some other things the current presentation doesn't cover.

I'm glad you all enjoyed reading this - I was very excited to stumble upon this documentation, because I've been highly interested in finding out specifics about activation and how the whole corporate/volume licensing issue was being addressed with Vista.

More later... =)

-Stephen

[Bryant]

Microsoft took it down, so I changed the link to a copy of the powerpoint I backed up. (It's the same one.)

[Stephen]

Word. I'll write up a part 2 soon in which I'll ask you to serve those presentations or images. I hope that works for you. =) I'm sure MS isn't too happy about this write-up, lol. =)

[Bryant]

Stephen, on Sep 15 2006, 07:29 AM, said:

Word. I'll write up a part 2 soon in which I'll ask you to serve those presentations or images. I hope that works for you. =) I'm sure MS isn't too happy about this write-up, lol. =)

Works for me.

[Spencer]

It sounds like a little more organization for companies that need to install Windows Vista. However, in organizations that can't afford or don't want to spend on IT maintenance and setup, I can see a lot of them keeping XP SP3 until end-of-life.

If there's an SP3.

[NetRolller 3D]

Actually, it's not really a good protection. The only thing needed is a program that emulates the KMS (and a HOSTS entry that defines the location of the KMS as 127.0.0.1), and bye-bye protection.

[Stephen]

NetRolller 3D, on Sep 21 2006, 06:12 AM, said:

Actually, it's not really a good protection. The only thing needed is a program that emulates the KMS (and a HOSTS entry that defines the location of the KMS as 127.0.0.1), and bye-bye protection.

I understand your point but you're certainly assuming a lot. First, you're assuming how the OS leverages and checks the status of KMS. You make it sound as if, oh, you can just code a program to emulate KMS and everything's simple... and while there are most certainly talented-enough programmers to do as such, I very much doubt that simplicity will crack the case - no pun intended. What kind of checks and balances is the OS going to perform on the binaries involved with KMS? What all is the KMS service going to be attached to? What happens when you try to alter the binaries associated with KMS? How simple is it going to be to re-create KMS, I mean, go re-read the powerpoint presentation and look at what all KMS does. For someone to figure out how to emulate it, they're going to need to do some hefty cracking. Again, possible? Absolutely. Your logic makes sense but I highly doubt that emulating KMS will be a real-world solution for software crackers. Other workarounds will most certainly be found.

This is the kind of discussion I welcome and was looking for with this post. Naturally, I'm only working off of assumption as well, because I assume Microsoft won't make this as cut and dry as one might think... and then again, with the talented world of reverse engineers vs. Microsoft, who knows what all people will come up with as a workaround.

-Stephen