SolutionBase: Changes to Product Activation and Volume Licensing

Windows XP introduced Windows Product Activation, which helped Microsoft control piracy but became a bane to network administrators who installed and needed to activate Windows XP in large organizations. Windows Vista takes product activation worries to a new level. Here's what you'll face.

This article is also available as a TechRepublic download.

If you're installing a single version of Windows Vista in your organization, licensing is pretty simple; you just go with what came with your new machine or what came in the upgrade box. Even tracking a few licenses doesn't present much of a problem. Things become complicated when you're dealing with dozens or even hundreds of servers. To help hold down costs and improve product tracking, Microsoft created Product Activation and Volume Licensing. It's been around for a while, but there are some new changes with Windows Vista worth exploring.

In the beginning: Windows 95

When Microsoft released Windows 95 over a decade ago, it included many innovations over Windows 3.11. Among them, Windows 95 was the first version of Windows to require a product key to be entered as part of the installation process. Fortunately, Microsoft realized that requiring every PC to have a unique product key just wasn't practical for larger organizations. As such, Microsoft introduced volume licensing, which allowed corporations to use the same license key for every PC (although licenses must still be purchased for each PC). This not only simplified manual installations, it paved the way for image-based and Remote Installation Service-based installations.

Volume licensing is still in use today. Although volume licensing makes life easier for IT professionals, volume licenses are a favorite target of software pirates. When Microsoft released Windows XP, they introduced the concept of activating Windows. The idea was that the product key was paired with a unique hash based on the machine's hardware and sent to Microsoft. Since a product key could only be activated a limited number of times, it was thought product activation would reduce software piracy.

The problem with this was that volume license product keys did not require activation. Therefore, software pirates began to steal volume license keys because they could be used repeatedly without the hassles of activation. In fact, the vast majority of pirated copies of Windows XP were installed using volume license keys.

Windows Genuine Advantage

To combat this problem, Microsoft created a new program called Windows Genuine Advantage. The idea behind Windows Genuine Advantage is that the Microsoft Web site will not allow you to download non-critical Windows updates until the Web site is able to prove that your computer is not running a pirated copy of Windows.

The Windows Genuine Advantage program has reduced software piracy for Microsoft, but it's still not completely effective because the program is dependent on companies knowing when their volume license key has been leaked. When a company’s volume license key is leaked, the company reports the incident to Microsoft. Upon doing so, Microsoft invalidates the product key and issues the company a new product key. When a user tries to download a non-critical update from the Microsoft Web site, Windows Genuine Advantage code compares the product keys used by the user's machine against a list of product keys that are known to have been compromised. If a match occurs, then the user is presumed to be running a pirated copy of Windows, and the download is forbidden.

Although the Windows Genuine Advantage program has helped in the war against piracy, it has shortcomings. The whole program is dependent on companies realizing when keys have been compromised and reporting the compromise. The Windows Genuine Advantage program is completely ineffective in situations in which a company is unaware that their keys have been compromised, or if a company chooses to simply look the other way when piracy occurs.

The Windows Genuine Advantage program is also ineffective at stopping piracy within a company. For example, there are undoubtedly situations in which companies use their volume licensing keys on more copies of Windows than they actually have purchased licenses for. If a company does report that their product keys have been compromised, they are assigned a new product key. Since the original product key is invalidated, computers on the corporate network will need to be updated with the new product key. IT staff might be a lot less likely to report the key being compromised when faced with added labor.

Volume license keys in Vista

In light of all of these problems, Microsoft has changed the way volume licensing works for Windows Vista. Rather than just give companies a product key to use indiscriminately, Microsoft has created two different methods for using volume license keys with Windows Vista.

The first method involves the use of a multiple activation key (MAK). MAKs are actually nothing new; they are just new to volume licensing agreements. MAKs have been in use with products such as MSDN and Microsoft Action Pack subscriptions. The basic idea is that MAKs can only be activated a specific number of times. Each time the key is entered onto a PC, the key is activated, and the remaining number of uses for the key is decreased by one.

The same basic rules that apply to normal Windows XP product keys apply to MAKs. Specifically, this means that if the OS has to be reinstalled, the key will have to be activated again, which will decrease its number of remaining activations. Likewise, if the computer's hardware changes significantly, then the hardware hash will no longer match the hash stored within Windows, thus invalidating the activation. In these situations, Windows will have to be reactivated, once again decreasing the remaining number of activations for the product key.

Key Management Service

The alternative method entails using Key Management Service, which uses a server to act as a repository for volume licensing keys. The interesting thing about this technique is that keys are not permanently assigned to computers, and computers are not permanently activated.

Instead, Windows Vista is installed on individual workstations without using a product key at all. Vista is designed so if a product key is not entered, it will only function for 30 days. When installation completes and the new OS is brought online for the first time, it performs an automatic search for a key management server. The search is possible because key management servers use a fully qualified domain name that follows a very specific pattern. The name _vlmcs._tcp is prefixed to your organization's default domain name. For example, in an organization named contoso.com, the name of the key management server would be: _vlmcs._tcp.contoso.com. Vista searches for this name on TCP port 1688.

Once Vista locates the key management server, it goes through a negotiation process of sorts and receives a temporary activation. This temporary activation is good for six months. The catch, however, is that in a week the computer will contact the key management server again and ask for a renewal on the activation. Under normal circumstances, computers on the network communicate only with the key management server for activation purposes. They never communicate directly with Microsoft. However, the key management server allegedly "phones home" from time to time to report to Microsoft how many licenses are actually in use.

Of course, this raises a valid question: What happens if a computer on the corporate network is unable to contact the key management server, due to some kind of network communications problem? As I said earlier, Vista is designed so that it will be fully functional for 30 days even though it has not been activated. Therefore, if a computer is brought online but cannot immediately contact a key management server, Vista will function normally until either a key management server can be contacted, or until the 30-day grace period has expired; whichever comes first.

Once the computer has been initially activated, Windows attempts to contact the key management server once every week in an effort to renew the activation. If the key management server cannot be contacted for some reason, it's not a problem. The activation is good for six months, regardless of whether or not Vista is able to contact the key management server. If six months pass and the activation still isn't renewed, the 30-day grace period goes into effect. Once a machine running Windows Vista has been initially activated, it can continue to function for up to seven months without being reactivated.

This brings up another interesting question: If the key management service is designed so that computers running Windows Vista can function for up to seven months without being reactivated, then why is reactivation attempted on a weekly basis?

The weekly reactivation is configurable. Microsoft designed Windows Vista to reactivate itself on a periodic basis because not all computers are connected to a network on a continual basis. For example, your company might have an employee who works off-site and only connects to the network once a month. In that situation, it would be possible for the user's activation to expire sometime between logons if the activation were not renewed on a periodic basis.

It would seem using key management services is the obvious choice for any company with a volume licensing agreement. Even so, MAKs have their place. MAKs are essential in environments in which there is no key management server, or in which clients connect to the network containing the key management server so infrequently that they risk having their activation expire. In these situations, using MAKs is ideal because MAKs never expire, once activated. Once a MAK has been activated, the only thing that can invalidate it — aside from piracy — is significant changes to the computer's hardware.

Licensing states

Given everything I have told you about volume licensing with Windows Vista, it would be easy to assume that machines running Windows Vista are considered to either be activated or not activated. However, there are actually five different licensing states that can apply to a machine running Vista. These states are:

  • Licensed: A computer is considered to be licensed once it is activated.
  • Initial Grace: The 30-day grace period when Windows is first installed. Windows must be activated by the end of this period. You can extend the 30-day grace period to 120 days: Entering the SYSPREP /GENERALIZE command resets the grace period, giving you another 30 days. This command can only be used three times, however, for a maximum of a 120-day grace period, counting the initial 30-day grace period.
  • Non-Genuine Grace: The Windows Genuine Advantage program doesn't just affect computers running Windows XP; it also applies to computers running Vista. Suppose a user has activated Windows Vista using a pirated volume license key that has been reported to Microsoft. If the user visits a Web site protected by the Windows Genuine Advantage program, the genuine validation will fail. At that point, the machine is placed into the Non-Genuine Grace licensing mode. When this occurs, the user has 30 days to reactivate Windows using a valid, genuine product key.
  • Out-of-Tolerance Grace: Occurs when excessive hardware changes are made to a computer that has been activated. When this occurs, the operating system goes into an out-of-tolerance grace period. This means that the computer must be reactivated within 30 days. Incidentally, if a computer has been activated by a key management server and goes for more than six months without contacting the key management server for a renewed activation, the computer will be put in an out-of-tolerance grace period, just as it would had the system's hardware changed.
  • Unlicensed: A computer is considered to be unlicensed once the grace period expires. When this occurs, the OS goes into reduced-functionality mode. When Vista is operating in reduced-functionality mode, the user can't really use it to do much of anything, other than perform activation or enter a new product key.
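
The timeline from the Key Management Service section and the states above can be turned into a fleet audit that flags machines before they drop into reduced-functionality mode. The following is an added example, not code from the article or from Microsoft. It covers only clients activated through a key management server (MAK activation and Non-Genuine Grace are not modelled), treats "six months" as 180 days, and uses hypothetical function names, host names and dates.

```python
from datetime import date, timedelta

# Durations from the article; "six months" is modelled as 180 days (assumption).
INITIAL_GRACE = timedelta(days=30)
KMS_VALIDITY = timedelta(days=180)
OOT_GRACE = timedelta(days=30)
MAX_REARMS = 3  # SYSPREP /GENERALIZE resets the initial grace at most three times


def kms_state(today, installed, last_kms_contact=None, rearms=()):
    """Return (state, deadline); deadline is the first day the state no longer holds."""
    if last_kms_contact is None:
        # Never activated: initial grace runs from install or the latest counted rearm.
        counted = [r for r in sorted(rearms)[:MAX_REARMS] if r <= today]
        deadline = max([installed] + counted) + INITIAL_GRACE
        return ("Initial Grace" if today < deadline else "Unlicensed"), deadline
    expiry = last_kms_contact + KMS_VALIDITY  # every successful renewal restarts this
    if today < expiry:
        return "Licensed", expiry
    deadline = expiry + OOT_GRACE
    return ("Out-of-Tolerance Grace" if today < deadline else "Unlicensed"), deadline


def audit(inventory, today, warn_days=14):
    """List hosts that are not Licensed, or whose current state ends within warn_days."""
    findings = []
    for host, rec in sorted(inventory.items()):
        state, deadline = kms_state(today, **rec)
        days_left = (deadline - today).days  # negative: days since the deadline passed
        if state != "Licensed" or days_left <= warn_days:
            findings.append((host, state, days_left))
    return findings


# Constructed inventory (hypothetical hosts and dates) for illustration only.
TODAY = date(2007, 9, 1)
INVENTORY = {
    "desk-01": dict(installed=date(2007, 2, 1), last_kms_contact=date(2007, 8, 28)),
    "laptop-offsite": dict(installed=date(2007, 2, 1), last_kms_contact=date(2007, 2, 20)),
    "kiosk-new": dict(installed=date(2007, 8, 20)),
    "lab-rearmed": dict(installed=date(2007, 5, 1),
                        rearms=[date(2007, 5, 29), date(2007, 6, 27), date(2007, 7, 26)]),
    "stale-07": dict(installed=date(2007, 1, 2), last_kms_contact=date(2007, 1, 5)),
}

if __name__ == "__main__":
    for host, state, days_left in audit(INVENTORY, TODAY):
        print(f"{host:15} {state:24} {days_left:4d} days")
```

Feeding it the last successful renewal date for each client shows which off-site machines are already running on the final 30-day grace period.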