Microsofts Software Protection Platform: Planning Activation in Isolated/Secure Environments

Microsoft Windows Family of Operating Systems

White Paper January 2007

Author: Ramprabhu Rathnam ([email protected])

This is a preliminary document and may be changed substantially before final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form, by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft Corp. Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. 2007 Microsoft Corp. All rights reserved. Microsoft, Windows Vista, Windows Server, Windows, the Windows logo, Internet Explorer and ActiveX are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corp. One Microsoft Way Redmond, WA 98052-6399 USA

Table of Contents
TABLE OF CONTENTS........................................................................................3 INTRODUCTION.................................................................................................1 ACTIVATION OPTIONS FOR MACHINES IN ISOLATED ENVIRONMENT..................1 LOCAL KEY MANAGEMENT SERVICE BASED ACTIVATION ..................................2 MULTIPLE ACTIVATION KEY ..............................................................................3 ACTIVATING PRIOR TO MOVING INTO ISOLATED ENVIRONMENT.......................3 MAK PROXY-ACTIVATION..................................................................................3 ORIGINAL EQUIPMENT MANUFACTURE ACTIVATION ........................................5 GRACE .............................................................................................................6 SCENARIOS AND APPLICATION OF ACTIVATION OPTIONS..................................7

INTRODUCTION
Volume Activation 2.0 is a collection of technology and process that enables enterprises to address the required activation for all editions of Windows Vista and Windows Server Longhorn in their environment. Deploying Windows Vista using Volume Activation 2.0 in highly connected environments is normally a straightforward process requiring minimal planning and implementation. However, there are some planning considerations for deploying of Windows in isolated or secure environments. For the purpose of this document isolated/secure environments range from environments that block client access to the internet or certain internet sites, to highly secure installations where data flow into or out of the installation is completely restricted, there is a air gap between the environment and the internet. This whitepaper is targeted at decision makers and infrastructure architects who are planning a deployment of Windows Vista or Windows Longhorn Server that have specialized network isolation requirements. This whitepaper assumes that the reader is already familiar with Volume Activation 2.0 collaterals available from Microsoft Windows Vista Volume Activation 2.0 Technical Guidance. Windows Vista Volume Activation 2.0 Step by Step Guide Microsoft Solution Accelerator for Business Desktop Deployment 2007

ACTIVATION OPTIONS ENVIRONMENT

FOR

MACHINES

IN

ISOLATED

Activating Windows under Volume Licensing using Multiple Activation Key (MAK) or Key Management Service (KMS) requires that the client computer either MAK independent active by connecting to Microsoft via internet (SSL) or telephone MAK Proxy activate using a VAMT host which connects to Microsoft on behalf of the client system KMS activate by connecting to system running the KMS service on the isolated network

There have been concerns voiced by customers who need to activate computers in isolated and/or secure environments that cannot connect to any external network. There are various deployment options available which requires no new additional operational requirements for activating the machines in these isolated environments. These options include using Running a local KMS host inside the isolated environment

Microsofts Software Protection Platform

Page 1

Pre-activation of client machines as part of the acquisition/provisioning process before they enter the isolated environment, and MAK proxy activation of computers within the environment using the Volume Activation Management Tool (VAMT) OEM Activation

In addition the out of box grace period can be leveraged wherein Windows Vista can be used with its full functionality during this grace period.

LOCAL KEY MANAGEMENT SERVICE BASED

ACTIVATION

This option involves running an instance or instances of a host system running the KMS service in the isolated environment for activating machines within the isolated environment. The KMS host itself requires a single activation with Microsoft, this can be accomplished over the telephone or by bringing the KMS host into the isolated environment after it has been successfully activated outside of the isolated environment.

Planning Considerations
Requires provisioning of KMS host by activating it either within the isolated environment using telephone activation or outside of the isolated environment before it is brought to the isolated environment For Windows Vista activation it requires activation request from 25 or more physical machines and for Windows Server Longhorn it requires 5 or more physical machines for before the KMS will start activating systems on that network. Once the KMS service starts activation it will activate virtual systems as well. If the KMS host has significant hardware changes reactivation might be required KMS hosted on Windows Server Longhorn can activate both client and server machines depending on the KMS key used while KMS hosted on Windows Vista can only activate other Windows Vista machines only Machines in the isolated environment must have required access to the KMS host running in the isolated environment for successful activation and reactivation o o Requires DNS with a SVR record for the KMS Host, if DNS is used. If DNS is not used then hard coding the KMS Host name into each system is required. RPC connectivity over TCP port 1688 is required for the activation communication, request-response. This port is configurable based on environmental requirements.

No client slide configuration requirements if using DNS publishing No need for use of product keys in the client images that are being deployed

Microsofts Software Protection Platform

Page 2

Clients machines activated using KMS host must reconnect with KMS host at least once every 180 days. Failure to reconnect within the 180 days will put the client machines in out of tolerance grace period (30 days) Reactivation is required only if the primary hard drive where the OS is running from changes

MULTIPLE ACTIVATION KEY

MAK should be used in environments of less than 25 systems. If there are more than 25 systems then KMS is the recommended method for activation.

ACTIVATING

PRIOR TO MOVING INTO ISOLATED ENVIRONMENT

As part of the provisioning process all systems that will be deployed in the isolated environment could be activated using either MAK Independent or MAK Proxy Activation before those machines are physically moved into the isolated environment.

Planning Considerations
Ability to MAK activate (using independent or proxy MAK activation) prior to bring the machines into the isolated environment If the machines are subject to rebuilt/reimaged within the isolated environment then VAMT can be used to avoid reactivation against Microsoft o During the provisioning process (first activation) capture the Installation Id and the corresponding Confirmation Id o Reapply the confirmation id after successful rebuilt/reimaging machine to avoid repeat of the activation against Microsoft. o The reapply can be performed as long as no significant hardware change has happened. Significant hardware changes might require reactivation

MAK PROXY-ACTIVATION
If the machines cannot be activated prior to entering the isolated environment then Volume Activation Management Tool (VAMT) can be used within the isolated environment to harvest the Installation Id (non sensitive information about the machine), which then can be exported for activation in an environment where connection to Microsoft online activation service is feasible. The Confirmation Ids (non sensitive information) obtained can then be deposited using Volume Activation Management Tool.

Microsofts Software Protection Platform

Page 3

The export and import files are XML files that can be opened with various applications including notepad.exe for examination by organizational security personnel to ensure no sensitive data is contained within the file. If required the XML file can be printed inside the isolated environment and then manually inputted into the VAMT tool on a connected system. Here is an example of how the process may look

Here is a screenshot of the export interface

Planning Considerations
Recommended to be used in environments with less than 25 systems
Page 4

Microsofts Software Protection Platform

Requires use of Volume Activation Management Tool within as well as outside of the isolated environment. Requires WMI access between the machine(s) running VAMT tool within the isolated environment and the machines that need to be activated within the isolated environment. These WMI port can be configured Installation Id and Confirmation Id must be exchanged in the form of well documented XML file containing just these two pieces of information for all the machines that need to be activated between the isolated environment and one other trusted environment from where the MAK proxy activation request will be processed If the machines are subject to rebuilt/reimaged within the isolated environment the confirmation id can be reapplied to the rebuild machines thereby avoid repeat of the activation steps. Significant hardware changes might require reactivation

ORIGINAL EQUIPMENT MANUFACTURE ACTIVATION

OEM Activation for Windows Vista is a software protection technology for the Windows Vista operating system that improves upon System-Locked Preinstallation, which is available for Microsoft Windows XP operating systems. OEM Activation associates the Windows operating system to the firmware (BIOS) of the physical computer. Advantages of OEM activation include persistent activation, activation without connecting to any activation provider, and the ability for OEMs to use custom media images.

Planning Considerations
Available on new PCs purchased through most established OEMs (who have the special HSM devices provided by Microsoft for generating the cryptographic OEM Windows BIOS marker and not available from local system builders) Requires that client machine being activated has the required Windows Vista OEM marker as part of the BIOS which matches to the digital certificate that is present as part of the OS image loaded by the OEM Need to maintain recovery media specific to each OEM system configuration Windows Vista Enterprise isnt one of the OEM SKUs as such this scenario doesnt support Windows Vista Enterprise edition Customers may provide their own applications to the OEM partner for pre-installation, or may install applications on top of the OEM mage. Hardware changes will not require reactivation If you must use Volume Media or you have a pre-built image that already uses the Volume Media, KMS or MAK activation will be required

Microsofts Software Protection Platform

Page 5

GRACE
If the machines are short lived (meaning if they are rebuilt/reimaged often) then the out of the box grace period (30 day) might provide a great opportunity where one could use the machines without any activation within the grace period. In addition, the system provides slmgr.vbs rearm functionality that can be executed maximum of three times to reset the grace period. If the system is mission critical and in a location where activation cannot be accomplished, the grace period can be extended by using the SLMGR.VBS script with the rearm switch.
Cscript \windows\system32\slmgr.vbs rearm

Each time the script is run it adds another 30 day grace period to the system. So if the system can be maintained in a state of grace for up to 120 days without activation.

Planning Considerations
Good only for environments where shelf-life of the image is less than the grace period These computers can not be set up for more than grace period amount allowed or they will go into Reduced Functionality Mode

Microsofts Software Protection Platform

Page 6

SCENARIOS

AND

APPLICATION

OF

ACTIVATION OPTIONS

This section of the document maps the activation options discussed above to some well known abstracted isolated environment scenarios. These should be taken as potential guidance and validated for its applicability in your environment.

CLASSIFIED NETWORK
Environment where there are significant number (25 or more Windows Vista Machines, 5 or more Windows Server Longhorn) of physical and virtual machines present with no external connectivity such as Internet. Individual machines within the environment are often well connected within the secured environment and have access to Domain Name Service (DNS) but cannot connect to any external services such as Microsoft Activation Server. KMS is the best activation option for these systems since they are highly connected within the environment with DNS. Additionally, KMS being the default activation method for Windows Vista there are no configuration change or product keys required on the individual systems. Best alternative options for this scenario include MAK proxy activation and pre-activation.

CLASSIFIED INDIVIDUAL MACHINES WITH TRUSTED CONNECTION

Environment that often represents individual machines that has the ability to connect to a trusted/central site at least once every 180 days. There are often machines in the secure isolated environment that connect to the trusted central site for software update and other functions. KMS in the trusted central site is the best activation option for these systems since they connect with the trusted central site at least once every 180 days. Additionally, KMS being the default activation method for Windows Vista there are no configuration change or product keys required on the individual systems. Best alternative options for this scenario include pre-activation or MAK-proxy activation.

CLASSIFIED INDIVIDUAL ISOLATED MACHINES

This scenario includes individual machines that have no guaranteed connection to even other trusted network. There are often machines in the secure isolated environment that has no connectivity even to the trusted central site for functions such as software update. This scenario is often referred to as BlackOps.

Microsofts Software Protection Platform

Page 7

There are multiple activation options applicable to the machines in this scenario. The options include pre-activation or MAK proxy activation by exchanging the data with the trusted network manually (i.e. fax, call, etc.,). In circumstances where the MAK based activation is not an option then grace-period or OEM-based must be considered.

Microsofts Software Protection Platform

Page 8