Home > Sample chapters

Designing a Client Life Cycle for Windows 7 Desktop Administrators

Lesson 1: Designing and Managing a Licensing Strategy

The licensing strategy that you choose depends on the circumstances of your Windows 7 deployment. When you are determining which strategy to pursue, you must take into account factors such as client connectivity to the Microsoft activation servers on the Internet, the number of clients that you need to activate, and the editions of Windows 7 that you have chosen to deploy. In this lesson, you learn about the licensing and activation options that are available to volume licensing customers and how these differ from the licensing and activation options available to normal retail customers.

Windows 7 Editions and Licensing

Windows 7 uses three types of license: the OEM license, the retail license, and the volume license. OEM licenses are tied to a specific hardware vendor. This license type is used with computers that are sold with Windows 7 already installed by the vendor, such as those you might purchase from your local computer retailer. The product keys associated with an OEM license do not allow you to transfer the license to a computer made by a different vendor. Computers that have OEM licenses undergo activation prior to being deployed to customers.

Retail keys are provided when you buy a retail copy of Windows 7. You can use the Home Premium, Professional, and Ultimate editions of Windows 7 with retail keys. Because a retail key is used only for a single computer, this type is not used with zero touch or lite touch automated volume deployments.

Volume License keys are made available to organizations that have a volume licensing agreement with Microsoft. Volume licenses include the Open, Select, and Enterprise agreement types. You can use volume license keys only with computers running the Windows 7 Professional and Enterprise operating systems. You can use a mixture of retail, volume license, and OEM keys in an organizational environment.

Windows Product Activation

Each computer that runs the Windows 7 operating system installed in your organization must undergo Windows Product Activation (WPA). Microsoft uses WPA to ensure that it is possible to use the Windows 7 operating system on a computer only when the computer has a license. Windows 7 must undergo the WPA process within 30 days of the completed installation. You can extend this 30-day period to a total of 120 days by using the slmgr.vbs–rearm command. Each use of this command extends the activation period for 30 days. You can use this command to extend the activation period only three times. After the grace period expires, the WPA process must successfully occur or Windows enters reduced functionality mode.

WPA relies on two specific identifiers and a third identifier that Windows generates based on the previous two identifiers. These identifiers have the following properties:

  • Hardware ID This identifier is generated using information about computer hardware configuration. This ID is unique and changes if the hardware configuration of the computer changes.

  • Product ID 25-character key. This is either a retail key or a Multiple Activation Key. Unless Key Management Services is in use, this key must be input on the computer running the Windows 7 operating system. You can deploy keys through the unattended installation process. You learn about Key Management Services and deploying keys in an unattended installation later in this lesson.

  • Installation ID Windows 7 generates this ID using the Hardware ID and Product ID. You forward the installation ID to Microsoft when you perform an activation using the telephone.

During the online WPA process, the computer forwards the Product and Hardware IDs to Microsoft activation servers. If the activation check determines that the Product ID has not exceeded its allowed number of activations, the activation servers record the Hardware ID and Product ID, the number of recorded activations for the Product ID is incremented, and the activation servers forward an activation code to the client.

Microsoft allows you to reinstall and reactivate Windows 7 on the same computer once without incrementing the number of recorded activations. Substantially altering the computer’s hardware configuration also triggers reactivation. This can cause problems if a prior event has triggered a reactivation: you might need to contact Microsoft if a single computer goes through several rapid hardware configuration changes that prompt multiple reactivations.

Volume Licensing Activation Methods

You can choose from two methods for performing volume licensing activation: Multiple Activation Keys (MAK keys) or Key Management Services. In the real world, one method is more appropriate for some situations but in other situations, the choice is a matter of personal preference. You often need to choose a volume activation method prior to deploying client computers running the Windows 7 operating system. In the next few pages, you learn about the solutions that you can implement and the types of situations in which you would choose one volume licensing activation method over another.

Multiple Activation Keys

MAK keys are special keys that allow an organization to perform multiple activations using a single key. MAK keys are similar to retail keys except that instead of allowing a single activation, they allow multiple activations from different computers to occur up to the limit defined by the particular key. The number of activations that a MAK key allows depends on the number you purchase when you obtain the key. You cannot recover an activation on a MAK key after you have consumed it. For example, if an organization uses a MAK key and replaces one computer running Windows 7 activated using a MAK key with another computer, the replacement computer consumes a new activation of the MAK key. In some scenarios, this circumstance makes KMS a preferred solution to MAK key activation.

As a single key is used, you can add MAK keys images when deploying them centrally. When using the Sysprep utility to prepare an image, you add a MAK key to an image during the Specialize configuration pass. When performing a traditional installation, you can enter MAK keys in the same way that you would enter a retail key. The main issue that requires consideration when using a MAK key is how you will perform activation.

You can activate a MAK key in one of two ways:

  • MAK Independent Activation Similar to normal retail activation in that it requires that each computer independently activate. You can activate the key automatically over the Internet or use the telephone to call the licensing clearinghouse. MAK Independent Activation is a good option for locations in which you do not have sufficient numbers of clients to make KMS or MAK Proxy Activation viable. For example, if you plan to deploy five clients on an isolated network, it is simpler for you to perform MAK Independent Activation over the telephone than it is to configure MAK Proxy Activation for such a small number of clients.

  • MAK Proxy Activation Allows administrators to configure activation of multiple independent clients using a single connection to Microsoft. MAK Proxy Activation is suitable for isolated networks that do not meet the KMS client threshold but have sufficient numbers of clients to make independent activation more time consuming than configuring proxy activation. For example, consider MAK Proxy Activation for an isolated network of 23 clients for the Windows 7 Enterprise operating system. Performing 23 separate telephone activations would take more time than configuring proxy activation. To use MAK Proxy Activation, you need to configure the Volume Activation Management Tool (VAMT). You learn about the VAMT in the next section.

Volume Activation Management Tool

The Volume Activation Management Tool (VAMT) allows you to collect activation requests from multiple computers and then forward those requests to Microsoft all at one time. After the VAMT receives the activation confirmation identifiers from Microsoft, it can distribute those IDs back to the computers that originally requested activation. The term for this process is MAK Proxy Activation, described previously.

The VAMT stores activation confirmation identifiers in a database called a collection. Because these identifiers are stored locally, you can perform operating system reactivation without being required to initiate a new connection between the computer hosting the VAMT and Microsoft. This allows organizations to reimage computers without the concern of consuming an additional activation on an existing MAK key. You can use the Volume Activation Management Tool to transition client computers between MAK and KMS volume activation if necessary.

To use MAK Proxy Activation, perform the following general steps:

  1. Install the VAMT on a computer on the isolated network and the VAMT on a computer that is located on a network connected to the Internet. For the purposes of this explanation, the computer on the isolated network is VAMT-Isolated and the computer on the connected network is VAMT-Connected.

  2. Create a computer group named Isolated Computers on VAMT-Isolated. Use the VAMT discovery process to discover the identity of the computers on the isolated network.

  3. Add the MAK key to the VAMT on computer VAMT-Isolated. Right-click the Isolated Computers group on VAMT-Isolated and then choose the MAK Proxy Activate option. Make sure of the following:

    • The Get Confirmation ID From Microsoft check box is not enabled.

    • The Apply Confirmation ID And Activate check box is not enabled.

  4. When VAMT finishes assigning the MAK keys on the isolated network, save the collection file on VAMT-Isolated, and then transfer and import the collection file to the VAMT-Connected computer. This action populates the VAMT on VAMT-Connected with the Isolated Computers group.

  5. On the VAMT-Connected computer, right-click the Isolated Computers group and then choose MAK Proxy Activate. Make sure of the following:

    • The Get Confirmation ID From Microsoft check box is selected.

    • The Install MAK (Overwrite Existing) check box is not selected.

    • The Apply Confirmation ID And Activate check box is not selected.

  6. VAMT on VAMT-Connected now interacts with the Microsoft servers and procures confirmation identifiers.

  7. After the confirmation IDs have been obtained from the Microsoft servers, export the collection with a new name. Transfer this file to the VAMT-Isolated computer and import the file.

  8. After you import the file, save the file in a secure location such as a removable flash device placed in a safe. This allows you to perform reactivation if it is necessary to reimage hosts on the isolated network.

  9. On VAMT-Isolated, select the Isolated Computers group and choose MAK Proxy Activate. Make sure of the following:

    • The Apply Confirmation ID And Activate check box is selected.

    • The Get Confirmation ID From Microsoft check box is not selected.

    • The Install MAK (Overwrite Existing) check box is not selected.

  10. VAMT assigns the confirmation identifiers to computers on the isolated network, activating them.

You can configure VAMT clients on an Active Directory computer account, a stand-alone workgroup membership, a fully qualified domain name, or an IP address, as shown in Figure 2-1. The tool also allows you to see the current licensing state of clients on your network, allowing you to determine whether your organization is compliant with the number of purchased licenses.

Figure 2-1

Figure 2-1 Volume Activation Management Tool

You can also use the VAMT to activate a large number of computers that are located on a network connected to the Internet. The name for this process is MAK Independent Activation. When you perform MAK Independent Activation, the VAMT installs the MAK key on a group of selected computers and then prompts those computers to undergo the activation process on Microsoft activation servers.

Key Management Service

Key Management Service (KMS) allows you to place an activation server on the local area network. Rather than activate on the Microsoft activation servers on the Internet, clients activate on the KMS server on the LAN. Clients locate KMS servers using DNS. Because KMS provides activation servers, you should not expose a KMS server to hosts on the Internet by allowing direct access from the Internet. You can also configure clients to use a specific KMS server by using the VAMT. Computers running the Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2003 operating system can function as KMS servers. When you configure a computer running Windows Server 2008 R2 as a KMS server, you can activate both server and client operating systems. When you configure a computer running the Windows 7 operating system as a KMS server, it is able to activate only computers running Windows client operating systems.

A certain number of clients must contact a KMS server before the KMS activation can occur. This number is the KMS activation threshold. Clients activating on the KMS server can be running in a traditional hardware deployment or as virtual hosts. The KMS activation threshold differs between clients and servers and is as follows:

  • The KMS client threshold is 25 Windows clients.

  • The KMS server threshold is five servers.

When a new client or server contacts the KMS server, the server increments the activation count by one. Clients do not activate until the activation count reaches the threshold value. Clients contact the KMS server every two hours until the activation threshold is reached or the activation grace period expires. After the activation count on the KMS server exceeds 5, any servers that contact or have contacted the KMS server successfully activate. After the activation count on the KMS server exceeds a value of 25, clients that contact or have contacted the server successfully activate.

To configure a host to function as a KMS server, perform the following steps:

  1. Install the KMS key on the computer that will function as the KMS server. This computer can be running the Windows 7 operating system, although this means that it is able to activate only Windows client operating systems and is unable to activate Windows server operating systems.

  2. Activate the computer that you installed the KMS key on with Microsoft over the Internet or by using the telephone. After activation is complete, the computer functions as a KMS server.

Each KMS key can be installed on up to six computers that will function as KMS servers. Each KMS server can be reactivated up to nine times with Microsoft, should it be necessary. If your organization needs more than six KMS servers, you must contact a Microsoft Licensing representative to enable additional activations for the organization’s KMS key. For example, if your organization has 12 separate sites covered by a single Volume Licensing agreement and a KMS server is to be placed at each site, you need to enable additional activations for the organization’s KMS key.

After a KMS client has been activated, it tries to reconnect with the KMS server every 7 days but must reconnect with the KMS server at least once every 180 days. If the client is unable to reconnect with the KMS server in 180 days, it enters a reduced functionality mode. Each time a KMS client successfully connects with a KMS server, the 180-day activation countdown timer is reset.

Software Licensing Management Tool

The software licensing management tool is a command-line utility that you can use to manually manage licensing. The tool uses the slmgr.vbs script. Unlike VAMT, which you must obtain and install manually, slmgr.vbs is included in a default installation of the Windows 7 operating system. The slmgr.vbs script is usually run locally from an elevated command prompt. You can also use it to manage licensing on computers configured for remote management. You can configure the slmgr.vbs command to perform the following tasks:

  • Install and remove product keys from hosts.

  • Display current host licensing information including current license expiration date.

  • Force a host to undergo the activation process.

  • Configure a client to use a KMS server and specify the address of the KMS server.

  • Extend the evaluation period by 30 days up to three times.

Lesson Summary

  • MAK keys and KMS can be used only with editions of Windows 7 that support volume licensing. Only the Windows 7 Professional and Enterprise editions support this type of licensing.

  • A KMS server requires 25 clients before it can function. A client must check in with the KMS server every 180 days.

  • You can use the VAMT to perform MAK proxy activation.

  • You add the MAK key to an operating system image using Sysprep during the configuration pass.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Designing and Managing a Licensing Strategy”. The questions are also available on the companion CD if you prefer to review them in electronic form.

  1. You need to deploy the Windows 7 operating system to 10 computers that are located on a network isolated from the Internet. These computers have been custom-built using hardware purchased from different vendors. These 10 computers are the only hosts on this network. These computers have the Windows 7 Enterprise operating system installed. Which of the following components should you deploy in your solution?

    1. Retail key

    2. MAK key

    3. OEM key

    4. KMS server

  2. Your organization has an isolated network with one computer running the Windows Server 2008 R2 operating system. This server is configured as a KMS server and uses KMS for activation. How many clients running the Windows 7 Enterprise edition operating system must you add to this isolated network before clients can successfully activate using the KMS server?

    1. 4

    2. 9

    3. 24

    4. 29

  3. Which of the following methods can you use to activate 15 clients using a MAK when they are on a network isolated from the Internet? (Choose all that apply; each answer forms a complete solution.)

    1. MAK Independent Activation

    2. MAK Proxy Activation

    3. KMS

    4. Telephone activation

  4. You are using Sysprep to prepare a Windows 7 Enterprise image for deployment. During which Sysprep configuration pass do you add the MAK key?

    1. auditUser

    2. Generalize

    3. Specialize

    4. auditSystem

  5. Which of the following editions of Windows 7 support volume licensing? (Choose all that apply; each answer forms a complete solution.)

    1. Enterprise

    2. Ultimate

    3. Professional

    4. Home Premium