Volume Activation in Disconnected Environments
Windows 7 and Windows Server 2008 R2
.jpg "Windows Server 2008 R2")
.jpg "Windows 7")
Microsoft Corporation
Published: June 2009
Abstract
This guide is for IT pros maintaining the Windows® 7 and Windows Server® 2008 R2 operating systems in disconnected environments. It describes activation techniques for operating systems in environments with no Internet connectivity.
On This Page
Introduction
High-security Zones
Branch Office Locations
Individual Disconnected Computers
Introduction
Product activation is the process of validating software with the manufacturer. Activation confirms the genuine status of a product and that the product key is not compromised. It is analogous to the activation of credit cards or new mobile phones. Activation establishes a relationship between the software’s product key and a particular installation of that software on a device.
Volume Activation is a configurable solution that helps IT pros automate and manage the product-activation process on computers running the Windows Vista®, Windows® 7, Windows Server® 2008, and Windows Server 2008 R2 operating systems licensed under a Microsoft® Volume Licensing program and other programs that provide Volume Licensing editions of Windows. This guide provides information to assist in a Volume Activation deployment specifically for the Windows 7 and Windows Server 2008 R2 operating systems in disconnected networks, such as branch offices and high-security zones within a production environment.
Volume Activation provides two models for completing volume activations: Key Management Service (KMS) and Multiple Activation Key (MAK). KMS allows organizations to activate systems within their own network, while MAK activates systems on a one-time basis using Microsoft’s hosted activation services. Customers can use either or both models to activate systems in their disconnected environment. For more information about both activation models, see the Volume Activation Planning Guide at https://go.microsoft.com/fwlink/?LinkId=155926, the Volume Activation Deployment Guide at https://go.microsoft.com/fwlink/?LinkId=150083, the Volume Activation Operations Guide at https://go.microsoft.com/fwlink/?LinkId=150084, and the Volume Activation Technical Reference Guide at https://go.microsoft.com/fwlink/?LinkId=152550.
Figure 1 summarizes the options available for disconnected environments. The following sections recommend activation methods for the following scenarios:
High-security zones
Branch office locations
Individually disconnected computers
.jpg "Activation methods for disconnected environments")
Figure 1. Activation methods for disconnected environments
High-security Zones
High-security zones are network segments air-gapped or separated by a firewall that limits or prevents communication to and from other network segments. If the computers in a high-security zone are allowed access to the core network by allowing TCP port 1688 outbound from the high-security zone and a remote procedure call (RPC) reply inbound, activate computers in the high-security zone by using KMS hosts located in the core network. This way, the number of client computers in the high-security network does not have to meet any KMS activation threshold.
If these firewall exceptions are not authorized and the number of computers in the high-security zone is sufficient to meet KMS activation thresholds, add a local KMS host to the high-security zone. Then, activate the KMS host in the high-security zone by telephone.
Figure 2 shows an environment that has a corporate security policy that does not allow traffic between computers in the high-security zone and the core network. Because the high-security zone has enough computers to meet the KMS activation threshold, the high-security zone has its own local KMS host. The KMS host itself is activated by telephone.
.jpg "High-security network scenario")
Figure 2. High-security network scenario
If KMS is not appropriate because there are only a few computers in the high-security zone, MAK Independent Activation is recommended. Each computer can be activated independently with Microsoft by telephone.
MAK Proxy Activation using the Volume Activation Management Tool (VAMT) is also possible in this scenario. VAMT can discover computers in this environment by using Active Directory® Domain Services (AD DS), computer name, IP address, or membership in a workgroup. VAMT uses Windows Management Instrumentation (WMI) to install MAK product keys and confirmation IDs (CIDs) and to retrieve status on MAK clients. Because this traffic is not allowed through the firewall, there must be a local VAMT host in the high-security zone.
Branch Office Locations
Figure 3 shows an enterprise network that supports client computers in three branch offices:
Site A uses a local KMS host, because it has more than 25 client computers and it does not have secure TCP/IP connectivity to the core network.
Site B uses MAK Independent Activation by telephone and MAK Proxy Activation, because KMS does not support sites with fewer than 25 KMS client computers and the site is not connected by a secure link to the core network.
Site C uses KMS, because it is connected to the core network by a secure connection over a private wide area network (WAN) and activation thresholds are met using core network KMS clients.
.jpg "Branch office scenario")
Figure 3. Branch office scenario
Individual Disconnected Computers
Some users in an organization may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers of salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection or an intermittent connection to the core network.
Disconnected computers can use KMS or MAK depending on how often the computers connect to the core network:
Use KMS activation for computers that connect to the core network—either directly or through a virtual private network (VPN)—at least once every 180 days and where the core network is using KMS activation.
Use MAK Independent Activation—by telephone or the Internet—for computers that rarely or never connect to the core network. Figure 4 shows disconnected clients using MAK Independent Activation through the Internet and also the telephone.
.jpg "Disconnected computers scenario")
Figure 4. Disconnected computers scenario