Manage Privacy: Activation and Resulting Internet Communication
Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8
In this section
Overview: Activation in a managed environment
How a computer communicates with sites on the Internet during activation
This section discusses the purposes of product activation and how activation-related features communicate over the Internet. It explains steps to take to limit, control, or prevent that communication in an organization with many users.
Purposes of activation
Product activation reduces software piracy, helps ensure that Microsoft customers are receiving genuine Microsoft software, and helps to avoid the risks that are associated with the use of unlicensed software. Genuine Windows provides assurance that the software is reliable, and it helps protect against the security threats and increased cost-of-ownership that can be introduced by counterfeit software. Using genuine Windows products helps ensure that software is reliable as follows:
Ensures that the software is supported by Microsoft and its partners.
Assists with license compliance.
Enhances protection from the risks associated with counterfeit software, such as spyware, malware, and viruses.
Protects against the potential financial penalties and risks to an organization’s reputation due to using non-licensed software.
For Windows client, activation by phone or online is required. OEM installed Windows Server systems are pre-activated by the OEM.
If you acquire licenses through a volume license program, you can perform Windows volume activation and verify that the software is genuine by using the following features:
Active Directory-Based Activation
Key Management Service (KMS)
Multiple Activation Key (MAK)
For more information about volume activation, see Activation options with volume licensing later in this section.
Note
Product activation means that a specific product key becomes associated with the computer hardware that it is installed on. Making significant changes to computer hardware or other significant configuration changes may require that the activation process be completed again.
For more information about product activation, see Microsoft Product Activation.
Overview: Activation in a managed environment
In an environment with many computers you probably want to use an activation option that is designed for use with volume licensing. The following subsection describes these options.
Activation options with volume licensing
Organizations that have a volume license agreement have multiple options for activation:
Active Directory-based Activation Active Directory-based Activation enables you to use Active Directory Domain Services (AD DS) to store activation objects, which can further simplify the task of maintaining volume activation services for a network. With Active Directory-based Activation, IT pros can complete activations on their local network, which eliminates the need for individual computers to connect to Microsoft for product activation. With Active Directory-based Activation, no additional host server is needed, and activation requests are processed transparently with no user interaction or messages during computer startup.
Any computers with a Generic Volume License Key (GVLK) that are connected to an activated domain activate automatically and transparently. They stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the licensing service starts and renews every seven days. When this service starts, the computer contacts AD DS automatically, receives the activation object, and activates without user intervention.
Note
The AD DS schema must be at the server or client functional level for activation objects to be stored in AD DS.
Key Management Service (KMS) KMS is a role of the Software Licensing Service that allows organizations to activate systems within their network from a server where a KMS host key has been installed. With KMS, IT pros can complete activations on their local network, which eliminates the need for individual computers to connect to Microsoft for product activation. By default, KMS clients (GVLK on Client or Server) contact the KMS host and if that connection doesn’t happen within 180 days the system falls into Notifications mode. KMS does not require a dedicated system, and it can be cohosted on a system that provides other services. By default, volume editions connect to a configured KMS host to request activation. No action is required from the user.
Multiple Activation Key (MAK) A MAK is a volume license key that is used for one-time activation with activation services that are hosted by Microsoft. There are two ways to use MAK to activate computers:
MAK independent activation Each computer must independently connect and be activated by Microsoft over the Internet or by telephone.
MAK proxy activation A computer that is acting as a MAK proxy gathers activation information from multiple computers on the network, and then sends a centralized activation request to Microsoft on their behalf. MAK proxy activation is configured by using the Volume Activation Management Tool (VAMT).
For more information about the Volume Activation Management Tool, see Volume Activation Management Tool (VAMT) Overview
For information about Automatic Virtual Machine Activation (AVMA) see Automatic Virtual Machine Activation.
How a computer communicates with sites on the Internet during activation
If you are using MAK, OEM or Retail activation, you can activate over the Internet or by phone. The following list describes what is communicated when activation is done directly over the Internet:
Specific information sent or received: During the online activation process, the following information is sent to an activation server that is maintained by Microsoft:
Computer make and model
Version information for the operating system and software that is using Genuine Advantage
Region and language settings
A unique number that is assigned to your computer (a globally unique identifier or GUID)
Product key (hashed) and product ID
BIOS name, revision number, and revision date
Hardware ID – non-reversible hash of hardware component IDs.
Important
The tools do not collect a user’s name, address, email address, or any other information that Microsoft can use to identify or contact a person.
In addition to the configuration information above, the following status information is also transferred:
Whether the installation was successful, if one was performed
The result of the validation check, including information about any activation exploits and any related malicious or unauthorized software that is found, disabled, or removed
The name and a hash of the contents of the computer's start-up instructions file (commonly called the boot file) to help Microsoft discover activation exploits that modified this file
Note
If your system is identified as non-genuine, additional information may be sent to Microsoft to better understand why your system failed validation. This information can include error codes and the names and paths of files that compromise the integrity of your system.
For activation of an individual computer (where volume licensing is not being used), owners can allow the preceding information to be sent over the Internet to the activation system at Microsoft, or they can present the product key information and hardware hash (combined into one number) by phone.
Disabling Activation: Product activation cannot be disabled, but if you acquire licenses through a volume license program, you can perform Volume Activation through Active Directory-based Activation, the Key Management Service (KMS), or a Multiple Activation Key (MAK). For more information, see Activation options with volume licensing earlier in this section.
The system must be activated immediately upon installation. Failure to activate the Windows operating systems prevents you from being able to complete system customization.
Logging: Entries that track the progress of activation (for example, return codes and error codes) are logged in Event Viewer. If activation fails, you can use these events to troubleshoot the issue. To locate the events, click Windows Logs, click Application, click Source, and then click Security-SPP.
Encryption and storage: Data that is transmitted is encrypted during transmission by using HTTPS (that is, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with HTTP), and it is stored in Microsoft-controlled facilities. The data is accessible to a restricted number of support personnel who oversee and maintain the activation servers and the product activation program.
Privacy: Customer privacy was a paramount design goal in building the product activation technology. Microsoft uses the information that is sent to confirm that you have a licensed copy of the software. The information is aggregated for statistical analysis. Microsoft does not use the information to identify or contact a person.
Transmission protocol and port: When activating over the Internet, the first transmission uses HTTP through port 80. It communicates with go.microsoft.com to check the HTTP response code. A response code of less than 500 indicates that a product activation server is available. If the product activation server can be reached, any activation data that is sent by Windows Product Activation uses HTTPS through port 443 to sls.microsoft.com. For a complete list of all URLs and ports required to complete activation, see Using MAK Activation.
Additional references
For more information about volume licensing, activation, and Genuine Advantage, see the following pages on the Microsoft website: