Vista Activation and Virtual Server VMs...?

Shepp

Hello,

Can someone explain how volume licensing and activation will work
using MAK with Vista and VMs? We run a Virtual Lab for R&D and we have
an MSDN Volume License for Vista (All flavors). We will not have enough
Vista VMs running to use KMS (as VMs don't count towards actual systems
running Vista and you need minimum 25 running Vista). Does anyone know
if VMs running Vista that activate using the MAK system will also not
count towards one's N-count of activations? In our environment we could
be bringing up a few Vista VMs one week and the next possibly bring up
10 or more. Then we may seal these VMs up after our product release
and for future projects bring up new VMs.


For all of our other supported OSs (2000, XP, 2003) we are able to use
one Volume License and activate unlimited # of times... but it seems
Vista will work differently.


Thanks,


Joel
 
Shepp

I've read this at least 2X and nowhere does it state if Virtual Machines
that use MAK activation do or do not count against one's N-Count (or System
count if you like), but the KMS section sure does:
"Systems operating in virtual machine (VM) environments can also be
activated using KMS, but they do not contribute to the system count."

Anyone from MS care to chime in and clear this one up?

Thanks,

Joel
 
Shepp

Since it appears that no one knows this answer, or those who do care not to
reply to this board, here is the official answer to my question (straight
from MS themselves):

MAK Activation - Virtual Machines DO count against your N-count of
activations, period.

KMS - If one does not have at least 25 PHYSICAL systems that will attach to
the local KMS, the KMS will never, ever contact the MS clearinghouse. Your
systems (or in my case virtual machines) will bark at you to activate after
the 30-day grace period... and if you try to point it/them at your KMS
again, they will go into reduced functionality mode (read: useless OS until
a real activation).

Hope this helps others, it sure has helped me. We now know that we have to
use MAK and that we will only activate Vista VMs that we really need to keep
running longer than the 30-day grace.

Enjoy!

Joel Sheppard
Sr. Lead QA Engineer
 
Joe Morris

[response to question about activations and virtual instances snipped]

Allow me to hook onto this thread for another activation question:

How does Microsoft expect to re-activate classified machines?

Initial activation isn't an issue; you build the system, activate it, and
then give it to the security people to bless with their tamper-proof tapes,
after which the box disappears into a secure vault, never again to see the
light of day.

But...at some point in the future the hardware changes. An additional disk
drive is added, two more sticks of memory are plugged in, and the system
board fries itself and is replaced. Vista now wants to be reactivated...but
being a classified machine, it cannot be connected to any network in the
outside world, and no information from the computer can leave the vault.

KMS activation is unworkable for the same reason, plus the fact that many
systems in vaults have no networking capabilities.

Conference calls with Microsoft about this have not yielded an explanation
of how Microsoft expects Vista to have any piece of the action in classified
areas. Has anyone on the list heard of a workable way to fix this (other
than abandoning any plans for Vista)?

And to go back to the original poster's problem: how can a virtual instance
of Vista be activated in a classified area?

Joe Morris
 
Dale

Telephone. Though you may have to use a runner since classified vaults
don't always have unclassified phones in them.

Dale
 
Joe Morris

Um...unless they've changed the rules while I wasn't looking, data in a
classified machine does not leave the classified area unless it's been
inspected, poked, prodded, dissected, reassembled, filtered, redacted, and
sent to Karl Rove for approval. The activation process involves a challenge
generated by the machine involved; Microsoft's activation tools (on the net
or on the other end of the telephone line) use the challenge to map the
request to a specific product ID, and then return a response. The client
machine then validates the response (ensuring that it really is a response
to the challenge the client generated) and declares itself holy again.

What procedures for classified operation do you know of that would allow the
challenge -- which as data within the classified computer would itself be
classified -- to be disclosed to Microsoft? Or has Microsoft convinced DoD
that its hashing is sufficient protection for all levels of classification?

Don't get me wrong; there may be a workaround to this that I'm not
seeing...but for now I'm still forced to assume that Microsoft totally
ignored the issue, at least until I talked to some of the managers in
Redmond in November after hearing about the everybody-is-considered-a-thief
activation policy for volume customers. If you (or anyone else) knows what
the solution is, please post a response here. My customers will thank you
(and so will I!)

Joe Morris


 
Dale

Well, then, perhaps Vista isn't for you.

While you can try to impress the world with your level of access, decisions
about what operating systems to use on classified government computers will
be made at sufficiently high enough of a level that the people making them
will not be looking at public newsgroups for answers.

Those people making the decisions will have input from and access to the
highest levels of Microsoft for answering their technical concerns for how
to protect classified material. Not only will they have exact, from the
horse's mouth, details on how to activate those computers - or run their own
KMS servers, they will also have access to the source code - and people
capable of reviewing and understanding that source code will be doing it.
There will be no need to use a newsgroup. *shaking my head*... Imagine..
our government uses public newsgroups for deciding how to protect the
nation's secrets. LMFAO

So, we're all quite impressed that you may work in a classified
environment... Now leave it for those who are able to make those decisions.

Dale

 
