Windows 2008/7 Offline activation via TBA

Microsoft, in their infinite wisdom, has imposed much stricter licensing controls in Windows Server 2008 and beyond. This is in an effort to stem the flow of piracy, which is probably pretty rampant in some communities. To help combat these evil forces in the world, Microsoft introduced Volume Activation 2.0. I won’t go into all the gory details about MAK and KMS keys, but suffice it to say that it’s not a totally offline experience. At some point the PC/server needs to either call home to Microsoft, contact an authorized KMS server, or be manually activated via the telephone.

As you can imagine, there are many cases where these options are totally unacceptable. Many of these cases are within Governments, Intelligence agencies, and other entities like foreign Governments.

Microsoft offers a third type of activation, available only to a very select set of customers, which can be completely offline. If packaged properly into a deployment image, the OS activates out of the box with no network connection whatsoever. This option is called TBA, or Token Based Activation. From TechNet:

Token-based activation is a specialized activation option that is available for approved Microsoft Volume Licensing customers. It is designed for specific scenarios in which the end systems are completely disconnected from the network or phone. This option enables customers to use the public key infrastructure (PKI) and digital certificates (or “tokens,” which are typically stored on smart cards) to locally activate Windows 7 (and Windows Server 2008 R2). Customers do not have to activate the software through KMS or MAK.

In its simplest terms, you work with your Microsoft account manager to understand the entire process. 🙂 But at a high level, you first obtain a special PKI certificate from a root certificate authority that you trust. You then submit certain properties of that certificate to Microsoft via some software. These properties are what the certificate Microsoft issues you in return, an Issuance License, checks against to verify that you are an authorized user of TBA.

When you combine all of the right pieces (generic VLK, your certificate, the Microsoft IL certificate, and your trusted root/intermediary certificate chain), Windows will activate without contacting any entity. All of these pieces can be sealed into your golden image, and when it is deployed, your server or client will be activated. Depending on your scenario and agreement with Microsoft, you may be required to use a hard token (such as a smartcard/CAC) or a software digital certificate file.

The bottom line is that you must work with your Microsoft technical rep, ask about “Token Based Activation,” and see if you qualify for such an arrangement. If you don’t qualify, then you are stuck with using MAK or KMS for product activation.

There are a lot more technical details, and I’ve oversimplified the entire process. But the end result is a set of files and procedures that allow your images to act like VLK 1.0 systems, which to the end user never appeared to need any activation. This technology is baked into Windows Server 2008 R2, Windows 7, and Windows Server 2008 SP2. Microsoft has a very detailed guide about the entire process called the “Token Based Activation Deployment Guide.” This document is not on the public Microsoft web site, so ask your Microsoft rep for a copy.

This method should also work for Office 2010, as it will require the same activation techniques as Windows Server 2008 and later. I’m very glad Microsoft has come up with this solution, although I found virtually no reference to it on Microsoft’s own web site.

As a side note, for those of you familiar with OEM activation, which is also completely offline, TBA is very similar. Instead of relying on specially digitally signed information in your system’s BIOS (SLIC 2.1), it relies on a hard token (smart card) or a soft token (PKI certificate file) for the authentication. The best place for additional information is your Microsoft rep, as there’s virtually no public information about this program. There are a few references here (search for the keyword token).

One final note: this method will work with KMS/VLK versions of Windows 7 Professional and Enterprise, and with all server editions. It does NOT work with retail copies of products such as Windows 7 Home Premium or Ultimate. Vista is compatible as well, but seriously, who uses that operating system?
