The Austrian Ministry of Education (MoE) is a large educational institution committed to steering Austria’s schools to new levels of achievement. A key strategy for the MoE is ensuring that Austrian students always have access to the most current software available. To this end, the MoE sought to deploy Windows Vista® Enterprise operating system and Windows Server® 2008 operating system across its 812 secondary schools. This case study focuses on the software deployment approach that the MoE used, which proved to be a great example of the flexibility of the Microsoft deployment and activation technologies. As the MoE discovered, despite dramatic variations of IT infrastructure throughout its secondary schools, it was still able to implement a multi-tiered activation strategy that worked for individual school systems and their varied IT infrastructures.
Profiles and Background
The Austrian MoE is an administrative organization that not only provides strategic guidance to the Austrian school system but also has specific authority, including budgetary administration, for 812 secondary schools (“member” schools) that are broadly dispersed throughout Austria. Despite MoE oversight, the individual member schools have historically maintained some autonomy in IT system architecture and purchasing decisions, which has led to considerable differences among network infrastructures, software and hardware, and on-site IT capabilities.
In reference to a key MoE objective, Dr. Robert Kristoefl, the Information Technology department head for the MOE, stated:
||It’s important to us that our students have access to up-to-date technologies and IT solutions, so that when they graduate, their knowledge and skills are current and relevant.
||Dr. Robert Kristoefl
Department Head, Information Technology
Austrian Ministry of Education
“It’s important to us that our students have access to up-to-date technologies and IT solutions, so that when they graduate, their knowledge and skills are current and relevant.”
To achieve this objective, the MoE signed (and continues to renew) an umbrella Microsoft Volume Licensing (VL) agreement. The MoE also partners with ACP IT Solutions (ACP), an Austrian-based Large Account Reseller (LAR) that provides a comprehensive IT portfolio for its customers, including IT services, hardware, software, solutions, and financing. The MoE chose an umbrella VL agreement, rather than dividing funds among individual schools, because such an agreement would cover licensing for all of its member schools, yielding cost efficiencies and enabling standardization of technology across all of the schools.
The MoE maintains strong ties to the Microsoft Austria Education Team, whose primary goal is to ensure that the MoE and its member schools are successful in their use of Microsoft software. The Education Team is comprised of Account Representatives for the MoE and a number of Technical Advisors who work with individual schools as consultants. “Our goal is to help the MoE and its member schools reach the point where they can sufficiently help themselves,” said Thomas Hauser, a Microsoft Technical Advisor who actively helped the MoE with its Windows Vista deployment.
Situation and Challenges
With the release of Windows Vista Enterprise and Windows Server 2008, the MoE was eager to make the new software available to its schools, and the schools were equally eager to provide the software to its students.
The MoE’s primary goals for this deployment included:
- Ensure that each school’s IT team had the resources needed to deploy successfully
- Improve compliance with the license terms of the umbrella VL agreement
- Manage all product keys in a more secure and centralized manner, both now and in the future
Given these goals, it was clear that the MoE’s activation strategy would be a key factor in the overall success of the software deployment. Accordingly, the Microsoft Education Team was excited to work with the MoE to help create an efficient and effective activation plan. As Hauser stated, “Microsoft has a broad set of activation tools, and we wanted to help the MoE get the most out of those tools.”
Volume Activation automates the activation process through the use of volume media and volume activation keys, such as Key Management Service (KMS) and Multiple Activation Keys (MAK). With KMS, organizations can connect client PCs to a local KMS host to activate PCs the first time, and then reconnect at least once every 180 days to keep activation current. KMS is capable of activating an unlimited number of PCs, so it works well for large VL agreements similar to the MoE’s environment. With MAK activation, organizations can activate single or multiple computers, either by connecting to Microsoft servers over the Internet or by calling Microsoft directly. MAK activation is simplified by using the Volume Activation Management Tool (VAMT), which enables organizations to manage MAK-activated systems throughout their deployments. For a more thorough overview of activation methods, please see the Volume Activation site on TechNet.
With the release of Windows Vista, Microsoft introduced a rich set of improved technologies and tools for Volume Activation (VA). These VA technologies were designed to automate the activation process for end users. These technologies include several activation tools: Key Management Service (KMS), Multiple Activation Keys (MAK), and the Volume Activation Management Tool (VAMT), all of which ended up being used as part of the MoE’s comprehensive activation solution. (See the sidebar for more information on VA.)
In the initial phase of activation deployment, the MoE faced two key challenges: first, how to handle activation and the associated product keys among schools with widely varying IT infrastructures, and second, how to help minimize product key leakages and misuse.
Activation Plan and Pilot
Since the MoE was working toward centralized management of its licenses, the Microsoft Education Team recommended that the MoE set up a Key Management Service (KMS) on a centralized server from which it could host the single KMS key. The member schools could then activate each eligible PC through a connection to the centralized KMS host. The diagram below illustrates this centralized KMS approach:
Using this approach, activations could be automated and transparent for each school’s IT team. “Our school administrators liked this new approach because it eliminated the need for individual systems to contact Microsoft for activation reasons,” explained Dr. Kristoefl.
With the goal of implementing the approach illustrated above, the Microsoft Education Team and ACP worked together to develop the following activation plan for the MoE:
- Microsoft would help the MoE set up a KMS server to host the KMS key.
- Since some schools’ IT resources were less experienced technically, Microsoft would create documentation for schools to use to create a Virtual Private Network (VPN) connection to the KMS host in order to activate their eligible PCs.
- ACP would provide each school with a unique password to help set up the VPN in a secure fashion.
Once these items were in place, each school would create a VPN connection to the KMS host, enter the unique password to complete the connection, and activate its qualifying software.
The MoE approved of this plan and appreciated the assistance it received from Microsoft and ACP to develop the solution. “We were very pleased with the way the Microsoft Education Team and ACP worked together to help us implement the plan. We felt supported throughout the entire project,” said Dr. Kristoefl.
Once the KMS host was deployed at the MoE, two schools were chosen to participate in a pilot. Both schools used Microsoft® Internet Security and Acceleration (ISA) Server 2006 for the VPN connection, connected to the KMS host, and successfully activated using the KMS. Given the pilot’s success, the decision was made to open up the KMS host for all of the member schools.
Opening Up Centralized Activation to All Schools
To launch the solution broadly, the MoE notified each school of the new activation process and provided the school with the required documentation to connect to the KMS host and activate its software.
As individual schools began to attempt the centralized activation process, it became evident that the KMS was operating seamlessly. In fact, the single biggest factor for success was the VPN connection. If a school could create the VPN connection, then it was able to activate its eligible software using the KMS. However, the VPN connection itself became a considerable challenge for some schools.
Challenge—the VPN Connection
While system variances are always a factor in large deployments, no one anticipated the degree of variation among the schools. According to Hauser, “The schools used a vast array of different firewall and networking products, adding a great deal of complexity to the problem.”
Providing Local Activation
For those schools unable to connect to a centralized KMS, the next logical alternative was to provide a KMS activation solution at the local school level.
This plan consisted of hosting KMS at individual schools. Doing so would require the following:
- The MoE was provided with a KMS key with sufficient activations for each designated school (since, by default, each KMS key is configured for use on a maximum of six host machines).
- A private website would be established so that schools could get the KMS key.
- Microsoft would provide documentation for setting up a local KMS.
- Microsoft Technical Advisors would work with individual schools, as needed, to provide local support.
- Each school would use its local KMS installation to activate all eligible software.
Since the MoE had limited development resources, it called upon ACP to create a website to help the schools get their local KMS key in a secure manner. “When the MoE approached us to develop the website, we understood their requirement for high levels of security, and we were pleased that we could offer our expertise to provide a solution that met their needs,” said ACP’s Christian Scheffenacker.
Once the site was developed, activation could begin by having a school administrator access the website and provide a set of required data including the school’s name, an identification number, the number of eligible PCs at the school, and the administrator’s name. Upon validation of the data, the website displayed the school’s official e-mail address (provided by the MoE), which the administrator could validate. The matching KMS key and the documentation for setting up the KMS were then sent to the valid e-mail address. The administrator then set up the local KMS and used it to activate all of the qualified systems at the school.
While this local KMS solution proved successful with many of the schools, there were some situations where systems simply could not be activated using KMS. Situations where the local KMS solution would not work included:
- Not Enough Systems to Use KMS: KMS requires a minimum of 25 machines or five servers to connect to it before it will activate a single machine, so it’s not a solution for environments that do not meet those minimums.
- No Network Connection: If a PC could not be connected to a network for either the activation period or the required 180-day interval, then KMS was not an alternative.
- Systems without a Qualifying Operating System: During deployment it was discovered that some target systems didn’t have the required qualifying operating system license. These systems were purchased from PC manufacturers without pre-installed Windows licenses. KMS activation will not work on systems sold by PC manufacturers without pre-installed licenses of Windows® included.
Dealing with Activation Anomalies
To deal with the situations described in the previous section, it was clear that something other than a KMS approach would be required for some schools. Fortunately, VA includes tools for such cases. As a result, Microsoft developed a plan using the MAK and VAMT tools.
Because there were a number of individual schools that required a MAK/VAMT solution and because those schools were geographically dispersed, the MoE wanted to maximize manageability and help provide secure tracking of keys. As a result, it was decided that rather than burn the MAK into a single image and distribute it among the schools, the MoE would acquire separate MAKs for each school and have each school acquire the appropriate MAK through ACP's website.
The proposed solution included the following:
- Microsoft would work with the MoE and acquire MAKs with sufficient activations for each designated school.
- ACP would add workflow to the website through which eligible schools could acquire their respective MAK.
- Microsoft would provide documentation for using the MAK for activation and VAMT for managing activation information.
- The school would use the MAK to activate all eligible software.
The first step in the process was for a qualifying school’s administrator to log into the website provided by ACP and validate his or her identity by supplying required information. The administrator would then select options indicating (1) that the administrator had a comprehensive understanding of the licensing terms and conditions and (2) that the administrator’s school had the correct qualifying base licenses from the PC manufacturer for all eligible PCs.
After selecting the appropriate options, the school’s official e-mail address would be displayed for the administrator to validate. After the administrator validated the address, MAKs equal to the number of PCs for the school (a number which was collected as part of the process) would be sent to the valid e-mail address. Additionally, the site would e-mail the documentation for using the MAKs and VAMT to activate the respective systems.
Finally, in cases where administrators were unsure about the licensing from the PC manufacturer or needed to buy more licenses, they could request direct help from ACP through an additional option provided on the website.
This solution, though the least efficient of the three described, allowed the remaining schools to activate their software while working toward developing an infrastructure that could take advantage of the economies of the two KMS solutions previously described.
Solution Impacts and Benefits
The multifaceted activation solution described in this case study—with its centralized KMS, local KMS, and MAK strategies—was successful in resolving the MoE’s activation needs for Windows Vista and Windows Server 2008. As with all deployment plans, the MoE’s activation solution had its impacts and benefits. The following is not intended to be a comprehensive list of key impacts and benefits, but does summarize some of the most important elements of the solution.
The centralized KMS approach to activation was the most efficient of the three approaches, based on the aggregate number of administrative steps required for deployment as well as the efficiencies gained from maintaining a centralized KMS host versus maintaining multiple KMS hosts distributed throughout the schools. Nevertheless, there were two primary impacts. KMS had to be installed on a central server at the MoE to host the single KMS key received through the VL purchase. Also, schools needed a VPN connection to the KMS host to activate their eligible software and renew it in the future.
In situations where schools could not connect to the central KMS host but could install KMS on a local server, three primary impacts resulted: a local KMS server had to be set up within the school’s network, a KMS key had to be made available for local use at each school, and a website had to be developed through which the schools could acquire their KMS keys.
For schools that were unable to take advantage of either of the KMS solutions, MAKs were made available for use those schools, a workflow was added to the website for eligible schools to acquire their MAK, and individual schools used the MAK to activate their eligible software by contacting Microsoft (either over the Internet or by phone). In addition, individual schools used VAMT for discovery and management of system activation status.
For each strategy, step-by-step guides were provided to help schools implement their activation plan. This documentation has proven successful among the schools’ IT groups, especially those with less experienced teams, and has also provided consistency as some of the personnel on the IT teams at the schools and the MoE has changed over time. In addition to the guides, a degree of on-site technical support was sometimes required at individual schools, depending on the technical expertise of the local IT team.
One of the primary benefits to both the MoE and its member schools was being able to make current versions of Windows Vista and Windows Server 2008 available to the students at those schools. In addition, the member schools benefited, and continue to benefit, from having activation tools that simplify initial activation, provide current activation status, and automatically refresh activation as needed. Finally, schools with KMS solutions no longer need to connect to Microsoft for any activation tasks.
For the MoE, additional benefits included being able to provide a VA solution to all member schools, despite the great diversity of IT infrastructures, and taking a major step toward ultimately having a completely centralized KMS activation solution, with centralized management now and into the future. Another benefit was being able to help provide schools a secure means by which to acquire their activation key(s), minimizing key leakage through the use of both KMS keys and MAK.
To varying degrees, the MoE, ACP, and the Microsoft Education Team learned several important lessons as a result of implementing the activation solutions described above.
The Costs of Diversity and Benefits of Standardization
Across the board, the biggest challenge was the diversity of IT infrastructure across the schools. Had the schools been able to standardize on a limited number of approved networking and firewall solutions prior to the project, more targeted documentation and tools could have been provided, fostering greater expertise among local IT administrators and providing better support for a smaller number of unique problems. This would have saved the MoE and its member schools time and other resources. As Dr. Kristoefl stated, “At the ministry, we’d always thought of the benefits of standardization as only applying to us, but through this experience, we’ve learned what each individual school has to gain from standardized IT environments as well.”
The Flexibility of Microsoft Volume Activation
As has been illustrated throughout this case study, VA includes a wide variety of technologies and tools that can be used across extremely diverse installations. The MoE appreciated that VA included a cascading set of solutions, from completely centralized activation management to the realities of unique local activations. ”We were very pleased that Microsoft provided activation solutions that met our needs, even in cases where schools had individual machines that were nonstandard or completely disconnected from any network,” said Dr. Kristoefl.
As the project progressed, it became increasingly clear that a shared understanding of VL requirements is important for IT and purchasing personnel at all levels of the organization. For example, when it came time to upgrade and activate, some schools discovered that some of their PCs did not have the qualifying base licenses required for the VL software upgrade.
Microsoft Volume Activation and the Windows Marker
The teams learned that before implementing an activation solution, it’s important to know which machines within the organization have a Windows Marker in the firmware (and can use a KMS solution) and which do not (and thus require a MAK solution). This knowledge allows for appropriate activation planning.
Despite the great amount of variation among IT infrastructures at its 812 member schools, the Austrian Ministry of Education was able to use VA tools to provide a three-tiered set of activation solutions for deploying Windows Vista Enterprise and Windows Server 2008. Depending on the specific needs of an individual school, the solutions provided activation through (1) a centralized KMS host, (2) local network KMS hosting with the release of local KMS keys, or (3) a MAK solution with the release of appropriate multiple activation keys in environments where KMS could not be implemented. Using these activation technologies, tools, and solutions, the MoE can better manage the licenses for its Microsoft products now and is better positioned for managing software activation in the future.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.