Vista on a closed LAN

  • Question

  • The Security Focus article on Vista: http://www.securityfocus.com/columnists/423/ quotes Vista's EULA: “from time to time validate the software, update or require download of the validation feature of the software”, pointing out that in addition to activation - a connection to the internet and allowed phoning home is a prerequisite to continue using Vista.

    Those of us who may want to deploy Vista on PCs that don't connect to the internet are out of luck. Right?

    Saturday, December 2, 2006 7:38 PM

Answers

  • Stevenestrada,

    If you scroll about 3/4 of the way down on this guide http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx, under troubleshooting it talks about OEM considerations; it appears that if the right marker is in the BIOS APIC table, OEM licenses for Vista can participate in KMS.

    However, in Table 1 of the same document, it says:

    "High security network (no external data transfer allowed)

    Data of any kind may not be transferred across network boundary.

    OEM activation may be the best solution in these scenarios."

    Monday, December 4, 2006 1:01 AM

All replies

  • Stevenestrada,

    The KMS volume activation model would seem appropriate for LANs that do not connect to the internet:  http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx

    http://www.microsoft.com/technet/windowsvista/plan/faq.mspx#EABAC

    Saturday, December 2, 2006 8:26 PM
  • Dan - thanks for the info. 

    New PCs may be purchased with preactivated OEM copies of Windows Vista and not connect to the internet.

    Can they be validated/revalidated through a license server?

    Sunday, December 3, 2006 11:43 PM
  • Dan,

    Thanks.

    If we get a case of PCs with preactivated OEM Vista, we can validate one over the internet, image it, then deploy that image to the rest on the closed net like we do with OEM XP Pro? Right? If audited - are the COA stickers enough?

    Saturday, December 23, 2006 4:21 PM
  • Microsoft - any comment on this?

    From Full Disclosure

    ---

    The other day I used my router to limit my Vista laptop from talking to anything but one subnet on the internet. 3 days later suddenly some things would not work.

    Solitaire failed to start, click on it and you get the magic donut showing it's starting up then nothing.

    Right click on network and pick properties you get the magic donut showing it's starting up then nothing.

    So I removed the routes so Vista could once again phone home and within a minute or two both solitaire and network properties worked just fine.

    Now this Vista system is less than 30 days old and has already been activated. So the claims that Reduced Function mode only kicks in if you don't activate within 30 days is bunk if this is Reduced Function mode.

    So I decided to trigger RF mode on purpose to see how it responds. I stopped the Software License service which claims that doing so will trigger RF mode. 24 hours later solitaire, network properties, and control panel all show the same behavior, the magic donut showing they are starting up then nothing. No events in event log, nothing.

    I then started the Software License service and presto like magic these functions work again. So I'm convinced that the machine being routed so it can't talk to MS triggered RF mode within a few days. Now to me this seems pretty clear even though it wasn't a real scientific method of testing. And further, this looks to me like an accident waiting to happen. I mean imagine if MS fell off the planet we would have a pretty major problem as the bulk of the world's computers started shutting down, talk about a security issue?

    http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051513.html

    Tuesday, January 2, 2007 2:17 AM
  • Stevenstrada:

    Regarding:

    <quote>

    The other day I used my router to limit my Vista laptop from talking to anything but one subnet on the internet. 3 days later suddenly some things would not work.
    Solitaire failed to start, click on it and you get the magic donut showing it's starting up then nothing.
    Right click on network and pick properties you get the magic donut showing it's starting up then nothing.

    </quote>

    I would like to understand if you stopped SLSVC as well when you configured this system to talk only to one subnet. SLSVC process must be running for licensing features to work and stopping SLSVC will result in RFM like behavior.

    If SLSVC has not been stopped in this process, then I would like to engage with you to find out more. I am unable to repro the behavior just by following the steps outlined above.

    Thanks,

    Srikanth [MSFT]

    Saturday, February 10, 2007 1:04 AM
  • Hello,

    Thanks for your interest.

    Based on the problems we're having with XP Pro on our closed LAN made from images infected with post August 2006 anti-piracy measures, some using WSUS for updates, it's doubtful if we'll be moving up to something potentially more trouble like Vista and its iteration of WGA. It's more likely recommendations will be to downgrade to older MS desktops and/or open source.

    After February 2007 update - domain admins logging in to WSUS patch managed XP Pro workstations on a closed lan with no internet access made from images not more than a few months old are getting Dr Watson dumps implicating a wga dll.    I put one of those computers on the internet, visited the MS update website with it, found a WGA update waiting, and installed it.  Back as a domain member, the trouble disappeared.   I sysprepped/resealed and pushed a new image from it out - OK so far.  The month before WMP11 kept asking everyone to validate even when 1st run was by an admin. The month before - something else.    Since the master images are stuck with WGA and WSUS doesn't include WGA, and the problem cleared with a WGA update just applied, this may be a hint WGA may be time bombed.

    Because of continuing problems, and the difference between what I read and experience concerning WGA - I believe it may just be a matter of time before all the XP Pro computers on my closed LAN - whether they update through WSUS, or not at all - will someday complain of being pirated and/or completely stop working.

    Sunday, March 18, 2007 2:41 PM