Dell, HP, Toshiba, Samsung (‘da big boys) are no longer shipping PC’s and laptops with Microsoft Windows 8 stickers. Smaller companies are still using Win8 Certificate of Authenticity (COA) stickers which contain the CD Key you need for resinstalls. Sooooo the question is, how are Dell, HP, Samsung… doing this, and if you are a corporate admin you should also be asking how you can survive an audit in this scenerio. Well, read on for the answers.
WHERE’S MY WINDOWS 8 KEY?
The key is now contained in your BIOS in an encrypted hash (and on many BIOS’ you can’t even see the hash through the standard BIOS interface). In other words, not only do you no longer get backup disks or CD key’s, you just have to take your manufacturers word that they have a legal install.
This new validation process is called OEM ACTIVATION 3.0 (or OA3.0) . Under OA3, if you wipe/replace the hard drive and then install Windows 8, the operating system knows how to read and decrypt the license key from the BIOS and then SHOULD automatically activate the appropriate version (i.e. Home vs Professional).
You might ask yourself what happens if your BIOS \ motherboard dies and the hardware manufacturer (i.e. Dell, Samsung…) replaces it… what then? I found the following in in a formerly “internal only” Microsoft staff training document, which basically says, the manufacture is on the hook for new license key either in the BIOS or a COA sticker:
Replacement motherboards may or may not have a key ejected into them, particularly since the supplier would have pay for the key when ejecting it….
…In situations where the motherboard of a machine is replaced and the hard drive is not reimaged, the machine will be out of tolerance. OEMs are required to provide users with a replacement product key for activation in these situations. Activating the new product key should succeed.
…The overall process of OEM Activation utilizes the following process:
- Microsoft generates and delivers OEM product keys to the OEM/Original Device Manufacturer (ODM). The OEM/ODM is responsible for securely storing these product keys
- The OEM/ODM runs a Microsoft provided tool to construct the Microsoft proprietary payload to the ACPI Microsoft Data Management (MSDM) table
- The OEM/ODM runs a BIOS/UEFI injection tool provided by the motherboard vendors or the in-house engineering team and injects the entire ACPI MSDM table into the motherboard.
- The OEM/ODM then reports the machine information, including the injected product key data and the local hardware ID (HWID) to a Microsoft OEM Ops server that forwards them to the Microsoft Activation and Validation Servers (AVS).
- The OEM/ODM ships the systems to end-users who activate and validate during (or after) the OOBE phase of setup.
- If significant hardware changes occur, end-users may be required to reactivate their installation.
Volume licensing activation continues to be a separate procedure from OEM and retail activation. Because the OA 2.x bypass style activation will continue to exist in Windows 8 for Server editions, SPPSVC must check for the product key type and determine the appropriate activation path for OA 2.x vs. OA 3.0. The figure below shows the flow of SPPSVC activating OA 3.0 installations.
The OEM ships the operating system with a generic edition specific key in the image (this is similar to a GVLK but its for use by OEMs). At first boot, if that key is present, the sppsvc retrieves the unique key from firmware ( MSDM table), injects that into the machine and attempts to activate using that key. So if the MSDM table does not contain a key, only the generic key is installed, which cannot activate. If the edition installed as the image does not match the key in the MSDM table, it will fail to install since the edition is different.
Replacement motherboards may or may not have a key ejected into them, particularly since the supplier would have pay for the key when ejecting it.
WHAT ABOUT SERVER 2012?
Oddly, OA3.0 does NOT apply to any versions of Server 2012; this is strickly a Windows 8 (and 9 and 10…) licensing model. OA3.0 will no doubt be hooked into future versions of Server, but that is not todays situation.
HOW DOES MY COMPANY SURVIVE A SOFTWARE AUDIT?
That is a good question. Right now I have no details other than Microsoft is being bombarded by customers asking these types of questions. When I get an official response, I will post it here.
In the interim, I can (safely?) guess that during a software audit, Microsoft will provide some software that scans all devices on the network and pulls some portion of the COA or the COA hash to prove you have the licenses you need.
You might find the following helpful if you need more information:
The following DELL video neglects to say that you MUST go into the BIOS, disable SECURE BOOT and enable LEGACY BOOT options if you want to restore your Dell from your recovery USB stick or CD/DVD (that you made prior to the hard drive needing to be wiped out… hope you did that!)