Volume licensing

In software licensing, volume licensing is the practice of using one license to authorize software on a large number of computers and/or for a large number of users. Customers of such licensing schemes are typically business, governmental or educational institutions, with prices for volume licensing varying depending on the type, quantity and applicable subscription-term. For example, Microsoft software available through volume-licensing programs includes Microsoft Windows and Microsoft Office.

Traditionally, a volume licensing key (VLK), which could be supplied to all instances of the licensed computer program, was involved in volume licensing. With the popularity of the software as a service practices, volume licensing customers only supply their software with credentials belonging to an online user account instead, which is used for other aspects of services and provisioning.

Overview
Traditionally, a product key has been supplied with computer programs. It acts analogously to a password: The computer programs of old ask the user to prove their entitlement; in response, the user provides this key. This key, however, must only be used once, i.e. on one computer. A volume licensing key (VLK), however, can be used on several computers. Vendors can take additional steps to ensure that their products' key are only used in the intended number. These efforts are called product activation.

Volume licenses are not always transferable. For example, only some types of Microsoft volume license can be transferred, provided a formal transfer process is completed, which enables Microsoft to register the new owner. A very small number of software vendors specialize in brokering such transfers in order to allow the selling of volume licenses and keys. The most notable of these, Discount-Licensing, pioneered the sale of Microsoft volume licenses in this way.

Microsoft
Microsoft has been engaged in volume licensing since its inception, as the enterprise sector is its primary market. With the release of Windows XP in 2001, Microsoft introduced Microsoft Product Activation, a digital rights management (DRM) scheme to curb software piracy among consumers by verifying the user's entitlement to the product license. At the time, however, the volume-licensed versions of Windows XP were exempt from this measure. (See .) Starting with Windows Vista, Microsoft introduced two volume licensing methods for IT professionals in charge of installing Windows in organizations, both of which are covered by Microsoft Product Activation: The first is Multiple Activation Keys (MAK), which are the same as Windows XP's volume licensing keys but require product activation. The second is Key Management Server (KMS) and its corresponding keys. Hosts activated via a KMS have to report back to a software license server once every 180 days. Licenses using these schemes can be procured via the Microsoft Software Assurance program.

A large group of Microsoft customers are OEMs that assemble and sell computers, such as desktops, laptops, tablet computers and mobile device. In the devices sold by these OEMs, Windows license data is stored in the computer's BIOS in an area referred to as the "ACPI_SLIC", so that KMS can detect the use of previous Microsoft products even with the storage device removed or erased. For Windows Vista and Windows 7, the SLIC data are complementary; a volume licensing product key is still supplied with the device, which the user needs in the event of reinstalling Windows. Starting with Windows 8, however, everything needed to authorize the device is stored with SLIC data.

In 2010, Microsoft introduced the Office 365 licensing program. in which Microsoft Office, Microsoft Exchange Server and Skype for Business Server products are licensed based on the software as a service (SaaS) model: In exchange for a monthly subscription fee, software, its updates, support for them, provisioning, administration, licensing and additional services are all provided through an online web-based dashboard. In this scheme, licensed apps communicate recurrently with Microsoft over the Internet; as such, a product key needs not be issued to the user. Instead the administrator needs to sign up for Microsoft account, which holds details such as licensed apps, their number, and payment methods. This account is protected by credentials such as a username and a password.

Adobe
Introduced in 2011, Adobe Creative Cloud is a SaaS offering in which software produced by Adobe, their updates, support for them, provisioning, administration, licensing and additional services are all provided over the Internet, in exchange for a monthly subscription fee. As with the Office 365, a user account registered with Adobe is all that is required to authorize software and store payment information.

Unauthorized use
Microsoft has blocked several volume license keys that have been abused in service packs, starting with Windows XP Service Pack 1. Microsoft even developed a new key verification engine for Windows XP Service Pack 2 that could detect illicit keys, even those that had never been used before. Several security consultants have condemned the move by Microsoft, saying that leaving a large install base unpatched from various security holes is irresponsible because this unpatched install base can be leveraged in large scale Internet attacks, such as Trojan horses used to send spam e-mail. Others have come to Microsoft's defense, arguing that Microsoft should not have to provide support for illegal users. After much public outcry, Microsoft elected to disable the new key verification engine. Service Pack 2 only checks for the same small list of commonly used keys as Service Pack 1. Users of existing installations of Windows XP can also change their product key by following instructions from Microsoft.

Leaked keys
A volume license key that was commonly used to bypass product activation in early versions of Windows XP was. This key was part of the first warez release of the final version of Windows XP by a group called devils0wn, 35 days before the operating system's official retail release on 28 August 2001. The key is now obsolete, as it has been blacklisted by Microsoft since August 2004, and affected computers will display a WGA notification. It was made famous partly because it featured in a popular image circulated on the Internet before the retail launch of Windows XP. In the image, the key is written on a CD-R containing the leaked operating system and held in front of a digital Microsoft sign counting down the days until the release of Windows XP.

Users using these keys will receive an error message when they install the latest service pack, and such users are told to obtain a legitimate license and change their product key.

Public KMS servers
Any client machine with the correct KMS client setup keys can authenticate against any KMS server. KMS client keys are well known and documented publicly by Microsoft. KMS servers require a minimum of 25 clients to properly activate, but also stop counting additional licenses beyond 50, and automatically accept any client key once reaching the 25 client threshold.

Businesses operating KMS servers are required to properly shield the KMS server behind firewalls so that it cannot be reached from the Internet and be used by the general public to authorize illegitimate KMS client keys. Public exposure of a KMS server can result in Microsoft revoking the server key, thereby disabling all attached clients.

External KMS server access is desirable for devices on long-term leave away from the corporate network, as KMS client activation will expire after six months of not being able to contact a KMS server. For this situation, a business can make it accessible through a virtual private network (VPN) known only to the devices outside the corporate network.

KMS server and client emulators
An unofficial KMS server emulator exists that will activate Windows or Office even if the software was not licensed or paid for, regardless of whether or not there are 25 or more computers on the network, and regardless of whether or not a previous version of Windows was installed. There is also a program that will send KMS requests to a legitimate KMS server, in order to fool the server into thinking that there are 25 or more computers on the network. Microsoft considers both of these exploits to be a violation of the Terms and Conditions.