A Secure Way to Activate the Windows Server 2016 without Internet Connectivity
XYZ Company is a leading provider of electronic systems for military, security, and commercial aviation customers. XYZ is an agile innovator; founded in the 90s, it now has over 30,000 employees worldwide and annual revenues of USD 9 billion.
XYZ Company was planning to use the Windows Server 2016 as the OS for their full-body scanner system project. However, traditional OS activation requires an internet connection for the system to access the Microsoft activation server where product key validation is performed. For security reasons, body scanner systems cannot have an internet connection. Without a connection, the OS activation on these systems is very difficult to achieve.
If no solution could be found, XYZ would have needed to explore the possibility of pre-activating the OS on these systems before shipment. However, this method presented many potential complications. First, it would result in increased labor costs on the production line. Second, pre-activation ran the risk of not being compliant with security regulations. Third, it would be troublesome if the system required re-activation in the field.
XYZ was looking for a solution that bypassed OS activation via an internet connection.
After consulting with the Advantech software team, a solution was found. Advantech leveraged a special mechanism that activated the OS by pairing the pre-inserted key in the OS with a matching certificate in the BIOS. This method did not require an internet connection and didn’t perform activation automatically during the first system boot up. If the BIOS did not have a certificate to pair with the key in the OS, activation would fail.
XYZ Company provided Advantech with their custom OS image and Advantech took care of the rest. The entire process included applying a special key, generating a BIOS certificate, and inserting the key and certification into the designated location. Together with Advantech’s software engineer, product manager, and BIOS engineer, the whole process took around two weeks to complete.
With the mechanism implemented on the Windows Server 2016, XYZ’s full-body scanner system now met all regulatory requirements.