Microsoft is the US military's biggest supplier. There is definitely a solution for this. And that solution is probably not available to regular users.
There are several solutions, and while most are limited to volume licensing, which, depending on your definition, may exclude "regular users", at least one is not:
1. Supply the code given by the "slmgr /dti" command to Microsoft over the phone or online from a non-air-gapped machine.
2. Apply the resulting activation code with the "slmgr /atp" command.
Now when trying to activate the OS by attempting to call the phone number for Microsoft Product Activation, an automated voice response says the following: "Support for product activation has moved online. For the fastest and most convenient way to activate your product, please visit our online product activation portal at aka.ms/aoh"
It does require logging in (to the website) with a Microsoft account, but Microsoft claims:
> By logging in with your account, it will not associate the account to the licenses.
From there, it's just a web version of phone activation (you enter your Installation ID and presumably they give you the Confirmation ID). No idea what happens when moving a licence between machines (with phone activation, the automated process would fail due to the existing activation and you'd be handed off to someone in a call center who would generate the Confirmation ID for you).
I don't think regular Windows 11 is that useful in those cases. You probably either want an intranet-connected Windows client that gets activated and updated via a local server. Probably also an LTSC release, that doesn't get feature updates all the time.
Or a Windows 11 IoT image, that only enables some specific features, and is stripped down for a specific purpose.
For individual use I guess the solution is to set it up once with internet connectivity and air gap afterwards.
>For individual use I guess the solution is to set it up once with internet connectivity and air gap afterwards.
That's simply not good enough for some purposes. Once a computer is connected to the internet, at all for any amount of time, the system could be considered to be less secure.
VAMT proxy activation is airgapped in the exact same way the “old” telephone way was; VAMT acts as the server that you used to call on the phone. It trades one token for another. You side channel the tokens across to and from the airgapped machine.
The original post said "air gapped environments", not "air gapped computers". Running several computers on a network which has no connections to the outside qualifies as an air gapped environment, and will let you use a key server just fine.
My assumption is that the system is on an air-gapped network, as individual systems that are completely isolated are typically not very useful as a full user environment, and are more likely to be fully embedded systems instead.
Internal key activation can be done through a KMS host, which can be activated by phone (or some other dedicated means if you're big enough for MS to care).
That's my point. The question is which fraction of users/businesses actually ever ask for support? And as long as the error can be replicated on an activated install, I guess they could still get support.
I knew a number of companies who were using a handful of RedHat servers and many more running CentOS and whenever they encountered issues on a CentOS system they would just replicate it on a RedHat one before asking for support and sending logs. Morally dubious but contractually OK.
Last time I tried to use it for an appliance, we weren't able to buy licenses. Microsoft gave us the contact to the only reseller in our country, and they couldn't find anyone in the company who knew how to sell Windows IoT licenses.
Edit: We only wanted to buy around 20 licenses, so their motivation was also not that big to figure it out.
Is it possible to activate via a web browser on a separate computer, similar to the flow for phone activation?