Understanding KMS
On This Page
Minimum Computer Requirements
How KMS Works
Planning a KMS Deployment
KMS activates computers on a local network, eliminating the need for individual computers to connect to Microsoft. To do this, KMS uses a client–server topology. KMS client computers can locate KMS host computers by using Domain Name System (DNS) or a static configuration. KMS clients contact the KMS host by using remote procedure call (RPC). KMS can be hosted on computers that are running the Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 operating systems.
Minimum Computer Requirements
When planning for KMS activation, the network must meet or exceed the activation threshold, or the minimum number of qualifying computers that KMS requires. You must also understand how the KMS host tracks the number of computers on the network.
KMS Activation Thresholds
KMS can activate both physical computers and virtual machines. To qualify for KMS activation, a network must meet the activation threshold: KMS hosts activate client computers only after meeting this threshold. To ensure that the activation threshold is met, a KMS host counts the number of computers that are requesting activation on the network. For computers running Windows Server 2008 or Windows Server 2008 R2, the activation threshold is five. For computers running Windows Vista or Windows 7, the activation threshold is 25. The thresholds include client computers and servers that are running on physical computers or virtual machines.
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have contacted the KMS host for activation. Clients that receive a count below their activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 7, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a Windows 7 virtual machine, it receives an activation count of 3, and so on. None of these computers is activated, because computers running Windows 7 must receive an activation count ?25 to be activated. KMS clients in the grace state that are not activated because the activation count is too low connect to the KMS host every two hours to get the current activation count and will be activated when the threshold is met.
If the next computer that contacts the KMS host is running Windows Server 2008 R2, it receives an activation count of 4, because activation counts are a combination of computers running Windows Server 2008 R2 and Windows 7. If a computer running Windows Server 2008 or Windows Server 2008 R2 receives an activation count that is ?5, it is activated. If a computer running Windows 7 receives an activation count ?25, it is activated.
Activation Count Cache
To track the activation threshold, the KMS host keeps a record of the KMS client computers that request activation. The KMS host gives each KMS client computer a client machine identification (CMID) designation, and the KMS host saves each CMID in a table. Each activation request remains in the table for 30 days. When a client computer renews its activation, the cached CMID is removed from the table, a new record is created, and the 30-day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding CMID from the table and reduces the activation count by one.
The KMS host caches twice the number of CMIDs that KMS clients require to help ensure that the CMID count does not drop below the activation threshold. For example, on a network with client computers running Windows 7, the KMS activation threshold is 25, so the KMS host caches the CMIDs of the most recent 50 activations. The KMS activation threshold for Windows Server 2008 R2 is 5. A KMS host that is contacted only by KMS client computers running Windows Server 2008 R2 would cache the 10 most recent CMIDs. If a client computer running Windows 7 later contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
How KMS Works
KMS activation requires TCP/IP connectivity. By default, KMS hosts and client computers use DNS to publish and find the KMS service. The default settings can be used, which require little to no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
KMS Activation Renewal
KMS activations are valid for 180 days—the activation validity interval. To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails , the client will retry every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
Publication of the KMS Service
The KMS service uses service (SRV) resource records (RR) in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol , if available, to publish the KMS SRV RRs. If dynamic update is not available or the KMS host does not have rights to publish the RRs, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
Note DNS changes may take time to propagate to all DNS hosts, depending on the complexity and topology of the network.
Client Discovery of the KMS Service
By default, KMS clients query DNS for KMS service information. The first time a KMS client queries DNS for KMS service information, it randomly chooses a KMS host from the list of SRV RRs that DNS returns.
The address of a DNS server containing the SRV RRs can be listed as a suffixed entry on KMS clients, which allows advertisement of SRV RRs for KMS in one DNS server and KMS clients with other primary DNS servers to find it.
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the clients should try first and balances traffic among multiple KMS hosts. Only Windows 7 and Windows Server 2008 R2 provide the priority and weight parameters.
If the KMS host that a client selects does not respond, the KMS client removes that KMS host from its list of SRV RRs and randomly selects another KMS host from the list. When a KMS host responds, the KMS client caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client discovers a new KMS host by querying DNS for KMS SRV RRs.
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client is activated and the session is closed. The KMS client uses this same process for renewal requests. The communication each way is 250 bytes.
Planning a KMS Deployment
The KMS service does not require a dedicated server. The KMS service can be co-hosted with other services, such as Active Directory® Domain Services (AD DS) domain controllers and read-only domain controllers (RODCs). KMS hosts can also run on physical computers or virtual machines that are running any supported Windows operating system, including Windows Server 2003. Although a KMS host that is running Windows Server 2008 R2 can activate any Windows operating system that supports Volume Activation, a KMS host that is running Windows 7 can activate only computers running Windows 7 and Windows Vista. A single KMS host can support unlimited numbers of KMS clients; however, Microsoft recommends deploying a minimum of two KMS hosts for failover. Most organizations can use as few as two KMS hosts for their entire infrastructure.
Note KMS is not automatically included in Windows Server 2003. To host KMS on computers that are running Windows Server 2003, download and install KMS from one of the following sites:
-
For x86-based computers: Key Management Service 1.2 (x86) for Windows Server 2003 SP1 and Laterhttp://www.microsoft.com/downloads/details.aspx?FamilyID=f3a0d90c-b7fd-44cf-bf81-11587adc599f
-
For x64-based computers: Key Management Service 1.2 (x64) for Windows Server 2003 SP1 and Laterhttp://www.microsoft.com/downloads/details.aspx?FamilyID=1678151b-b577-476f-87da-df54024b98e2
Planning DNS Server Configuration
The default KMS auto-publishing feature requires SRV RR and DNS dynamic update protocol support. KMS client default behavior and KMS SRV RR publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports SRV RRs (per Internet Engineering Task Force [IETF] Request for Comments [RFC] 2782) and dynamic updates (per RFC 2136) . For example, Berkeley Internet Domain Name (BIND) versions 8.x and 9.x support both SRV records and dynamic update.
The KMS host must be configured so that it has the credentials needed to create and update SRV, A (Internet Protocol version 4, or IPv4), and AAAA (Internet Protocol version 6, or IPv6) RRs on the DNS servers, or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, and then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the _VLMCS._TCP record on each DNS domain that will contain the KMS SRV RRs.
Activating the First KMS Host
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the Key Management Service on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft.
KMS keys are only installed on KMS hosts, never on individual KMS clients. Windows 7 and Windows Server 2008 R2 have safeguards to help prevent inadvertently installing KMS keys on KMS client computers. Any time users try to install a KMS key, they see the warning shown in Figure 1.
Figure 1. Installing a KMS key
Activating Subsequent KMS Hosts
Each KMS key can be installed on up to six KMS hosts, which can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine more times with the same key.
If the organization needs more than six KMS hosts, You can request additional activations for the organization’s KMS key by calling the Activation Call Center to request an exception. For more information, see the Volume Licensing Web site athttp://go.microsoft.com/fwlink/?LinkID=73076.
Upgrading Existing KMS Hosts
KMS hosts that are running Windows Server 2003, Windows Vista, or Windows Server 2008 can be configured to support KMS clients running Windows 7 and Windows Server 2008 R2. For Windows Vista and Windows Server 2008, it is necessary to update the KMS host with a package with files that support the expanded KMS client. This package is available through the Microsoft Download Center athttp://www.microsoft.com/downloads. Once the package is installed on the KMS host, a KMS key that is designed to support Windows 7 and Windows Server 2008 R2 can be installed and activated as described earlier in this guide. The KMS key that supports the new versions of the Windows operating systems also provides support for the previous Volume Licensing editions of Windows that are acting as KMS clients.
In the case of updating a Windows Server 2003 KMS host, all necessary files are contained within the KMS 1.2 downloadable package, which is available through the Microsoft Download Center at http://www.microsoft.com/downloads.
Planning KMS Clients
By default, computers that are running Volume Licensing editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are KMS clients , and no additional configuration is needed. KMS clients can locate a KMS host automatically by querying DNS for SRV RRs that publish the KMS service. If the network environment does not use SRV RRs, a KMS client can be manually configured to use a specific KMS host.
To manually configure KMS clients, follow the steps in the section titled, “Manually Specifying a KMS Host,” later in this guide.
Activating as a Standard User
Windows 7 and Windows Server 2008 R2 do not require administrator privileges for activation. However, this change does not allow standard user accounts to remove Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
How to use the Windows Server License Manager Script - slmgr.vbs which is used to activate your Windows Server 2008 License.
Introduction
Like it or not, Windows Server licensing is more critical than ever before with Windows Server 2008. It is important to know how to license your Windows 2008 Servers from the command line, to see how much time you have left in an eval, or uninstall licenses. In this article, you will learn how to use Microsoft’s command line tool for doing that – slmgr.vbs.
What is slmgr.vbs?
Microsoft’s command line licensing tool is slmgr.vbs. The name actually stands for Windows Software Licensing Management Tool.
This is a visual basic script used to configure licensing on any Windows 2008 Server – either the full version or the core version. To see what slmgr.vbs can do, you can simply run a Windows command prompt (with cmd) and type:
slmgr.vbs /?
Figure 1: Help window for slmgr.vbs
This will pop up a help window that will give you all the slmgr.vbs options. Here are the various tasks you can perform with slmgr.vbs:
- Manage licensing not only on the local server but also on remote Windows 2008 Servers, over the network. A username and password is required for this. The default machine to manage, if none is specified, is the localhost.
- Install product keys with the –ipk option.
- Active Windows 2008 with the –ato option.
- Display license information with the –dli option.
- Display detailed license information with the –dlv option.
- Show when the current Windows license will expire with the –xpr option.
- Clear the current Windows product key from the registry for security reasons with the –cpky option.
- Install a license with the –ilc option.
- Reinstall system license files with the –rilc option.
- Reactive a Windows evaluation license with the –rearm option.
- Uninstall a certain product key with the –upk option.
- Display your installation ID, used by Microsoft for offline (telephone) activation, with the –dit option.
- And finally, you can active a product with the confirmation ID using the –ato option.
Let’s see some examples of how Windows 2008 slmgr.vbs can help us.
How can slmgr.vbs help with Evaluation licensing?
If you are evaluating Windows Server 2008, you should know that license activation is not required. An evaluation version of Windows Server 2008 will work for 60 days. While many admins do not know it, you can “re-arm” that evaluation period for another 60 days, three times over. Thus, you could evaluate Windows 2008 Server for a total of 240 days, or about 8 months – wow!
You can re-arm this evaluation of Windows 2008 using slmgr.vbs. To do this, just type:
slmgr.vbs –rearm
Figure 2: Results after rearming your Win 2008 evaluation copy for another 60 days
To see how much time you have left in your current evaluation period, just type:
slmgr.vbs –xpr
Figure 3: Results of xpr command, showing the date and time that the license grace period for Win 2008 expires
In fact, Microsoft even has an interesting knowledgebase document on how to automatically extend the evaluation of licensing with a script. By implementing this script, you could use Windows Server 2008 for the full 240 days without having to do anything. For more information on that, please see Microsoft KB 948472.
How do I get detailed information on my Windows Server 2008 license?
To get more detailed information than just the expiration date (given by the xpr command), you can use the dli or dlvoptions. Here is what their output looks like:
Figure 4: slmgr.vbs –dli output showing license information
As you can see in the –dli option output, there is more information on the version of Win 2008 you are running, the license status, time renaming (down to the second), and all about the key management server.
Figure 5: slmgr.vbs –dlv output showing detailed license information
With the –dlv option, there is even more detailed information about the current state of your licenses.
How can I activate my license in Windows 2008 Server Core?
As I mentioned above, when I listed out the options, slmgr.vbs is used to activate Windows 2008 Server at the command line. Now in Windows Server Core, with only a command prompt, you are forced to use slmgr.vbs to activate your Core server from the command line. Thus, it is much more critical to know how to use slmgr.vbs if you are using Windows Server Core. Still, every Admin, in my opinion, should know the basics of using it.
So, say that you are on your new Windows Server 2008 Core server and you want to activate it. Let’s assume that you entered a product key during the installation process. To activate your OS, just type:
slmgr.vbs –ato
If you do not have networking configured, or you get another error, you will get a window that says something like this:
Figure 6: Error from slmgr license activation
In my case, I received this error because I had not yet configured an IP address on the Win 2008 Core Server. And, I received the error again because I did not have DNS and a default gateway configured. Keep in mind that all of these things are necessary for a successful activation of Windows 2008!
If you did not enter a product key during the install process, you can enter one with slmgr.vbs at the command line with:
slmgr.vbs –ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
(assuming you have a MAK key, not a KMS key)
From there, you can attempt the auto activation again.
Figure 7: Successful activation of Windows 2008 with slmgr.vbs
If you are successful (as I finally was), you should see the “product activated successfully” window, as you see in Figure 7. Hoorah!
How do I administer licensing of a remote Windows 2008 Server using slmgr.vbs?
As I mentioned above, you can administer not only local servers but also remote Win 2008 Servers from the command line, using slmgr.vbs. You just need the server hostname/IP address as well as the administrator username and password.
To do this, just place the machinename, then username, and then the password between the slmgr command and the options, like this:
slmgr.vbs server2 administrator MyPassWord1 -xpr
Note:
You do not have to use the .vbs extension on the slmgr command. It will work just fine if you type slmgr and your command options.
Summary
Windows Server licensing is critical to your Windows 2008 Server functioning, or not functioning. In this article, you saw how to use Microsoft’s Software Licensing Management Tool – slmgr.vbs – to manage your Windows Server licenses from the command line. While there are a number of applications for slmgr.vbs, after reading this article I know that the next time you are at a command prompt of a Win 2008 Core Server with an expired license, you will know exactly what to do.
Creating DNS Records for Accessing the KMS Server
This page is intended for technical support providers and network administrators. If you're not one of those, you should talk to your TSP or net admin before proceeding. The concept behind the procedure on this page is explained on our main KMS page.
This page describes how to register the KMS servers in your DNS domain for autodiscovery.
You'll need to know the Connection-specific DNS Suffix for your domain. Here's how to find that information.
- From a Windows computer in your DNS domain, click the Search box, type
cmd
and press .
orb. In the - In the command prompt window, type
ipconfig /all
and press . - Take note of the entry following Connection-specific DNS Suffix.
This is the DNS domain that you will need to specify later in this process.
Next follow the steps below that best describes your domain's setup:
- Your department/unit/domain uses CIT's DNS servers, and your clients use the CIT servers for name resolution.
OR
- Your department/unit/domain uses local DNS servers for name resolution, and the DNS Zone has been delegated to the local IT group responsible for your unit.
Method 1-A: Using CIT's DNS Servers
Domains that use CIT's DNS servers have all been registered for KMS autodiscovery. No action should be needed.
Method 1-B: Using Local DNS Servers
These instructions assume you are familiar with the DNS server software your department uses.
You will create two records: one for the primary KMS server and another for the secondary (failover) KMS server.
Below you'll find the steps for Windows and for *NIX systems.
Windows Server 2000-2008
- Open the DNS Microsoft Management Console (MMC).
- Expand the DNS Zone to the Connection-specifc DNS Suffix you noted earlier.
- Right-click on the _tcp folder and select .
- Select as the new record type.
- Fill in the following information for the new record:
- Service: _VLMCS
(Note: This is not in the drop-down list, so you'll need to type it in. Be sure to include the underscore at the beginning.) - Protocol: _tcp
(Note: Select this from the drop-down list.) - Port: 1688
- Priority: 10
- Host offering the service: kms01.cit.cornell.edu.
(Note: Be sure to include the trailing dot.)
- Follow the steps above to create a second new SRV record with the following information (the Priority and Host fields are different):
- Service: _VLMCS
(Note: This is not in the drop-down list, so you'll need to type it in. Be sure to include the underscore at the beginning.) - Protocol: _tcp
(Note: Select this from the drop-down list.) - Port: 1688
- Priority: 20
- Host offering the service: kms02.cit.cornell.edu.
(Note: Be sure to include the trailing dot.)
And you're done.
Bind 8.2 or higher (Linux, Unix, Solaris)
On the DNS server, open the Bind zone file.
Add these two lines to the file, substituting the Connection-specific DNS Suffix you noted above. In our example, we use sheep-shearing.cornell.edu for our DNS suffix; replace that text with yours DNS suffix. Be sure to include the two underscore characters in each line (four in total) and the trailing dots after the DNS suffix and the host names in both lines.
_vlmcs._tcp.sheep-shearing.cornell.edu. 3600 IN SRV 10 0 1688 kms01.cit.cornell.edu.
_vlmcs._tcp.sheep-shearing.cornell.edu. 3600 IN SRV 20 0 1688 kms02.cit.cornell.edu.
Save the file. And you're done.
Volume Activation Management Tool (VAMT) 2.0
Managing Activation Using the Volume Activation Management Tool (VAMT)
White Paper
Microsoft Corporation 2010
On This Page
What Is VAMT?
The Volume Activation Management Tool, or VAMT, is a free Microsoft tool to help administrators perform many tasks related to Windows product activation, using a single tool.
VAMT 1.2 released as part of the Windows Automated Installation Kit (AIK), supports Windows Vista and later, and Windows Server 2008 and later. VAMT 1.2 can perform activations with a Multiple Activation Key (MAK), and enables Key Management Service (KMS) client activations.1
VAMT 2.0 includes several significant improvements over VAMT 1.2. It supports all of the above Windows operating systems plus Office 2010, Visio 2010 and Project 2010. VAMT 2.0 is a Microsoft Management Console (MMC) snap-in for a consistent administration experience, and is available as a standalone download. This version additionally enables administrators to manage KMS host and retail keys and activations. Admins may optionally use a Command Line Interface to script VAMT tasks vs. using the interactive GUI.
This document explains VAMT 2.0 and its benefits in more detail. We use Windows systems as our focus, but all of the capabilities apply also to Office 2010 products.
How Can VAMT Help in My Environment?
VAMT can be an important tool to help you centrally manage and automate a range of activities related to Windows activation. Core benefits of VAMT include:
- The ability to protect product keys by retaining them only in the VAMT console, vs. including a key in an image or distributing it in plain text
- Perform activations without each system having to connect and activate with Microsoft activation services
- Inventory and monitor systems in the environment from an activation and licensing standpoint
VAMT enables you to manage Multiple Activation Key (MAK), Key Management Service (KMS), and retail product keys—whether you obtained them from the Volume Licensing Service Center (VLSC) or from a Microsoft subscription program such as MSDN—and product activations using those keys.
VAMT enables you to remotely activate managed systems. You can perform MAK, KMS host, KMS client, and retail activations. VAMT uses WMI to remotely manage activations and other related tasks on managed systems.
VAMT also can assist with license compliance, letting you monitor license state for the systems under management, so you know whether they are licensed and running genuine Windows.
The following sections highlight VAMT's capabilities.
Discover computers and products
A typical first step using VAMT is to discover computers in your environment, then add them into VAMT. To manage activation on the systems in your environment, you must discover and catalog those systems in VAMT. VAMT provides multiple ways by which physical and virtual systems can be discovered.
After you add the target systems to VAMT, the next step is to discover products installed on them. VAMT discovers Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and Office 2010 client products. VAMT also discovers computers running prior volume license operating system versions (Windows XP SP2 and Windows Server 2003 SP1 or later).2 However, VAMT does not provide any data or support for product keys and activations of these machines. See Product Activation Using VAMT 2.0 for details on how to discover computers and installed products.
Manage product keys
Depending on your organization's volume license agreement(s) and/or subscription programs, you may be eligible for a number of product keys. Managing keys for numerous product versions and editions can be challenging. VAMT can help to manage your MAKs, KMS host keys, and even retail product keys (e.g., for software acquired via an MSDN, TechNet or Microsoft Partner Network subscription).
Product key management with VAMT enables:
- Single local console to manage keys for Windows client, Windows Server and Office 2010
- Installation of the keys on remote managed systems through WMI
- Tracking remaining activations on MAKs3
Read Manage Product Keys Using VAMT 2.0 for details on how to use VAMT to manage your product keys.
Manage activations
Product activation is required for all installations of Windows client and server, and Microsoft Office client starting with Windows Vista and Microsoft Office 2010. Product activation helps confirm the integrity and reliability of the software that you will be using within your environment. You can use VAMT to manage MAK, KMS and retail activations, including transitioning a system from one activation method to another. Here are some common activation scenarios that VAMT can help with:
- KMS activation is generally the preferred method for network-connected systems. You can use VAMT to set up and activate your KMS host, and then to activate target KMS client systems.
- MAK activation is commonly suitable for lab computers, small offices or branch locations, or for computers used by remote workers. VAMT can help you activate computers in all of these cases, whether or not the systems are connected to the core organizational network, or even the internet.
- Systems activated using MAK or retail keys may need to be redeployed into the general production environment, where KMS activation is used. VAMT simplifies changing to KMS activation in such transitions.
To perform activations, VAMT utilizes two primary activation processes, online and proxy. We explain each activation process below. We also cover other activation options available in VAMT. These include KMS client activation, activation in disconnected environments, and local reactivation after reimaging. Read Product Activation Using VAMT 2.0 for details on how to perform many types of activations using VAMT.
Online activation
With online activation4, each system individually connects to and activates with Microsoft activation servers. You can use online activation for MAK, KMS host, and retail activations. To perform online activation with the VAMT console, you add a key to VAMT, install the key on the target system(s), and then select Online Activate to complete the activation process. VAMT does not store activation confirmation information when you perform online activations.
Proxy activation
With proxy activation, the VAMT host computer connects to Microsoft on behalf of multiple systems. You can use proxy activation for all of your MAK, KMS host or client, and retail activations.
To perform proxy activation for systems connected to the VAMT console, you add a key to VAMT, install the key on the target computers, and then select Proxy Activate. The VAMT console sends the installation ID (IID) collected from each computer to Microsoft activation servers with a single connection. VAMT obtains the corresponding confirmation IDs (CID) and distributes them to the target systems, completing activation. With proxy activation, VAMT stores all this information in a Computer Information List .xml file (CIL). The diagram below shows the proxy activation process.
Because VAMT does not store activation confirmation information with online activation, proxy activation is necessary if you want to save the activation confirmation information for any of the activations performed using VAMT. We recommend storing a backup copy of the CIL as a standard practice. The confirmation data also can be helpful in case of disaster recovery.
Additionally, you would use proxy activation if you plan to reactivate after reimaging using VAMT, explained below. Optionally, you also can use proxy activation if you prefer that the computers not connect directly with Microsoft activation servers.
KMS client activation
If you are switching computers from MAK to KMS activation, you can use VAMT to apply KMS client setup keys, and then to activate those systems. It is easy to install a KMS client setup key using VAMT because the keys are embedded in the tool. You do not have to manually add a key to the console.
Activation in disconnected environments
Some environments may be completely disconnected from the internet or the core organizational network, such as branch offices and high-security zones within a production environment. High-security zones are network segments air-gapped or separated by a firewall that limits or prevents communication to and from other network segments. VAMT can simplify the activation process for the systems in this environment.
Here we describe a solution that you can use when the systems are networked within the firewalled or disconnected environment. Basically, you set up one VAMT host in the disconnected environment, and a second VAMT host in the core network. Data is transported between the hosts in the two environments on removable media.
Using proxy activation, collect the IIDs on the first VAMT host and save them on removable media. The admin takes the media to the second VAMT host and imports the IIDs into that console. The second host connects with Microsoft, sends over the IIDs, and obtains the CIDs. The admin exports the CIDs onto the removable media. After transporting the file back to the first VAMT host, the CIDs are applied, completing the activation process. Read Activation in Disconnected Environments Using VAMT 2.0 for a more detailed explanation of this process. Microsoft enumerates other options for activation in disconnected environments in a white paper, Volume Activation in Disconnected Environments.
Local reactivation
If your systems require frequent reimaging, as in testing or training labs, using proxy activation with VAMT can facilitate reactivating the systems. After reimaging, you can apply the same CID that was saved in the .xml CIL file. You can reapply the CID without limit, if the hardware has not changed significantly. By applying the same CID, you conserve remaining activations on the product key. Microsoft enumerates other options for activation in development environments in a white paper, Windows Activation in Development and Test Environments.
Activation status
VAMT lets you check the current activation status of managed computers. Available data include license state (e.g., Licensed, Out-of-Box Grace, Notification), genuine status, Windows edition, and the last 5 characters of the product key installed. Knowing a computer's status can be useful in several situations.
- User experience—Windows will enter a notifications experience after a grace period expires. The system will continue to operate with full functionality, but the notifications may be confusing or annoying to end users. With VAMT, admins can determine the activation status of remote managed systems and take steps to activate those that are in a grace period.
- Helpdesk support—Activation status information may be useful for helpdesk technicians to help troubleshoot a user's computer.
- License compliance—Using VAMT, it is easy to determine whether or not a given system is licensed and genuine. With this knowledge, admins can take corrective action as appropriate.
Scripting options
In addition to the MMC interface, you can use a Command Line Interface that can be scripted to run VAMT tasks without the interactive UI. Typical usage includes nightly or weekly automatic updates to the products list, or embedding VAMT tasks into other automated tasks. An example of a typical script is to refresh product status for an existing CIL file and use an alternative credential.
VAMT /r /i myproducts.CIL /o vamtout.CIL /user mydomain\myusername /password *
How Can I Learn More?
For more information about using VAMT, review the VAMT 2.0 "how to" documents. You can watch video demos of several VAMT tasks at www.technet.com/volumeactivation. Several of these demos use VAMT 1.2 but the process is the same using VAMT 2.0. The Helpfile in the VAMT 2.0 download has detailed information on how to perform many tasks using the tool.
To learn more about volume activation, visit www.technet.com/volumeactivation. Also, check the Genuine Windows Team Blog for what's new.
1 | KMS and MAK are the two activation methods available for volume licensing versions of Windows client and server operating systems, and Office 2010. For information on activating with KMS or MAK, visit www.technet.com/volumeactivation. |
2 | VAMT discovers these prior version systems to manage any Office 2010 client installations on these versions. |
3 | Determining remaining activations is not available for KMS host or retail keys. |
4 | Online activation is alternatively referred to as independent activation in other volume activation documentation. |
Manage Product Keys Using Volume Activation Management Tool 2.0
As an IT administrator in a medium or large organization, you are responsible for managing product keys, often for multiple products that are acquired from multiple sources. Sometimes it can be challenging to keep track of these keys and prevent their leakage to unauthorized personnel. Microsoft's free Volume Activation Management Tool (VAMT) 2.0 can help with key management.
VAMT 2.0 enables you to manage the following product key types, for Windows 7, Windows Vista, Windows Server 2008 R2, Windows Server 2008, Office 2010 client suites and applications, Visio 2010 and Project 2010:
- Key Management Service (KMS) host keys (CSVLK)
- KMS client setup keys (GVLK)
- Multiple Activation Key keys (MAK)
- Retail keys
VAMT 2.0 supports these keys regardless of how your organization obtained them. VAMT handles keys acquired through a Microsoft volume license agreement(s), subscription programs such as MSDN, TechNet or Microsoft Partner Network, or the retail channel. VAMT cannot manage other key types such as volume license "bypass" keys (VLKs), or keys installed by an OEM. VAMT 1.2, available as part of the Windows Automated Installation Kit (AIK), supports MAK and GVLKs but not CSVLK or retail keys.
Let's run through how you can manage product keys in VAMT 2.0. The process is the same for KMS host keys, MAKs and retail keys. KMS client keys are already embedded in VAMT so you never need to add them.
On This Page
- Add a key to VAMT
- Determine remaining activations on a MAK
- Delete a product key
- Save product key data in the CIL
- Protect access to the CIL
Add a key to VAMT
Before you can install a key in a product, you need to add it to VAMT.
- Type in the product key and verify it
- In the left pane of VAMT's UI, click the Product Keys node.
- In the center pane, type the 25-character key without the hyphens. VAMT adds these automatically. In the example below, we added a MAK for Windows 7 Enterprise/Professional. We blocked out much of the actual key data. See Figure 1.
- Click Verify. The Edition, official key Description, and Key Type fields populate after the key is verified.
- Enter a description for the key and add it to VAMT
- In Remarks, enter a description for the key that is meaningful to you and your organization. Our example key has been assigned to a development department. See Figure 1.
- Click Add Product Key to add the key to VAMT. The key is now added to VAMT and can be used. See Figure 2.
Figure 1. Entering a key and description
Figure 2. The product key is added to the list of keys.
Determine remaining activations on a MAK
A handy piece of information to check is the number of remaining activations on a MAK. It's a good idea to refresh the MAK's activation count before you deploy it on a large number of systems. This feature is not available for KMS host or retail keys.
- Select the MAK and then Refresh Product Key Data Online. VAMT connects to Microsoft and retrieves the number of remaining activations. See Figure 3.
- If you need more activations, call your Microsoft Activation Center to request an increase.
Figure 3. Refresh MAK remaining activations data
Delete a product key
There may be times when you need to delete a key from VAMT. Deleting a key that has been installed in a product and activated will have no effect on the product or its status.
- To remove a product key from the list, click Product Keys in the left pane.
- Select the key in the list and click Delete from the Action menu.
- Click OK to confirm deletion of the product key. See Figure 4.
Figure 4. Delete a product key
Save product key data in the CIL
VAMT stores data in the Computer Information List, or CIL, an XML file created when you save or export data. In this step, you will save the Computer Information List (CIL) for backup and future use.
- Choose Save List or Save List As from the Actions menu. VAMT will display Save the Computer Information List dialog box. See Figure 5.
- Enter a desired CIL file name or select a directory and then enter a CIL file name such as "DevelopmentDept.CIL"
- Click Save.
Figure 5. Save the CIL
Protect access to the CIL
To prevent key leakage, you should limit access to VAMT and the CIL to only those personnel with a reason to see the product keys and activate products. Secure access to the CIL file on the local hard drive by encryption or set permissions for the folder where the CIL is stored. Make sure that you similarly protect the backup location if you create a back up file e.g. for disaster recovery.
More Using VAMT 2.0 Guidance
Check out the other Using VAMT 2.0documents:
- Product Activation Using VAMT 2.0
- Reporting Activation Information Using VAMT 2.0
- Activation in Disconnected Environments Using VAMT 2.0
You can watch video demos of several VAMT tasks at www.technet.com/volumeactivation. Several of these demos use VAMT 1.2 but the process is the same using VAMT 2.0. The Helpfile in the VAMT 2.0 download has detailed information on how to perform many tasks using the tool.
Configuring KMS Clients
This section describes concepts for installing and configuring computers as KMS clients. By default, Volume License editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are KMS clients. If the computers the organization wants to activate by using KMS are using either of these operating systems and the network allows DNS auto-discovery, no further configuration is needed.
If a KMS client is configured to search for a KMS host using DNS but does not receive SRV records from DNS, Windows 7 and Windows Server 2008 R2 log the error in the event log.
Manually Specifying a KMS Host
Administrators can manually assign a KMS host to KMS clients by using KMS host caching. Manually assigning a KMS host disables auto-discovery of KMS on the KMS client. A KMS host is manually assigned to a KMS client by running:
slmgr.vbs /skms <value>:<port>
where value is either the KMS_FQDN, IPv4Address, or NetbiosName of the KMS host and port is TCP port on the KMS host.
Enable Auto-discovery for a KMS Client
By default, KMS clients automatically attempt to discover KMS hosts. Auto-discovery can be disabled by manually assigning a KMS host to a KMS client. This action also clears the KMS host name from the KMS client’s cache. If auto-discovery is disabled, it can be re-enable by running slmgr.vbs /ckms at a command prompt.
Adding Suffixed Entries to KMS Clients
By adding the address of a DNS server containing the SRV RR as a suffixed entry on KMS clients, administrators can advertise KMS hosts on one DNS server and allow KMS clients with other primary DNS servers to find it. For more information about configuring a domain suffix search list on KMS clients, see the Microsoft Help and Support article, “How to configure a domain suffix search list on the Domain Name System clients,” at http://support.microsoft.com/kb/275553.
Deploy KMS Clients
The information in this section is for Volume Licensing customers using the Windows Automated Installation Kit (Windows AIK) to deploy and activate a Windows operating system. Prepare KMS clients for deployment by using the System Preparation Tool (Sysprep) or the Slmgr.vbs script:
-
Sysprep. Before capturing an image, run Sysprep with the /generalize command-line option to reset the activation timer, security identifier (SID), and other important settings. Resetting the activation timer prevents the image’s grace period from expiring before the image is deployed. Running Sysprep.exe does not remove the installed product key, and administrators are not prompted for a new key during mini-setup. If no rearms are left, the Sysprep operation completes but the activation timers are not changed and an error is returned that explains the situation.
-
Slmgr.vbs. When building demo virtual machines (VMs) for internal use (e.g., building VMs for the organization’s sales department or to set up a temporary training environment), running the Slmgr.vbs script with the /rearm command-line option extends the grace period another 30 days, which in turn resets the activation timer but makes no other changes to the computer. The activation timer can be reset three times for computers running Windows 7 or Windows Server 2008 R2.
Manually Activate a KMS Client
By default, KMS clients automatically attempt to activate themselves at preset intervals. To manually activate KMS clients (for example, disconnected clients) before distributing them to users, use the Control Panel System item, or run slmgr.vbs /ato at an elevated command prompt. The Slmgr.vbs script reports activation success or failure and provides a result code. To perform activation, the KMS client must have access to a KMS host on the organization’s network.
Converting MAK Clients to KMS and KMS Clients to MAK
By default, Windows 7 and Windows Server 2008 R2 operating systems use KMS for activation. To change existing KMS clients to MAK clients, simply install a MAK key. Similarly, to change MAK clients to KMS clients, run:
slmgr.vbs /ipk <KmsSetupKey>
where KmsSetupKey is one of the setup keys shown in Table 4. After installing the KMS setup key, activate the KMS client by runningcscript slmgr.vbs /ato.
Table 4 KMS Client Setup Keys
Operating System Edition |
Product Key |
---|---|
Windows 7 |
|
Windows 7 Professional |
FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 |
Windows 7 Professional N |
MRPKT-YTG23-K7D7T-X2JMM-QY7MG |
Windows 7 Enterprise |
33PXH-7Y6KF-2VJC9-XBBR8-HVTHH |
Windows 7 Enterprise N |
YDRBP-3D83W-TY26F-D46B2-XCKRJ |
Windows 7 Enterprise E |
C29WB-22CC8-VJ326-GHFJW-H9DH4 |
Windows Server 2008 R2 |
|
Windows Server 2008 R2 HPC Edition |
FKJQ8-TMCVP-FRMR7-4WR42-3JCD7 |
Windows Server 2008 R2 Datacenter |
74YFP-3QFB3-KQT8W-PMXWJ-7M648 |
Windows Server 2008 R2 Enterprise |
489J6-VHDMP-X63PK-3K798-CPX3Y |
Windows Server 2008 R2 for Itanium-Based Systems |
GT63C-RJFQ3-4GMB6-BRFB9-CB83V |
Windows Server 2008 R2 Standard |
YC6KT-GKW9T-YTKYR-T4X34-R7VHC |
Windows Web Server 2008 R2 |
6TPJF-RBVHG-WBW2R-86QPH-6RTM4 |
Converting Retail Editions to Volume Activation
Retail editions of Windows 7 Professional and Windows Server 2008 R2 can be converted to KMS clients, provided that the organization has acquired the appropriate volume licenses and conforms to the Product Use Rights. To convert Windows 7 Professional and all editions of Windows Server 2008 R2 from retail to a KMS client, skip the Product Key page during operating system installation. When installation is complete, open an elevated Command Prompt window and type:
Slmgr.vbs /ipk <SetupKey>
where SetupKey is the KMS client setup key from Table 4 that corresponds to the edition of Windows 7 or Windows Server 2008 R2.
Windows Server 2016
Operating system edition |
KMS Client Setup Key |
---|---|
Windows Server 2016 Datacenter |
CB7KF-BWN84-R7R2Y-793K2-8XDDG |
Windows Server 2016 Standard |
WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY |
Windows Server 2016 Essentials |
JCKRF-N37P4-C2D82-9YXRT-4M63B |
Windows 10
Operating system edition |
KMS Client Setup Key |
---|---|
Windows 10 Professional |
W269N-WFGWX-YVC9B-4J6C9-T83GX |
Windows 10 Professional N |
MH37W-N47XK-V7XM9-C7227-GCQG9 |
Windows 10 Enterprise |
NPPR9-FWDCX-D2C8J-H872K-2YT43 |
Windows 10 Enterprise N |
DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4 |
Windows 10 Education |
NW6C2-QMPVW-D7KKK-3GKT6-VCFB2 |
Windows 10 Education N |
2WH4N-8QGBV-H22JP-CT43Q-MDWWJ |
Windows 10 Enterprise 2015 LTSB |
WNMTR-4C88C-JK8YV-HQ7T2-76DF9 |
Windows 10 Enterprise 2015 LTSB N |
2F77B-TNFGY-69QQF-B8YKP-D69TJ |
Windows 10 Enterprise 2016 LTSB |
DCPHK-NFMTC-H88MJ-PFHPY-QJ4BJ |
Windows 10 Enterprise 2016 LTSB N |
QFFDN-GRT3P-VKWWX-X7T3R-8B639 |
Windows Server 2012 R2 and Windows 8.1
Operating system edition |
KMS Client Setup Key |
---|---|
Windows 8.1 Professional |
GCRJD-8NW9H-F2CDX-CCM8D-9D6T9 |
Windows 8.1 Professional N |
HMCNV-VVBFX-7HMBH-CTY9B-B4FXY |
Windows 8.1 Enterprise |
MHF9N-XY6XB-WVXMC-BTDCT-MKKG7 |
Windows 8.1 Enterprise N |
TT4HM-HN7YT-62K67-RGRQJ-JFFXW |
Windows Server 2012 R2 Server Standard |
D2N9P-3P6X9-2R39C-7RTCD-MDVJX |
Windows Server 2012 R2 Datacenter |
W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9 |
Windows Server 2012 R2 Essentials |
KNC87-3J2TX-XB4WP-VCPJV-M4FWM |
Windows Server 2012 and Windows 8
Operating system edition |
KMS Client Setup Key |
---|---|
Windows 8 Professional |
NG4HW-VH26C-733KW-K6F98-J8CK4 |
Windows 8 Professional N |
XCVCF-2NXM9-723PB-MHCB7-2RYQQ |
Windows 8 Enterprise |
32JNW-9KQ84-P47T8-D8GGY-CWCK7 |
Windows 8 Enterprise N |
JMNMF-RHW7P-DMY6X-RF3DR-X2BQT |
Windows Server 2012 |
BN3D2-R7TKB-3YPBD-8DRP2-27GG4 |
Windows Server 2012 N |
8N2M2-HWPGY-7PGT9-HGDD8-GVGGY |
Windows Server 2012 Single Language |
2WN2H-YGCQR-KFX6K-CD6TF-84YXQ |
Windows Server 2012 Country Specific |
4K36P-JN4VD-GDC6V-KDT89-DYFKP |
Windows Server 2012 Server Standard |
XC9B7-NBPP2-83J2H-RHMBY-92BT4 |
Windows Server 2012 MultiPoint Standard |
HM7DN-YVMH3-46JC3-XYTG7-CYQJJ |
Windows Server 2012 MultiPoint Premium |
XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G |
Windows Server 2012 Datacenter |
48HP8-DN98B-MYWDG-T2DCC-8W83P |
Windows 7 and Windows Server 2008 R2
Operating system edition |
KMS Client Setup Key |
---|---|
Windows 7 Professional |
FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 |
Windows 7 Professional N |
MRPKT-YTG23-K7D7T-X2JMM-QY7MG |
Windows 7 Professional E |
W82YF-2Q76Y-63HXB-FGJG9-GF7QX |
Windows 7 Enterprise |
33PXH-7Y6KF-2VJC9-XBBR8-HVTHH |
Windows 7 Enterprise N |
YDRBP-3D83W-TY26F-D46B2-XCKRJ |
Windows 7 Enterprise E |
C29WB-22CC8-VJ326-GHFJW-H9DH4 |
Windows Server 2008 R2 Web |
6TPJF-RBVHG-WBW2R-86QPH-6RTM4 |
Windows Server 2008 R2 HPC edition |
TT8MH-CG224-D3D7Q-498W2-9QCTX |
Windows Server 2008 R2 Standard |
YC6KT-GKW9T-YTKYR-T4X34-R7VHC |
Windows Server 2008 R2 Enterprise |
489J6-VHDMP-X63PK-3K798-CPX3Y |
Windows Server 2008 R2 Datacenter |
74YFP-3QFB3-KQT8W-PMXWJ-7M648 |
Windows Server 2008 R2 for Itanium-based Systems |
GT63C-RJFQ3-4GMB6-BRFB9-CB83V |
Windows Vista and Windows Server 2008
Operating system edition |
KMS Client Setup Key |
---|---|
Windows Vista Business |
YFKBB-PQJJV-G996G-VWGXY-2V3X8 |
Windows Vista Business N |
HMBQG-8H2RH-C77VX-27R82-VMQBT |
Windows Vista Enterprise |
VKK3X-68KWM-X2YGT-QR4M6-4BWMV |
Windows Vista Enterprise N |
VTC42-BM838-43QHV-84HX6-XJXKV |
Windows Web Server 2008 |
WYR28-R7TFJ-3X2YQ-YCY4H-M249D |
Windows Server 2008 Standard |
TM24T-X9RMF-VWXK6-X8JC9-BFGM2 |
Windows Server 2008 Standard without Hyper-V |
W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ |
Windows Server 2008 Enterprise |
YQGMW-MPWTJ-34KDK-48M3W-X4Q6V |
Windows Server 2008 Enterprise without Hyper-V |
39BXF-X8Q23-P2WWT-38T2F-G3FPG |
Windows Server 2008 HPC |
RCTX3-KWVHP-BR6TB-RB6DM-6X7HP |
Windows Server 2008 Datacenter |
7M67G-PC374-GR742-YH8V4-TCBY3 |
Windows Server 2008 Datacenter without Hyper-V |
22XQ2-VRXRG-P8D42-K34TD-G3QQC |
Windows Server 2008 for Itanium-Based Systems |
4DWFP-JF3DJ-B7DTH-78FJB-PDRHK |