Acronyms

Volume License Basics Volume Activation 2.0 Key Management

AD DS
Volume Licensing Volume Licensing Service Center (VLSC) Product Keys and Its Applicability
Active Directory Domain Services
Customers receive 1 MAK per group and 1 KMS per group.
API KMS keys are hierarchical while MAK can only activate Windows editions within the group.
VL offering for Windows Vista® is an upgrade license and VLSC provides management of VL agreements,
Application Programming Interface requires a qualifying Windows® client operating system. download licensed products, and accessing of
KMS hosted on Windows Server 2003 and Windows Server 2008 can activate all Windows Vista and Windows Server 2008 editions (dependent on the KMS key that is used).
KMS Host on Windows Vista can only activate Windows Vista.
CID With VL media, no product key is required during setup. product keys. Request additional activations on an organization’s MAK or KMS key by calling the Product Activation Call Center (http://www.microsoft.com/licensing/resources/vol/numbers.aspx).
Product keys can also be replaced if they have been compromised (i.e. leaked to unauthorized personnel).
Confirmation ID To create bootable images download the media from VLSC allows viewing of Microsoft License Statements
CIL VLSC. and reporting of VL entitlements.
VLSC is the replacement for eOpen and MVLS sites. Which Products are Activated
Computer Information List VL customers (By default) get upgrade media for Windows Product Group
Vista. Client VL A B C
CMID For more information:
Windows Vista Ultimate is available for VL customers only Product Group Client VL:
https://licensing.microsoft.com/eLicense KMS
Client Machine ID as an SA benefit. Cannot activate via KMS or MAK; retail Windows Vista Business,
MAK
Windows Vista Enterprise
DDNS keys provided for Windows Vista Ultimate via SA Call
Center. Product Group A KMS
Dynamic DNS Windows Web Server 2008
KMS
MAK
DNS For more information: Product Group B
KMS
Domain Name System http://www.microsoft.com/licensing
Windows Server 2008 Standard, KMS KMS
MAK
Windows Server 2008 Enterprise*
DMZ
Product Group C: KMS
Demilitarized zone Windows Server 2008 Datacenter*, KMS KMS KMS
MAK
Windows Server 2008 for Itanium-based Systems
IID
*Includes editions without Hyper-V.
Installation ID
KMS
Key Management Service
MAK Key Management Service (KMS) Multiple Activation Key (MAK)
Multiple Activation Key
MVLS
Microsoft Volume Licensing Customer-Hosted Local Activation Service
Microsoft Hosted Activation Services One-time Activation with Microsoft’s Hosted Activation Services
Services
OOB DNS SRV Record: _vlmcs._tcp Confirmation ID (CID): Microsoft® Hosted Activation Services
Out-of-Box Activation response from Send IID and Receive CID
OOT KMS 3 Microsoft
Internet KMS Activation Threshold Examples
Out-of-Tolerance Register 1 Discover KMS 4 MAK Internet
1 Install KMS requires a minimum number of computers in a
OS One time – Phone or Online Key DNS network environment, called the activation threshold, to 1 1
DNS
Operating System activate KMS client machines. Activation threshold for
®
One time – Phone or Online
Windows Vista is twenty-five physical computers. For Active Directory
PKey 2 KMS Host 2 Windows Server 2008 it is five physical computers.
5 MAK
Product Key Service 2 2
4 Volume Activation
SA Management Tool 5
Windows Windows KMS Activation
Software Assurance 3 Windows Server 2008 Server Vista Host Count KMS Activation Status
Computer (VAMT) Windows Server® 2008
2008 On KMS Host
SRV KMS Host 2 Information 2 5
4 4 1 1 5 Windows Server 2008 List (CIL) – 3 MAK
DNS Service Record CMID / Date Stamp Only 2
XML File Windows
VLSC Machine1 CMID 7/11/08 00:00:00
1 4 1 5 Windows Server 2008
Machine2 CMID 7/11/08 00:00:00 Only Vista®
Volume License Service Center ...maximum of 50 CMIDs cached for 30 days
5 1 1 1 2 None
SP Windows Vista CIL XML file saved with VAMT Remote WMI (local admin required)
Client Machine ID (CMID) – Value cached (with Both
Service Pack 4 22 1 26 containing computers, MAK Firewall – exception, Local subnet (default)
timestamp) on the KMS host during activation. Date
VAMT is updated on client renewal. keys, CIDs, and other
machine information used
Volume Activation during activation.
Management Tool
Understanding the KMS Activation Process KMS Reference Information
VPN Understanding the MAK Activation Process
KMS Host Setup MAK Reference
Virtual Private Network Default activation method for volume builds of MAK Independent Activation Information
1 Install “KMS” key on KMS Host using SLMGR Command.
VL Windows Vista and Windows Server 2008.
Distribute MAK using VAMT, as part of an image, using change product key wizard or
1
2 KMS host is activated with the KMS key using Microsoft’s Hosted Activation Services. The Multiple Activation Key (MAK) is
Volume License Each KMS key can activate 6 KMS hosts up to 10
using a WMI script.
3 KMS Service registers SRV resource records in DNS each time KMS Service is started. used for one-time perpetual
WAN times each. 2 MAK client(s) connect once to Microsoft via Internet (SSL) for activation or use telephone. activation with Microsoft’s hosted
Wide Area Network KMS Client interaction with KMS Host Significant hardware changes will require reactivation. activation services. MAK
Each KMS host enables unlimited number of Independent activation is via phone
WGA 1 Discover KMS host using registry entry. If no entry then query DNS for KMS SRV record. activations. or online.
MAK Proxy Using VAMT
Windows Genuine Advantage 2 Send RPC request to KMS host on 1688/TCP by default (~250b).
Each MAK has a predetermined
KMS clients are activated for 180 days. number of allowed activations,
WMI 1 Find machine(s) from Microsoft Active Directory or through network discovery APIs.
· Generate client machine ID (CMID). based on an organization’s volume
Windows Management · Assemble and sign request (AES encryption). Configurable parameters (KMS host) are Renewal license agreement.
2 Apply MAK and collect Installation ID (IID) using WMI.
· On failure, retry (2 hours for machine in Grace, 7 days for (KMS) activated machine). Interval (7d), Retry Interval (2h), and Port (1688)
Instrumentation KMS is autonomous (no replication of data between
MAK Proxy activation (VAMT)
3 3 Optionally export machine information to XML file (Computer Information List - CIL).
KMS host adds CMID to table. x86, English Only.
XML hosts).
Windows® XP SP2 or greater,
4 KMS host returns activation count to client. Connect to Microsoft over Internet (SSL) and obtain corresponding Confirmation ID (CID).
Extensible Markup Language KMS activation threshold is cumulative between OS
4
Optionally update CIL XML file with CIDs. Windows Vista, Windows Server
5 KMS client evaluates count vs. license policy and activates itself if the activation threshold is met. 2003, and Windows Server 2008.
types.
· Store KMS host Product ID, intervals, and client hardware ID in license store. 5 Activate MAK Proxy client(s) by applying CID (optionally import updated XML file first).
· On success automatically attempt to renew activation every 7 days (default). Significant hardware changes will require reactivation.

Microsoft Windows Volume Activation 2.0 Timeline Volume Activation 2.0 License States

Windows
WindowsActivation
Activation2.0
2.0Operations
Operation
Days 0 15 30 60 90 120 150 180 210 235 A Windows Vista or Windows Server 2008 machine can be in one of 3
states: Grace, Licensed, or Notifications.
Installation

Install Machine
Activation can be performed anytime when the system is in grace. 1 Machine is in Out-Of-Box (OOB) grace after initial installation.
Initial Grace (OOB) Rearm Machine
Initial

30d/60d Rearm Machine Initial Grace (OOB) is 30 days for Windows Vista and 60 days for Windows 2 To activate, install a product key (MAK) and activate online/via phone or
Initial Grace (OOB)
Initial Grace (OOB) Rearm Machine Server 2008. discover a KMS host (KMS) and activate over the network.
30d/60d
30d/60d Initial Grace (OOB) Notifications
All OOT grace periods = 30d
Rearm Machine
30d/60d 3 If a machine fails to activate (or reactivate with KMS) then it will transition
All editions can be Rearmed up to 3 times. to Notifications.
3 times per machine Windows Vista Enterprise SP1 can be Rearmed up to 5 times.
4 A machine can transition from Notifications to Licensed by following Step 2 .
5 For significant hardware changes the machine may fall Out-of-Tolerance
Install Machine Install MAK Key
(OOT) and enter grace. A machine can transition from grace by activating
Initial Grace (OOB) Activate with Microsoft (phone or internet)
MAK Activation

30d/60d Machine (Step 2 ).

Successful activation from OOB – Indefinite 6 If a machine fails an online validation then it will transition to Notifications.
MAK
Install key 7 Activate by following Step 2 and validate (http://www.microsoft.com/genuine)
Install Machine Hardware
Initial Grace (OOB)
to transition from Notifications to Licensed.
Change
30d/60d Machine
Successful activation from OOB – Indefinite
Out of Tolerance
MAK (OOT) Grace Notifications
MAK
30d
Licensed Licensed
Machine (Activated)
Machine can be activated at
any time online or via phone. Successful activation from OOT - Indefinite
7 6

2 4 2
Activate and validate
5
KMS expires
HW OOT or

Install KMS Host Key

Activate

Not Licensed
Activate

Fail WGA validation

Install Machine Activate with Microsoft (phone or internet)
Initial Grace (OOB)
30d/60d KMS Host (Grace)
Successfully Activated - Indefinite
KMS Same behavior as a MAK activated machine, including hardware change
Install key
Activate

Install Machine
Notifications
KMS Activation

Initial Grace (OOB) Install

30d/60d Attempt every 2h OOB Grace OOT Grace
1
Machine
7d Successful activation from OOB
180d
expires
Grace

OOT Grace
expires
Grace

30d Notifications 3 3
Renewal attempt
Every 7d
Machine
Successful renew at 7d
Every renewal restarts 180d Notifications
Hardware
Machine Change Notifications Notifications
Successfully activated machine
180d Grace period expiration: must WGA validation failure:
OOT Grace - 30d Notifications activate or reactivate. must activate with
Reactivation attempt every 2h authorized key and pass
Machine will automatically
validation.
Machine
activate as soon as it can
180d
discover the KMS host.

Planning for Activation Deployment and Management

KMS is the recommended activation method for computers that are well connected to the organization's core network or that have periodic
connectivity. MAK activation is the recommended activation method for computers that are offsite with limited connectivity or that cannot connect Volume Activation 2.0 Resources Monitoring and Management Tools
to the core network, even intermittently. Resources Tools to monitor and manage the activation status of volume license editions of Windows Vista and Windows Server 2008.

Determine activation methods by assessing how different groups of computers connect to the network Microsoft Volume Activation Management Option Activation Methods Notes
http://www.microsoft.com/technet/volumeactivation
Built in capabilities All SLMGR VBS
Infrastructure Options Recomendations Tools
WMI Interface
Event Logs
If physical machines ≥ KMS activation threshold: Volume Activation Management Tool (VAMT) Public APIs
Small organization (<100 machines): KMS host = 1 http://go.microsoft.com/fwlink/?LinkID=77533 Volume Activation MAK / MAK Proxy Discovery via AD DS , Workgroup, IP or machine name
Medium organization (>100 machines): KMS host ≥ 1 Management Tool (VAMT) Proxy Activate 1 or more machines with Microsoft
Core Ethernet
KMS host on Windows Server 2003 Cache CIDs and reapply to rebuild/reimage hardware
Connected LAN Enterprise: KMS host > 1 http://go.microsoft.com/fwlink/?LinkID=82964
Microsoft Operations KMS KMS MOM Pack (http://go.microsoft.com/fwlink/?linkid=83216)
Most common scenario KMS Management Pack for System Center Operations Manager 2005 Event Reporting and activation monitoring
If physical machines ≤ KMS activation threshold: http://go.microsoft.com/fwlink/?LinkId=110332
Manager 2005 (MOM)
MAK (phone or internet) Core KMS Microsoft Systems Management
MAK and KMS Collect and report activation client data
MAK Proxy Host Server (SMS) SP3
Secure If firewalls can be opened between clients and existing KMS host:
Use KMS host(s) in Core network
Volume Activation 2.0 Image Management
Branch office, secure network If policy prevents firewall modification: The following process diagram explains how to manage image creation and the Rearm count. Rearm is used to reset the activation timer (back to OOB Grace).
segment, DMZ If physical machines > KMS activation threshold, use a local KMS host 1 The /generalize parameter for Sysprep.exe resets the activation timer, security identifier, and other important parameters. Resetting the activation timer prevents the image’s grace period from expiring before the image is
Well-connected LAN, zoned MAK (phone or internet) or MAK Proxy deployed. Each time /generalized is used, the Rearm count is reduced by one. Once a system has a Rearm=0, /generalize may not longer be used to create a reference image.
2 By activating with KMS, the Rearm count is increased to 1, thereby allowing /generalize to create a new reference image.
If physical machines ≥ KMS activation threshold:
Isolated KMS host = 1 (per isolated network) 1 Install OS and Sysprep / Install Sysprep / Install 2
applications on Sysprep / Activate with KMS Install Sysprep / Activate with KMS Install Sysprep /
Isolated, Lab/Development, If physical machines ≤ KMS activation threshold: Reference System generalize Update 1 generalize Update 2 (Rearm = 1) Update 1 generalize (Rearm = 1) Update 2 generalize
No activation (rearm) generalize
or Short Term Use MAK (phone)
MAK Proxy (Sneakernet) Archive Reference Archive Reference Archive Reference
Image Image Image
Roaming For clients that connect periodically to Core: New Reference Image #2
(Rearm = 2) (Rearm = 1) (Rearm = 0) New Reference Image #1
Use the KMS host(s) in Core network (ReArm = 0)
Or (Rearm = 0)
For clients that never connect to Core or have no internet access:
Disconnected MAK (phone) Archive Installation Details
Install Sysprep / Archive Reference
For air-gapped networks: Reference Image Install Sysprep /
Update 1 generalize Image Volume Editions of Windows Vista and Windows Server 2008 are KMS clients by default.
No connectivity to the If physical machines ≥ KMS activation threshold, (Rearm = 2) Update 1& 2 generalize
(Rearm = 2)
internet/Core Small organization: KMS host = 1 The MAK is added to a reference image in the “specialize” pass, in the unattend.xml. The MAK is stored
Medium organization: KMS host ≥ 1 Archive Reference Archive Reference in clear text in the unattended text file, as required by the setup process. At the end of the process, it is
Enterprise: KMS host > 1 Image Image deleted from the unattend.xml.
Roaming machines connect If physical machines ≤ KMS activation threshold, (Rearm = 1) (Rearm = 1)
periodically at Core or via VPN MAK or MAK Proxy (Sneakernet)

Microsoft Windows Volume Activation 2.0 Reference Guide

More information is available on the Volume
More information is available at TechNet Vista Springboard
Activation 2.0 Center on TechNet at
http://www.microsoft.com/springboard
http://www.microsoft.com/technet/volumeactivation

©2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. The information in this document represents the view of Microsoft on the content. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.