Acronyms

Volume License Basics

Volume Activation Key Management

AD DS
Active Directory Domain Services
Volume license offering for Windows 7 is an upgrade license and requires
a qualifying Windows client operating system. Volume License offerings
for Windows Server 2008 R2 are full licenses.

VL keys are organized by Product Group.

Customers receive 1 MAK per group and 1 KMS per
Product Group.

VLSC allows management of VL agreements, download of licensed

products, provides access to product keys, viewing of Microsoft License
Statements, and reporting of VL entitlements.

CIL
Computer Information List
CMID
Client Machine ID

With volume license media, no product key is required during setup and
there is a 30 day grace period to activate software after installation.

DNS
Domain Name System

Volume license customers typically get media kits for Windows 7 and
Windows Server 2008 R2.

IID
Installation ID

For more information:

http://www.microsoft.com/licensing
https://licensing.microsoft.com/eLicense

Volume
Volume Product
Product Group
Group Contains
Contains

Windows Vista and Windows Server 2008 KMS keys follow the same
hierarchy (groups VL, A, B, C) as Windows 7 and Windows Server 2008 R2.
The primary difference to note is that the Windows 7 and Windows Server
2008 R2 KMS keys can be used to activate down-level operating systems as
well (Windows Vista and Windows Server 2008).

Windows Client VL
Windows 7 Professional
Windows 7 Enterprise
Server Group A Windows Server 2008 R2
Windows Web Server 2008 R2
Windows Server 2008 R2 HPC Edition
Windows HPC Server 2008 R2
Server Group B Windows Server 2008 R2
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Server Group C Windows Server 2008 R2
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 for Itanium-based Systems

MAK
Multiple Activation Key

MAK Keys

Windows Vista and Windows Server 2008 MAK keys follow the same
hierarchy (groups VL, A, B, C) as Windows 7 and Windows Server 2008 R2.

KMS Activation Threshold Examples

DNS SRV Record: _vlmcs._tcp

OS
Operating System

1
One time Phone or Online

SRV
DNS Service Resource Record

Install
Key

4 Discover KMS

Register
DNS

KMS Host
Service

VLSC
Volume License Service Center

Windows Server 2008 R2

KMS Host

SP
Service Pack

Number of...
Activation
Windows Windows
Count
Servers Clients On KMS Host

CMID / Date Stamp

Machine1 CMID 7/11/08 00:00:00
Machine2 CMID 7/11/08 00:00:00
...maximum of 50 CMIDs cached for 30 days

VAMT
Volume Activation Management Tool

8
Windows 7

Client Machine ID (CMID) Value cached (with

timestamp) on the KMS host during activation. Date
is updated on client renewal.

VPN
Virtual Private Network

WAN
Wide Area Network

Install KMS host key on designated system using SLMGR Command.

KMS host is activated with the KMS key using Microsofts Hosted Activation Services.

If enabled, the KMS Service registers SRV resource records in DNS each time KMS
Service is started and once per day.

Windows Server Only

Windows Server Only

None

WMI
Windows Management Instrumentation

22

26

XML
Extensible Markup Language

KMS host returns activation count to client.

KMS client evaluates count vs. license policy and activates itself if the activation threshold is met.
Store KMS host Product ID, intervals, and client hardware ID in license store.
On success automatically attempt to renew activation every 7 days (default).

One time Phone or Online

Initial
Installation

15

30

KMS activation threshold is cumulative between OS

editions, and physical and virtual machines.

Install Machine
Initial Grace (OOB)
30d

90

60
Rearm Machine
Initial Grace (OOB)
30d

Rearm Machine
Initial Grace (OOB)
30d

Rearm Machine
Initial Grace (OOB)
30d

Rearm Machine
3 times per machine

Windows Server 2008 R2

5
MAK

2
Windows 7

MAK Reference
Information

Distribute MAK using VAMT, as part of an image, using the change product
key wizard or using a WMI script.

MAK client(s) connect once to Microsoft via Internet (SSL) for activation or
use telephone. Significant hardware changes will require reactivation.

The Multiple Activation Key (MAK)

is used for one-time perpetual
activation with Microsofts hosted
activation services. MAK
Independent activation is via
phone or online.
Each MAK has a predetermined
number of allowed activations,
based on an organizations
volume license agreement.

Find machine(s) from Microsoft Active Directory or through network

discovery APIs.

Apply MAK and collect Installation ID (IID) using WMI.

Optionally export machine information to XML file (Computer Information List

- CIL).
Connect to Microsoft over Internet (SSL) and obtain corresponding
Confirmation ID (CID). Optionally update CIL XML file with CIDs.

CIL XML file saved with VAMT

can contain computers, MAK
keys, CIDs, and other machine
information used during
activation.It is also possible to
save the CIL without any sensitive
data (IID and Product ID only).

Activate MAK Proxy client(s) by applying CID (optionally import updated XML
file first). Significant hardware changes will require reactivation.

Volume Activation License States

150

Notifications

Use DNS to enable automatic discovery of the KMS

hosts; Add Priority and Weight parameters to define which
KMS host to balance traffic among multiple hosts

120

MAK

Volume Activation
Management Tool
(VAMT)

Microsoft Windows Volume Activation Timeline

Days

Internet

MAK Proxy Using VAMT

Each KMS host is autonomous (no replication of data

between hosts).

Server Group C

MAK Independent Activation

Configurable parameters (KMS host) are Renewal Interval

(7d), Retry Interval (2h), and Port (1688)

KMS host adds CMID to table.

Server Group C
Windows Server 2008 R2

Understanding the MAK Activation Process

Discover KMS host using registry entry. If no entry then query DNS for KMS SRV record.

Server Group B

Windows Client and

Server

KMS clients are activated for 180 days.

Send RPC request to KMS host on 1688/TCP by default (~250b).

Generate client machine ID (CMID).
Assemble and sign request (AES encryption).
On failure, retry (2 hours for machine in Grace, 7 days for (KMS) activated machine).

Server Group B
Windows Server 2008 R2

Remote WMI (local admin required)

Firewall exception, Local subnet (default)

Each KMS key can activate 6 KMS hosts up to 10 times

each. There are no limits on the number of clients that
can be activated.

KMS Client interaction with KMS Host

4

Server Group A

Computer
Information
List (CIL)
XML File

Default activation method for volume builds of Windows

7,Windows Server 2008 R2, Windows Vista and Windows
Server 2008.

Server Group A
Windows Server 2008 R2

MAK

KMS Reference Information

KMS Host Setup

VLSC
Volume License Service Center

Active Directory

What OS will
Activate?

Understanding the KMS Activation Process

VL
Volume License

What
What Systems
Systems Are
Are Activated
Activated
With
With This
This MAK
MAK Key?
Key?
Windows 7 Client VL Group

Volume
Volume Product
Product Group
Group

The activation threshold for Windows client (Windows 7

and Windows Vista) is twenty-five computers. For
Windows server (Windows Server 2008 R2 and Windows
Server 2008) it is five computers. This count is
cumulative and can contain both clients and servers.

Server Group C
Windows Server 2008 R2

Send IID and Receive CID

Beginning with Service Pack 2 for Windows Vista and

Windows Server 2008, the threshold includes both
physical and virtual machines.

DNS

Server Group A
Server Group B
Windows 7 Client VL Group
Server Group A
Server Group B
Server Group C
Windows 7 Client VL Group

Microsoft Hosted Activation Services

Confirmation ID (CID):
Activation response from
Microsoft

KMS requires a minimum number of computers to

connect within a 30 day period, called the activation
threshold, to activate KMS client machines.

KMS

Server Group B
Windows Server 2008 R2

One-time Activation with Microsofts Hosted Activation Services

Customer-Hosted Local Activation Service

Internet

Server Group A
Windows 7 Client VL Group

Multiple Activation Key (MAK)

Microsoft Hosted Activation Services

OOT
Out-of-Tolerance

Server Group A
Windows Server 2008 R2

Windows Client VL

MAK keys are lateral in nature. This means they activate the products
within a particular Volume Product Group only. For example, to MAK
activate Windows 7, you will use the Windows Client VL MAK key for
Windows 7. To MAK activate Windows Vista, you will use the Windows
Client VL MAK key for Windows Vista.

Key Management Service (KMS)

OOB
Out-of-Box

Windows Client VL

KMS host on a Windows client operating system can only activate Windows
clients (Windows 7 and Windows Vista). KMS host on Windows Server
operating system can activate both clients and servers.

KMS
Key Management Service

MVLS
Microsoft Volume Licensing
Services

KMS keys are hierarchical in nature. The KMS Host key is used to activate
the KMS service on a designated host system. The KMS Client key is a
generic key installed by default on volume media. The KMS client keys are
non-customer specific (one key per product edition) and can be found in the
prescriptive guidance on TechNet or in VAMT. This key is also used to
transition a MAK activated system to a KMS client.

KMS Host Key Hierarchy

CID
Confirmation ID

What
What Clients
Clients Are
Are Activated
Activated By
By
aa KMS
KMS Host
Host With
With This
This Key?
Key?
Windows 7 Client VL Group

Volume
Volume Product
Product Group
Group

KMS Keys

Volume License Keys

180

210

Windows
Activation
2.0 Operation
Operations
Windows
Activation

235

A Windows 7 or Windows Server 2008 R2 machine can be in one of 3

states: Grace, Licensed, or Notifications.

Activation can be performed anytime when the system is in grace.

1 Machine is in Out-Of-Box (OOB) grace after initial installation.

Initial Grace (OOB) = 30 days for Windows 7 and Windows Server 2008 R2.

2 To activate, install a product key (MAK) and activate online/via phone or

discover a KMS host (KMS) and activate over the network.

Out of Tolerance (OOT) grace = 30 days.

3 If a machine fails to activate then it will transition to Notifications. If a

machine fails to reactivate, it will transition to OOT then Notifications.

All editions can be Rearmed up to 3 times.

4 A machine can transition from Notifications to Licensed by following Step 2 .

5 For significant hardware changes the machine may fall Out-of-Tolerance
(OOT) and enter grace. This will happen if KMS activation expires as well.
A machine can transition from grace by activating (Step 2 ).
6 If a machine fails an online validation then it will transition to Notifications.
This machine is non-genuine.

Install MAK Key

Activate with Microsoft (phone or internet)
Machine
Successful activation from OOB Indefinite

MAK

7 To activate a non-genuine machine, follow Step 2 and validate (http://

www.microsoft.com/genuine) to transition from Notifications to Licensed.

Hardware
Change
Out of Tolerance
(OOT) Grace
30d

Notifications

KMS Activation

Grace
(Not Licensed)

KMS Host
Successfully Activated - Indefinite
Same behavior as a MAK activated machine, including hardware change

Notifications

Install
1
Machine
Successful activation from OOB
180d

7d

OOT Grace
30d

Renewal attempt
Every 7d

OOT Grace - 30d

Reactivation attempt every 2h

Notifications

Machine will automatically

activate as soon as it can
discover the KMS host.

Volume Activation Resources

Secure
Branch office, secure network
segment, Bastion host
Well-connected LAN, zoned

Recomendations

Management Option

Notifications

Grace period expiration: must

activate or reactivate.

Validation failure: must

activate with authorized key
and pass validation.

KMS Management Pack for System Center Operations Manager 2007

http://go.microsoft.com/fwlink/?LinkId=110332

All

Volume Activation
Management Tool (VAMT)

MAK / MAK Proxy

System Center Operations

Manager 2007

KMS

Ethernet

KMS update for Windows Vista and Windows Server 2008

http://support.microsoft.com/kb/968912
KMS 1.2 for Windows Server 2003
http://support.microsoft.com/kb/968915

Core KMS
Host

If firewalls can be opened between clients and existing KMS host:

Use KMS host(s) in Core network

Tools to monitor and manage the activation status of volume license editions of
Windows 7, Windows Vista, Windows Server 2008 R2 and Windows Server 2008.

Activation Methods

Built in capabilities

If physical and virtual machines KMS activation threshold:

Small organization (<100 machines): KMS host = 1
Medium organization (>100 machines): KMS host 1
Enterprise: KMS host > 1
If physical and virtual machines KMS activation threshold:
MAK (phone or internet)
MAK Proxy

Notifications

Monitoring and Management Tools

Volume Activation Management Tool (VAMT): VAMT 1.2 is a part of Windows

Automated Installation Kit (AIK)
http://go.microsoft.com/fwlink/?LinkId=136976

Determine activation methods by assessing how different groups of computers connect to the network

Connected LAN
Most common scenario

OOT Grace

Deployment and Management

KMS is the recommended activation method for computers that are well connected to the organization's core network or that have periodic
connectivity. MAK activation is the recommended activation method for computers that are offsite with limited connectivity or that cannot connect
to the core network, even intermittently.

Core

Machine
180d

Planning for Activation

Infrastructure Options

Notifications

Hardware
Change

Machine
Successfully activated machine
180d

OOB Grace

Notifications

Machine
Successful renew at 7d
Every renewal restarts 180d

Fail WGA validation

Install KMS Host Key

Activate with Microsoft (phone or internet)

KMS
Install key
Install Machine
Initial Grace (OOB)
30d Attempt every 2h

Activate

Install Machine
Initial Grace (OOB)
30d

(Activated)

Activate and validate

Machine can be activated at

any time online or via phone.

Licensed

Licensed

Machine
Successful activation from OOT - Indefinite

HW OOT or
KMS expires

MAK

Activate

MAK

Grace
expires

Machine
Successful activation from OOB Indefinite

Grace
expires

Install key
Install Machine
Initial Grace (OOB)
30d

Activate

MAK Activation

Install Machine
Initial Grace (OOB)
30d

System Center Configuration

Manager 2007 R2

Notes
SLMGR VBS and SLUI.EXE
WMI Interface
Event Logs
Discovery via AD DS , Workgroup, IP or machine name
Proxy Activate one or more machines with Microsoft
Cache CIDs and reapply to rebuild/reimage hardware
Event Reporting and health monitoring
Collect and report activation client data
http://technet.microsoft.com/en-us/library/bb680578.aspx

All

Volume Activation Image Management

If policy prevents firewall modification:

If physical and virtual machines > KMS activation threshold, use a local KMS host
MAK (phone or internet) or MAK Proxy

The following process diagram explains how to manage image creation and the Rearm count. Rearm is used to reset the activation timer (back to OOB Grace).
1 The /generalize parameter for Sysprep.exe resets the activation timer, security identifier, and other important parameters. Resetting the activation timer prevents the images grace period from expiring
before the image is deployed. Each time /generalized is used, the Rearm count is reduced by one. Once a system has a Rearm=0, /generalize may not longer be used to create a reference image.

If physical and virtual machines KMS activation threshold:

KMS host = 1 (per isolated network)

Isolated
Isolated, Lab/Development,
or Short Term Use

If physical and virtual machines KMS activation threshold:

No activation (rearm)
MAK (phone)
MAK Proxy (Sneakernet)

Roaming
Or
Disconnected
No connectivity to the
internet/Core
Roaming machines connect
periodically at Core or via VPN

For clients that connect periodically to Core:

Use the KMS host(s) in Core network
For clients that never connect to Core or have no internet access:
MAK (phone)
For air-gapped networks:
If physical and virtual machines KMS activation threshold,
Small organization: KMS host = 1
Medium organization: KMS host 1
Enterprise: KMS host > 1
If physical and virtual machines KMS activation threshold,
MAK or MAK Proxy (Sneakernet)

Where the Rearm = 0, activating with KMS will increase the count by 1, thereby allowing /generalize to create a new reference image.
1

Install OS and
applications on
Reference System

Sysprep /
generalize

Install
Update 1

Archive Reference
Image
(Rearm = 2)
Archive
Reference Image
(Rearm = 2)

Install
Update 1

Sysprep /
generalize
Archive Reference
Image
(Rearm = 1)

Sysprep /
generalize
Archive Reference
Image
(Rearm = 1)

Archive Reference
Image
(Rearm = 2)

Install
Update 2

Sysprep /
generalize

Archive Reference
Image
(Rearm = 0)

Install
Update 1& 2

Activate with KMS

(Rearm = 1)

Install
Update 1

Sysprep /
generalize

Activate with KMS

(Rearm = 1)

New Reference Image #1

(Rearm = 0)

Install
Update 2

Sysprep /
generalize

New Reference Image #2

(Rearm = 0)

Sysprep /
generalize
Archive Reference
Image
(Rearm = 1)

Microsoft Windows Volume Activation Reference Guide

More information is available on the Volume
Activation Center on TechNet at
http://www.technet.com/volumeactivation

Publication Date: October 2009

More information is available at TechNet Windows 7

Springboard http://www.microsoft.com/springboard

2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. The information in this document represents the view of Microsoft on the content. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.