deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fixing conflicts

Browse Source
This commit is contained in:
Dani Halfin
2020-05-05 17:46:51 -07:00
parent fa27d7af38 9ad38a614a
commit 19f93f949d
658 changed files with 8303 additions and 6333 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
windows/deployment/volume-activation/configure-client-computers-vamt.md
View File

@ -5,14 +5,14 @@ ms.custom: seo-marvel-apr2020
ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc
ms.reviewer:
manager: laurawi
author: greg-lindsay
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.date: 04/30/2020
ms.topic: article
---
@ -20,26 +20,27 @@ ms.topic: article
To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers:
- An exception must be set in the client computer's firewall.
- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.
- An exception must be set in the client computer's firewall.
- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.
Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
**Important**  
This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933).
> [IMPORTANT]  
> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
## Configuring the Windows Firewall to allow VAMT access
Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
1. Open Control Panel and double-click **System and Security**.
2. Click **Windows Firewall**.
3. Click **Allow a program or feature through Windows Firewall**.
4. Click the **Change settings** option.
5. Select the **Windows Management Instrumentation (WMI)** checkbox.
6. Click **OK**.
**Warning**  
By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
1. Open Control Panel and double-click **System and Security**.
2. Click **Windows Firewall**.
3. Click **Allow a program or feature through Windows Firewall**.
4. Click the **Change settings** option.
5. Select the **Windows Management Instrumentation (WMI)** checkbox.
6. Click **OK**.
**Warning**  
By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
## Configure Windows Firewall to allow VAMT access across multiple subnets
@ -47,50 +48,54 @@ Enable the VAMT to access client computers across multiple subnets using the **W
![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**.
3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**.
3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel.
5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box.
- On the **General** tab, select the **Allow the connection** checkbox.
- On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
- On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
- On the **General** tab, select the **Allow the connection** checkbox.
- On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
- On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911).
In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://support.microsoft.com/help/929851).
## Create a registry value for the VAMT to access workgroup-joined computer
**Caution**  
This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912).
> [WARNING]  
> This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://support.microsoft.com/help/256986).
On the client computer, create the following registry key using regedit.exe.
1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
2. Enter the following details:
**Value Name: LocalAccountTokenFilterPolicy**
**Type: DWORD**
**Value Data: 1**
**Note**  
To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
2. Enter the following details:
- **Value Name: LocalAccountTokenFilterPolicy**
- **Type: DWORD**
- **Value Data: 1**
> [NOTE]
> To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
## Deployment options
There are several options for organizations to configure the WMI firewall exception for computers:
- **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
- **Manual.** Configure the WMI firewall exception individually on each client.
- **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
- **Manual.** Configure the WMI firewall exception individually on each client.
The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
## Related topics
- [Install and Configure VAMT](install-configure-vamt.md)

160
windows/deployment/volume-activation/install-vamt.md
View File

@ -1,80 +1,80 @@
---
title: Install VAMT (Windows 10)
description: This article is a guide to help you learn how to install the Volume Activation Management Tool (VAMT).
ms.custom: seo-marvel-apr2020
ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 03/11/2019
ms.topic: article
---
# Install VAMT
This topic describes how to install the Volume Activation Management Tool (VAMT).
## Install VAMT
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!IMPORTANT]
>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
>[!NOTE]
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
### Requirements
- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express)
- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP
### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer
1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
2. Select **Basic**.
3. Accept the license terms.
4. Enter an install location or use the default path, and then select **Install**.
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
### Install VAMT using the ADK
1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
Reminder: There won't be new ADK release for 1909.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
6. On the completion page, select **Close**.
### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server
1. Open **Volume Active Management Tool 3.1** from the Start menu.
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
for remote SQL Server use
servername.yourdomain.com
## Uninstall VAMT
To uninstall VAMT using the **Programs and Features** Control Panel:
1. Open **Control Panel** and select **Programs and Features**.
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
---
title: Install VAMT (Windows 10)
description: Install VAMT
ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 03/11/2019
ms.topic: article
---
# Install VAMT
This topic describes how to install the Volume Activation Management Tool (VAMT).
## Install VAMT
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!IMPORTANT]
>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
>[!NOTE]
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
### Requirements
- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
- Alternatively, any supported **full** SQL instance
### Install SQL Server Express / alternatively use any full SQL instance
1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
2. Select **Basic**.
3. Accept the license terms.
4. Enter an install location or use the default path, and then select **Install**.
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
### Install VAMT using the ADK
1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
Reminder: There won't be new ADK release for 1909.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
6. On the completion page, select **Close**.
### Configure VAMT to connect to SQL Server Express or full SQL Server
1. Open **Volume Active Management Tool 3.1** from the Start menu.
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
for remote SQL Server use
servername.yourdomain.com
## Uninstall VAMT
To uninstall VAMT using the **Programs and Features** Control Panel:
1. Open **Control Panel** and select **Programs and Features**.
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.