mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr
commit
7fc0109906
@ -1129,6 +1129,16 @@
|
||||
"source_path": "windows/deployment/windows-10-missing-fonts.md",
|
||||
"redirect_url": "/windows/deployment/windows-missing-fonts",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deployment/volume-activation/volume-activation-windows-10.md",
|
||||
"redirect_url": "/windows/deployment/volume-activation/volume-activation-windows",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deployment/volume-activation/activate-windows-10-clients-vamt.md",
|
||||
"redirect_url": "/windows/deployment/volume-activation/activate-windows-clients-vamt",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -39,7 +39,7 @@ For information on customizing the Start menu layout using policy, see [Customiz
|
||||
- [Start/HideUserTile](/windows/client-management/mdm/policy-csp-start#start-hideusertile)
|
||||
- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
|
||||
- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
|
||||
- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 1. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored.
|
||||
- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 11. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored.
|
||||
|
||||
The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.
|
||||
|
||||
|
@ -16,13 +16,9 @@
|
||||
- name: Prepare servicing strategy for Windows client updates
|
||||
href: update/waas-servicing-strategy-windows-10-updates.md
|
||||
- name: Deployment proof of concept
|
||||
items:
|
||||
- name: Deploy Windows 10 with MDT and Configuration Manager
|
||||
items:
|
||||
- name: 'Step by step guide: Configure a test lab to deploy Windows 10'
|
||||
href: windows-10-poc.md
|
||||
- name: Deploy Windows 10 in a test lab using MDT
|
||||
href: windows-10-poc-mdt.md
|
||||
- name: Deploy Windows 10 in a test lab using Configuration Manager
|
||||
href: windows-10-poc-sc-config-mgr.md
|
||||
- name: Deployment process posters
|
||||
@ -79,10 +75,6 @@
|
||||
href: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- name: Configure BranchCache for Windows client updates
|
||||
href: update/waas-branchcache.md
|
||||
- name: Prepare your deployment tools
|
||||
items:
|
||||
- name: Prepare for deployment with MDT
|
||||
href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
|
||||
- name: Prepare for deployment with Configuration Manager
|
||||
href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
|
||||
- name: Build a successful servicing strategy
|
||||
@ -112,16 +104,6 @@
|
||||
href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
|
||||
- name: In-place upgrade
|
||||
href: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
|
||||
- name: Deploy Windows client with MDT
|
||||
items:
|
||||
- name: Deploy to a new device
|
||||
href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
|
||||
- name: Refresh a device
|
||||
href: deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
|
||||
- name: Replace a device
|
||||
href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
|
||||
- name: In-place upgrade
|
||||
href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
|
||||
- name: Deploy Windows client updates
|
||||
items:
|
||||
- name: Assign devices to servicing channels
|
||||
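Review bot: The four `deploy-windows-mdt/` articles under "Deploy Windows client with MDT" drop out of the TOC in this hunk (16 lines down to 6), but the redirect entries visible in this commit only cover the two renamed volume-activation files. If the MDT articles are being retired, add redirects for them. If they stay published, they are now unreachable from the TOC and the other articles in this commit no longer link to them.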
@ -185,15 +167,15 @@
|
||||
- name: Volume Activation
|
||||
items:
|
||||
- name: Overview
|
||||
href: volume-activation/volume-activation-windows-10.md
|
||||
href: volume-activation/volume-activation-windows.md
|
||||
- name: Plan for volume activation
|
||||
href: volume-activation/plan-for-volume-activation-client.md
|
||||
- name: Activate using Key Management Service
|
||||
href: volume-activation/activate-using-key-management-service-vamt.md
|
||||
- name: Activate using Active Directory-based activation
|
||||
href: volume-activation/activate-using-active-directory-based-activation-client.md
|
||||
- name: Activate clients running Windows 10
|
||||
href: volume-activation/activate-windows-10-clients-vamt.md
|
||||
- name: Activate clients running Windows
|
||||
href: volume-activation/activate-windows-clients-vamt.md
|
||||
- name: Monitor activation
|
||||
href: volume-activation/monitor-activation-client.md
|
||||
- name: Use the Volume Activation Management Tool
|
||||
|
@ -17,7 +17,7 @@ ms.date: 10/27/2022
|
||||
|
||||
- Windows 10
|
||||
|
||||
This article will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
|
||||
This article will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation.
|
||||
|
||||
A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms.date: 10/27/2022
|
||||
|
||||
In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
|
||||
|
||||
In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
|
||||
In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006.
|
||||
|
||||
## Infrastructure
|
||||
|
||||
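Review bot: The rewritten sentence in the replace article still ends with "restore this backup of PC0004 onto PC006", while the same sentence names the new device PC0006. The line is already being edited to drop the MDT link, so correct it to PC0006 so the backup source and restore target are unambiguous.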
@ -221,11 +221,11 @@ Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager
|
||||
|
||||
## Related articles
|
||||
|
||||
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
|
||||
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
|
||||
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
|
||||
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
|
||||
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
|
||||
[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
|
||||
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
|
||||
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
|
||||
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
|
||||
- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
|
||||
- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
|
||||
- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
|
||||
- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
|
||||
- [Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
|
||||
- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
|
||||
- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
|
||||
|
@ -20,7 +20,7 @@ ms.date: 05/09/2023
|
||||
|
||||
> [!IMPORTANT]
|
||||
> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
|
||||
> - We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
> - As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
|
||||
|
||||
|
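Review bot: "Enteprise" in the new bullet ("public preview of Microsoft Connected Cache for Enteprise and Education") is misspelled and should be "Enterprise". The same sentence is added to the other Connected Cache files in this commit, so fix each copy.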
@ -32,14 +32,13 @@ To deploy MCC to your server:
|
||||
1. [Verify MCC functionality](#verify-mcc-server-functionality)
|
||||
1. [Review common Issues](#common-issues) if needed.
|
||||
|
||||
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
|
||||
|
||||
### Provide Microsoft with the Azure subscription ID
|
||||
|
||||
As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step.
|
||||
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
|
||||
|
||||
|
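Review bot: In the "Provide Microsoft with the Azure subscription ID" section, the replacement note says onboarding is paused, yet the sentence above it still states that "an Azure subscription ID must be provided to Microsoft" as part of preview onboarding, and the earlier warning that you can't proceed without this step has no counterpart. State explicitly whether a reader whose subscription isn't on the allowlist can continue with the deployment steps or should stop here until public preview.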
@ -19,16 +19,16 @@ ms.date: 11/07/2023
|
||||
# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
|
||||
|
||||
> [!NOTE]
|
||||
> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
## Enterprise requirements for MCC
|
||||
|
||||
1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
|
||||
|
||||
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
|
||||
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription costs you nothing. If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
|
||||
|
||||
The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
|
||||
1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
|
||||
1. **Hardware to host MCC**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
|
||||
|
||||
> [!NOTE]
|
||||
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
|
||||
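Review bot: The updated hardware item reads "downloading a 2-GB payload in 24-hour timeframe"; the article is missing, so make it "in a 24-hour timeframe" while the line is being revised.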
@ -36,7 +36,7 @@ ms.date: 11/07/2023
|
||||
**EFLOW requires Hyper-V support**
|
||||
- On Windows client, enable the Hyper-V feature.
|
||||
- On Windows Server, install the Hyper-V role and create a default network switch.
|
||||
- For additional requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
|
||||
- For more requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
|
||||
|
||||
Disk recommendations:
|
||||
- Using an SSD is recommended as cache read speed of SSD is superior to HDD
|
||||
@ -44,7 +44,7 @@ ms.date: 11/07/2023
|
||||
NIC requirements:
|
||||
- Multiple NICs on a single MCC instance aren't supported.
|
||||
- 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
|
||||
- For best performance, NIC and BIOS should support SR-IOV
|
||||
- For best performance, NIC and BIOS should support SR-IOV.
|
||||
|
||||
VM networking:
|
||||
- An external virtual switch to support outbound and inbound network communication (created during the installation process)
|
||||
|
@ -38,7 +38,7 @@ Microsoft Connected Cache (MCC) for Internet Service Providers is currently in p
|
||||
## Microsoft Connected Cache for Enterprise and Education (early preview)
|
||||
|
||||
> [!NOTE]
|
||||
> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md).
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
### YamlMime:Hub
|
||||
### YamlMime:Landing
|
||||
|
||||
title: Deploy and update Windows # < 60 chars; shows at top of hub page
|
||||
summary: Learn about deploying and updating Windows client devices in your organization. # < 160 chars
|
||||
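Review bot: The inline comment on the `title:` line still says "shows at top of hub page" although the header is now `### YamlMime:Landing` and `ms.topic` changes to `landing-page` in the next hunk. Update the comment to say "landing page" so the template guidance matches the page type.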
@ -6,7 +6,7 @@ summary: Learn about deploying and updating Windows client devices in your organ
|
||||
metadata:
|
||||
title: Windows client deployment documentation # Required; browser tab title displayed in search results. Include the brand. < 60 chars.
|
||||
description: Learn about deploying and updating Windows client devices in your organization. # Required; article description that is displayed in search results. < 160 chars.
|
||||
ms.topic: hub-page
|
||||
ms.topic: landing-page
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-deploy
|
||||
ms.collection:
|
||||
@ -15,16 +15,16 @@ metadata:
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
manager: aaroncz
|
||||
ms.date: 01/18/2024
|
||||
ms.date: 04/01/2024
|
||||
localization_priority: medium
|
||||
|
||||
# common graphics: https://review.learn.microsoft.com/content-production-service/internal/image-gallery?branch=main
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
|
||||
|
||||
productDirectory:
|
||||
title: Get started
|
||||
items:
|
||||
- title: Plan
|
||||
imageSrc: /media/common/i_overview.svg
|
||||
landingContent:
|
||||
|
||||
- title: Plan
|
||||
linkLists:
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Plan for Windows 11
|
||||
url: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
@ -39,8 +39,9 @@ productDirectory:
|
||||
- text: Plan for volume activation
|
||||
url: volume-activation/plan-for-volume-activation-client.md
|
||||
|
||||
- title: Prepare
|
||||
imageSrc: /media/common/i_tasks.svg
|
||||
- title: Prepare
|
||||
linkLists:
|
||||
- linkListType: get-started
|
||||
links:
|
||||
- text: Prepare for Windows 11
|
||||
url: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
@ -55,8 +56,9 @@ productDirectory:
|
||||
- text: Prepare for imaging with Configuration Manager
|
||||
url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
|
||||
|
||||
- title: Deploy
|
||||
imageSrc: /media/common/i_deploy.svg
|
||||
- title: Deploy
|
||||
linkLists:
|
||||
- linkListType: deploy
|
||||
links:
|
||||
- text: Deploy Windows with Autopilot
|
||||
url: /mem/autopilot/tutorial/autopilot-scenarios
|
||||
@ -71,12 +73,9 @@ productDirectory:
|
||||
- text: Check release health
|
||||
url: update/check-release-health.md
|
||||
|
||||
additionalContent:
|
||||
sections:
|
||||
- title: Solutions
|
||||
items:
|
||||
|
||||
- title: Windows Autopilot
|
||||
- title: Windows Autopilot
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Overview
|
||||
url: /mem/autopilot/windows-autopilot
|
||||
@ -87,7 +86,9 @@ additionalContent:
|
||||
- text: Learn more about Windows Autopilot >
|
||||
url: /mem/autopilot
|
||||
|
||||
- title: Windows Autopatch
|
||||
- title: Windows Autopatch
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: What is Windows Autopatch?
|
||||
url: windows-autopatch/overview/windows-autopatch-overview.md
|
||||
@ -98,7 +99,9 @@ additionalContent:
|
||||
- text: Learn more about Windows Autopatch >
|
||||
url: windows-autopatch/index.yml
|
||||
|
||||
- title: Windows Update for Business
|
||||
- title: Windows Update for Business
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: What is Windows Update for Business?
|
||||
url: update/waas-manage-updates-wufb.md
|
||||
@ -109,7 +112,9 @@ additionalContent:
|
||||
- text: Windows Update for Business reports overview
|
||||
url: update/wufb-reports-overview.md
|
||||
|
||||
- title: Optimize and cache content
|
||||
- title: Optimize and cache content
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: What is Delivery Optimization?
|
||||
url: do/waas-delivery-optimization.md
|
||||
@ -120,7 +125,9 @@ additionalContent:
|
||||
- text: Learn more about Delivery Optimization >
|
||||
url: do/index.yml
|
||||
|
||||
- title: In-place upgrade and imaging
|
||||
- title: In-place upgrade and imaging
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Upgrade Windows using Configuration Manager
|
||||
url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
|
||||
@ -131,7 +138,9 @@ additionalContent:
|
||||
- text: Resolve Windows upgrade errors
|
||||
url: upgrade/resolve-windows-upgrade-errors.md
|
||||
|
||||
- title: Licensing and activation
|
||||
- title: Licensing and activation
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Plan for volume activation
|
||||
url: volume-activation/plan-for-volume-activation-client.md
|
||||
@ -144,10 +153,12 @@ additionalContent:
|
||||
- text: Windows commercial licensing overview
|
||||
url: /windows/whats-new/windows-licensing
|
||||
|
||||
- title: More resources
|
||||
items:
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
|
||||
|
||||
- title: Release and lifecycle
|
||||
- title: More resources
|
||||
linkLists:
|
||||
- linkListType: reference
|
||||
# Release and lifecycle
|
||||
links:
|
||||
- text: Windows release health dashboard
|
||||
url: /windows/release-health
|
||||
@ -155,26 +166,17 @@ additionalContent:
|
||||
url: /windows/whats-new/feature-lifecycle
|
||||
- text: Lifecycle FAQ - Windows
|
||||
url: /lifecycle/faq/windows
|
||||
|
||||
- title: Windows hardware
|
||||
- linkListType: download
|
||||
# Windows hardware
|
||||
links:
|
||||
- text: Download and install the Windows ADK
|
||||
url: /windows-hardware/get-started/adk-install
|
||||
- text: Deployment tools
|
||||
url: /windows-hardware/manufacture/desktop/boot-and-install-windows
|
||||
# - text:
|
||||
# url:
|
||||
# - text:
|
||||
# url:
|
||||
|
||||
- title: Community
|
||||
- linkListType: whats-new
|
||||
# Community
|
||||
links:
|
||||
- text: Windows IT pro blog
|
||||
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
|
||||
- text: Windows office hours
|
||||
url: https://aka.ms/windows/officehours
|
||||
# - text:
|
||||
# url:
|
||||
# - text:
|
||||
# url:
|
||||
|
||||
|
@ -82,7 +82,7 @@ sections:
|
||||
- question: |
|
||||
Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
|
||||
answer: |
|
||||
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
|
||||
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md).
|
||||
|
||||
- question: |
|
||||
Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
|
||||
|
@ -13,7 +13,7 @@ ms.localizationpriority: medium
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
ms.date: 09/08/2023
|
||||
ms.date: 04/04/2024
|
||||
---
|
||||
|
||||
# How to check Windows release health
|
||||
@ -85,6 +85,18 @@ You can sign up for email notifications about Windows known issues and informati
|
||||
> [!Note]
|
||||
> When a single known issue affects multiple versions of Windows, you'll receive only one email notification, even if you've selected notifications for multiple versions. Duplicate emails won't be sent.
|
||||
|
||||
## Working with the Windows updates API in Microsoft Graph
|
||||
<!--8884260-->
|
||||
If you'd like to develop an alternative way to get information on known issues documented within the Windows release health section in the admin center, you can use the Windows updates API in [Microsoft Graph](/graph/api/overview).
|
||||
|
||||
The Windows updates API has current and historical known issues data for any supported Windows product. You can check if an issue is confirmed, and if a resolution is available before calling support or spending time troubleshooting.
|
||||
|
||||
The Windows updates API also has product lifecycle information. For instance, you can search for end of servicing dates for all supported Windows versions and editions you manage in your organization. For more information on how to access these known issue and lifecycle data, see [Microsoft Graph product resource type](/graph/api/resources/windowsupdates-product).
|
||||
|
||||
> [!Note]
|
||||
> These Windows data sets are currently under the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?view=graph-rest-beta&preserve-view=true).
|
||||
|
||||
|
||||
## Status definitions
|
||||
|
||||
In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows:
|
||||
|
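Review bot: The new "Working with the Windows updates API in Microsoft Graph" section doesn't say which Microsoft Graph permission a caller needs to read known issues and lifecycle data. Name the required permission here, or link to where it's listed, so admins can grant an app only that scope. Also, "these known issue and lifecycle data" should read "this known issue and lifecycle data".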
@ -14,7 +14,7 @@ ms.localizationpriority: medium
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
ms.date: 08/29/2023
|
||||
ms.date: 04/05/2024
|
||||
---
|
||||
|
||||
# Deploy expedited updates with Windows Update for Business deployment service
|
||||
@ -55,10 +55,10 @@ All of the [prerequisites for the Windows Update for Business deployment service
|
||||
|
||||
## List catalog entries for expedited updates
|
||||
|
||||
Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=1` and ordering by `ReleaseDateTimeshows` displays the most recent update that can be deployed as expedited.
|
||||
Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security and nonsecurity<!--8891502--> quality updates that can be deployed as expedited updates by the deployment service. Using `$top=2` and ordering by `ReleaseDateTimeshows` displays the most recent updates that can be deployed as expedited.
|
||||
|
||||
```msgraph-interactive
|
||||
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=1
|
||||
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=2
|
||||
```
|
||||
|
||||
The following truncated response displays a **Catalog ID** of `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5` for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update:
|
||||
|
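Review bot: The revised paragraph keeps the run-together text "ordering by `ReleaseDateTimeshows` displays", which names a property that doesn't appear in the query; the request uses `$orderby=releaseDateTime desc`. Change it to "ordering by `releaseDateTime` displays". With `$top=2` and nonsecurity updates now included, also check that the sentence introducing the truncated response still describes what the query returns, since it refers to a single security update.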
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Activate using Active Directory-based activation
|
||||
description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
|
||||
description: Learn how active directory-based activation is implemented as a role service that relies on Active Directory Domain Services (ADDS) to store activation objects.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
author: frankroj
|
||||
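Review bot: The new `description:` expands the acronym as "Active Directory Domain Services (ADDS)", where the previous text used "AD DS", the standard abbreviation. Use "(AD DS)" here and in the matching body sentence in the next hunk so the abbreviation is consistent with the wording it replaces.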
@ -8,135 +8,140 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: how-to
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
- ✅ Microsoft Office
|
||||
---
|
||||
|
||||
# Activate using Active Directory-based activation
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows
|
||||
- Windows Server
|
||||
- Office
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using `adprep.exe` on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
|
||||
Active Directory-based activation is implemented as a role service that relies on Active Directory Domain Services (ADDS) to store activation objects. Active Directory-based activation requires updating the forest schema with `adprep.exe` on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
|
||||
|
||||
Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
|
||||
Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) is activated automatically and transparently. Domain-joined computers stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts ADDS automatically, receives the activation object, and is activated without user intervention.
|
||||
|
||||
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console, or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
|
||||
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console, or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the ADDS forest. The activation object is created by submitting a Key Management Service (KMS) host key to Microsoft, as shown in Figure 10.
|
||||
|
||||
The process proceeds as follows:
|
||||
|
||||
1. Do *one* of the following tasks:
|
||||
|
||||
- Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard.
|
||||
- Install the Volume Activation Services server role on a domain controller, then add a KMS host key by using the Volume Activation Tools Wizard.
|
||||
|
||||
- Extend the domain schema level to Windows Server 2012 R2 or later. Then add a KMS host key by using the VAMT.
|
||||
- Extend the domain schema level to Windows Server 2012 R2 or later, then add a KMS host key by using the VAMT.
|
||||
|
||||
2. Microsoft verifies the KMS host key, and an activation object is created.
|
||||
1. Microsoft verifies the KMS host key, and an activation object is created.
|
||||
|
||||
3. Client computers are activated by receiving the activation object from a domain controller during startup.
|
||||
1. Client computers are activated by receiving the activation object from a domain controller during startup.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
|
||||
**Figure 10**. The Active Directory-based activation flow
|
||||
|
||||
For environments in which all computers are running a supported OS version, and they're joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers. You may be able to remove any KMS hosts from your environment.
|
||||
For environments where all computers are domain joined and running a supported OS version, Active Directory-based activation is the best option for activating client computers and servers. Active Directory-based activation might allow removal of any KMS hosts from the environment. If an environment contains one of the following items:
|
||||
|
||||
If an environment will continue to contain earlier versions of volume licensed operating systems and applications, or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status.
|
||||
- Earlier versions of volume licensed operating systems and applications
|
||||
- Workgroup computers outside the domain
|
||||
|
||||
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain. They'll periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
|
||||
a KMS host is still needed to maintain activation status.
|
||||
|
||||
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object can't be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, Windows will change the status to "not activated" and the computer will try to activate with KMS.
|
||||
Clients that are activated with Active Directory-based activation maintain their activated state for up to 180 days since the last contact with the domain. They periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
|
||||
|
||||
When a reactivation event occurs, the client queries ADDS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and the GVLK match, then reactivation occurs. If the ADDS object can't be retrieved, client computers use KMS activation. If the computer is removed from the domain and the computer or the Software Protection service is restarted, Windows changes the status to **Not Activated** and the computer tries to activate with KMS.
|
||||
|
||||
## Step-by-step configuration: Active Directory-based activation
|
||||
|
||||
> [!NOTE]
|
||||
> You must be a member of the local **Administrators** group on all computers mentioned in these steps. You also need to be a member of the **Enterprise Administrators** group, because setting up Active Directory-based activation changes forest-wide settings.
|
||||
>
|
||||
> The administrator following these steps must be a member of the local **Administrators** group on all computers mentioned in these steps. Additionally, they also need to be a member of the **Enterprise Administrators** group, because setting up Active Directory-based activation changes forest-wide settings.
|
||||
|
||||
To configure Active Directory-based activation on a supported version of Windows Server, complete the following steps:
|
||||
|
||||
1. Use an account with **Domain Administrator** and **Enterprise Administrator** credentials to sign in to a domain controller.
|
||||
|
||||
2. Launch **Server Manager**.
|
||||
1. Launch **Server Manager**.
|
||||
|
||||
3. Add the **Volume Activation Services** role, as shown in Figure 11.
|
||||
1. Add the **Volume Activation Services** role, as shown in Figure 11.
|
||||
|
||||

|
||||
|
||||
**Figure 11**. Adding the Volume Activation Services role
|
||||
|
||||
4. Select the **Volume Activation Tools**, as shown in Figure 12.
|
||||
1. Select the **Volume Activation Tools**, as shown in Figure 12.
|
||||
|
||||

|
||||
|
||||
**Figure 12**. Launching the Volume Activation Tools
|
||||
|
||||
5. Select the **Active Directory-Based Activation** option, as shown in Figure 13.
|
||||
1. Select the **Active Directory-Based Activation** option, as shown in Figure 13.
|
||||
|
||||

|
||||
|
||||
**Figure 13**. Selecting Active Directory-Based Activation
|
||||
|
||||
6. Enter your KMS host key and optionally specify a display name, as shown in Figure 14.
|
||||
1. Enter the organization's KMS host key and optionally specify a display name, as shown in Figure 14.
|
||||
|
||||

|
||||

|
||||
|
||||
**Figure 14**. Entering your KMS host key
|
||||
**Figure 14**. Entering the organization's KMS host key
|
||||
|
||||
7. Activate your KMS host key by phone or online, as shown in Figure 15.
|
||||
1. Activate the organization's KMS host key by phone or online, as shown in Figure 15.
|
||||
|
||||

|
||||

|
||||
|
||||
**Figure 15**. Choosing how to activate your product
|
||||
**Figure 15**. Choosing how to activate the product
|
||||
|
||||
> [!NOTE]
|
||||
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
|
||||
> To activate a KMS Host Key/Customer Specific Volume License Key (CSVLK) for Microsoft Office, the version-specific Office Volume License Pack needs to be installed on the server where the Volume Activation Server Role is installed.
|
||||
>
|
||||
> - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
|
||||
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164).
|
||||
>
|
||||
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
|
||||
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342).
|
||||
>
|
||||
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
|
||||
>
|
||||
> - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
|
||||
> - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446).
|
||||
>
|
||||
> For more information, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
|
||||
|
||||
8. After activating the key, select **Commit**, and then select **Close**.
|
||||
1. After activating the key, select **Commit**, and then select **Close**.
|
||||
|
||||
## Verifying the configuration of Active Directory-based activation
|
||||
|
||||
To verify your Active Directory-based activation configuration, complete the following steps:
|
||||
To verify the Active Directory-based activation configuration, complete the following steps:
|
||||
|
||||
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that's configured by volume licensing.
|
||||
1. After configuring Active Directory-based activation, start a computer running an edition of Windows configured by volume licensing.
|
||||
|
||||
2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK. Run the `slmgr.vbs /ipk` command and specifying the GLVK as the new product key.
|
||||
1. If the computer was previously configured with a MAK key, replace the MAK key with the GVLK. Run the `slmgr.vbs /ipk` command and specifying the GVLK as the new product key.
|
||||
|
||||
3. If the computer isn't joined to your domain, join it to the domain.
|
||||
1. If the computer isn't joined to the organization's domain, join it to the domain.
|
||||
|
||||
4. Sign in to the computer.
|
||||
1. Sign in to the computer.
|
||||
|
||||
5. Open Windows Explorer, right-click **Computer**, and then select **Properties**.
|
||||
1. Open Windows Explorer, right-click **Computer**, and then select **Properties**.
|
||||
|
||||
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
|
||||
1. Scroll down to the **Windows activation** section, and verify that this client is activated.
|
||||
|
||||
> [!NOTE]
|
||||
> If you're using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that hasn't already been activated by KMS. The `slmgr.vbs /dlv` command also indicates whether KMS has been used.
|
||||
>
|
||||
> If using both KMS and Active Directory-based activation, it might be difficult to determine is a client was activated with KMS or by Active Directory-based activation. During the test, consider disabling KMS, or ensure to use a client computer not already activated by KMS. The `slmgr.vbs /dlv` command also indicates if KMS was used.
|
||||
>
|
||||
> To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md).
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
[Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
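Review bot: The rewritten NOTE in the verification section reads "it might be difficult to determine is a client was activated with KMS", where "is" should be "if"; in the next sentence, "ensure to use a client computer not already activated by KMS" would read better as "or use a client computer that isn't already activated by KMS". The second verification step still says "Run the `slmgr.vbs /ipk` command and specifying the GVLK", which should be "and specify". Separately, the sentence that now begins "If an environment contains one of the following items:" is only completed after the bullet list by "a KMS host is still needed to maintain activation status."; a sentence split around a list renders as a stray lowercase paragraph, so consider "A KMS host is still needed to maintain activation status if the environment contains either of the following items:" followed by the list.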
@ -8,7 +8,7 @@ author: frankroj
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/16/2023
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: how-to
|
||||
ms.collection:
|
||||
- highpri
|
||||
@ -55,7 +55,7 @@ KMS can be activated on client versions of Windows by using the `slmgr.vbs`. To
|
||||
cscript.exe slmgr.vbs /ipk <KMS_Key>
|
||||
```
|
||||
|
||||
1. Once the KMS key has been installed, it needs to be activated using one of the following methods:
|
||||
1. Once the KMS key is installed, it needs to be activated using one of the following methods:
|
||||
|
||||
- To activate online, in the elevated Command Prompt window, run the following command:
|
||||
|
||||
@ -85,11 +85,11 @@ KMS can be activated on client versions of Windows by using the `slmgr.vbs`. To
|
||||
|
||||
## Key Management Service in Windows Server
|
||||
|
||||
Installing a KMS host key on a computer running Windows Server allows you to activate computers running the same or earlier versions of Windows Server. Additionally, it also allows activation of client versions of Windows.
|
||||
Installing a KMS host key on a computer running Windows Server allows activation of computers running the same or earlier versions of Windows Server. Additionally, it also allows activation of client versions of Windows.
|
||||
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
> You can't install a client KMS key into the KMS in Windows Server.
|
||||
> A client KMS key can't be installed into the KMS in Windows Server.
|
||||
|
||||
### Configure KMS in Windows Server
|
||||
|
||||
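Review bot: The rewritten opening paragraph of the "Key Management Service in Windows Server" section still ends with "Additionally, it also allows activation of client versions of Windows.", where "Additionally" and "also" say the same thing; drop one of them while this line is being touched.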
@ -125,7 +125,7 @@ Installing a KMS host key on a computer running Windows Server allows you to act
|
||||
|
||||
1. In the **Introduction to Volume Activation Tools**/**Introduction** page, select the **Next >** button.
|
||||
|
||||
1. In the **Select Volume Activation Method**/**Activation Type** page, select the **Key Management Service (KMS)** option, and specify the computer that acts as the KMS host. This computer can be the server on which the KMS role was installed, or another server/client computer. After the server/computer has been specified, select the **Next >** button.
|
||||
1. In the **Select Volume Activation Method**/**Activation Type** page, select the **Key Management Service (KMS)** option, and specify the computer that acts as the KMS host. This computer can be the server on which the KMS role was installed, or another server/client computer. After the server/computer is specified, select the **Next >** button.
|
||||
|
||||
1. In the **Manage KMS Host**/**Product Key Management** page, enter in the KMS host key in the text box under **Install your KMS host key**, and then select the **Commit** button.
|
||||
|
||||
@ -165,27 +165,27 @@ KMS volume activation can be verified from the KMS host server or from the clien
|
||||
|
||||
> [!NOTE]
|
||||
>
|
||||
> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that doesn't first try to activate itself by using Active Directory-based activation. For example, a client computer that is a workgroup computer that isn't joined to a domain.
|
||||
> If Active Directory-based activation was configured before configuring KMS activation, a client computer must be used that doesn't first try to activate itself by using Active Directory-based activation. For example, a client computer that is a workgroup computer that isn't joined to a domain.
|
||||
|
||||
To verify that KMS volume activation works, complete the following steps:
|
||||
|
||||
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
|
||||
|
||||
2. On a client computer, open an elevated Command Prompt window and run the command:
|
||||
1. On a client computer, open an elevated Command Prompt window and run the command:
|
||||
|
||||
```cmd
|
||||
cscript.exe slmgr.vbs /ato
|
||||
```
|
||||
|
||||
The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
|
||||
The `/ato` command causes the operating system to attempt activation by using whichever key is installed in the operating system. The response should show the license state and detailed Windows version information.
|
||||
|
||||
3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command
|
||||
1. On a client computer or the KMS host, open an elevated Command Prompt window and run the command
|
||||
|
||||
```cmd
|
||||
cscript.exe slmgr.vbs /dlv
|
||||
```
|
||||
|
||||
The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated.
|
||||
The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client isn't activated.
|
||||
|
||||
For more information about the use and syntax of the script `slmgr.vbs`, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
|
||||
|
||||
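Review bot: In the NOTE at the top of this hunk, the passive rewrite "a client computer must be used that doesn't first try to activate itself" separates "client computer" from its relative clause and is harder to follow than the line it replaces; "use a client computer that doesn't first try to activate itself by using Active Directory-based activation" avoids the second person without the inversion. The sentence after it, "For example, a client computer that is a workgroup computer that isn't joined to a domain.", is a fragment. The third step's "run the command" is also missing the colon that the second step has.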
@ -193,6 +193,6 @@ For more information about the use and syntax of the script `slmgr.vbs`, see [Sl
|
||||
>
|
||||
> Clients require RPC over TCP/IP connectivity to the KMS host to successfully activate. For more information, see [Key Management Services (KMS) activation planning: Network requirements](/windows-server/get-started/kms-activation-planning#network-requirements) and [Remote Procedure Call (RPC) errors troubleshooting guidance](/troubleshoot/windows-client/networking/rpc-errors-troubleshooting).
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Key Management Services (KMS) activation planning](/windows-server/get-started/kms-activation-planning).
|
||||
|
@ -1,141 +0,0 @@
|
||||
---
|
||||
title: Activate clients running Windows 10 (Windows 10)
|
||||
description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Activate clients running Windows 10
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2022
|
||||
- Windows Server 2019
|
||||
- Windows Server 2016
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
|
||||
After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
|
||||
|
||||
Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
|
||||
|
||||
If activation or reactivation is required, the following sequence occurs:
|
||||
|
||||
1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
|
||||
|
||||
2. If the computer isn't a member of a domain or if the volume activation object isn't available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer's GVLK.
|
||||
|
||||
3. The computer tries to activate against Microsoft servers if it's configured with a MAK.
|
||||
|
||||
If the client isn't able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
|
||||
|
||||
## How Key Management Service works
|
||||
|
||||
KMS uses a client-server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
|
||||
|
||||
### Key Management Service activation thresholds
|
||||
|
||||
You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
|
||||
|
||||
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold aren't activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
|
||||
|
||||
When KMS clients are waiting for the KMS to reach the activation threshold, they'll connect to the KMS host every two hours to get the current activation count. They'll be activated when the threshold is met.
|
||||
|
||||
In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it's activated. If a computer running Windows 10 receives an activation count of 25 or more, it's activated.
|
||||
|
||||
### Activation count cache
|
||||
|
||||
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30 day period begins again. If a KMS client computer doesn't renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
|
||||
|
||||
However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
|
||||
The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
|
||||
|
||||
### Key Management Service connectivity
|
||||
|
||||
KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
|
||||
|
||||
### Key Management Service activation renewal
|
||||
|
||||
KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client computer retries every two hours. After a client computer's activation is renewed, the activation validity interval begins again.
|
||||
|
||||
### Publication of the Key Management Service
|
||||
|
||||
The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update isn't available or the KMS host doesn't have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
|
||||
|
||||
### Client discovery of the Key Management Service
|
||||
|
||||
By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
|
||||
|
||||
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. All currently supported versions of Windows and Windows Server provide these priority and weight parameters.
|
||||
|
||||
If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
|
||||
|
||||
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated, and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
|
||||
|
||||
### Domain Name System server configuration
|
||||
|
||||
The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
|
||||
The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
|
||||
|
||||
### Activating the first Key Management Service host
|
||||
|
||||
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host doesn't communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
|
||||
|
||||
### Activating subsequent Key Management Service hosts
|
||||
|
||||
Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization's KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
|
||||
|
||||
## How Multiple Activation Key works
|
||||
|
||||
A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization's exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
|
||||
|
||||
You can activate computers by using a MAK in two ways:
|
||||
|
||||
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that don't maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
|
||||
|
||||

|
||||
|
||||
**Figure 16**. MAK independent activation
|
||||
|
||||
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It's also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
|
||||
|
||||

|
||||
|
||||
**Figure 17**. MAK proxy activation with the VAMT
|
||||
|
||||
A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation doesn't meet the KMS activation threshold.
|
||||
|
||||
You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. Switching from KMS to a MAK is useful for moving a computer off the core network to a disconnected environment.
|
||||
|
||||
### Multiple Activation Key architecture and activation
|
||||
|
||||
MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
|
||||
|
||||
In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
|
||||
|
||||
## Activating as a standard user
|
||||
|
||||
Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 don't require administrator privileges for activation, but this change doesn't allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as "rearm."
|
||||
|
||||
## Related articles
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
@ -0,0 +1,158 @@
|
||||
---
|
||||
title: Activate clients running Windows
|
||||
description: Activate clients running Windows after configuring Key Management Service (KMS) or Active Directory-based activation.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Activate clients running Windows
|
||||
|
||||
> [!TIP]
|
||||
>
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
After Key Management Service (KMS) or Active Directory-based activation is configured in a network, activating a client running Windows is easy. If the computer is configured with a Generic Volume License Key (GVLK), IT or the user don't need to take any action. It just works.
|
||||
|
||||
Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
|
||||
|
||||
If activation or reactivation is required, the following sequence occurs:
|
||||
|
||||
1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object meets the following requirements:
|
||||
|
||||
- Matches the edition of the software that is installed
|
||||
- Has a matching GVLK
|
||||
|
||||
then the computer is activated (or reactivated). The computer doesn't need to activate again for 180 days although the operating system attempts reactivation at shorter, regular intervals.
|
||||
|
||||
1. If the computer isn't a member of a domain or if the volume activation object isn't available, the computer issues a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer's GVLK.
|
||||
|
||||
1. The computer tries to activate against Microsoft servers if it's configured with a MAK.
|
||||
|
||||
If the client isn't able to activate itself successfully, it periodically tries again. The frequency of the retry attempts depends on the current licensing state and whether the client computer successfully activated in the past. For example, if the client computer previously used Active Directory-based activation to activate, it periodically tries to contact the domain controller at each restart.
|
||||
|
||||
## How Key Management Service works
|
||||
|
||||
KMS uses a client-server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
|
||||
|
||||
### Key Management Service activation thresholds
|
||||
|
||||
Physical computers and virtual machines can activate by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers. This minimum is called the activation threshold. KMS clients will be activated only after this threshold is met. Each KMS host counts the number of computers that requested activation until the threshold is met.
|
||||
|
||||
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold aren't activated. For example, if the first two computers that contact the KMS host are running a currently supported version of Windows client, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine running a currently supported version of Windows client, it receives an activation count of 3, and so on. None of these computers are activated because an activation count of 25 or more must be reached.
|
||||
|
||||
When KMS clients are waiting for the KMS to reach the activation threshold, they connect to the KMS host every two hours to get the current activation count. They're activated once the threshold is met.
|
||||
|
||||
In our example, if the next computer that contacts the KMS host is running a currently supported version of Windows Server, it receives an activation count of 4 since activation counts are cumulative. If a computer running a currently supported version of Windows Server receives an activation count that is 5 or more, it's activated. If a computer running a currently supported version of Windows client receives an activation count of 25 or more, it's activated.
|
||||
|
||||
### Activation count cache
|
||||
|
||||
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30 day period begins again. If a KMS client computer doesn't renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
|
||||
|
||||
However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed sooner than 30 days.
|
||||
|
||||
The type of client computer that is attempting to activate sets the total size of the cache. For example, if a KMS host receives activation requests only from servers, the cache holds only 10 client IDs, twice the required threshold of 5. However, if a client computer running Windows client contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
|
||||
|
||||
### Key Management Service connectivity
|
||||
|
||||
KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action. However, the KMS hosts and client computers can be manually configured based on network configuration and security requirements.
|
||||
|
||||
### Key Management Service activation renewal
|
||||
|
||||
KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client computer retries every two hours. After a client computer's activation is renewed, the activation validity interval begins again.
|
||||
|
||||
### Publication of the Key Management Service
|
||||
|
||||
The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update isn't available or the KMS host doesn't have rights to publish the resource records, one of the following actions needs to be taken:
|
||||
|
||||
- The DNS records must be published manually.
|
||||
- Client computers must be configured to connect to specific KMS hosts.
|
||||
|
||||
### Client discovery of the Key Management Service
|
||||
|
||||
By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers. This feature allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
|
||||
|
||||
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows specifying which KMS host the client computers should try first and balances traffic among multiple KMS hosts. All currently supported versions of Windows and Windows Server provide these priority and weight parameters.
|
||||
|
||||
If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
|
||||
|
||||
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688, although the default port can be changed. After a client computer establishes a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold, the client computer is activated, and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
|
||||
|
||||
### Domain Name System server configuration
|
||||
|
||||
The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on:
|
||||
|
||||
- A DNS server that is running Microsoft software.
|
||||
- DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136).
|
||||
|
||||
For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
|
||||
The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record. This requirement needs to occur in each DNS domain that contains the KMS service (SRV) resource records.
|
||||
|
||||
### Activating the first Key Management Service host
|
||||
|
||||
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host doesn't communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
|
||||
|
||||
### Activating subsequent Key Management Service hosts
|
||||
|
||||
Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After a KMS host is activated, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, additional activations can be requested for an organization's KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
|
||||
|
||||
## How Multiple Activation Key works
|
||||
|
||||
A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization's exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
|
||||
|
||||
Computers can be activated by using a MAK in two ways:
|
||||
|
||||
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that don't maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
|
||||
|
||||

|
||||
|
||||
**Figure 16**. MAK independent activation
|
||||
|
||||
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. MAK proxy activation can be configured by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It's also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
|
||||
|
||||

|
||||
|
||||
**Figure 17**. MAK proxy activation with the VAMT
|
||||
|
||||
MAK is recommended for:
|
||||
|
||||
- Computers that rarely or never connect to the corporate network.
|
||||
- Environments in which the number of computers that require activation doesn't meet the KMS activation threshold.
|
||||
|
||||
MAK can be used for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. MAK can also be used on a computer that was originally configured to use KMS activation. Switching from KMS to a MAK is useful for moving a computer off the core network to a disconnected environment.
|
||||
|
||||
### Multiple Activation Key (MAK) architecture and activation
|
||||
|
||||
MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
|
||||
|
||||
In MAK proxy activation, the VAMT:
|
||||
|
||||
- Installs a MAK product key on a client computer.
|
||||
- Obtains the installation ID from the target computer.
|
||||
- Sends the installation ID to Microsoft on behalf of the client.
|
||||
- Obtains a confirmation ID.
|
||||
|
||||
The tool then activates the client computer by installing the confirmation ID.
|
||||
|
||||
## Activating as a standard user
|
||||
|
||||
Currently supported versions of Windows don't require administrator privileges for activation. However, an administrator account is still required for other activation or license-related tasks, such as "rearm."
|
||||
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
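Review bot: in the "Domain Name System server configuration" section, "Berkeley Internet Domain Name versions 8.x and 9.x" has the product name transposed; BIND stands for Berkeley Internet Name Domain. In the same section there is no blank line between that sentence and "The KMS host must be configured so that it has the credentials needed...", so the two will render as one paragraph. The second bullet ("DNS server that supports service (SRV) resource records...") dropped the "any other" that the previous wording had and now starts without an article. Separately, in "Activating subsequent Key Management Service hosts" the link text covers only "Licensing Activation Center" and leaves "Microsoft Volume" outside the brackets; move the opening bracket so the link covers the whole name.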
@ -1,19 +1,19 @@
|
||||
---
|
||||
title: Add and Manage Products (Windows 10)
|
||||
description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network.
|
||||
title: Add and Manage Products
|
||||
description: Add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, the products that are installed in the network can be managed.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Add and manage products
|
||||
|
||||
This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network.
|
||||
This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, the products that are installed in the network can be managed.
|
||||
|
||||
## In this Section
|
||||
|
||||
|
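Review bot: removing "(Windows 10)" from the title takes away the only statement of which Windows versions this article covers, and the front matter in this hunk has no appliesto list, unlike the other volume-activation files touched in this commit. Add an appliesto block here, or confirm that the omission is intended for the VAMT articles. The front-matter title is also title case ("Add and Manage Products") while the H1 is sentence case ("Add and manage products"), and "## In this Section" capitalizes "Section"; pick one casing.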
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Appendix Information sent to Microsoft during activation (Windows 10)
|
||||
title: Appendix Information sent to Microsoft during activation
|
||||
description: Learn about the information sent to Microsoft during activation.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
@ -8,73 +8,78 @@ author: frankroj
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Appendix: Information sent to Microsoft during activation
|
||||
|
||||
**Applies to:**
|
||||
> [!TIP]
|
||||
>
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
When a computer running a currently supported version of Windows is activated, the following information is sent to Microsoft:
|
||||
|
||||
**Looking for retail activation?**
|
||||
- The Microsoft product code (a five-digit code that identifies the Windows product being activated).
|
||||
|
||||
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
- A channel ID or site code that identifies how the Windows product was originally obtained. For example, a channel ID or site code identifies whether the product was:
|
||||
|
||||
When you activate a computer running Windows 10, the following information is sent to Microsoft:
|
||||
- Originally purchased from a retail store.
|
||||
- Obtained as an evaluation copy.
|
||||
- Obtained through a volume licensing program.
|
||||
- Preinstalled by a computer manufacturer.
|
||||
|
||||
- The Microsoft product code (a five-digit code that identifies the Windows product you're activating)
|
||||
- A channel ID or site code that identifies how the Windows product was originally obtained
|
||||
- The date of installation and whether the installation was successful.
|
||||
|
||||
For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
|
||||
- Information that helps confirm that the Windows product key isn't altered.
|
||||
|
||||
- The date of installation and whether the installation was successful
|
||||
- Information that helps confirm that your Windows product key hasn't been altered
|
||||
- Computer make and model.
|
||||
|
||||
- Computer make and model
|
||||
- Version information for the operating system and software.
|
||||
|
||||
- Version information for the operating system and software
|
||||
- Region and language settings.
|
||||
|
||||
- Region and language settings
|
||||
- A unique number called a *globally unique identifier* (GUID), which is assigned to the computer.
|
||||
|
||||
- A unique number called a *globally unique identifier*, which is assigned to your computer
|
||||
- Product key (hashed) and product ID.
|
||||
|
||||
- Product key (hashed) and product ID
|
||||
- BIOS name, revision number, and revision date.
|
||||
|
||||
- BIOS name, revision number, and revision date
|
||||
- Volume serial number (hashed) of the hard disk drive.
|
||||
|
||||
- Volume serial number (hashed) of the hard disk drive
|
||||
|
||||
- The result of the activation check
|
||||
- The result of the activation check.
|
||||
|
||||
This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
|
||||
|
||||
- The activation exploit's identifier
|
||||
- The identifier of the activation exploit.
|
||||
|
||||
- The activation exploit's current state, such as cleaned or quarantined
|
||||
- The current state of the activation exploit, such as cleaned or quarantined.
|
||||
|
||||
- Computer manufacturer's identification
|
||||
- Computer manufacturer's identification.
|
||||
|
||||
- The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
|
||||
- The file name and hash of the activation exploit in addition to a hash of related software components that might indicate the presence of an activation exploit.
|
||||
|
||||
- The name and a hash of the contents of your computer's startup instructions file
|
||||
- The name and a hash of the contents of the computer's startup instructions file.
|
||||
|
||||
- If your Windows license is on a subscription basis, information about how your subscription works
|
||||
- If the Windows license is on a subscription basis, information about how the subscription works.
|
||||
|
||||
Standard computer information is also sent, but your computer's IP address is only kept temporarily.
|
||||
Standard computer information is also sent, but the computer's IP address is only kept temporarily.
|
||||
|
||||
## Use of information
|
||||
|
||||
Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers.
|
||||
For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
|
||||
Microsoft uses the information to confirm a properly licensed copy of the software. Microsoft doesn't use the information to contact individual consumers.
|
||||
|
||||
## Related articles
|
||||
For more information, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
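Review bot: under "Use of information", the new sentence "Microsoft uses the information to confirm a properly licensed copy of the software" no longer says what is being confirmed; suggest "to confirm that the copy of the software is properly licensed". In the list above it, "isn't altered" replaces "hasn't been altered" and shifts the tense of a check on something that has already happened; "wasn't altered" keeps the meaning. "Computer manufacturer's identification." also still sits among the activation-exploit items (identifier, current state, file name and hash) although it describes the computer, so check that it belongs in that sub-list.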
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Install and Configure VAMT (Windows 10)
|
||||
title: Install and Configure VAMT
|
||||
description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
@ -7,7 +7,7 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
@ -22,8 +22,8 @@ This section describes how to install and configure the Volume Activation Manage
|
||||
|-------|------------|
|
||||
|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
|
||||
|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
|
||||
|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
|
||||
|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers in the network to work with VAMT. |
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Introduction to VAMT](introduction-vamt.md)
|
||||
- [Introduction to VAMT](introduction-vamt.md).
|
||||
|
@ -7,7 +7,7 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/13/2023
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
@ -22,11 +22,11 @@ appliesto:
|
||||
|
||||
This article describes how to install the Volume Activation Management Tool (VAMT). VAMT is installed as part of the Windows Assessment and Deployment Kit (ADK) for Windows.
|
||||
|
||||
>[!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
> VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you don't have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
|
||||
> VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer but administrator privileges aren't available, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
|
||||
|
||||
>[!NOTE]
|
||||
> [!NOTE]
|
||||
>
|
||||
> The VAMT Microsoft Management Console snap-in ships as an x86 package.
|
||||
|
||||
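Review bot: in the [!IMPORTANT] note, the reworded condition "but administrator privileges aren't available, start VAMT with elevated privileges" contradicts itself, because starting VAMT elevated requires those privileges; the previous "you don't have administrator privileges" read as the current session not being elevated. Suggest "but VAMT isn't running with administrator privileges, start VAMT with elevated privileges". The last sentence of the note still says "we recommend running VAMT while logged on as a domain administrator"; consider stating which rights Active Directory-based activation needs instead of recommending a domain administrator logon for the whole session.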
@ -50,9 +50,9 @@ This article describes how to install the Volume Activation Management Tool (VAM
|
||||
|
||||
1. In the **Specify SQL Server install location** screen under **INSTALL LOCATION \*:**, specify an install location or use the default path, and then select the **Install** button.
|
||||
|
||||
1. Once the installation is complete, in the **Installation Has completed successfully!** page, under **INSTANCE NAME**, note the instance name for the installation. The instance name will be used later in the [Configure VAMT to connect to SQL Server Express or full SQL Server](#configure-vamt-to-connect-to-sql-server-express-or-full-sql-server) section.
|
||||
1. Once the installation is complete, in the **Installation Has completed successfully!** page, under **INSTANCE NAME**, note the instance name for the installation. The instance name is used later in the [Configure VAMT to connect to SQL Server Express or full SQL Server](#configure-vamt-to-connect-to-sql-server-express-or-full-sql-server) section.
|
||||
|
||||
1. Once the instance name has been noted, select the **Close** button, and then select the **Yes** button to confirm exiting the installer.
|
||||
1. Once the instance name is noted, select the **Close** button, and then select the **Yes** button to confirm exiting the installer.
|
||||
|
||||
## Install VAMT using the ADK
|
||||
|
||||
@ -84,7 +84,7 @@ This article describes how to install the Volume Activation Management Tool (VAM
|
||||
|
||||
1. Next to **Database:**, add a name for the database.
|
||||
|
||||
1. Once the database server and database names have been entered, select the **Connect** button.
|
||||
1. Once the database server and database names are entered, select the **Connect** button.
|
||||
|
||||
1. Select the **Yes** button to create the database.
|
||||
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
title: Manage Activations (Windows 10)
|
||||
title: Manage Activations
|
||||
description: Learn how to manage activations and how to activate a client computer by using various activation methods.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
@ -1,19 +1,19 @@
|
||||
---
|
||||
title: Manage Product Keys (Windows 10)
|
||||
title: Manage Product Keys
|
||||
description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT).
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Manage Product Keys
|
||||
|
||||
This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product, or products you select in the VAMT database.
|
||||
This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After a product key is added to VAMT, that product key can be installed on a product, or products selected in the VAMT database.
|
||||
|
||||
## In this Section
|
||||
|
||||
|
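Review bot: In the reworded intro sentence, the comma in "installed on a product, or products selected in the VAMT database" splits the phrase so that "selected in the VAMT database" appears to apply only to "products". Suggest "installed on one or more products selected in the VAMT database".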
@ -1,12 +1,12 @@
|
||||
---
|
||||
title: Manage VAMT Data (Windows 10)
|
||||
title: Manage VAMT Data
|
||||
description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Monitor activation (Windows 10)
|
||||
title: Monitor activation
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
@ -9,34 +9,31 @@ author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Monitor activation
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
|
||||
The success of the activation process for a computer running Windows can be monitored in several ways. The most popular methods include:
|
||||
|
||||
- Using the Volume Licensing Service Center website to track use of MAK keys.
|
||||
|
||||
- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
|
||||
|
||||
- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
|
||||
- Using Windows Management Instrumentation (WMI) to view licensing status. WMI makes licensing status available to non-Microsoft or custom tools that can access WMI. Windows PowerShell can also be used to access WMI information.
|
||||
|
||||
- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
|
||||
|
||||
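Review bot: The list under "The most popular methods include:" is still not parallel after the WMI item was rewritten: the other items start with "Using ...", but the last visible one is a full sentence, "Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290)." Suggest rewording it to match, for example "Reviewing the Application event log, where most licensing actions and events are recorded (for example, events 12288-12290)", which also replaces "ex:".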
@ -44,8 +41,8 @@ You can monitor the success of the activation process for a computer running Win
|
||||
|
||||
- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
|
||||
|
||||
- The VAMT provides a single site from which to manage and monitor volume activations. This feature is explained in the next section.
|
||||
- The Volume Activation Management Tool (VAMT) provides a single site from which to manage and monitor volume activations. This feature is explained in the next section.
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
[Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
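Review bot: The VAMT bullet still ends with "This feature is explained in the next section.", but the next section in this file is "## Related content", which only links to the volume activation overview. Either link the sentence to the VAMT article or drop it. Also confirm that `volume-activation-windows.md` exists at that relative path in this commit, since the link target was renamed from `volume-activation-windows-10.md`.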
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Plan for volume activation (Windows 10)
|
||||
description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer.
|
||||
title: Plan for volume activation
|
||||
description: Product activation is the process of validating software with the manufacturer after it's installed on a specific computer.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
@ -9,33 +9,30 @@ author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Plan for volume activation
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and hasn't been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
|
||||
*Product activation* is the process of validating software with the manufacturer after it's installed on a specific computer. Activation confirms that the product is genuine and not a fraudulent copy. Activation also confirms that the product key or serial number is valid and isn't compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
|
||||
|
||||
During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they can't be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft doesn't use this information to identify or contact the user or the organization.
|
||||
During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information might include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they can't be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft doesn't use this information to identify or contact the user or the organization.
|
||||
|
||||
>[!NOTE]
|
||||
>
|
||||
>The IP address is used only to verify the location of the request, because some editions of Windows (such as "Starter" editions) can only be activated within certain geographical target markets.
|
||||
|
||||
## Distribution channels and activation
|
||||
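Review bot: The NOTE about IP address use near the end of this hunk still opens with `>[!NOTE]` and `>The IP address ...`, with no space after `>`, while the TIP above it and the alerts in the other files touched by this commit use `> [!NOTE]`. Suggest normalizing it in the same pass. In the rewritten definition paragraph, three sentences in a row now start with "Activation", two of them with "Activation also"; merging the second and third into one sentence would read better.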
@ -44,8 +41,9 @@ In general, Microsoft software is obtained through three main channels: retail,
|
||||
|
||||
### Retail activations
|
||||
|
||||
The retail activation method hasn't changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
|
||||
Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
|
||||
For retail activation, each purchased copy comes with one unique product key, often referred to as a retail key. The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
|
||||
|
||||
Other distribution scenarios also exist. Product key cards are available to activate products that are preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys might come with media that contains software, they can come as a software shipment, or they might be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
|
||||
|
||||
### Original equipment manufacturer
|
||||
|
||||
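Review bot: The second rewritten paragraph still presents "Windows Anytime Upgrade and Get Genuine" in the present tense as programs that "allow users to acquire legal keys separately from the software", while the rest of this commit replaces version-specific references with "currently supported versions". Please confirm these programs are still offered; if not, drop the sentence or reword it as historical. The new opening "Other distribution scenarios also exist." is also vaguer than the text it replaces; "Retail keys are also distributed in other ways." would keep the original meaning.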
@ -57,75 +55,75 @@ OEM activation is valid as long as the customer uses the OEM-provided image on t
|
||||
|
||||
Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft. There's a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
|
||||
|
||||
- Have the license preinstalled through the OEM
|
||||
- Have the license preinstalled through the OEM.
|
||||
- Purchase a fully packaged retail product.
|
||||
|
||||
- Purchase a fully packaged retail product
|
||||
The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. Before the upgrade rights obtained through volume licensing can be exercised, an existing retail or OEM operating system license is needed for each computer running currently supported versions of Windows.
|
||||
|
||||
The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
|
||||
|
||||
Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and Visual Studio Online. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
|
||||
Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and Visual Studio Codespace. These volume licenses might contain specific restrictions or other changes to the general terms applicable to volume licensing.
|
||||
|
||||
> [!NOTE]
|
||||
> Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
|
||||
>
|
||||
> Some editions of the operating system, such as Windows Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
|
||||
|
||||
## Activation models
|
||||
|
||||
For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps.
|
||||
For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department don't need to take any activation steps.
|
||||
|
||||
With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose:
|
||||
With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps track and manage keys. For each retail activation, the following options can be chosen:
|
||||
|
||||
- Online activation
|
||||
- Online activation.
|
||||
- Telephone activation.
|
||||
- VAMT proxy activation.
|
||||
|
||||
- Telephone activation
|
||||
Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation with retail keys is sometimes used when an IT department wants to centralize retail activations. VAMT can also be used when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, the best method or combination of methods must be determined to use in the environment. For currently supported versions of Windows Pro and Enterprise, one of the following three models can be chosen:
|
||||
|
||||
- VAMT proxy activation
|
||||
|
||||
Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
|
||||
|
||||
- MAKs
|
||||
|
||||
- KMS
|
||||
|
||||
- Active Directory-based activation
|
||||
- Multiple Activation Keys (MAK).
|
||||
- KMS.
|
||||
- Active Directory-based activation.
|
||||
|
||||
> [!NOTE]
|
||||
> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
|
||||
>
|
||||
> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact the Microsoft Account Team or service representative.
|
||||
|
||||
### Multiple activation key
|
||||
|
||||
A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they don't meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
|
||||
allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that doesn't have enough computers to use the KMS.
|
||||
A Multiple Activation Key (MAK) is commonly used in small or mid-sized organizations that have a volume licensing agreement, but don't meet the requirements to operate a KMS. MAK can also be used if a simpler approach is preferred. A MAK also allows permanent activation of:
|
||||
|
||||
- Computers that are isolated from the KMS.
|
||||
- Computers that are part of an isolated network that doesn't have enough computers to use the KMS.
|
||||
|
||||
To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
|
||||
In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can help with tracking the number of activations that have been performed with each key and how many remain.
|
||||
|
||||
Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft.
|
||||
In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can help with tracking the number of performed activations with each key and how many activations remain.
|
||||
|
||||
Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases. However, the number of activations that are available can be increased with the MAK by calling Microsoft.
|
||||
|
||||
### Key Management Service
|
||||
|
||||
With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that doesn't require a dedicated system and can easily be cohosted on a system that provides other services.
|
||||
|
||||
Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
|
||||
Volume editions of currently supported versions of Windows and Windows Server automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
|
||||
|
||||
The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
|
||||
The KMS requires a minimum number of computers, either physical computers or virtual machines, in a network environment. The organization must have at least five computers to activate currently supported versions of Windows Server and at least 25 computers to activate client computers running currently supported versions of Windows client. These minimums are referred to as *activation thresholds*.
|
||||
|
||||
Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. It will be rare that more than two KMS hosts are used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
|
||||
Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations often deploy two KMS hosts to ensure availability. The KMS can be hosted on a client computer or on a server. Setting up KMS is discussed later in this guide.
|
||||
|
||||
### Active Directory-based activation
|
||||
|
||||
Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer doesn't need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
|
||||
Active Directory-based activation is similar to activation by using the KMS, but the activated computer doesn't need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running currently supported versions of Windows or Windows Server queries ADDS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
|
||||
|
||||
Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it's impractical to connect to a KMS, or wouldn't reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company's domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
|
||||
Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it's impractical to connect to a KMS, or wouldn't reach the KMS activation threshold. Rather than use MAK, Active Directory-based activation provides a way to activate computers running currently supported versions of Windows and Windows Server as long as the computers can contact the company's domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere where there's already a domain presence.
|
||||
|
||||
## Network and connectivity
|
||||
|
||||
A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur.
|
||||
A modern business network has many nuances and interconnections. This section examines evaluating the organization's network and the connections that are available to determine how volume activations occur.
|
||||
|
||||
### Core network
|
||||
|
||||
Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that isn't a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the majority of the business network.
|
||||
The organization's core network is that part of the network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet. However, Internet connectivity isn't a requirement to use the KMS or Active Directory-based activation after the KMS server or ADDS is configured and active. The organization's core network likely consists of many network segments. In many organizations, the core network makes up most of the business network.
|
||||
|
||||
In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that aren't joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
|
||||
In the core network, a centralized KMS solution is recommended. Active Directory-based activation can also be used, but in many organizations, KMS might still be required to computers that aren't joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in the organization are running currently supported versions of Windows.
|
||||
|
||||
A typical core network that includes a KMS host is shown in Figure 1.
|
||||
|
||||
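Review bot: In the core network paragraph, the reworded sentence "KMS might still be required to computers that aren't joined to the domain" lost its verb when "activate older client computers and" was cut; it should read "required to activate computers that aren't joined to the domain". Two other changes in this hunk need checking. "AD DS" became "ADDS" in both the Active Directory-based activation and core network paragraphs, which no longer matches the usual abbreviation for Active Directory Domain Services. "Visual Studio Online" was replaced with "Visual Studio Codespace", which should be verified as the name of a program that actually carries volume licenses.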
@ -135,19 +133,29 @@ A typical core network that includes a KMS host is shown in Figure 1.
|
||||
|
||||
### Isolated networks
|
||||
|
||||
In a large network, it's all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
|
||||
In a large network, some segments might be isolated, either for security reasons or because of geography or connectivity issues.
|
||||
|
||||
#### Isolated for security
|
||||
|
||||
Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
|
||||
A network segment isolated from the core network by a firewall or disconnected from other networks is sometimes called a *high-security zone*. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
|
||||
|
||||
If the isolated network can access the core network by using outbound requests on TCP port 1688, and it's allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
|
||||
If the isolated network can:
|
||||
|
||||
If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
|
||||
- Access the core network by using outbound requests on TCP port 1688
|
||||
- Allowed to receive remote procedure calls (RPCs)
|
||||
|
||||
If the isolated network can't communicate with the core network's KMS server, and it can't use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
|
||||
activation can be performed by using the KMS in the core network, avoiding the need to reach additional activation thresholds.
|
||||
|
||||
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they're placed in the isolated network.
|
||||
If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as:
|
||||
|
||||
- Using Lightweight Directory Access Protocol (LDAP) for queries
|
||||
- Using Domain Name Service (DNS) for name resolution
|
||||
|
||||
then this scenario is a good opportunity to use Active Directory-based activation for currently supported versions of Windows and Windows Server.
|
||||
|
||||
If the isolated network can't communicate with the core network's KMS server, and it can't use Active Directory-based activation, a KMS host can be set up in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it won't reach the KMS activation threshold. In that case, MAKs can be used for activation.
|
||||
|
||||
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option, but VAMT proxy activation might also be possible. MAKs can also be used to activate new computers during setup, before they're placed in the isolated network.
|
||||
|
||||

|
||||
|
||||
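Review bot: The new bulleted list under "If the isolated network can:" is not parallel and leaves the sentence hanging. The first item reads "can: Access the core network by using outbound requests on TCP port 1688", but the second reads "can: Allowed to receive remote procedure calls (RPCs)", and the conclusion "activation can be performed by using the KMS in the core network" starts lowercase as a detached paragraph. Suggest changing the second item to "Receive remote procedure calls (RPCs)" and opening the conclusion with "then", as the LDAP/DNS list later in this hunk does ("then this scenario is a good opportunity ..."). The removed sentence joined the two conditions with "and"; the list should keep that explicit so a reader in a high-security zone does not take either allowance alone as sufficient.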
@ -155,104 +163,115 @@ If the network is fully isolated, MAK-independent activation would be the recomm
|
||||
|
||||
#### Branch offices and distant networks
|
||||
|
||||
From mining operations to ships at sea, organizations often have a few computers that aren't easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
|
||||
From mining operations to ships at sea, organizations often have a few computers that aren't easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. There are several options in these situations:
|
||||
|
||||
- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
|
||||
- **Active Directory-based activation**. In any site where the client computers are running currently supported versions of Windows, Active Directory-based activation is supported, and it can be activated by joining the domain.
|
||||
|
||||
- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
|
||||
|
||||
- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
|
||||
- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS, perhaps through a virtual private network (VPN) to the core network, that KMS can be used. Using the existing KMS means that the activation threshold only needs to be met on that server.
|
||||
|
||||
- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
|
||||
|
||||
### Disconnected computers
|
||||
|
||||
Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this branch office an "isolated network," where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
|
||||
Some users might be in remote locations or might travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. This branch office can be considered an "isolated network," where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on how often the computers connect to the core network.
|
||||
|
||||
If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it doesn't support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
|
||||
Active Directory-based activation can be used on computers when they meet the following conditions:
|
||||
|
||||
- The computer is joined to the domain.
|
||||
- The computer is running a currently supported version of Windows or Windows Server.
|
||||
- The computer connects to the domain at least once every 180 days, either directly or through a VPN.
|
||||
|
||||
Otherwise for computers that rarely or never connect to the network, MAK independent activation should be used either via the telephone or the Internet.
|
||||
|
||||
### Test and development labs
|
||||
|
||||
Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they can't activate immediately.
|
||||
Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Currently supported editions of Windows that include volume licensing operate normally, even if they can't activate immediately.
|
||||
|
||||
If you've ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they'll be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network, and use the methods described earlier in this guide.
|
||||
In labs that have a high turnover of computers and a few KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
|
||||
If the test or development copies of the operating system are within the license agreement, the lab computers might not need to be activated if they're rebuilt frequently. If the lab computers need to be activated, treat the lab as an isolated network, and use the methods described earlier in this guide.
|
||||
In labs that have a high turnover of computers and a few KMS clients, the KMS activation count must be monitored. The time that the KMS caches the activation requests might need to be adjusted. The default is 30 days.
|
||||
|
||||
## Mapping your network to activation methods
|
||||
## Mapping the network to activation methods
|
||||
|
||||
Now it's time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you've collected the information you need to determine which activation methods will work best for you. You can fill in information in Table 1 to help you make this determination.
|
||||
By evaluating network connectivity and the numbers of computers at each site, the information needed to determine which activation methods work best can be determined. This information can be filled in Table 1 to help make this determination.
|
||||
|
||||
**Table 1**. Criteria for activation methods
|
||||
|
||||
|Criterion |Activation method |
|
||||
|----------|------------------|
|
||||
|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
|
||||
|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days<div class="alert">**Note**<br>The core network must meet the KMS activation threshold.</div> |KMS (central) |
|
||||
|Number of computers that don't connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK |
|
||||
|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) |
|
||||
|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) |
|
||||
|Number of computers in isolated networks where the KMS activation threshold isn't met |MAK |
|
||||
|Number of computers in test and development labs that won't be activated |None|
|
||||
|Number of computers that don't have a retail volume license |Retail (online or phone) |
|
||||
|Number of computers that don't have an OEM volume license |OEM (at factory) |
|
||||
|Total number of computer activations<div class="alert">**Note**<br>This total should match the total number of licensed computers in your organization.</div> |
|
||||
| Criterion | Activation method |
|
||||
|---|---|
|
||||
| Number of domain-joined computers that will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. | Active Directory-based activation |
|
||||
| Number of computers in the core network that will connect at least every 180 days, either directly or through VPN. The core network must meet the KMS activation threshold. | KMS (central) |
|
||||
| Number of computers that don't connect to the network at least once every 180 days, or if no network meets the activation threshold. | MAK |
|
||||
| Number of computers in semi-isolated networks that have connectivity to the KMS in the core network. | KMS (central) |
|
||||
| Number of computers in isolated networks where the KMS activation threshold is met. | KMS (local) |
|
||||
| Number of computers in isolated networks where the KMS activation threshold isn't met. | MAK |
|
||||
| Number of computers in test and development labs that won't be activated. | None |
|
||||
| Number of computers that don't have a retail volume license. | Retail (online or phone) |
|
||||
| Number of computers that don't have an OEM volume license. | OEM (at factory) |
|
||||
| Total number of computer activations. This total should match the total number of licensed computers in the organization. | |
|
||||
|
||||
## Choosing and acquiring keys
|
||||
|
||||
When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways:
|
||||
When it's know which keys are needed, the keys must be obtained. Generally speaking, volume licensing keys are collected in two ways:
|
||||
|
||||
- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
|
||||
|
||||
- Contact your [Microsoft activation center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
|
||||
- Contact the [Microsoft activation center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
|
||||
|
||||
### KMS host keys
|
||||
|
||||
A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is referred to as the *KMS host key*, but it's formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
|
||||
A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is referred to as the *KMS host key*, but it's formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Some documentation and Internet references use the term KMS key, but CSVLK is the proper name for current documentation and management tools.
|
||||
|
||||
A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You'll need a KMS host key for any KMS that you want to set up and if you're going to use Active Directory-based activation.
|
||||
A KMS host running a currently supported version of Windows Server can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in ADDS, as described later in this guide. A KMS host key is needed for any KMS that is set up. Additionally, it needs to be determined if Active Directory-based activation will be used.
|
||||
|
||||
### Generic volume licensing keys
|
||||
|
||||
When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you're creating. GVLKs are also referred to as KMS client setup keys.
|
||||
If computers are activated with KMS or Active Directory-based activation when using custom installation media or an image to install Windows, install a generic volume license key (GVLK) when creating the custom installation media or image. The GVLK should match the edition of Windows being installed.
|
||||
|
||||
Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK won't activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK doesn't work unless a valid KMS host key can be found. GVLKs are the only product keys that don't need to be kept confidential.
|
||||
Installation media from Microsoft for Enterprise editions of the Windows operating system might already contain the GVLK. One GVLK is available for each type of installation. The GVLK doesn't activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK doesn't work unless a valid KMS host key can be found. GVLKs are the only product keys that don't need to be kept confidential.
|
||||
|
||||
Typically, you won't need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it's being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS client setup keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)).
|
||||
Typically, a GVLK doesn't need to be manually entered unless a computer is:
|
||||
|
||||
- Activated with a MAK or a retail key.
|
||||
- Being converted to a KMS activation or to Active Directory-based activation.
|
||||
|
||||
If the GVLK for a particular client edition needs to be located, see [Key Management Services (KMS) client activation and product keys](/windows-server/get-started/kms-client-activation-keys).
|
||||
|
||||
### Multiple activation keys
|
||||
|
||||
You'll also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
|
||||
MAK keys with the appropriate number of activations available are also needed. The number of times a MAK has been used can be seen on the Volume Licensing Service Center website or in the VAMT.
|
||||
|
||||
## Selecting a KMS host
|
||||
|
||||
The KMS doesn't require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
|
||||
The KMS doesn't require a dedicated server. It can be cohosted with other services, such as ADDS domain controllers and read-only domain controllers.
|
||||
|
||||
KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
|
||||
KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running currently supported versions of Windows Server can activate any Windows client or server operating system that supports volume activation. A KMS host that is running a currently supported version of Windows client can only activate computers running a currently supported version of Windows client.
|
||||
|
||||
A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure.
|
||||
A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS might not be needed. Most organizations can use as few as two KMS hosts for their entire infrastructure.
|
||||
|
||||
The flow of KMS activation is shown in Figure 3, and it follows this sequence:
|
||||
|
||||
1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
|
||||
|
||||
2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
|
||||
1. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
|
||||
|
||||
3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment doesn't support DNS dynamic update protocol.)
|
||||
1. The KMS host updates resource records in DNS to allow clients to locate the KMS host. Manually adding DNS records is required if the environment doesn't support DNS dynamic update protocol.
|
||||
|
||||
4. A client configured with a GVLK uses DNS to locate the KMS host.
|
||||
1. A client configured with a GVLK uses DNS to locate the KMS host.
|
||||
|
||||
5. The client sends one packet to the KMS host.
|
||||
1. The client sends one packet to the KMS host.
|
||||
|
||||
6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs aren't stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
|
||||
1. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs aren't stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
|
||||
|
||||
7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
|
||||
1. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that requested activation from this KMS host.
|
||||
|
||||
8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold hasn't yet been met, the client will try again.
|
||||
1. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold isn't met, the client tries again.
|
||||
|
||||

|
||||
|
||||
**Figure 3**. KMS activation flow
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
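Review bot: In "Disconnected computers", the rewrite drops the KMS path. The removed paragraph said a computer that connects to a network with a KMS host at least every 180 days can use KMS activation. The new text lists only the Active Directory-based conditions and then goes straight to "Otherwise for computers that rarely or never connect to the network, MAK independent activation should be used", while the paragraph above it still says disconnected computers can use "Active Directory-based activation, the KMS, or MAK". Suggest restoring a sentence for the KMS case before "Otherwise". Smaller points in the same hunk: "When it's know which keys are needed" should read "known"; "AD DS" became "ADDS" in two places; "Additionally, it needs to be determined if Active Directory-based activation will be used" no longer says what the removed line did, that a KMS host key is also needed when Active Directory-based activation is used; and the GVLK list ("Activated with a MAK or a retail key." / "Being converted to a KMS activation or to Active Directory-based activation.") loses the "and" that made these one combined condition in the removed sentence.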
@ -1,39 +1,40 @@
|
||||
---
|
||||
title: Update Product Status (Windows 10)
|
||||
title: Update Product Status
|
||||
description: Learn how to use the Update license status function to add the products that are installed on the computers.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Update product status
|
||||
|
||||
After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
|
||||
After computers are added to the Volume Activation Management Tool (VAMT) database, the **Update license status** function needs to be used to add the products that are installed on the computers. The **Update license status** can also be used at any time to retrieve the most current license status for any products in the VAMT database.
|
||||
To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
|
||||
|
||||
> [!NOTE]
|
||||
The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
|
||||
> The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
|
||||
|
||||
## Update the license status of a product
|
||||
|
||||
1. Open VAMT.
|
||||
|
||||
2. In the **Products** list, select one or more products that need to have their status updated.
|
||||
1. In the **Products** list, select one or more products that need to have their status updated.
|
||||
|
||||
3. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer.
|
||||
1. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if updating products that require administrator credentials different from the ones used to log into the computer.
|
||||
|
||||
4. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
|
||||
1. If supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
|
||||
|
||||
VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
|
||||
VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product appears in the product list view in the center pane.
|
||||
|
||||
> [!NOTE]
|
||||
If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
|
||||
>
|
||||
> If a previously discovered Microsoft Office product is uninstalled from the remote computer, updating its licensing status causes the entry to be deleted from the **Office** product list view that results in the total number of discovered products being smaller. However, the Windows installation of the same computer isn't deleted and is always be shown in the **Windows** products list view.
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Add and Manage Products](add-manage-products-vamt.md)
|
||||
- [Add and Manage Products](add-manage-products-vamt.md).
|
||||
|
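Review bot: The rewritten second NOTE has a grammar error and an unclear relative clause. "isn't deleted and is always be shown in the **Windows** products list view" should be "is always shown", and "deleted from the **Office** product list view that results in the total number of discovered products being smaller" reads as if the list view causes the smaller total; suggest ", which results in the total number of discovered products being smaller". The first NOTE in this hunk gained the ">" prefix but still says "will not be available" and "will not be updated", while the rest of the change moves to present tense and contractions, so it is worth aligning in the same pass.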
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use the Volume Activation Management Tool (Windows 10)
|
||||
title: Use the Volume Activation Management Tool
|
||||
description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
@ -7,49 +7,47 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Use the Volume Activation Management Tool
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
|
||||
|
||||
By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It's a standard Microsoft Management Console snap-in, and it can be installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
|
||||
Volume, retail, and Multiple Activation Keys (MAK) activation process for Windows, Office, and select other Microsoft products can be automated and centrally managed using VAMT. The VAMT can manage volume activation by using MAK or Key Management Service (KMS). It's a standard Microsoft Management Console snap-in.
|
||||
|
||||
The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
|
||||
For currently supported versions of Windows Server, VAMT can be installed directly from Server Manager by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
|
||||
|
||||
In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
|
||||
For currently supported versions of Windows client, VAMT can be installed as part of the Windows Assessment and Deployment Kit (Windows ADK). The Windows ADK is a free download. For more information, including links to download the Windows ADK, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
|
||||
|
||||
## Activating with the Volume Activation Management Tool
|
||||
|
||||
You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
|
||||
VAMT can be used to complete the activation process in products by using MAK and retail keys. Computers can be activated either individually or in groups. The VAMT enables two activation scenarios:
|
||||
|
||||
- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
|
||||
- **Online activation**. Online activation enables activation over the Internet any products that are installed with MAK, KMS host, or retail product keys. One or more connected computers can be activated within a network. This process requires each product communicate activation information directly to Microsoft.
|
||||
|
||||
- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that don't have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
|
||||
By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
|
||||
- **Proxy activation**. This activation method enables volume activation for products that are installed on client computers that don't have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
|
||||
|
||||
When this method is used, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where the organization has a mix of retail, MAK, and KMS-based activations.
|
||||
|
||||
## Tracking products and computers with the Volume Activation Management Tool
|
||||
|
||||
The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
|
||||
The VAMT provides an overview of the activation and licensing status of computers across an organization's network, as shown in Figure 18. Several prebuilt reports are also available to help proactively manage licensing.
|
||||
|
||||

|
||||
|
||||
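Review bot: The rewritten Online activation bullet is ungrammatical: "enables activation over the Internet any products" is missing "of", and "requires each product communicate" has lost "that". Suggest "Online activation enables activation over the Internet of any products that are installed with MAK, KMS host, or retail product keys" and "This process requires that each product communicate activation information directly to Microsoft." The new intro sentence also expands the acronym as "Multiple Activation Keys (MAK)" while the next sentence uses MAK as a single key type; pick one form and use it throughout.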
@ -57,7 +55,7 @@ The VAMT provides an overview of the activation and licensing status of computer
|
||||
|
||||
## Tracking key usage with the Volume Activation Management Tool
|
||||
|
||||
The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it's and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
|
||||
The VAMT makes it easier to track the various keys that are issued to an organization. Each key can be entered into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it's and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
|
||||
|
||||

|
||||
|
||||
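Review bot: The rewritten paragraph carries over "what type of key it's" from the old text; the contraction doesn't work at the end of a clause and should read "what type of key it is". The line is already being changed, so fix it in the same pass.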
@ -67,17 +65,17 @@ The VAMT makes it easier to track the various keys that are issued to your organ
|
||||
|
||||
The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
|
||||
|
||||
- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
|
||||
- **Adding and removing computers**. VAMT can be used to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
|
||||
|
||||
- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
|
||||
- **Discovering products**. VAMT can be used to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
|
||||
|
||||
- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md)
|
||||
- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md)
|
||||
- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md).
|
||||
- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md).
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
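Review bot: In the rewritten "Adding and removing computers" bullet, the first sentence now says "VAMT can be used" while the next still says "The VAMT can discover", so the article is inconsistent within one bullet, and "The VAMT stores" remains in the bullet below. Choose either "VAMT" or "the VAMT" and apply it across the list.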
@ -1,12 +1,12 @@
|
||||
---
|
||||
title: VAMT Requirements (Windows 10)
|
||||
description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT).
|
||||
title: VAMT Requirements
|
||||
description: In this article, learn about the product key and system requirements for Volume Activation Management Tool (VAMT).
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
@ -36,9 +36,9 @@ The following table lists the system requirements for the VAMT host computer.
|
||||
| External Drive | Removable media (Optional) |
|
||||
| Display | 1024x768 or higher resolution monitor |
|
||||
| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
|
||||
| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
|
||||
| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
|
||||
| Operating System | Currently supported versions of [Windows client](/windows/release-health/supported-versions-windows-client) and [Windows Server](/windows/release-health/windows-server-release-info). |
|
||||
| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell, which is included with all currently supported versions of Windows.</li></ul> |
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Install and configure VAMT](install-configure-vamt.md)
|
||||
- [Install and configure VAMT](install-configure-vamt.md).
|
||||
|
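Review bot: The new Additional Requirements row drops the PowerShell version floor: the old text required PowerShell 3.0, the new text only says "PowerShell, which is included with all currently supported versions of Windows". If VAMT still depends on a minimum version, state it (for example "PowerShell 3.0 or later, which is included with all currently supported versions of Windows") so the requirement is not left implicit.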
@ -1,28 +1,28 @@
|
||||
---
|
||||
title: VAMT Step-by-Step Scenarios (Windows 10)
|
||||
title: VAMT Step-by-Step Scenarios
|
||||
description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# VAMT step-by-step scenarios
|
||||
|
||||
This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started.
|
||||
This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios. To get started, some of the most common scenarios are described here.
|
||||
|
||||
## In this section
|
||||
|
||||
|Article |Description |
|
||||
|-------|------------|
|
||||
|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
|
||||
|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network. Additionally, it also describes how to instruct these products to contact Microsoft over the Internet for activation. |
|
||||
|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. |
|
||||
|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
|
||||
|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of currently supported versions of Windows and Microsoft Office use KMS for activation. |
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Introduction to VAMT](introduction-vamt.md)
|
||||
- [Introduction to VAMT](introduction-vamt.md).
|
||||
|
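Review bot: In the Scenario 1 row, "Additionally, it also describes" is redundant. Drop one of the two, for example "It also describes how to instruct these products to contact Microsoft over the Internet for activation."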
@ -7,15 +7,16 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: overview
|
||||
---
|
||||
|
||||
# Volume Activation Management Tool (VAMT) technical reference
|
||||
|
||||
The Volume Activation Management Tool (VAMT) lets you automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version.
|
||||
The Volume Activation Management Tool (VAMT) allows automation and central management of the retail-activation process for Windows, Office, and select other Microsoft products. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version.
|
||||
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
> VAMT is designed to manage volume activation for all currently supported versions of Windows, Windows Server, and Office.
|
||||
|
||||
VAMT is only available in an EN-US (x86) package.
|
||||
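Review bot: The rewritten opening sentence changes the meaning: the old text covered the "volume and retail-activation process", the new text says only "the retail-activation process", yet the next sentence and the IMPORTANT note are both about volume activation. Restore "volume", for example "allows automation and central management of the volume and retail activation process for Windows, Office, and select other Microsoft products".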
@ -26,7 +27,7 @@ VAMT is only available in an EN-US (x86) package.
|
||||
|------|------------|
|
||||
|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
|
||||
|[Active Directory-based activation overview](active-directory-based-activation-overview.md) |Describes Active Directory-based activation scenarios. |
|
||||
|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
|
||||
|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers in the network. |
|
||||
|[Add and manage products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
|
||||
|[Manage product keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
|
||||
|[Manage activations](manage-activations-vamt.md) |Describes how to activate a client computer by using various activation methods. |
|
||||
|
@ -1,78 +0,0 @@
|
||||
---
|
||||
title: Volume Activation for Windows 10
|
||||
description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Volume Activation for Windows 10
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for volume licensing information?
|
||||
>
|
||||
> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://www.microsoft.com/download/details.aspx?id=11091)
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
|
||||
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
|
||||
|
||||
*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [Visual Studio Online](https://visualstudio.microsoft.com/msdn-platforms/).
|
||||
|
||||
Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation.
|
||||
|
||||
This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation.
|
||||
|
||||
Because most organizations won't immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it doesn't discuss the tools that are provided with earlier operating system versions.
|
||||
|
||||
Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
|
||||
|
||||
If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide](/previous-versions/tn-archive/dd878528(v=technet.10)).
|
||||
|
||||
To successfully plan and implement a volume activation strategy, you must:
|
||||
|
||||
- Learn about and understand product activation.
|
||||
|
||||
- Review and evaluate the available activation types or models.
|
||||
|
||||
- Consider the connectivity of the clients to be activated.
|
||||
|
||||
- Choose the method or methods to be used with each type of client.
|
||||
|
||||
- Determine the types and number of product keys you'll need.
|
||||
|
||||
- Determine the monitoring and reporting needs in your organization.
|
||||
|
||||
- Install and configure the tools required to support the methods selected.
|
||||
|
||||
Keep in mind that the method of activation doesn't change an organization's responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
|
||||
|
||||
## Related articles
|
||||
|
||||
- [Plan for volume activation](plan-for-volume-activation-client.md)
|
||||
- [Activate using Key Management Service](activate-using-key-management-service-vamt.md)
|
||||
- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md)
|
||||
- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md)
|
||||
- [Monitor activation](monitor-activation-client.md)
|
||||
- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md)
|
||||
- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md)
|
@ -0,0 +1,62 @@
|
||||
---
|
||||
title: Volume Activation for Windows
|
||||
description: Learn how to use volume activation to deploy & activate Windows.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Volume Activation for Windows
|
||||
|
||||
> [!TIP]
|
||||
>
|
||||
> Looking for volume licensing information?
|
||||
>
|
||||
> - [Download the Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
|
||||
>
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows.
|
||||
|
||||
*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [Visual Studio Codespace](https://visualstudio.microsoft.com/msdn-platforms/).
|
||||
|
||||
Volume activation is a solution that automates and manages product activation on computers running Windows that are licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation.
|
||||
|
||||
This guide provides information and step-by-step guidance to help choose a volume activation method that suits an environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation.
|
||||
|
||||
The following items are needed to successfully plan and implement a volume activation strategy:
|
||||
|
||||
- Learn about and understand product activation.
|
||||
- Review and evaluate the available activation types or models.
|
||||
- Consider the connectivity of the clients to be activated.
|
||||
- Choose the method or methods to be used with each type of client.
|
||||
- Determine the types and number of product keys needed.
|
||||
- Determine the monitoring and reporting needs in the organization.
|
||||
- Install and configure the tools required to support the methods selected.
|
||||
|
||||
Keep in mind that the method of activation doesn't change an organization's responsibility to the licensing requirements. Ensure that all software used in an organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
|
||||
|
||||
## Related content
|
||||
|
||||
- [Plan for volume activation](plan-for-volume-activation-client.md).
|
||||
- [Activate using Key Management Service](activate-using-key-management-service-vamt.md).
|
||||
- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md).
|
||||
- [Activate clients running Windows](activate-windows-clients-vamt.md).
|
||||
- [Monitor activation](monitor-activation-client.md).
|
||||
- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md).
|
||||
- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md).
|
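Review bot: In the paragraph that defines volume activation, the link text changed from "Visual Studio Online" to "Visual Studio Codespace" while the target is still visualstudio.microsoft.com/msdn-platforms/. The new name doesn't match the linked program and looks like a mechanical rename; confirm the intended program name or keep text that matches the target. Also, the list introduced by "The following items are needed" is made up of imperative steps (Learn, Review, Consider), so a lead-in such as "To successfully plan and implement a volume activation strategy:" would fit better.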
@ -61,6 +61,5 @@ If you currently use WDS with **boot.wim** from installation media for end-to-en
|
||||
|
||||
## Also see
|
||||
|
||||
[Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)<br>
|
||||
[Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
|
||||
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)<br>
|
||||
- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)
|
||||
- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
|
||||
|
@ -22,10 +22,7 @@ This guide contains instructions to configure a proof of concept (PoC) environme
|
||||
> [!NOTE]
|
||||
> Microsoft also offers a pre-configured lab using an evaluation version of Configuration Manager. For more information, see [Windows and Office deployment and management lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab).
|
||||
|
||||
This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
|
||||
|
||||
- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
|
||||
- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
|
||||
This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
|
||||
|
||||
The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance.
|
||||
|
||||
@ -1044,4 +1041,5 @@ Use the following procedures to verify that the PoC environment is configured pr
|
||||
|
||||
## Next steps
|
||||
|
||||
- [Windows 10 deployment scenarios](windows-deployment-scenarios.md).
|
||||
- [Windows 10 deployment scenarios](windows-deployment-scenarios.md)
|
||||
- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
|
||||
|
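Review bot: The Next steps list removes the trailing period from the "Windows 10 deployment scenarios" link, while the Related content lists changed elsewhere in this commit add a trailing period to every link item. Pick one convention for link-only list items and apply it across the commit.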
@ -79,24 +79,6 @@ These policies control the minimum target version of Windows that a device is me
|
||||
| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
|
||||
| Excluded groups | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices |
|
||||
|
||||
#### Windows 11 testing
|
||||
|
||||
To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment.
|
||||
|
||||
##### Windows 11 deployment setting
|
||||
|
||||
| Setting name | Test |
|
||||
| ----- | ----- |
|
||||
| Name | Windows 11 |
|
||||
| Rollout options | Immediate start |
|
||||
|
||||
##### Windows 11 assignments
|
||||
|
||||
| Setting name | Test |
|
||||
| ----- | ----- |
|
||||
| Included groups | Modern Workplace - Windows 11 Pre-Release Test Devices |
|
||||
| Excluded groups | None |
|
||||
|
||||
## Conflicting and unsupported policies
|
||||
|
||||
Deploying any of the following policies to a Windows Autopatch device makes that device ineligible for management since the device prevents us from delivering the service as designed.
|
||||
|
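Review bot: This hunk removes the "Windows 11 testing" section, but the Excluded groups row kept as context above it still lists "Modern Workplace - Windows 11 Pre-Release Test Devices" for every ring. If that group no longer has its own policy, update the exclusions in the same change or add a sentence explaining why the group is still excluded, so the article doesn't reference a group it no longer describes.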
@ -11,7 +11,7 @@ ms.date: 12/01/2022
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
|
||||
|
||||
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
|
||||
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
|
||||
|
||||
If you have an internal CA, complete these steps to create a code signing certificate.
|
||||
|
||||
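Review bot: The new sentence pairs "either" with three options and reads as "need to use ... an internal CA". Suggest "To do this signing, you can use Microsoft's Trusted Signing service, a publicly issued code signing certificate, or an internal CA." The follow-up sentence still tells only readers who purchased a certificate to skip the article; say whether Trusted Signing users should skip it as well.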
@ -20,7 +20,7 @@ If you have an internal CA, complete these steps to create a code signing certif
|
||||
>
|
||||
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
|
||||
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
|
||||
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
|
||||
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA256.
|
||||
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
|
||||
|
||||
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
|
||||
|
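Review bot: The last sentence of the digest-algorithm bullet changes "SHA-256" to "SHA256" while the start of the same bullet still lists "SHA-256, SHA-384, or SHA-512", so the bullet now spells the same algorithm two ways. Keep "SHA-256" unless a literal identifier is intended, in which case format it as code.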
@ -75,7 +75,7 @@ When finished, the tool saves the files to your desktop. You can view the `*.cdf
|
||||
|
||||
## Sign your catalog file
|
||||
|
||||
Now that you've created a catalog file for your app, you're ready to sign it.
|
||||
Now that you've created a catalog file for your app, you're ready to sign it. We recommend using [Microsoft's Trusted Signing service](/azure/trusted-signing/) for catalog signing. Optionally, you can manually sign the catalog using Signtool using the following instructions.
|
||||
|
||||
### Catalog signing with SignTool.exe
|
||||
|
||||
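Review bot: The new sentence under "Sign your catalog file" reads "manually sign the catalog using Signtool using the following instructions", which repeats "using" and spells the tool "Signtool" while the heading directly below uses "SignTool.exe". Suggest "Alternatively, you can sign the catalog manually with SignTool.exe by following these instructions." "Optionally" also reads oddly here, because manual signing is presented as an alternative to the recommended service, not as an extra step.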
@ -336,13 +336,16 @@ Some of the known issues using Package Inspector to build a catalog file are:
|
||||
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start). Then use fsutil.exe to read that starting location. Replace "RegKeyValue" in the following command with the value from the reg key:<br>
|
||||
`fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
|
||||
- The above command should return an error if the older USNs don't exist anymore due to overflow
|
||||
- You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help
|
||||
- You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help.
|
||||
|
||||
- **CodeIntegrity - Operational event log is too small to track all files created by the installer**
|
||||
- To diagnose whether Eventlog size is the issue, after running through Package Inspector:
|
||||
- Open Event Viewer and expand the **Application and Services//Microsoft//Windows//CodeIntegrity//Operational**. Check for a 3076 audit block event for the initial installer launch.
|
||||
- To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values
|
||||
- To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values.
|
||||
|
||||
- **Installer or app files that change hash each time the app is installed or run**
|
||||
- Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package doesn't work with Package Inspector.
|
||||
|
||||
- **Files with an invalid signature blob or otherwise "unhashable" files**
|
||||
- This issue arises when a signed file was modified in a way that invalidates the file's PE header. A file modified in this way is unable to be hashed according to the Authenticode spec.
|
||||
- Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your policy that uses the file's flat file hash.
|
||||
|
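Review bot: The punctuation cleanup in this hunk is incomplete: the bullet "The above command should return an error if the older USNs don't exist anymore due to overflow" still has no closing period, while the two bullets edited here gained one. In the edited USN Journal bullet, the code span "Fsutil usn queryjournal" is capitalized although the same line and the command above it use lowercase "fsutil"; since the line is being touched anyway, make the casing consistent.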
@ -38,6 +38,6 @@ For more information on using signed policies, see [Use signed policies to prote
|
||||
|
||||
Some ways to obtain code signing certificates for your own use, include:
|
||||
|
||||
- Use Microsoft's [Trusted Signing service](/azure/trusted-signing/).
|
||||
- Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
|
||||
- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
|
||||
- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning).
|
||||
|
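Review bot: The lead-in to the list touched here, "Some ways to obtain code signing certificates for your own use, include:", has a stray comma before "include" that could be removed in the same change. The new first bullet names a signing service rather than a way to obtain a certificate, so consider rewording the lead-in to something like "Some ways to sign your own code include:" so that all three bullets fit it.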
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: FIPS 140 validated modules for Windows Server 2019
|
||||
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server 2019.
|
||||
ms.date: 2/1/2024
|
||||
ms.date: 4/5/2024
|
||||
ms.topic: reference
|
||||
ms.author: v-rodurff
|
||||
author: msrobertd
|
||||
@ -14,6 +14,19 @@ The following tables list the completed FIPS 140 validations of cryptographic mo
|
||||
|
||||
## Windows Server 2019
|
||||
|
||||
Builds: 10.0.17763.10021 and 10.0.17763.10127. Validated Edition: Datacenter Core
|
||||
|
||||
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|
||||
|--- |--- |--- |
|
||||
|[BitLocker Dump Filter][sp-4688]|[#4688][certificate-4688]|FIPS Approved: AES, RSA, and SHS|
|
||||
|[Boot Manager][sp-4484]|[#4484][certificate-4484]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|
||||
|[Code Integrity][sp-4602]|[#4602][certificate-4602]|FIPS Approved: RSA and SHS|
|
||||
|[Cryptographic Primitives Library][sp-4687]|[#4687][certificate-4687]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: ECDH and NDRNG|
|
||||
|[Kernel Mode Cryptographic Primitives Library][sp-4670]|[#4670][certificate-4670]|AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: ECDH|
|
||||
|[Secure Kernel Code Integrity][sp-4640]|[#4640][certificate-4640]|FIPS Approved: RSA and SHS|
|
||||
|[Virtual TPM][sp-4686]|[#4686][certificate-4686]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|
||||
|[Windows OS Loader][sp-4545]|[#4545][certificate-4545]|FIPS Approved: AES, RSA, and SHS; Other Allowed: NDRNG|
|
||||
|
||||
Build: 10.0.17763.107. Validated Editions: Standard Core, Datacenter Core
|
||||
|
||||
|Cryptographic Module (linked to Security Policy document)|Version|CMVP Certificate #|Validated Algorithms|
|
||||
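Review bot: In the new table for builds 10.0.17763.10021 and 10.0.17763.10127, the Kernel Mode Cryptographic Primitives Library row lists its algorithms without the "FIPS Approved:" prefix that every other row in the table carries, so the row reads as if the approval status were unstated. Add the prefix to match. The new table also has no "Version" column, whereas the existing table for build 10.0.17763.107 directly below has one; confirm the omission is intended.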
@ -41,6 +54,14 @@ Build: 10.0.17763.107. Validated Editions: Standard Core, Datacenter Core
|
||||
[certificate-3644]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3644
|
||||
[certificate-3651]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3651
|
||||
[certificate-3690]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3690
|
||||
[certificate-4484]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4484
|
||||
[certificate-4545]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4545
|
||||
[certificate-4602]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4602
|
||||
[certificate-4640]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4640
|
||||
[certificate-4670]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4670
|
||||
[certificate-4686]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4686
|
||||
[certificate-4687]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4687
|
||||
[certificate-4688]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4688
|
||||
|
||||
<!-- Security Policies -->
|
||||
|
||||
@ -52,3 +73,11 @@ Build: 10.0.17763.107. Validated Editions: Standard Core, Datacenter Core
|
||||
[sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf
|
||||
[sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf
|
||||
[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf
|
||||
[sp-4484]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4484.pdf
|
||||
[sp-4545]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4545.pdf
|
||||
[sp-4602]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4602.pdf
|
||||
[sp-4640]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4640.pdf
|
||||
[sp-4670]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4670.pdf
|
||||
[sp-4686]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4686.pdf
|
||||
[sp-4687]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4687.pdf
|
||||
[sp-4688]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4688.pdf
|