deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into updatedocfx2

Browse Source
This commit is contained in:
Angela Fleischmann 2022-11-08 10:39:44 -07:00 committed by GitHub
commit a0d72ef119
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
259 changed files with 1699 additions and 1296 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/networkqospolicy-csp.md
View File

@ -40,7 +40,7 @@ The following actions are supported:
> - Azure AD Hybrid joined devices.
> - Devices that use both GPO and CSP at the same time.
>
> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004.
> The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703.
The following example shows the NetworkQoSPolicy configuration service provider in tree format.
```

23
windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
View File

@ -45,20 +45,20 @@ ms.date: 08/01/2022
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) <sup>Insider</sup>
- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) <sup>12</sup>
- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)<sup>10</sup>
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup>
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) <sup>Insider</sup>
- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) <sup>Insider</sup>
- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) <sup>12</sup>
- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) <sup>12</sup>
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) <sup>9</sup>
- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) <sup>9</sup>
- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) <sup>9</sup>
- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) <sup>Insider</sup>
- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) <sup>Insider</sup>
- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) <sup>Insider</sup>
- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) <sup>12</sup>
- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) <sup>12</sup>
- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) <sup>12</sup>
- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) <sup>10</sup>
- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) <sup>9</sup>
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) <sup>9</sup>
@ -98,11 +98,11 @@ ms.date: 08/01/2022
- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) <sup>9</sup>
- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) <sup>Insider</sup>
- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) <sup>Insider</sup>
- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) <sup>Insider</sup>
- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) <sup>Insider</sup>
- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) <sup>Insider</sup>
- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) <sup>12</sup>
- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) <sup>12</sup>
- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) <sup>12</sup>
- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) <sup>12</sup>
- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) <sup>12</sup>
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
@ -147,6 +147,7 @@ Footnotes:
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2)
- 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
- 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
- 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2)
- Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider).
## Related topics

21
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -113,8 +113,7 @@ Steps to use this policy correctly:
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
> [!NOTE]
> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
@ -160,7 +159,7 @@ Int value
<hr/>
<!--Description-->
This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-fi.
This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-Fi.
By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
@ -341,10 +340,7 @@ Supported value is Integer.
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
You may want to configure a different time server for your device fleet. IT admins can use thi policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy.
You may want to configure a different time server for your device fleet. IT admins can use this policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy.
This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters.
@ -394,9 +390,6 @@ value="0"/>
<!--/SupportedSKUs-->
> [!NOTE]
> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
@ -609,8 +602,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
This policy setting specifies whether the Windows NTP Client is enabled.
@ -642,9 +633,6 @@ This policy setting specifies whether the Windows NTP Client is enabled.
<!--/SupportedSKUs-->
> [!NOTE]
> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
@ -678,8 +666,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip
<!--/SupportedSKUs-->
> [!NOTE]
> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

2
windows/configuration/wcd/wcd-networkqospolicy.md
View File

@ -21,7 +21,7 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a
| --- | :---: | :---: | :---: | :---: |
| All settings | | ✔️ | | |
1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**.
1. In **Available customizations**, select **NetworkQoSPolicy**, enter a friendly name for the account, and then click **Add**.
2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure.
| Setting | Description |

2
windows/deployment/do/mcc-enterprise.md
View File

@ -241,7 +241,7 @@ Files contained in the mccinstaller.zip file:
1. Enable Nested Virtualization
```powershell
Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true
Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true
```
2. Enable Mac Spoofing
```powershell

45
windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
View File

@ -2,18 +2,18 @@
title: Activate by Proxy an Active Directory Forest (Windows 10)
description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Activate by Proxy an Active Directory Forest
You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain.
You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that doesn't have Internet access. ADBA enables certain volume products to inherit activation from the domain.
> [!IMPORTANT]
> ADBA is only applicable to *Generic Volume License Keys (GVLKs)* and *KMS Host key (CSVLK)*. To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
@ -26,28 +26,29 @@ In a typical proxy-activation scenario, the VAMT host computer distributes a pro
## Requirements
Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements:
- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup.
- There's an instance of VAMT that is installed on a computer that has Internet access. If you're performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup.
- VAMT has administrative permissions to the Active Directory domain.
**To perform an Active Directory forest proxy activation**
### To perform an Active Directory forest proxy activation
1. Open VAMT.
2. In the left-side pane, click the **Active Directory-Based Activation** node.
3. In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box.
4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate.
5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device.
7. Click **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
11. In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs.
12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message.
13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup.
14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane.
15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**.
1. Open VAMT.
2. In the left-side pane, select the **Active Directory-Based Activation** node.
3. In the right-side **Actions** pane, select **Proxy activate forest** to open the **Install Product Key** dialog box.
4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate.
5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you select **Install Key**, the name can't be changed.
6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then select **Open**. If you're activating an AD forest in an isolated workgroup, save the `.cilx` file to a removable media device.
7. Select **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
8. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
9. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
10. In the **Acquire confirmation IDs for file** dialog box, browse to where the `.cilx` file you exported from the isolated workgroup host computer is located. Select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs.
11. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Select **OK** to close the message.
12. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup.
13. Open VAMT and then select the **Active Directory-Based Activation** node in the left-side pane.
14. In the right-side **Actions** pane, select **Apply confirmation ID to Active Directory domain**, browse to the `.cilx` file and then select **Open**.
VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
## Related topics
## Related articles
- [Add and Remove Computers](add-remove-computers-vamt.md)

50
windows/deployment/volume-activation/activate-forest-vamt.md
View File

@ -2,11 +2,11 @@
title: Activate an Active Directory Forest Online (Windows 10)
description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
@ -15,33 +15,41 @@ ms.technology: itpro-fundamentals
You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain.
**Important**  
ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
> [!IMPORTANT]
> ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
## Requirements
Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
- VAMT is installed on a host computer that has Internet access.
- VAMT has administrative permissions to the Active Directory domain.
- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
**To perform an online Active Directory forest activation**
- VAMT is installed on a host computer that has Internet access.
1. Open VAMT.
2. In the left-side pane, click the **Active Directory-Based Activation** node.
3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box.
4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
5. If required, enter a new Active Directory-Based Activation Object name
- VAMT has administrative permissions to the Active Directory domain.
**Important**  
If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
6. Click **Install Key**.
7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
### To perform an online Active Directory forest activation
The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane.
1. Open VAMT.
## Related topics
2. In the left-side pane, select the **Active Directory-Based Activation** node.
3. In the right-side **Actions** pane, select **Online activate forest** to open the **Install Product Key** dialog box.
4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
5. If necessary, enter a new Active Directory-Based Activation Object name.
> [!IMPORTANT]
> If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
6. Select **Install Key**.
7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
## Related articles
- [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
- [Add and Remove Computers](add-remove-computers-vamt.md)

26
windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
View File

@ -1,40 +1,36 @@
---
title: Activate using Active Directory-based activation
description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
manager: dougeby
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: frankroj
ms.author: frankroj
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.date: 09/16/2022
ms.date: 11/07/2022
ms.topic: how-to
ms.collection: highpri
---
# Activate using Active Directory-based activation
**Applies to supported versions of**
- Windows
- Windows Server
- Office
(*Applies to: Windows, Windows Server, Office*)
> [!TIP]
> Are you looking for information on retail activation?
>
> - [Product activation for Windows](https://support.microsoft.com/windows/product-activation-for-windows-online-support-telephone-numbers-35f6a805-1259-88b4-f5e9-b52cccef91a0)
> - [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227)
> - [Activate Windows](https://support.microsoft.com/help/12440/)
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using *adprep.exe* on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using `adprep.exe` on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console, or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
The process proceeds as follows:
1. Do _one_ of the following tasks:
1. Do *one* of the following tasks:
- Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard.
@ -134,6 +130,6 @@ To verify your Active Directory-based activation configuration, complete the fol
>
> To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md).
## See also
## Related articles
[Volume Activation for Windows 10](volume-activation-windows-10.md)

64
windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
View File

@ -1,12 +1,12 @@
---
title: Activate using Key Management Service (Windows 10)
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
description: How to activate using Key Management Service in Windows 10.
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 10/16/2017
ms.date: 11/07/2022
ms.topic: article
ms.collection: highpri
ms.technology: itpro-fundamentals
@ -14,32 +14,26 @@ ms.technology: itpro-fundamentals
# Activate using Key Management Service
**Applies to**
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
> [!TIP]
> Are you looking for information on retail activation?
>
> - [Activate Windows](https://support.microsoft.com/help/12440/)
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
**Looking for retail activation?**
There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/)
- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644)
There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
- Host KMS on a computer running Windows 10
- Host KMS on a computer running Windows Server 2012 R2
- Host KMS on a computer running Windows 10
- Host KMS on a computer running Windows Server 2012 R2
- Host KMS on a computer running an earlier version of Windows
Check out [Windows 10 Volume Activation Tips](/archive/blogs/askcore/windows-10-volume-activation-tips).
## Key Management Service in Windows 10
## Key Management Service in Windows 10
Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
@ -55,11 +49,11 @@ To activate, use the slmgr.vbs command. Open an elevated command prompt and run
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
4. Run `slmgr.vbs /atp \<confirmation ID\>`.
For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)).
For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)).
## Key Management Service in Windows Server 2012 R2
## Key Management Service in Windows Server 2012 R2
Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
> [!NOTE]
> You cannot install a client KMS key into the KMS in Windows Server.
@ -67,9 +61,9 @@ Installing a KMS host key on a computer running Windows Server allows you to act
This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
> [!NOTE]
> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
### Configure KMS in Windows Server 2012 R2
### Configure KMS in Windows Server 2012 R2
1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
2. Launch Server Manager.
@ -115,26 +109,26 @@ Now that the KMS host is configured, it will begin to listen for activation requ
## Verifying the configuration of Key Management Service
You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
> [!NOTE]
> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
To verify that KMS volume activation works, complete the following steps:
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
2. On a client computer, open a Command Prompt window, type `Slmgr.vbs /ato`, and then press ENTER.
The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type `Slmgr.vbs /dlv`, and then press ENTER.
The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
2. Request a new KMS host key from the Volume Licensing Service Center.
@ -143,6 +137,6 @@ If you have already established a KMS infrastructure in your organization for an
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also
## Related articles
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

104
windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
View File

@ -1,59 +1,61 @@
---
title: Activate clients running Windows 10 (Windows 10)
description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Activate clients running Windows 10
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
**Looking for retail activation?**
> [!TIP]
> Are you looking for information on retail activation?
>
> - [Activate Windows](https://support.microsoft.com/help/12440/)
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
If activation or reactivation is required, the following sequence occurs:
1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computers GVLK.
3. The computer tries to activate against Microsoft servers if it is configured with a MAK.
If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
If activation or reactivation is required, the following sequence occurs:
1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
2. If the computer isn't a member of a domain or if the volume activation object isn't available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer's GVLK.
3. The computer tries to activate against Microsoft servers if it's configured with a MAK.
If the client isn't able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
## How Key Management Service works
KMS uses a clientserver topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
KMS uses a client-server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
### Key Management Service activation thresholds
You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met.
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold aren't activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated.
When KMS clients are waiting for the KMS to reach the activation threshold, they'll connect to the KMS host every two hours to get the current activation count. They'll be activated when the threshold is met.
In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it's activated. If a computer running Windows 10 receives an activation count of 25 or more, it's activated.
### Activation count cache
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30 day period begins again. If a KMS client computer doesn't renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
### Key Management Service connectivity
@ -61,63 +63,67 @@ KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients u
### Key Management Service activation renewal
KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computers activation is renewed, the activation validity interval begins again.
KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client computer retries every two hours. After a client computer's activation is renewed, the activation validity interval begins again.
### Publication of the Key Management Service
The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update isn't available or the KMS host doesn't have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
### Client discovery of the Key Management Service
By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated, and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
### Domain Name System server configuration
The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
### Activating the first Key Management Service host
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host doesn't communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
### Activating subsequent Key Management Service hosts
Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organizations KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization's KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
## How Multiple Activation Key works
A MAK is used for one-time activation with Microsofts hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organizations exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization's exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
You can activate computers by using a MAK in two ways:
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that don't maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg)
**Figure 16**. MAK independent activation
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It's also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg)
**Figure 17**. MAK proxy activation with the VAMT
A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold.
A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation doesn't meet the KMS activation threshold.
You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. Switching from KMS to a MAK is useful for moving a computer off the core network to a disconnected environment.
### Multiple Activation Key architecture and activation
MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
## Activating as a standard user
Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 don't require administrator privileges for activation, but this change doesn't allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as "rearm."
## See also
## Related articles
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
 
 
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

27
windows/deployment/volume-activation/active-directory-based-activation-overview.md
View File

@ -2,39 +2,38 @@
title: Active Directory-Based Activation Overview (Windows 10)
description: Enable your enterprise to activate its computers through a connection to their domain using Active Directory-Based Activation (ADBA).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 12/07/2018
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Active Directory-Based Activation overview
Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the companys domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain.
Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company's domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it's distributed throughout the domain.
## ADBA scenarios
You might use ADBA if you only want to activate domain joined devices.
If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used.
If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. Reactivating licenses isn't necessary When ADBA is used.
ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values.
Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage.
ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. ADBA is simpler than using the DNS service to load balance by configuring priority and weight values.
Some VDI solutions also require that new clients activate during creation before they're added to the pool. In this VDI scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage.
## ADBA methods
VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods:
- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name.
- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
## Related topics
- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name.
- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
## Related articles
- [How to Activate an Active Directory Forest Online](./activate-forest-vamt.md)
- [How to Proxy Activate an Active Directory Forest](./activate-forest-by-proxy-vamt.md)
 
 

17
windows/deployment/volume-activation/add-manage-products-vamt.md
View File

@ -2,26 +2,23 @@
title: Add and Manage Products (Windows 10)
description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Add and Manage Products
# Add and manage products
This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network.
## In this Section
|Topic |Description |
|------|------------|
|Article |Description |
|-------|------------|
|[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. |
|[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. |
|[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. |

84
windows/deployment/volume-activation/add-remove-computers-vamt.md
View File

@ -2,59 +2,73 @@
title: Add and Remove Computers (Windows 10)
description: The Discover products function on the Volume Activation Management Tool (VAMT) allows you to search the Active Directory domain or a general LDAP query.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Add and Remove Computers
# Add and remove computers
You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function.
Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md).
Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
## To add computers to a VAMT database
1. Open VAMT.
2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box.
3. In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query.
- To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing.
- To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks.
4. Click **Search**.
5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane.
1. Open VAMT.
2. Select **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box.
3. In the **Discover products** dialog box, select **Search for computers in the Active Directory** to display the search options, then select the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query.
- To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names select the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search by individual computer name or IP address, select **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. VAMT supports both IPv4 and IPV6 addressing.
- To search for computers in a workgroup, select **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names select the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks.
4. Select **Search**.
5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
To cancel the search, select **Cancel**. When the search is complete, the names of the newly discovered computers appear in the product list view in the center pane.
![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif)
**Important**  
This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
> [!IMPORTANT]
> This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
## To add products to VAMT
1. In the **Products** list, select the computers that need to have their product information added to the VAMT database.
2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
4. Click **Filter**. VAMT displays the filtered list in the center pane.
5. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
1. In the **Products** list, select the computers that need to have their product information added to the VAMT database.
**Note**  
2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
4. Select **Filter**. VAMT displays the filtered list in the center pane.
5. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
> [!NOTE]
If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
## To remove computers from a VAMT database
You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database.
You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, select **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database.
## Related topics
## Related articles
- [Add and Manage Products](add-manage-products-vamt.md)

39
windows/deployment/volume-activation/add-remove-product-key-vamt.md
View File

@ -2,35 +2,40 @@
title: Add and Remove a Product Key (Windows 10)
description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Add and Remove a Product Key
# Add and remove a product key
Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database.
## To Add a Product Key
## To add a product key
1. Open VAMT.
2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
3. Click **Add product keys** to open the **Add Product Keys** dialog box.
4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
- To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**.
- To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
1. Open VAMT.
**Note**  
If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
## Remove a Product Key
3. Select **Add product keys** to open the **Add Product Keys** dialog box.
- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network.
4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
## Related topics
- To add product keys manually, select **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and select **Add Key(s)**.
- To import a Comma Separated Values (CSV) file containing a list of product keys, select **Select a product key file to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**.
> [!NOTE]
> If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
## Remove a product key
- To remove a product key from the list, select the key in the list and select **Delete** on the **Selected Items** menu in the right-side pane. Select **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database won't affect the activation state of any products or computers on the network.
## Related articles
- [Manage Product Keys](manage-product-keys-vamt.md)

77
windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
View File

@ -2,56 +2,63 @@
title: Appendix Information sent to Microsoft during activation (Windows 10)
description: Learn about the information sent to Microsoft during activation.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
author: aczechowski
manager: aaroncz
ms.author: frankroj
author: frankroj
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 11/07/2022
ms.topic: article
---
# Appendix: Information sent to Microsoft during activation
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
When you activate a computer running Windows 10, the following information is sent to Microsoft:
- The Microsoft product code (a five-digit code that identifies the Windows product you're activating)
- A channel ID or site code that identifies how the Windows product was originally obtained
- The Microsoft product code (a five-digit code that identifies the Windows product you're activating)
- A channel ID or site code that identifies how the Windows product was originally obtained
For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
- The date of installation and whether the installation was successful
- Information that helps confirm that your Windows product key hasn't been altered
- Computer make and model
- Version information for the operating system and software
- Region and language settings
- A unique number called a *globally unique identifier*, which is assigned to your computer
- Product key (hashed) and product ID
- BIOS name, revision number, and revision date
- Volume serial number (hashed) of the hard disk drive
- The result of the activation check
- The date of installation and whether the installation was successful
- Information that helps confirm that your Windows product key hasn't been altered
- Computer make and model
- Version information for the operating system and software
- Region and language settings
- A unique number called a *globally unique identifier*, which is assigned to your computer
- Product key (hashed) and product ID
- BIOS name, revision number, and revision date
- Volume serial number (hashed) of the hard disk drive
- The result of the activation check
This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
- The activation exploit's identifier
- The activation exploit's current state, such as cleaned or quarantined
- Computer manufacturer's identification
- The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
- The name and a hash of the contents of your computer's startup instructions file
- If your Windows license is on a subscription basis, information about how your subscription works
- The activation exploit's identifier
- The activation exploit's current state, such as cleaned or quarantined
- Computer manufacturer's identification
- The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
- The name and a hash of the contents of your computer's startup instructions file
- If your Windows license is on a subscription basis, information about how your subscription works
Standard computer information is also sent, but your computer's IP address is only kept temporarily.
@ -60,6 +67,6 @@ Standard computer information is also sent, but your computer's IP address is on
Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers.
For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
## See also
## Related articles
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

44
windows/deployment/volume-activation/configure-client-computers-vamt.md
View File

@ -2,21 +2,22 @@
title: Configure Client Computers (Windows 10)
description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly.
ms.reviewer:
manager: dougeby
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: frankroj
ms.author: frankroj
ms.prod: windows-client
ms.date: 04/30/2020
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Configure Client Computers
# Configure client computers
To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers:
- An exception must be set in the client computer's firewall.
- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.
- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) won't allow remote administrative operations.
Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
@ -28,11 +29,16 @@ Organizations where the VAMT will be widely used may benefit from making these c
Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
1. Open Control Panel and double-click **System and Security**.
2. Click **Windows Firewall**.
3. Click **Allow a program or feature through Windows Firewall**.
4. Click the **Change settings** option.
2. Select **Windows Firewall**.
3. Select **Allow a program or feature through Windows Firewall**.
4. Select the **Change settings** option.
5. Select the **Windows Management Instrumentation (WMI)** checkbox.
6. Click **OK**.
6. Select **OK**.
> [!WARNING]
> By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
@ -44,11 +50,15 @@ Enable the VAMT to access client computers across multiple subnets using the **W
![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**.
2. Select **Windows Firewall with Advanced Security**.
3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel.
@ -56,10 +66,12 @@ Enable the VAMT to access client computers across multiple subnets using the **W
5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box.
- On the **General** tab, select the **Allow the connection** checkbox.
- On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
- On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically allocated ports. Limiting the range of dynamically allocated ports is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
For more info, see [How to configure RPC dynamic port allocation to work with firewalls](/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang).
@ -71,6 +83,7 @@ Enable the VAMT to access client computers across multiple subnets using the **W
On the client computer, create the following registry key using regedit.exe.
1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
2. Enter the following details:
- **Value Name: LocalAccountTokenFilterPolicy**
@ -85,12 +98,15 @@ On the client computer, create the following registry key using regedit.exe.
There are several options for organizations to configure the WMI firewall exception for computers:
- **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
- **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility.
- **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility.
- **Manual.** Configure the WMI firewall exception individually on each client.
The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
## Related topics
## Related articles
- [Install and Configure VAMT](install-configure-vamt.md)

24
windows/deployment/volume-activation/import-export-vamt-data.md
View File

@ -2,12 +2,12 @@
title: Import and export VAMT data
description: Learn how to use the VAMT to import product-activation data from a file into SQL Server.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.technology: itpro-fundamentals
author: aczechowski
ms.date: 05/02/2022
author: frankroj
ms.date: 11/07/2022
ms.topic: how-to
---
@ -16,10 +16,12 @@ ms.topic: how-to
You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a computer information list (`.cilx` or `.cil`) file into SQL Server. Also use VAMT to export product-activation data into a `.cilx` file. A `.cilx` file is an XML file that stores computer and product-activation data.
You can import data or export data during the following scenarios:
- Import and merge data from previous versions of VAMT.
- Export data to perform proxy activations.
> [!Warning]
> [!WARNING]
> Editing a `.cilx` file through an application other than VAMT can corrupt the `.cilx` file. This method isn't supported.
## Import VAMT data
@ -27,8 +29,11 @@ You can import data or export data during the following scenarios:
To import data into VAMT, use the following process:
1. Open VAMT.
2. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box.
3. In the **Import List** dialog box, navigate to the `.cilx` file location, choose the file, and select **Open**.
4. In the **Volume Activation Management Tool** dialog box, select **OK** to begin the import. VAMT displays a progress message while the file is being imported. Select **OK** when a message appears and confirms that the import has completed successfully.
## Export VAMT data
@ -36,14 +41,23 @@ To import data into VAMT, use the following process:
Exporting VAMT data from a VAMT host computer that's not internet-connected is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a `.cilx` file:
1. In the left-side pane, select a product you want to export data for, or select **Products** if the list contains data for all products.
2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export.
3. In the right-side **Actions** pane on, select **Export list** to open the **Export List** dialog box.
4. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file.
5. Under **Export options**, select one of the following data-type options:
- Export products and product keys
- Export products only
- Export proxy activation data only. Selecting this option makes sure that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No personally identifiable information (PII) is contained in the exported `.cilx` file when this selection is checked.
6. If you've selected products to export, select the **Export selected product rows only** check box.
7. Select **Save**. VAMT displays a progress message while the data is being exported. Select **OK** when a message appears and confirms that the export has completed successfully.
## Related articles

20
windows/deployment/volume-activation/install-configure-vamt.md
View File

@ -2,30 +2,28 @@
title: Install and Configure VAMT (Windows 10)
description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Install and Configure VAMT
# Install and configure VAMT
This section describes how to install and configure the Volume Activation Management Tool (VAMT).
## In this Section
## In this section
|Topic |Description |
|------|------------|
|Article |Description |
|-------|------------|
|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
## Related topics
## Related articles
- [Introduction to VAMT](introduction-vamt.md)
 
 

52
windows/deployment/volume-activation/install-kms-client-key-vamt.md
View File

@ -2,39 +2,49 @@
title: Install a KMS Client Key (Windows 10)
description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Install a KMS Client Key
You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation.
You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you're converting a MAK-activated product to KMS activation.
**Note**  
By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
> [!NOTE]
> By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
**To install a KMS Client key**
1. Open VAMT.
2. In the left-side pane click **Products** to open the product list view in the center pane.
3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
5. Click **Filter**. VAMT displays the filtered list in the center pane.
6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
7. The **Install Product Key** dialog box displays the keys that are available to be installed.
8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
## To install a KMS Client key
1. Open VAMT.
2. In the left-side pane, select **Products** to open the product list view in the center pane.
3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
5. Select **Filter**. VAMT displays the filtered list in the center pane.
6. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
7. The **Install Product Key** dialog box displays the keys that are available to be installed.
8. Select the **Automatically select an AD or KMS client key** option and then select **Install Key**.
VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
## Related topics
## Related articles
- [Perform KMS Activation](kms-activation-vamt.md)

51
windows/deployment/volume-activation/install-product-key-vamt.md
View File

@ -2,12 +2,12 @@
title: Install a Product Key (Windows 10)
description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
@ -16,26 +16,35 @@ ms.technology: itpro-fundamentals
You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
**To install a Product key**
1. Open VAMT.
2. In the left-side pane, click the product that you want to install keys onto.
3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
5. Click **Filter**.
6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time.
9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
## To install a Product key
1. Open VAMT.
2. In the left-side pane, select the product that you want to install keys onto.
3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
5. Select **Filter**.
6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
7. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you've selected the product key you want to install, select **Install Key**. Only one key can be installed at a time.
9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
**Note**  
Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right
Volume License Key for Windows](/previous-versions/tn-archive/ee939271(v=technet.10)).
> [!NOTE]
> Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right Volume License Key for Windows](/previous-versions/tn-archive/ee939271(v=technet.10)).
## Related topics
## Related articles
- [Manage Product Keys](manage-product-keys-vamt.md)

36
windows/deployment/volume-activation/install-vamt.md
View File

@ -1,35 +1,38 @@
---
title: Install VAMT (Windows 10)
description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 03/11/2019
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Install VAMT
This topic describes how to install the Volume Activation Management Tool (VAMT).
This article describes how to install the Volume Activation Management Tool (VAMT).
## Install VAMT
## Installing VAMT
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!IMPORTANT]
>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator. 
>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
>[!NOTE]
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
### Requirements
- [Windows Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
- Latest version of the [Windows 10 ADK](/windows-hardware/get-started/adk-install)
- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
- Alternatively, any supported **full** SQL instance
### Install SQL Server Express / alternatively use any full SQL instance
@ -42,7 +45,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
4. Enter an install location or use the default path, and then select **Install**.
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png)
@ -50,7 +53,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
1. Download the latest version of [Windows 10 ADK](/windows-hardware/get-started/adk-install).
If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
If an older version is already installed, it's recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
@ -58,7 +61,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
4. Accept the license terms.
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. If desired, you can select additional features to install as well.
6. On the completion page, select **Close**.
@ -72,15 +75,10 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
For remote SQL Server, use `servername.yourdomain.com`.
## Uninstall VAMT
To uninstall VAMT using the **Programs and Features** Control Panel:
1. Open **Control Panel** and select **Programs and Features**.
1. Open **Control Panel** and select **Programs and Features**.
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
2. Select **Assessment and Deployment Kit** from the list of installed programs and select **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.

20
windows/deployment/volume-activation/introduction-vamt.md
View File

@ -2,12 +2,12 @@
title: Introduction to VAMT (Windows 10)
description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.technology: itpro-fundamentals
author: aczechowski
ms.date: 09/16/2022
author: frankroj
ms.date: 11/07/2022
ms.topic: overview
---
@ -18,7 +18,7 @@ The Volume Activation Management Tool (VAMT) enables network administrators and
> [!NOTE]
> VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
## <a href="" id="bkmk-managingmak"></a>Managing MAK and retail activation
## Managing MAK and retail activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
@ -26,23 +26,25 @@ You can use a MAK or a retail product key to activate Windows, Windows Server, o
- **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host.
## <a href="" id="bkmk-managingkms"></a>Managing KMS activation
## Managing KMS activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office.
VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types.
## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise environment
## Enterprise environment
VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab.
![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg)
- In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS).
- The secure zone represents higher-security core network computers that have extra firewall protection.
- The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab.
## <a href="" id="bkmk-userinterface"></a>VAMT user interface
## VAMT user interface
The following screenshot shows the VAMT graphical user interface:
@ -58,7 +60,7 @@ VAMT provides a single, graphical user interface for managing activations, and f
- **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
- **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
- **Managing activation data**: VAMT stores activation data in an SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
## Next steps

73
windows/deployment/volume-activation/kms-activation-vamt.md
View File

@ -2,45 +2,62 @@
title: Perform KMS Activation (Windows 10)
description: The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Perform KMS Activation
# Perform KMS activation
The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products.
The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products.
## Requirements
Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements:
- KMS host is set up and enabled.
- KMS clients can access the KMS host.
- VAMT is installed on a central computer with network access to all client computers.
- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
- KMS host is set up and enabled.
- KMS clients can access the KMS host.
- VAMT is installed on a central computer with network access to all client computers.
- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure client computers](configure-client-computers-vamt.md).
## To configure devices for KMS activation
**To configure devices for KMS activation**
1. Open VAMT.
2. If necessary, set up the KMS activation preferences. If you dont need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2.
3. To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
4. Under **Key Management Services host selection**, select one of the following options:
- **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation.
- **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation.
- **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host.
5. Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box.
6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
7. Click **Filter**. VAMT displays the filtered list in the center pane.
8. In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**.
9. Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using.
10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**.
1. Open VAMT.
2. If necessary, set up the KMS activation preferences. If you don't need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2.
3. To set up the preferences, on the menu bar select **View**, then select **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
4. Under **Key Management Services host selection**, select one of the following options:
- **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer, and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation.
- **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer, and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation.
- **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments that don't use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host.
5. Select **Apply**, and then select **OK** to close the **Volume Activation Management Tool Preferences** dialog box.
6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
7. Select **Filter**. VAMT displays the filtered list in the center pane.
8. In the right-side pane, select **Activate** in the **Selected Items** menu, and then select **Volume activate**.
9. Select a credential option. Choose **Alternate credentials** only if you're activating products that require administrator credentials different from the ones you're currently using.
10. If you're supplying alternate credentials, at the prompt, type the appropriate user name and password and select **OK**.
VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane.
 

58
windows/deployment/volume-activation/local-reactivation-vamt.md
View File

@ -2,43 +2,53 @@
title: Perform Local Reactivation (Windows 10)
description: An initially activated a computer using scenarios like MAK, retail, or CSLVK (KMS host), can be reactivated with Volume Activation Management Tool (VAMT).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Perform Local Reactivation
# Perform local reactivation
If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer.
Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key.
**Note**  
During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft.
> [!NOTE]
> During the initial proxy activation, the CID is bound to a digital "fingerprint", which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft.
## To Perform a Local Reactivation
## To perform a local reactivation
1. Open VAMT. Make sure that you're connected to the desired database.
2. In the left-side pane, select the product you want to reactivate to display the products list.
3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
5. Select **Filter**. VAMT displays the filtered list in the center pane.
6. In the right-side pane, select **Activate**, and then select **Apply Confirmation ID**.
7. Select a credential option. Choose **Alternate credentials** only if you're reactivating products that require administrator credentials different from the ones you're currently using.
8. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name, and password and select **OK**.
**To perform a local reactivation**
1. Open VAMT. Make sure that you are connected to the desired database.
2. In the left-side pane, click the product you want to reactivate to display the products list.
3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
5. Click **Filter**. VAMT displays the filtered list in the center pane.
6. In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**.
7. Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using.
8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
VAMT displays the **Apply Confirmation ID** dialog box.
10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID.
11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box.
12. Click **OK**.
9. If you're using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID.
## Related topics
10. If you're activating a product that requires administrator credentials different from the ones you're currently using, select the **Use Alternate Credentials** check box.
11. Select **OK**.
## Related article
- [Manage Activations](manage-activations-vamt.md)

15
windows/deployment/volume-activation/manage-activations-vamt.md
View File

@ -2,11 +2,11 @@
title: Manage Activations (Windows 10)
description: Learn how to manage activations and how to activate a client computer by using various activation methods.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
@ -17,14 +17,11 @@ This section describes how to activate a client computer, by using various activ
## In this Section
|Topic |Description |
|------|------------|
|Article |Description |
|-------|------------|
|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. |
|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that don't have Internet access. |
|[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). |
|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. |
|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to activate an Active Directory forest, online. |
|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that isn't connected to the Internet. |

18
windows/deployment/volume-activation/manage-product-keys-vamt.md
View File

@ -2,25 +2,23 @@
title: Manage Product Keys (Windows 10)
description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Manage Product Keys
This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database.
This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product, or products you select in the VAMT database.
## In this Section
|Topic |Description |
|------|------------|
|Article |Description |
|-------|------------|
|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. |
|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. |
|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. |

13
windows/deployment/volume-activation/manage-vamt-data.md
View File

@ -2,11 +2,11 @@
title: Manage VAMT Data (Windows 10)
description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
@ -16,7 +16,8 @@ ms.technology: itpro-fundamentals
This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
## In this Section
|Topic |Description |
|------|------------|
|Article |Description |
|-------|------------|
|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. |
|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. |

47
windows/deployment/volume-activation/monitor-activation-client.md
View File

@ -1,40 +1,43 @@
---
title: Monitor activation (Windows 10)
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
description: Understand the most common methods to monitor the success of the activation process for a computer running Windows.
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 11/07/2022
---
# Monitor activation
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
> [!TIP]
> Are you looking for information on retail activation?
>
> - [Activate Windows](https://support.microsoft.com/help/12440/)
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
- Using the Volume Licensing Service Center website to track use of MAK keys.
- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](/previous-versions//ff793433(v=technet.10)).)
- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section.
## See also
- Using the Volume Licensing Service Center website to track use of MAK keys.
- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options](/previous-versions//ff793433(v=technet.10)).
- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
- The VAMT provides a single site from which to manage and monitor volume activations. This feature is explained in the next section.
## Related articles
[Volume Activation for Windows 10](volume-activation-windows-10.md)

72
windows/deployment/volume-activation/online-activation-vamt.md
View File

@ -2,51 +2,63 @@
title: Perform Online Activation (Windows 10)
description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Perform Online Activation
# Perform online activation
You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key.
## Requirements
Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
- VAMT is installed on a central computer that has network access to all client computers.
- Both the VAMT host and client computers have Internet access.
- The products that you want to activate are added to VAMT.
- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking
**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
- VAMT is installed on a central computer that has network access to all client computers.
## To Perform an Online Activation
- Both the VAMT host and client computers have Internet access.
**To perform an online activation**
1. Open VAMT.
2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
4. Click **Filter**. VAMT displays the filtered list in the center pane.
5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
- The products that you want to activate are added to VAMT.
- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
The product keys that are installed on the client products must have a sufficient number of remaining activations. If you're activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This action retrieves the number of remaining activations for the MAK from Microsoft. This step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
## To perform an online activation
1. Open VAMT.
2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
4. Select **Filter**. VAMT displays the filtered list in the center pane.
5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
6. Select **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane isn't displayed, select the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
7. Point to **Online activate**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
**Note**  
Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
**Note**
You can use online activation to select products that have different key types and activate the products at the same time.
> [!NOTE]
> Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
## Related topics
- [Manage Activations](manage-activations-vamt.md)
> [!NOTE]
> You can use online activation to select products that have different key types and activate the products at the same time.
## Related articles
- [Manage activations](manage-activations-vamt.md)

213
windows/deployment/volume-activation/plan-for-volume-activation-client.md
View File

@ -2,36 +2,32 @@
title: Plan for volume activation (Windows 10)
description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 11/07/2022
---
# Plan for volume activation
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
**Looking for retail activation?**
> [!TIP]
> Are you looking for information on retail activation?
>
> - [Activate Windows](https://support.microsoft.com/help/12440/)
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and hasn't been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization.
During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they can't be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft doesn't use this information to identify or contact the user or the organization.
>[!NOTE]
>The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets.
>The IP address is used only to verify the location of the request, because some editions of Windows (such as "Starter" editions) can only be activated within certain geographical target markets.
## Distribution channels and activation
@ -39,69 +35,78 @@ In general, Microsoft software is obtained through three main channels: retail,
### Retail activations
The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
The retail activation method hasn't changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
### Original equipment manufacturer
Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required.
Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware/BIOS of the computer. This activation occurs before the computer is sent to the customer, and no additional actions are required.
OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled.
### Volume licensing
Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
- Have the license preinstalled through the OEM.
- Purchase a fully packaged retail product.
Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft. There's a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
- Have the license preinstalled through the OEM
- Purchase a fully packaged retail product
The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
**Note**  
Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
> [!NOTE]
> Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
## Activation models
For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps.
With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose:
- Online activation
- Telephone activation
- VAMT proxy activation
Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
- MAKs
- KMS
- Active Directory-based activation
- Online activation
**Note**  
Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
- Telephone activation
- VAMT proxy activation
Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
- MAKs
- KMS
- Active Directory-based activation
> [!NOTE]
> Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
### Multiple activation key
A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS.
A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they don't meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that doesn't have enough computers to use the KMS.
To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain.
In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can help with tracking the number of activations that have been performed with each key and how many remain.
Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft.
### Key Management Service
With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services.
With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that doesn't require a dedicated system and can easily be cohosted on a system that provides other services.
Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely will more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. It will be rare that more than two KMS hosts are used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
### Active Directory-based activation
Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer doesn't need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the companys domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it's impractical to connect to a KMS, or wouldn't reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company's domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
## Network and connectivity
@ -109,11 +114,11 @@ A modern business network has many nuances and interconnections. This section ex
### Core network
Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network.
Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that isn't a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the majority of the business network.
In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that aren't joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
A typical core network that includes a KMS host is shown in Figure 1.
A typical core network that includes a KMS host is shown in Figure 1.
![Typical core network.](../images/volumeactivationforwindows81-01.jpg)
@ -121,106 +126,124 @@ A typical core network that includes a KMS host is shown in Figure 1.
### Isolated networks
In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
In a large network, it's all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
**Isolated for security**
#### Isolated for security
Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
If the isolated network can access the core network by using outbound requests on TCP port 1688, and it's allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
If the isolated network cannot communicate with the core networks KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
If the isolated network can't communicate with the core network's KMS server, and it can't use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they're placed in the isolated network.
![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg)
**Figure 2**. New KMS host in an isolated network
**Figure 2**. New KMS host in an isolated network
**Branch offices and distant networks**
From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
#### Branch offices and distant networks
From mining operations to ships at sea, organizations often have a few computers that aren't easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
### Disconnected computers
Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this branch office an "isolated network," where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it doesn't support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
### Test and development labs
Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately.
If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide.
In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they can't activate immediately.
If you've ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they'll be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network, and use the methods described earlier in this guide.
In labs that have a high turnover of computers and a few KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
## Mapping your network to activation methods
Now its time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination.
Now it's time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you've collected the information you need to determine which activation methods will work best for you. You can fill in information in Table 1 to help you make this determination.
**Table 1**. Criteria for activation methods
|Criterion |Activation method |
|----------|------------------|
|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days<p><strong>Note</strong><br>The core network must meet the KMS activation threshold. |KMS (central) |
|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK |
|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days<div class="alert">**Note**<br>The core network must meet the KMS activation threshold.</div> |KMS (central) |
|Number of computers that don't connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK |
|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) |
|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) |
|Number of computers in isolated networks where the KMS activation threshold is not met |MAK |
|Number of computers in test and development labs that will not be activated |None|
|Number of computers that do not have a retail volume license |Retail (online or phone) |
|Number of computers that do not have an OEM volume license |OEM (at factory) |
|Total number of computer activations<p><strong>Note</strong><br>This total should match the total number of licensed computers in your organization. |
|Number of computers in isolated networks where the KMS activation threshold isn't met |MAK |
|Number of computers in test and development labs that won't be activated |None|
|Number of computers that don't have a retail volume license |Retail (online or phone) |
|Number of computers that don't have an OEM volume license |OEM (at factory) |
|Total number of computer activations<div class="alert">**Note**<br>This total should match the total number of licensed computers in your organization.</div> |
## Choosing and acquiring keys
When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways:
- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
- Contact your [Microsoft activation center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
### KMS host keys
A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is referred to as the *KMS host key*, but it's formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation.
A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You'll need a KMS host key for any KMS that you want to set up and if you're going to use Active Directory-based activation.
### Generic volume licensing keys
When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys.
When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you're creating. GVLKs are also referred to as KMS client setup keys.
Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK will not activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential.
Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK won't activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK doesn't work unless a valid KMS host key can be found. GVLKs are the only product keys that don't need to be kept confidential.
Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)).
Typically, you won't need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it's being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS client setup keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)).
### Multiple activation keys
You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
You'll also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
## Selecting a KMS host
The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
The KMS doesn't require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure.
The flow of KMS activation is shown in Figure 3, and it follows this sequence:
The flow of KMS activation is shown in Figure 3, and it follows this sequence:
1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.)
4. A client configured with a GVLK uses DNS to locate the KMS host.
5. The client sends one packet to the KMS host.
6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment doesn't support DNS dynamic update protocol.)
4. A client configured with a GVLK uses DNS to locate the KMS host.
5. The client sends one packet to the KMS host.
6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs aren't stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold hasn't yet been met, the client will try again.
![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg)
**Figure 3**. KMS activation flow
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
## Related articles
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

77
windows/deployment/volume-activation/proxy-activation-vamt.md
View File

@ -1,55 +1,68 @@
---
title: Perform Proxy Activation (Windows 10)
description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that do not have Internet access.
description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that don't have Internet access.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Perform Proxy Activation
You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key.
You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that don't have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key.
In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access.
**Note**  
For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet. 
> [!NOTE]
> For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.
## Requirements
Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements:
- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup.
- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key.
- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall.
- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
- There's an instance of VAMT that is installed on a computer that has Internet access. If you're performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup.
- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products haven't been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key.
- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall.
- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure client computers](configure-client-computers-vamt.md).
The product keys that are installed on the client products must have a sufficient number of remaining activations. If you're activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This action retrieves the number of remaining activations for the MAK from Microsoft. This step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
## To Perform Proxy Activation
**To perform proxy activation**
1. Open VAMT.
1. Open VAMT.
2. If necessary, install product keys. For more information see:
- [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK).
- [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys.
3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
5. Click **Filter**. VAMT displays the filtered list in the center pane.
6. In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box.
7. In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**.
8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox.
9. Click **OK**.
10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials.
2. If necessary, install product keys. For more information, see:
**Note**  
- [Install a product key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK).
- [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys.
3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
5. Select **Filter**. VAMT displays the filtered list in the center pane.
6. In the right-side pane, select **Activate** and then select **Proxy activate** to open the **Proxy Activate** dialog box.
7. In the **Proxy Activate** dialog box select **Apply Confirmation ID, apply to selected machine(s) and activate**.
8. If you're activating products that require administrator credentials different from the ones you're currently using, select the **Use Alternate Credentials** checkbox.
9. Select **OK**.
10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you'll be prompted to enter the credentials.
> [!NOTE]
You can use proxy activation to select products that have different key types and activate the products at the same time.

44
windows/deployment/volume-activation/remove-products-vamt.md
View File

@ -2,31 +2,39 @@
title: Remove Products (Windows 10)
description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Remove Products
# Remove products
To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane.
**To delete one or more products**
1. Click a product node in the left-side pane.
2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
4. Click **Filter**. VAMT displays the filtered list in the center pane.
5. Select the products you want to delete.
6. Click **Delete** in the **Selected Items** menu in the right-side pane.
7. On the **Confirm Delete Selected Products** dialog box, click **OK**.
## To delete one or more products
1. Select a product node in the left-side pane.
2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
4. Select **Filter**. VAMT displays the filtered list in the center pane.
5. Select the products you want to delete.
6. Select **Delete** in the **Selected Items** menu in the right-side pane.
7. On the **Confirm Delete Selected Products** dialog box, select **OK**.
## Related articles
## Related topics
- [Add and Manage Products](add-manage-products-vamt.md)
 
 

72
windows/deployment/volume-activation/scenario-kms-activation-vamt.md
View File

@ -2,44 +2,58 @@
title: Scenario 3 KMS Client Activation (Windows 10)
description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Scenario 3: KMS Client Activation
# Scenario 3: KMS client activation
In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This type of activation can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You don't have to enter a key to activate a product as a GVLK, unless you're converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
The procedure that is described below assumes the following:
- The KMS Service is enabled and available to all KMS clients.
- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
The procedure that is described below assumes the following configuration:
## Activate KMS Clients
- The KMS Service is enabled and available to all KMS clients.
1. Open VAMT.
2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
- **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
- **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
- **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
4. In the left-side pane, in the **Products** node, click the product that you want to activate.
5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
7. Click **Filter**. VAMT displays the filtered list in the center pane.
8. Select the products that you want to activate.
9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
## Activate KMS clients
1. Open VAMT.
2. To set the KMS activation options, on the menu bar select **View**. Then select **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
- **Find a KMS host automatically using DNS**. This setting is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
- **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
- **Use specific KMS host**. Select this option for environments that don't use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
4. In the left-side pane, in the **Products** node, select the product that you want to activate.
5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
7. Select **Filter**. VAMT displays the filtered list in the center pane.
8. Select the products that you want to activate.
9. Select **Activate** in the **Selected Items** menu in the right-side **Actions** pane, select **Activate**, point to **Volume activate**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
## Related topics
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
 
 
## Related articles
- [VAMT step-by-step scenarios](vamt-step-by-step.md)

193
windows/deployment/volume-activation/scenario-online-activation-vamt.md
View File

@ -2,11 +2,11 @@
title: Scenario 1 Online Activation (Windows 10)
description: Achieve network access by deploying the Volume Activation Management Tool (VAMT) in a Core Network environment.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
@ -14,119 +14,146 @@ ms.technology: itpro-fundamentals
# Scenario 1: Online Activation
In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types:
- Multiple Activation Key (MAK)
- Windows Key Management Service (KMS) keys:
- KMS Host key (CSVLK)
- Generic Volume License Key (GVLK), or KMS client key
- Retail
- Multiple Activation Key (MAK)
- Windows Key Management Service (KMS) keys:
- KMS Host key (CSVLK)
- Generic Volume License Key (GVLK), or KMS client key
- Retail
The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg)
## In This Topic
- [Install and start VAMT on a networked host computer](#bkmk-partone)
- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo)
- [Connect to VAMT database](#bkmk-partthree)
- [Discover products](#bkmk-partfour)
- [Sort and filter the list of computers](#bkmk-partfive)
- [Collect status information from the computers in the list](#bkmk-partsix)
- [Add product keys and determine the remaining activation count](#bkmk-partseven)
- [Install the product keys](#bkmk-parteight)
- [Activate the client products](#bkmk-partnine)
## Step 1: Install and start VAMT on a networked host computer
## <a href="" id="bkmk-partone"></a>Step 1: Install and start VAMT on a networked host computer
1. Install VAMT on the host computer.
1. Install VAMT on the host computer.
2. Click the VAMT icon in the **Start** menu to open VAMT.
2. Select the VAMT icon in the **Start** menu to open VAMT.
## <a href="" id="bkmk-parttwo"></a>Step 2: Configure the Windows Management Instrumentation firewall exception on target computers
## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers
- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
**Note**  
To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
> [!NOTE]
> To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
## <a href="" id="bkmk-partthree"></a>Step 3: Connect to a VAMT database
## Step 3: Connect to a VAMT database
1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located.
2. Click **Connect**.
3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md)
1. If you aren't already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located.
## <a href="" id="bkmk-partfour"></a>Step 4: Discover products
2. Select **Connect**.
1. In the left-side pane, in the **Products** node Products, click the product that you want to activate.
2. To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane.
3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query:
- To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
- To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing.
- To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks.
4. Click **Search**.
3. If you're already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, select **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md)
## Step 4: Discover products
1. In the left-side pane, in the **Products** node Products, select the product that you want to activate.
2. To open the **Discover Products** dialog box, select **Discover products** in the **Actions** menu in the right-side pane.
3. In the **Discover Products** dialog box, select **Search for computers in the Active Directory** to display the search options, and then select the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query:
- To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names select the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
- To search by individual computer name or IP address, select **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. VAMT supports both IPv4 and IPV6 addressing.
- To search for computers in a workgroup, select **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, select the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks.
4. Select **Search**.
When the search is complete, the products that VAMT discovers appear in the product list view in the center pane.
## <a href="" id="bkmk-partfive"></a>Step 5: Sort and filter the list of computers
## Step 5: Sort and filter the list of computers
You can sort the list of products so that it is easier to find the computers that require product keys to be activated:
1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**.
2. To sort the list further, you can click one of the column headings to sort by that column.
3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane.
You can sort the list of products so that it's easier to find the computers that require product keys to be activated:
## <a href="" id="bkmk-partsix"></a>Step 6: Collect status information from the computers in the list
1. On the menu bar at the top of the center pane, select **Group by**, and then select **Product**, **Product Key Type**, or **License Status**.
2. To sort the list further, you can select one of the column headings to sort by that column.
3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by product name, product key type, or license status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
5. Select **Filter**. VAMT displays the filtered list in the product list view in the center pane.
## Step 6: Collect status information from the computers in the list
To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods:
- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key.
- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
**To collect status information from the selected computers**
- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**.
- To select a block of consecutively listed computers, select the first computer that you want to select, and then select the last computer while pressing the **Shift** key.
- To select computers that aren't listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
### To collect status information from the selected computers
- In the right-side **Actions** pane, select **Update license status** in the **Selected Items** menu and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials that are different from the ones that you used to sign into the computer. Otherwise, select **Current Credentials** and continue to step 2. If you're supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then select **OK**.
- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane.
**Note**
If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
> [!NOTE]
> If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
## <a href="" id="bkmk-partseven"></a>Step 7: Add product keys and determine the remaining activation count
## Step 7: Add product keys and determine the remaining activation count
1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys:
- To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**.
- To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
1. Select the **Product Keys** node in the left-side pane, and then select **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys:
- To add product keys manually, select **Enter product key(s) separated by line breaks**, enter one or more product keys, and then select **Add Key(s)**.
- To import a Comma Separated Values File (CSV) that contains a list of product keys, select **Select a product key file to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**.
The keys that you have added appear in the **Product Keys** list view in the center pane.
**Important**  
If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
> [!IMPORTANT]
> If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
## <a href="" id="bkmk-parteight"></a>Step 8: Install the product keys
## Step 8: Install the product keys
1. In the left-side pane, click the product that you want to install keys on to.
2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive).
3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time.
6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
1. In the left-side pane, select the product that you want to install keys on to.
2. If necessary, sort and filter the list of products so that it's easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#step-5-sort-and-filter-the-list-of-computers).
3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
4. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you're installing a MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you aren't installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you've selected the product key that you want to install, select **Install Key**. Only one key can be installed at a time.
6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
The same status appears under the **Status of Last Action** column in the product list view in the center pane.
**Note**  
Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
> [!NOTE]
> Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
## <a href="" id="bkmk-partnine"></a>Step 9: Activate the client products
## Step 9: Activate the client products
1. Select the individual products that you want to activate in the list-view pane.
2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option.
3. If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option.
4. Enter your alternate user name and password and click **OK**.
5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed.
1. Select the individual products that you want to activate in the list-view pane.
**Note**  
Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network.
RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
2. On the menu bar, select **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also select **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option.
3. If you're activating product keys using your current credential, select **Current credential** and continue to step 5. If you're activating products that require an administrator credential that is different from the one you're currently using, select the **Alternate credential** option.
4. Enter your alternate user name and password and select **OK**.
5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed.
> [!NOTE]
> Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network.
> RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
## Related articles
## Related topics
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)

240
windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
View File

@ -2,11 +2,11 @@
title: Scenario 2 Proxy Activation (Windows 10)
description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
@ -19,148 +19,198 @@ In this scenario, the Volume Activation Management Tool (VAMT) is used to activa
## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012.
2. Click the VAMT icon in the **Start** menu to open VAMT.
1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012.
## Step 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers
2. Select the VAMT icon in the **Start** menu to open VAMT.
- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
## Step 2: Configure the Windows Management Instrumentation Firewall Exception on target computers
**Note**  
To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
## Step 3: Connect to a VAMT Database
> [!NOTE]
> To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
1. If the host computer in the isolated lab workgroup is not already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup.
2. Click **Connect**.
3. If you are already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md)
## Step 3: Connect to a VAMT database
## Step 4: Discover Products
1. If the host computer in the isolated lab workgroup isn't already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup.
1. In the left-side pane, in the **Products** node, click the product that you want to activate.
2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane.
3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query:
- To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported.
- To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
- To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks.
4. Click **Search**.
2. Select **Connect**.
3. If you're already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, select **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md)
## Step 4: Discover products
1. In the left-side pane, in the **Products** node, select the product that you want to activate.
2. To open the **Discover Products** dialog box, select **Discover products** in the right-side pane.
3. In the **Discover Products** dialog box, select **Search for computers in the Active Directory** to display the search options, and then select the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query:
- To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, select the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- To search by individual computer name or IP address, select **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported.
- To search for computers in a workgroup, select **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, select the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (`*`) wildcard. For example, typing `a*` will display only those computer names that start with the letter **a**.
- To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks.
4. Select **Search**.
The **Finding Computers** window appears and displays the search progress as the computers are located.
When the search is complete, the products that VAMT discovers appear in the list view in the center pane.
## Step 5: Sort and Filter the List of Computers
## Step 5: Sort and filter the list of computers
You can sort the list of products so that it is easier to find the computers that require product keys to be activated:
You can sort the list of products so that it's easier to find the computers that require product keys to be activated:
1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**.
2. To sort the list further, you can click one of the column headings to sort by that column.
3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane.
1. On the menu bar at the top of the center pane, select **Group by**, and then select **Product**, **Product Key Type**, or **License Status**.
## Step 6: Collect Status Information from the Computers in the Isolated Lab
2. To sort the list further, you can select one of the column headings to sort by that column.
3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- To filter the list by computer name, enter a name in the **Computer Name** box.
- To filter the list by product name, product key type, or license status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
5. Select **Filter**. VAMT displays the filtered list in the product list view in the center pane.
## Step 6: Collect status information from the computers in the Isolated lab
To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods:
- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key.
- To select computers that are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
- To select a block of consecutively listed computers, select the first computer that you want to select, and then select the last computer while pressing the **Shift** key.
- To select computers that aren't listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
**To collect status information from the selected computers**
- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**.
- In the right-side **Actions** pane, select **Update license status** in the **Selected Items** menu and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, select **Current Credentials** and continue to step 2.If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then select **OK**.
- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane.
**Note**
If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
> [!NOTE]
> If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
## Step 7: Add Product Keys
1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys:
- To add a single product key, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add key(s)**.
- To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
1. Select the **Product Keys** node in the left-side pane, and then select **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys:
- To add a single product key, select **Enter product key(s) separated by line breaks**, enter one or more product keys, and then select **Add key(s)**.
- To import a Comma Separated Values File (CSV) that contains a list of product keys, select **Select a product key to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**.
The keys that you have added appear in the **Product Keys** list view in the center pane.
## Step 8: Install the Product Keys on the Isolated Lab Computers
1. In the left-side pane, in the **Products** node click the product that you want to install keys onto.
2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers).
3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Only one key can be installed at a time.
6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
1. In the left-side pane, in the **Products** node select the product that you want to install keys onto.
2. If necessary, sort and filter the list of products so that it's easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#step-5-sort-and-filter-the-list-of-computers).
3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
4. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you're installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you aren't installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you've selected the product key that you want to install, select **Install Key**. Only one key can be installed at a time.
6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
The same status appears under the **Status of Last Action** column in the product list view in the center pane.
**Note**  
Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
> [!NOTE]
> Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
**Note**  
Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
> [!NOTE]
> Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
## Step 9: Export VAMT Data to a .cilx File
## Step 9: Export VAMT data to a `.cilx` file
In this step, you export VAMT from the workgroups host computer and save it in a .cilx file. Then you copy the .cilx file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it is critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products.
In this step, you export VAMT from the workgroup's host computer and save it in a `.cilx` file. Then you copy the `.cilx` file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it's critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products.
1. Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products.
2. In the right-side **Actions** pane, click **Export list** to open the **Export List** dialog box.
3. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file, or enter the name of the .cilx file to which you want to export the data.
4. Under **Export options**, select one of the following data-type options:
- Export products and product keys.
- Export products only.
- Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is selected. This option should be used when an enterprises security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the .cilx file that is transferred to the Core Network VAMT host.
5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box.
6. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
7. If you exported the list to a file on the host computers hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device.
1. Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products.
**Important**  
Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the .cilx file. Therefore, the .cilx file must be re-imported into the SQL Server database on the isolated lab workgroups VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group.
2. In the right-side **Actions** pane, select **Export list** to open the **Export List** dialog box.
## Step 10: Acquire Confirmation IDs from Microsoft on the Internet-Connected Host Computer
3. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file, or enter the name of the `.cilx` file to which you want to export the data.
1. Insert the removable media into the VAMT host that has Internet access.
2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
3. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the .cilx file that you exported from the isolated lab host computer, select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs.
5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Click **OK** to close the message.
4. Under **Export options**, select one of the following data-type options:
## Step 11: Import the .cilx File onto the VAMT Host within the Isolated Lab Workgroup
- Export products and product keys.
1. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab.
2. Open VAMT and verify that you are connected to the database that contains the computer with the product keys that you are activating.
3. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
4. In the **Import list** dialog box, browse to the location of the .cilx file that contains the CIDs, select the file, and then click **Open**.
5. Click **OK** to import the file and to overwrite any conflicting data in the database with data from the file.
6. VAMT displays a progress message while the data is being imported. Click **OK** when a message appears and confirms that the data has been successfully imported.
- Export products only.
- Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported `.cilx` file when this selection is selected. This option should be used when an enterprise's security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the `.cilx` file that is transferred to the Core Network VAMT host.
5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box.
6. Select **Save**. VAMT displays a progress message while the data is being exported. Select **OK** when a message appears and confirms that the export has completed successfully.
7. If you exported the list to a file on the host computer's hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device.
> [!IMPORTANT]
> Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the `.cilx` file. Therefore, the `.cilx` file must be re-imported into the SQL Server database on the isolated lab workgroup's VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group.
## Step 10: Acquire confirmation IDs from Microsoft on the internet connected host computer
1. Insert the removable media into the VAMT host that has Internet access.
2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
3. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the `.cilx` file that you exported from the isolated lab host computer, select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs.
5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Select **OK** to close the message.
## Step 11: Import the `.cilx` file onto the VAMT host within the Isolated lab workgroup
1. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab.
2. Open VAMT and verify that you're connected to the database that contains the computer with the product keys that you're activating.
3. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box.
4. In the **Import list** dialog box, browse to the location of the `.cilx` file that contains the CIDs, select the file, and then select **Open**.
5. Select **OK** to import the file and to overwrite any conflicting data in the database with data from the file.
6. VAMT displays a progress message while the data is being imported. Select **OK** when a message appears and confirms that the data has been successfully imported.
## Step 12: Apply the CIDs and Activate the Isolated Lab Computers
1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products.
2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products.
VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
2. In the right-side **Selected Items** menu, select **Activate**, select **Apply Confirmation ID**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
The same status appears under the **Status of Last Action** column in the product list view in the center pane.
## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab
If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers has not changed, VAMT can reactivate those computers using the CIDs that are stored in the database.
1. Redeploy products to each computer, using the same computer names as before.
2. Open VAMT.
3. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers hasn't changed, VAMT can reactivate those computers using the CIDs that are stored in the database.
VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
1. Redeploy products to each computer, using the same computer names as before.
2. Open VAMT.
3. In the right-side **Selected Items** menu, select **Activate**, select **Apply Confirmation ID**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
The same status appears under the **Status of Last Action** column in the product list view in the center pane.
**Note**  
Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network.
RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
> [!NOTE]
> Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network.
**Note**  
Reapplying the same CID conserves the remaining activations on the MAK.
RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 won't enter RFM.
> [!NOTE]
> Reapplying the same CID conserves the remaining activations on the MAK.
## Related articles
## Related topics
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)

32
windows/deployment/volume-activation/update-product-status-vamt.md
View File

@ -2,34 +2,38 @@
title: Update Product Status (Windows 10)
description: Learn how to use the Update license status function to add the products that are installed on the computers.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Update Product Status
# Update product status
After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
**Note**  
> [!NOTE]
The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
## Update the license status of a product
1. Open VAMT.
2. In the **Products** list, select one or more products that need to have their status updated.
3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer.
4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
1. Open VAMT.
2. In the **Products** list, select one or more products that need to have their status updated.
3. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer.
4. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
**Note**  
If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
## Related topics
> [!NOTE]
If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
## Related articles
- [Add and Manage Products](add-manage-products-vamt.md)

64
windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
View File

@ -2,49 +2,46 @@
title: Use the Volume Activation Management Tool (Windows 10)
description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Use the Volume Activation Management Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
> [!TIP]
> Are you looking for information on retail activation?
>
> - [Activate Windows](https://support.microsoft.com/help/12440/)
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be
installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It's a standard Microsoft Management Console snap-in, and it can be installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
## Activating with the Volume Activation Management Tool
You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that don't have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
## Tracking products and computers with the Volume Activation Management Tool
The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg)
@ -52,7 +49,7 @@ The VAMT provides an overview of the activation and licensing status of computer
## Tracking key usage with the Volume Activation Management Tool
The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it's and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg)
@ -60,16 +57,19 @@ The VAMT makes it easier to track the various keys that are issued to your organ
## Other Volume Activation Management Tool features
The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
For more information, see:
- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md)
- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md)
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
 
 
- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md)
- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md)
## Related articles
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

86
windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
View File

@ -2,11 +2,11 @@
title: Use VAMT in Windows PowerShell (Windows 10)
description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
@ -15,61 +15,87 @@ ms.technology: itpro-fundamentals
The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool.
**To install PowerShell 3.0**
- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](/powershell/scripting/install/installing-powershell).
## Configuring VAMT in Windows PowerShell
**To install the Windows Assessment and Deployment Kit**
- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
### Install PowerShell 3.0
**To prepare the VAMT PowerShell environment**
- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**.
VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](/powershell/scripting/install/installing-powershell).
**Important**
If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories:
- The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
- The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe
- For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located.
### Install the Windows Assessment and Deployment Kit**
In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
### Prepare the VAMT PowerShell environment
To open PowerShell with administrative credentials, select **Start** and enter `PowerShell` to locate the program. Right-click **Windows PowerShell**, and then select **Run as administrator**. To open PowerShell in Windows 7, select **Start**, select **All Programs**, select **Accessories**, select **Windows PowerShell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
> [!IMPORTANT]
> If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are only supported for x86 architecture. You must use an x86 version of Windows PowerShell to import the VAMT module
The x86 versions of Windows PowerShell are available in the following directories:
- PowerShell:
`C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`
- PowerShell ISE:
`C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe`
For all supported operating systems, you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, enter:
For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type:
``` powershell
cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0”
cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0"
```
- Import the VAMT PowerShell module. To import the module, type the following at a command prompt:
### Import the VAMT PowerShell module
To import the VAMT PowerShell module, enter the following command at a PowerShell command prompt:
``` powershell
Import-Module .\VAMT.psd1
```
Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`.
## To Get Help for VAMT PowerShell cmdlets
where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, enter `get-help about_profiles`.
## To get help for VAMT PowerShell cmdlets
You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you're interested in. To view all of the Help content for a VAMT cmdlet, enter:
You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type:
``` powershell
get-help <cmdlet name> -all
```
For example, type:
For example, enter:
``` powershell
get-help get-VamtProduct -all
```
**Warning**
The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](/powershell/module/vamt).
> [!WARNING]
> The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the `-online` option with the `get-help` cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](/powershell/module/vamt).
**To view VAMT PowerShell Help sections**
### View VAMT PowerShell help sections
1. To get the syntax to use with a cmdlet, enter the following command at a PowerShell command prompt:
1. To get the syntax to use with a cmdlet, type the following at a command prompt:
``` powershell
get-help <cmdlet name>
```
For example, type:
For example, enter:
``` powershell
get-help get-VamtProduct
```
2. To see examples using a cmdlet, type:
2. To see examples using a cmdlet, enter:
``` powershell
get-help <cmdlet name> -examples
```
For example, type:
For example, enter:
``` powershell
get-help get-VamtProduct -examples
```

42
windows/deployment/volume-activation/vamt-known-issues.md
View File

@ -2,11 +2,11 @@
title: VAMT known issues (Windows 10)
description: Find out the current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 12/17/2019
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.custom:
- CI 111496
@ -19,7 +19,9 @@ ms.technology: itpro-fundamentals
The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include:
- VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state.
- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. You must update the product status again to obtain the edition information.
- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information isn't shown for each product in the center pane. You must update the product status again to obtain the edition information.
- The remaining activation count can only be retrieved for Multiple Activation Key (MAKs).
## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1
@ -28,11 +30,11 @@ Another known issue is that when you try to add a Windows 10 Key Management Serv
![VAMT error message.](./images/vamt-known-issue-message.png)
This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
This issue occurs because VAMT 3.1 doesn't contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
### Method 1
Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
Don't add the CSVLK to the VAMT 3.1 tool. Instead, use the ` slmgr.vbs /ipk <CSVLK>` command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the `Slmgr.vbs` tool, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
### Method 2
@ -40,20 +42,32 @@ On the KMS host computer, perform the following steps:
1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/).
1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168.
2. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168.
1. To extract the contents of the update, run the following command:
3. To extract the contents of the update, run the following command:
```console
``` syntax
expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
```
1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
4. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
```console
``` syntax
expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
```
1. In the C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716 folder, copy the pkeyconfig-csvlk.xrm-ms file. Paste this file into the C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig folder.
5. In the
`C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716`
folder, copy the
`pkeyconfig-csvlk.xrm-ms`
file. Paste this file into the
`C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig`
folder.
1. Restart VAMT.
6. Restart VAMT.

23
windows/deployment/volume-activation/vamt-requirements.md
View File

@ -2,20 +2,20 @@
title: VAMT Requirements (Windows 10)
description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT).
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# VAMT Requirements
# VAMT requirements
This topic includes info about the product key and system requirements for VAMT.
This article includes info about the product key and system requirements for VAMT.
## Product Key Requirements
## Product key requirements
The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
@ -24,7 +24,7 @@ The Volume Activation Management Tool (VAMT) can be used to perform activations
|<ul><li>Multiple Activation Key (MAK)</li><li>Key Management Service (KMS) host key (CSVLK)</li><li>KMS client setup keys (GVLK)</li></ul> |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). |
|Retail product keys |Obtained at time of product purchase. |
## System Requirements
## System requirements
The following table lists the system requirements for the VAMT host computer.
@ -37,7 +37,8 @@ The following table lists the system requirements for the VAMT host computer.
| Display | 1024x768 or higher resolution monitor |
| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
## Related topics
- [Install and Configure VAMT](install-configure-vamt.md)
## Related articles
- [Install and configure VAMT](install-configure-vamt.md)

21
windows/deployment/volume-activation/vamt-step-by-step.md
View File

@ -2,28 +2,27 @@
title: VAMT Step-by-Step Scenarios (Windows 10)
description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
ms.date: 04/25/2017
author: frankroj
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# VAMT Step-by-Step Scenarios
# VAMT step-by-step scenarios
This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started.
## In this Section
## In this section
|Topic |Description |
|------|------------|
|Article |Description |
|-------|------------|
|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. |
|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
## Related articles
- [Introduction to VAMT](introduction-vamt.md)
 
 

8
windows/deployment/volume-activation/volume-activation-management-tool.md
View File

@ -1,12 +1,12 @@
---
title: VAMT technical reference
description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.technology: itpro-fundamentals
author: aczechowski
ms.date: 09/16/2022
author: frankroj
ms.date: 11/07/2022
ms.topic: overview
ms.custom: seo-marvel-apr2020
---

51
windows/deployment/volume-activation/volume-activation-windows-10.md
View File

@ -2,35 +2,32 @@
title: Volume Activation for Windows 10
description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows.
ms.reviewer:
manager: dougeby
ms.author: aaroncz
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: aczechowski
author: frankroj
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 11/07/2022
ms.topic: article
ms.technology: itpro-fundamentals
---
# Volume Activation for Windows 10
> Applies to
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
> [!TIP]
> Are you looking for volume licensing information?
>
>- Windows 10
>- Windows Server 2012 R2
>- Windows Server 2012
>- Windows Server 2016
>- Windows Server 2019
> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104)
**Looking for volume licensing information?**
> [!TIP]
> Are you looking for information on retail activation?
>
> - [Activate Windows](https://support.microsoft.com/help/12440/)
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104)
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://support.microsoft.com/help/12440/windows-10-activate)
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/).
@ -38,25 +35,31 @@ Volume activation is a configurable solution that helps automate and manage the
This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation.
Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions.
Because most organizations won't immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it doesn't discuss the tools that are provided with earlier operating system versions.
Volume activation -and the need for activation itself- is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
To successfully plan and implement a volume activation strategy, you must:
- Learn about and understand product activation.
- Review and evaluate the available activation types or models.
- Consider the connectivity of the clients to be activated.
- Choose the method or methods to be used with each type of client.
- Determine the types and number of product keys you will need.
- Determine the types and number of product keys you'll need.
- Determine the monitoring and reporting needs in your organization.
- Install and configure the tools required to support the methods selected.
Keep in mind that the method of activation does not change an organizations responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
Keep in mind that the method of activation doesn't change an organization's responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
## Additional information
## Related articles
- [Plan for volume activation](plan-for-volume-activation-client.md)
- [Activate using Key Management Service](activate-using-key-management-service-vamt.md)

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
View File

@ -29,7 +29,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
## More about licenses
Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch:
Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch:
| License | ID | GUID number |
| ----- | ----- | ------|

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -14,6 +14,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Hybrid Azure AD joined Key Trust Deployment

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning
## Provisioning

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
View File

@ -10,6 +10,7 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
ms.technology: itpro-security
---
# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
appliesto:

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization

3
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
@ -84,7 +85,7 @@ The certificate template is configured to supersede all the certificate template
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials.
Sign-in to the certificate authority or management workstations with _enterprise administrator_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Expand the parent node from the navigation pane.

11
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
@ -27,7 +28,7 @@ Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 C
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
Hybrid Azure AD-joined devices needs one Group Policy setting:
Hybrid Azure AD-joined devices need one Group Policy setting:
* Enable Windows Hello for Business
### Configure Domain Controllers for Automatic Certificate Enrollment
@ -123,13 +124,13 @@ The default configuration for Windows Hello for Business is to prefer hardware p
You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
#### Use biometrics
Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows doesn't provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition but disallowing fingerprint recognition.
### PIN Complexity
@ -150,7 +151,7 @@ Windows provides eight PIN Complexity Group Policy settings that give you granul
## Add users to the Windows Hello for Business Users group
Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
### Section Review
> [!div class="checklist"]
@ -174,4 +175,4 @@ Users must receive the Windows Hello for Business group policy settings and have
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. Configure Windows Hello for Business policy settings (*You are here*)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

1
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Configure Hybrid Azure AD joined Windows Hello for Business key trust settings

1
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -12,6 +12,7 @@ ms.collection:
ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
ms.technology: itpro-security
---
# Windows Hello for Business Deployment Prerequisite Overview

95
windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
View File

@ -15,22 +15,23 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
If your environment has an existing instance of Active Directory Federation Services, then youll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
If your environment has an existing instance of Active Directory Federation Services, then youll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade.
A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
## Update Windows Server 2016
@ -43,19 +44,19 @@ Sign-in the federation server with _local admin_ equivalent credentials.
## Enroll for a TLS Server Authentication Certificate
Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
You can, however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
You can, however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
When creating a wildcard certificate, it is recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
Be sure to enroll or import the certificate into the AD FS servers computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
Be sure to enroll or import the certificate into the AD FS servers computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
### Internal Server Authentication Certificate Enrollment
@ -68,7 +69,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png)
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
9. Click **Enroll**.
A server authentication certificate should appear in the computers Personal certificate store.
@ -80,17 +81,17 @@ The Active Directory Federation Service (AD FS) role provides the following serv
* Key registration
>[!IMPORTANT]
> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
Windows Hello for Business depends on proper device registration. For on-premises key trust deployments, Windows Server 2016 AD FS handles device and key registration.
Windows Hello for Business depends on proper device registration. For on-premises key trust deployments, Windows Server 2016 AD FS handles device and key registration.
Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
1. Start **Server Manager**. Click **Local Server** in the navigation pane.
1. Start **Server Manager**. Click **Local Server** in the navigation pane.
2. Click **Manage** and then click **Add Roles and Features**.
3. Click **Next** on the **Before you begin** page.
4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**.
5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**.
7. Click **Next** on the **Select features** page.
8. Click **Next** on the **Active Directory Federation Service** page.
9. Click **Install** to start the role installation.
@ -107,16 +108,16 @@ Before you continue with the deployment, validate your deployment progress by re
## Device Registration Service Account Prerequisite
The service account used for the device registration server depends on the domain controllers in the environment.
The service account used for the device registration server depends on the domain controllers in the environment.
>[!NOTE]
>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
### Windows Server 2012 or later Domain Controllers
Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security.
Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA, have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security.
GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
#### Create KDS Root Key
@ -126,14 +127,14 @@ Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
### Windows Server 2008 or 2008 R2 Domain Controllers
Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis.
Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use or create a normal user account as a service account where you are responsible for changing the password on a regular basis.
#### Create an AD FS Service Account
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
1. Open **Active Directory Users and Computers**.
2. Right-click the **Users** container, Click **New**. Click **User**.
3. In the **New Object User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
3. In the **New Object User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box.
5. Click **Next** and then click **Finish**.
@ -144,19 +145,19 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Windows Server 2016, 2012 R2 or later Domain Controllers
Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
6. Select the federation service name from the **Federation Service Name** list.
7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**.
7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**.
9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
10. On the **Review Options** page, click **Next**.
11. On the **Pre-requisite Checks** page, click **Configure**.
@ -164,11 +165,11 @@ Sign-in the federation server with _Domain Admin_ equivalent credentials. These
### Windows Server 2008 or 2008 R2 Domain Controllers
Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section.
Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section.
Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
@ -176,7 +177,7 @@ Sign-in the federation server with _Domain Admin_ equivalent credentials. These
5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
6. Select the federation service name from the **Federation Service Name** list.
7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**.
8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**.
* In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**.
9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
10. On the **Review Options** page, click **Next**.
@ -194,7 +195,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
2. Click the **Users** container in the navigation pane.
3. Right-click **KeyAdmins** in the details pane and click **Properties**.
4. Click the **Members** tab and click **Add…**
5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**.
7. Change to server hosting the AD FS role and restart it.
@ -231,11 +232,11 @@ Before you continue with the deployment, validate your deployment progress by re
## Additional Federation Servers
Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
### Server Authentication Certificate
Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
### Install Additional Servers
@ -243,16 +244,16 @@ Adding federation servers to the existing AD FS farm begins with ensuring the se
## Load Balance AD FS Federation Servers
Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
### Install Network Load Balancing Feature on AD FS Servers
Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
1. Start **Server Manager**. Click **Local Server** in the navigation pane.
1. Start **Server Manager**. Click **Local Server** in the navigation pane.
2. Click **Manage** and then click **Add Roles and Features**.
3. Click **Next** On the **Before you begin** page.
4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
6. On the **Select server roles** page, click **Next**.
7. Select **Network Load Balancing** on the **Select features** page.
8. Click **Install** to start the feature installation
@ -260,33 +261,33 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
### Configure Network Load Balancing for AD FS
Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
Sign-in a node of the federation farm with _Admin_ equivalent credentials.
1. Open **Network Load Balancing Manager** from **Administrative Tools**.
1. Open **Network Load Balancing Manager** from **Administrative Tools**.
![NLB Manager user interface.](images/hello-nlb-manager.png)
2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png)
4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png)
7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png)
8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
9. In Port Rules, click Edit to modify the default port rules to use port 443.
9. In Port Rules, click Edit to modify the default port rules to use port 443.
![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png)
### Additional AD FS Servers
1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png)
## Configure DNS for Device Registration
Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. Youll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. Youll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
1. Open the **DNS Management** console.
2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
@ -302,7 +303,7 @@ Sign-in the domain controller or administrative workstation with domain administ
## Configure the Intranet Zone to include the federation service
The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
### Create an Intranet Zone Group Policy
@ -315,7 +316,7 @@ Sign-in the domain controller or administrative workstation with _Domain Admin_
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**.
8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**.
9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor.
9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor.
### Deploy the Intranet Zone Group Policy object
@ -342,4 +343,4 @@ Before you continue with the deployment, validate your deployment progress by re
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)

5
windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Configure Windows Hello for Business Policy settings - Key Trust
@ -76,13 +77,13 @@ The default configuration for Windows Hello for Business is to prefer hardware p
You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
### Use biometrics
Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition.
### PIN Complexity

1
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Validate Active Directory prerequisites - Key Trust

1
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Validate and Deploy Multifactor Authentication (MFA)

21
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
View File

@ -15,20 +15,21 @@ appliesto:
- ✅ <b>Windows 11</b>
- ✅ <b>On-premises deployment</b>
- ✅ <b>Key trust</b>
ms.technology: itpro-security
---
# Validate and Configure Public Key Infrastructure - Key Trust
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
## Deploy an enterprise certificate authority
This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
### Lab-based public key infrastructure
The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
Sign in using **Enterprise Admin** equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
>[!NOTE]
>Never install a certificate authority on a domain controller in a production environment.
@ -56,7 +57,7 @@ Domain controllers automatically request a domain controller certificate (if pub
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
Sign in to a certificate authority or management workstations with **Domain Admin** equivalent credentials.
1. Open the **Certificate Authority** management console.
@ -64,7 +65,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprises needs.
@ -83,7 +84,7 @@ Many domain controllers may have an existing domain controller certificate. The
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
Sign in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
@ -109,7 +110,7 @@ The certificate template is configured to supersede all the certificate template
Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
Sign in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
@ -140,7 +141,7 @@ The certificate authority only issues certificates based on published certificat
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
Sign in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
@ -156,7 +157,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
Sign in to the certificate authority or management workstations with **Enterprise Admin** equivalent credentials.
1. Open the **Certificate Authority** management console.
@ -204,7 +205,7 @@ Domain controllers automatically request a certificate from the domain controlle
### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
Sign in to domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc).

1
windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -15,6 +15,7 @@ ms.date: 2/15/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# Manage Windows Hello for Business in your organization

1
windows/security/identity-protection/hello-for-business/hello-overview.md
View File

@ -15,6 +15,7 @@ appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Holographic for Business</b>
ms.technology: itpro-security
---
# Windows Hello for Business Overview

1
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -14,6 +14,7 @@ ms.date: 09/16/2020
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# Planning a Windows Hello for Business Deployment

1
windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
View File

@ -13,6 +13,7 @@ ms.date: 08/19/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# Prepare people to use Windows Hello

1
windows/security/identity-protection/hello-for-business/hello-videos.md
View File

@ -13,6 +13,7 @@ ms.date: 07/26/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# Windows Hello for Business Videos
## Overview of Windows Hello for Business and Features

3
windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
View File

@ -1,6 +1,6 @@
---
title: Why a PIN is better than an online password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password .
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
@ -15,6 +15,7 @@ ms.date: 10/23/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# Why a PIN is better than an online password

3
windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
View File

@ -10,6 +10,7 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 11/14/2018
ms.technology: itpro-security
---
# What is a Microsoft-compatible security key?
@ -26,6 +27,6 @@ A security key **MUST** implement the following features and extensions from the
| #</br> | Feature / Extension trust</br> | Why is this required? </br> |
| --- | --- | --- |
| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key |
| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface|
| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |

1
windows/security/identity-protection/hello-for-business/passwordless-strategy.md
View File

@ -13,6 +13,7 @@ ms.date: 05/24/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# Password-less strategy

1
windows/security/identity-protection/hello-for-business/reset-security-key.md
View File

@ -10,6 +10,7 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 11/14/2018
ms.technology: itpro-security
---
# How to reset a Microsoft-compatible security key?
> [!Warning]

1
windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
View File

@ -11,6 +11,7 @@ ms.topic: article
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# How Windows Hello for Business works in Windows devices

1
windows/security/identity-protection/hello-for-business/webauthn-apis.md
View File

@ -13,6 +13,7 @@ ms.date: 09/15/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# WebAuthn APIs for passwordless authentication on Windows
<!--MAXADO-6021798-->

1
windows/security/identity-protection/index.md
View File

@ -12,6 +12,7 @@ ms.date: 02/05/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# Identity and access management

1
windows/security/identity-protection/password-support-policy.md
View File

@ -11,6 +11,7 @@ author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 11/20/2019
ms.technology: itpro-security
---
# Technical support policy for lost or forgotten passwords

1
windows/security/identity-protection/remote-credential-guard.md
View File

@ -14,6 +14,7 @@ ms.date: 01/12/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard

1
windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card and Remote Desktop Services

1
windows/security/identity-protection/smart-cards/smart-card-architecture.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card Architecture

1
windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Certificate Propagation Service

1
windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Certificate Requirements and Enumeration

1
windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
View File

@ -18,6 +18,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card Troubleshooting

1
windows/security/identity-protection/smart-cards/smart-card-events.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card Events

1
windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card Group Policy and Registry Settings

1
windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
View File

@ -17,6 +17,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# How Smart Card Sign-in Works in Windows

1
windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card Removal Policy Service

1
windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Cards for Windows Service

1
windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card Tools and Settings

1
windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
View File

@ -16,6 +16,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# Smart Card Technical Reference

1
windows/security/identity-protection/user-account-control/how-user-account-control-works.md
View File

@ -18,6 +18,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# How User Account Control works

1
windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
View File

@ -18,6 +18,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# User Account Control Group Policy and registry key settings

1
windows/security/identity-protection/user-account-control/user-account-control-overview.md
View File

@ -18,6 +18,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# User Account Control

1
windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
View File

@ -17,6 +17,7 @@ appliesto:
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
---
# User Account Control security policy settings

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
View File

@ -12,6 +12,7 @@ ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Deploy Virtual Smart Cards

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
View File

@ -12,6 +12,7 @@ ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Evaluate Virtual Smart Card Security

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
View File

@ -12,6 +12,7 @@ ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Get Started with Virtual Smart Cards: Walkthrough Guide

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
View File

@ -12,6 +12,7 @@ ms.date: 10/13/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Virtual Smart Card Overview

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
View File

@ -12,6 +12,7 @@ ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Tpmvscmgr

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
View File

@ -12,6 +12,7 @@ ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Understanding and Evaluating Virtual Smart Cards

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
View File

@ -12,6 +12,7 @@ ms.date: 10/13/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
ms.technology: itpro-security
---
# Use Virtual Smart Cards

1
windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -11,6 +11,7 @@ ms.reviewer: pesmith
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# How to configure Diffie Hellman protocol over IKEv2 VPN connections

1
windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -10,6 +10,7 @@ ms.reviewer: pesmith
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections

1
windows/security/identity-protection/vpn/vpn-authentication.md
View File

@ -11,6 +11,7 @@ ms.reviewer: pesmith
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---
# VPN authentication options

Some files were not shown because too many files have changed in this diff Show More