Scribd
Upload
304 views15 pages

Understanding Volume Activation Services - Part 1 (KMS and MAK) - Secure Infrastructure Blog

Uploaded by

ish himpal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
304 views15 pages

Understanding Volume Activation Services - Part 1 (KMS and MAK) - Secure Infrastructure Blog

Uploaded by

ish himpal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

Secure Infrastructure Blog


by the Secure Infrastructure team at Microsoft

Understanding Volume Activation Services – Part 1 (KMS


and MAK)
 Omer Eldan  KMS, Windows  January 13, 2019 6 Minutes

Windows Activation and KMS have been around for many years – and still – a lot of people don’t understand the
basics of Windows activation, what are the di erences between KMS and MAK, and how to choose the best
Volume Activation method that meets the organization’s needs.

In this blog post, we’ll shed some light on these subjects and explain how to deploy and use Volume Activation
services correctly.
This will be the rst part in the series.

Series:
Part 1 – KMS and MAK

Part 2 – Active Directory-Based Activation

Part 3 – Microsoft O ce Activation and Troubleshooting

So… What is KMS?


KMS, like MAK, is an activation method for Microsoft products, including Windows and O ce.
KMS stands for Key Management Service. The KMS server, called ‘KMS host’, is installed on a server in your local
network. The KMS clients connect to the KMS host for activation of both Windows and O ce.

Prerequisites

A KMS host running on Windows Server 2019/2016/2012R2 can activate all Windows versions, including
Windows Server 2019 and Windows 10 all the way down to Windows Server 2008R2 and Windows 7. Semi-

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 1/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

Annual and Long-Term Service Channel (LTSC) are both supported by the KMS.

Pay attention that Windows Server 2016 and Windows Server 2012R2 will require to install the following KB’s in
order activate the newest Windows 10 Enterprise LTSC and Windows Server 2019:

For Windows Server 2016:


1. KB4132216 – Servicing stack update, May 18 (Information, Download).
2. KB4467684 – November Cumulative Update or above (Information, Download).

For Windows Server 2012R2:


1. KB3173424 – Servicing stack update (Information, Download).
2. KB4471320 – December 2018 Monthly Rollup (Information, Download).

In order to activate clients, the KMS uses a KMS host key. This key can be obtained from the Microsoft VLSC
(Volume Licensing Service Center) website. By installing that key, you are con guring the server to act as a KMS
host.
Because KMS host key of newer Windows version can be used to activate older Windows versions, you should
only obtain and install the latest KMS host key available in VLSC.
Also, note that KMS host key for Windows server can be used to activate Windows clients – so you can (and
should) use one KMS host key to rule them all.

Now that you understand those facts, you know you should look for ‘Windows Server 2019’ version in VLSC and
obtain the KMS host key for that version. Once again, this key will let you activate any Windows server and
Windows client version in your environment.

Deploying the KMS host

After getting the KMS host key from VLSC, you’ll need to install it. For that, we’ll use the Volume Activation
Tools feature, available on Windows Server 2012R2 and above.
https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 2/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

You can install the Volume Activation Tools feature using the Server Manager (Remote Server Administration
Tools -> Role Administration Tools -> Volume Activation Tools) or by using the following PowerShell command:
Install-WindowsFeature RSAT-VA-Tools.

Run the tool right from Server Manager -> Tools or by typing ‘vmw’ in your PowerShell screen.
Volume Activation Tools lets you choose between Active Directory-Based Activation (will be covered in the
second post) and Key Management Service (KMS). For now, we’ll choose to the KMS activation method.

After selecting the activation method, you’ll be asked to provide the KMS host key obtained from the VLSC.

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 3/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

Choose your preferred activation method (by phone or online using the internet) to activate the KMS host key
for the selected product.

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 4/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

In the ‘Con guration’ step, pay attention to the following settings:

1. Volume license activation interval (Hours) – determines how often the KMS client attempts activation
before it is activated. The default is 2 hours.

2. Volume license renewal interval (Days) – determines how often the KMS client attempts reactivation with
KMS (after it has been activated). The default is 7 days.
By default, Windows activates by the KMS host for 180 days. After 7 days, when there are 173 days left for
the volume activation to be expired, the client attempts reactivation against the KMS host and gets a new
180 days activation period.

3. KMS TCP listening port – By default, the KMS host is listening on port 1688 (TCP). You can change the port if
needed using this setting.

4. KMS rewall exceptions – Creating the relevant rewall exceptions for the Private/Domain/Public pro les.

5. DNS Records – By selecting ‘Publish’, the Volume Activation Tools wizard creates the _vlmcs SRV record
(e.g _vlmcs._tcp.contoso.com). Windows uses this SRV record to automatically nd the KMS server address.

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 5/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

Reviewing KMS client settings


By now, you should be running a KMS host con gured with KMS a host key for Windows Server 2019.

Any Windows client that con gured to use ‘KMS Client Channel‘ will be activated against the new KMS host
automatically within 2 hours (as this is the ‘KMS Activation Interval‘ default value).
The ‘KMS Client Channel’ determined by the product key used in the client. By default, computers that are
running volume-licensed editions are KMS clients with no additional con guration needed.
In case you’ll be required to convert a computer from a MAK or retail edition to a KMS client, you can override
the currently installed product key and replace it with an applicable KMS client key that suitable for your
Windows version. Pay attention that the selected key should exactly match the Windows version you’re using,
otherwise it won’t work.
These KMS clients keys, also known as Generic Volume License Keys (GVLK), are public and can be found in the
KMS Client Setup Keys page.

From the client perspective, you can use the slmgr.vbs script to manage and view the license con guration.
For a start, you can run ‘slmgr.vbs /dli’ to display the license information currently applied on the client.
You can see in the screenshot that a KMS client channel is being used.

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 6/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

If required, use ‘slmgr.vbs /ipk PRODUCTKEY’ (e.g slmgr.vbs /ipk WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY) to


replace the current product key with a new one (KMS client channel in this example).

In order to initiate an activation attempt, you can use the ‘slmgr.vbs /ato’, which will immediately try to activate
Windows.
The KMS host will respond to the activation request with the count of how many computers have already
contacted the KMS host for activation. Computers that receive a count below the activation threshold are not
activated.
The activation threshold is di erent for Windows clients and servers:

Clients will activate if the count is 25 or higher

Servers will activate if the count is 5 or higher.

You can nd the full list of slmgr.vbs command-line options right here.

When to use KMS

Compared to MAK, KMS should be your preferable activation method as long as you meet the activation
threshold and the (very) basic requirements for deploying KMS (which are DNS and TCP/IP connectivity between
the clients and the KMS host).
Saying that we’ll see in part 2 why Active Directory-Based Activation is actually even better than KMS for most
scenarios.

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 7/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

What is MAK?
MAK (Multiple Activation Key) is another activation method for Microsoft products, including Windows and
O ce.
Unlike KMS, MAK activation is used for a one-time activation against Microsoft’s hosted activation services.
This means that MAK does not require any server or services within your network – the activation request
approved by Microsoft servers either online or by phone (for isolated environments that can’t reach the
internet).

Just like KMS, the MAK keys can be found in your VLSC portal. Each MAK has a prede ned number of allowed
activations, and each activation occurrence will incrementally increase the number of used activation for that
MAK.
In the screenshot above, you can see that 3 activations (out of 300 allowed activation/seats) were completed
using a MAK for Windows Server 2016 Standard.

How to use MAK

Using MAC for activation is very simple.


First, you’ll have to go to VLSC and obtain the suitable MAK for your product (like Windows Server 2016
Standard).
then, open Command Prompt (cmd) in elevated mode and run the following commands:

1. Install your MAK key using ‘slmgr.vbs /ipk MAKProductKey’ (e.g slmgr.vbs /ipk ABCDE-123456-ABCDE-
123456-ABCDE).

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 8/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

2. Activate Windows using ‘slmgr.vbs /ato’. The following message should appear:

3. To view the activation details you can use the ‘slmgr /dli’ command.

When to use it

MAK activation method should be used only for computers that never connect to the corporate network and
for environments where the number of physical computers does not meet the KMS activation threshold and
Active Directory-based activation could not be used for some reason.

Summary
In the rst part of the series we learned about KMS and MAK, and we understood the purpose of each activation
method.
As a thumb rule, you should always try to stick with KMS activation as long as it possible.
When KMS is not an option (usually due to lack of connectivity to the corporate network), consider using a MAK.

Remember that one KMS host key can be used to activate all of your Windows versions includes servers and
clients. Grab the latest version from your VLSC and you’re good to go.
If you encounter problems when trying to activate, check that your KMS server is available and running, and
use slmgr.vbs tool to get more details about your client’s activation status.

Tagged: Key Management Service, MAK, VLSC, Windows, Windows Activation

19 thoughts on “Understanding Volume Activation Services – Part 1 (KMS


and MAK)”

Johann Booysen (@Joe_Booysen)


June 25, 2019 at 1:28 pm

Hi there, good guide. I’m trying to understand some of the points made. I currently run the KMS service on Server
2012R2, in the post you mentioned that you should always use the latest KMS key, in this instance Server 2019. It refuses

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 9/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

to take this key, only 2016. After everything is set up, in the management tool, should I add the same key there under
“Product Keys”? Mine is blank.

Log in to Reply

Omer Eldan
June 25, 2019 at 8:15 pm

Hi Johann,
Thank you for the feedback. I’m glad you nd it useful.

Regarding your question:


Did you install the required KBs as mentioned in the post (KB3173424 and KB4471320)?

Log in to Reply

Johann Booysen (@Joe_Booysen)


June 25, 2019 at 10:25 pm

Yes sir, installed both and restarted the KMS server. I tried it now again, with the same error. Do I add the same key again
like in my OP?

Log in to Reply

Omer Eldan
July 22, 2019 at 1:54 pm

Hi Johann,

I just added a new Windows Server 2019 KMS key using a Volume Activation Tools on a Windows Server 2012
R2.
After installing the KBs I mentioned in the post, the new key was recognized by the server without any issue.

Please make sure that the KBs are installed on the server running the Volume Activation Tools.

Log in to Reply

Shelley Della-Valle
July 16, 2019 at 1:35 pm

Hello. I’m looking for a suitable way to change our currently MAK activated Windows 10 Pro n machines to Enterprise. Is
this something KMS can do? From ym testing so far, it seems to license it only as the version currently “installed”. It
doesn’t change the version unless I use a MAK key.

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 10/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

Thank you for this information. It’s di cult to nd actual information on how the keys work!

Log in to Reply

Omer Eldan
July 21, 2019 at 9:32 am

Hi Shelley,

Thank you for your feedback. I’m glad to hear you nd this blog post useful 🙂

Regarding your question:


KMS can be used to activate Windows 10 Pro N. Please select the relevant KMS client key from here:
https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys.

Then run ‘slmgr /SelectedKMSClientKey’ to replace the current MAK key and ‘slmgr /ato’ to activate against the
KMS server.

Log in to Reply

ezxcess
August 7, 2019 at 9:49 am

On Windows Server 2012 R2, can we activate MS O ce 2012 clients through Volume Activation Tools (KMS Host)?

Log in to Reply

ezxcess
August 7, 2019 at 9:50 am

Sorry I meant to ask MS O ce 2010 clients activation

Log in to Reply

Omer Eldan
August 7, 2019 at 9:58 am

Hi,

Yes – you can use KMS on Windows Server 2012 R2 to activate Microsoft O ce 2010.
Active Directory-Based Activation though is not supported.

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 11/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

Regards,
Omer

ToDesce
September 8, 2019 at 7:35 am

Awesome blog you have here but I was wondering if you knew of any message boards that cover the same topics
discussed in this article?

Log in to Reply

Omer Eldan
September 8, 2019 at 9:01 am

Thank you for the feedback 🙂


I don’t know about a speci c message board, but feel free to ask whatever you want here in comments.

Log in to Reply

JIV (@je _in_van)


September 30, 2019 at 11:15 pm

I was trying to activate a new Windows 2016 Standard Server installation o an existing Windows 2012 R2 KMS host.
Imported the new keys but despite being up to date with all the patches and stu , it still wasn’t activating. Something in
your article made me look at my set up and I tried activating the existing KMS host with the new 2016 CSVLK key instead
of the existing one.

Bingo, that seemed to do the trick!

Log in to Reply

Josué Duarte (@Josue_Duarte)


October 22, 2019 at 9:28 pm

Great article! Thanks a lot!

Log in to Reply

Torres Castillo Pancho


October 28, 2019 at 7:41 pm

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 12/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

estoy intentando activar clientes con windows 7, tengo server 2016 ya activado con kms: ¿ya con eso es su ciente para
activar clientes con windows 7? o como puedo dar de alta la clave de windows 7 kms? gracias.

Log in to Reply

Omer Eldan
October 29, 2019 at 12:23 am

Here is your question translated to English for those who don’t know Spanish like me 🙂

I am trying to activate clients with windows 7, I have server 2016 already activated with kms: is that enough to
activate clients with windows 7? or how can I register the windows 7 kms key? Thank you.

The answer to your question is simply YES.


You can use a Windows Server 2016 KMS server with a 2016 KMS server key to activate Windows 7 clients.
No need to activate additional KMS server keys.

Log in to Reply

Santhosh Kumar R (@Santhos78714770)


November 2, 2019 at 4:42 pm

How to move volume activation services from one host to another host

Log in to Reply

Omer Eldan
November 2, 2019 at 10:02 pm

Hello Santhosh,

You can move Volume Activation Services by installing a new KMS server and remove your old one.

Make sure that your old KMS server is no longer has a _VLMCS srv record.

Also, please consider using ADBA (Active Directory-Based Activation) to replace you old KMS server.

Good luck 🙂

Log in to Reply

Santhosh Kumar R (@Santhos78714770)


November 5, 2019 at 11:31 am

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 13/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog

Could you please explain this “ADBA (Active Directory-Based Activation) to replace you old KMS server”. So that i can
implement this i our environment

Log in to Reply

Omer Eldan
November 5, 2019 at 11:59 am

Hi Santhosh,

You can nd all the information about ADBA and how to implement it in Part 2 of this blog post:
https://blogs.technet.microsoft.com/meamcs/2019/01/20/understanding-volume-activation-services-part-2-active-
directory-based-activation/

Enjoy your reading! 🙂

Log in to Reply

You must log in to post a comment.

Search This Blog

Search …

Categories
Active Directory
ATA/ATP

Azure
Azure Sentinel

BI and Analytics
Failover Clustering

GroupPolicy
Hyper-V

Identity
Intune

KMS
O ce365

OMS
Performance

PowerShell
Security

soft skills
System Center

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 14/15
5/1/2020 Understanding Volume Activation Services – Part 1 (KMS and MAK) – Secure Infrastructure Blog
Uncategorized

Windows
WSUS

WVD

Follow Blog via Email

Enter your email address to follow this blog and receive noti cations of new posts by email.

Email Address

Follow

About
Contact Us
Disclaimer

https://secureinfra.blog/2019/01/13/understanding-volume-activation-services-part-1-kms-and-mak/ 15/15

You might also like