Office 2010 recently hit the RTM milestone and is now available for download via a couple of different channels.  For admins looking at deploying it, one of the biggest changes they will see relates to license keys & activation.  For previous office deployments, enterprises would establish a volume license agreement with Microsoft and then they would receive a volume license key (VLK).  They would then download a volume license (VL) edition of office, create a custom answer file, using the custom installation wizard or the Office customization tool depending on the version, run the setup with the answer file and be done.

For Office 2010 the process changes a little. The good news is that if you have deployed Vista or Windows 7, your pretty much set as Office now uses Volume Activation 2.0.  For those who haven’t though, a little time will need to be spent preparing your environments for Volume Activation.


The first question that needs to be answered is whether you will be using KMS or a MAK key. First let’s translate the acronyms into real words. KMS stands for Key Management Service while MAK stands for Multiple Activation Key. Now what’s the difference? MAK is like the traditional VLK, the difference being that the MAK still requires an initial activation that can be done over the internet, over the phone, or by using the Volume Activation Management Tool. The alternative is to use a KMS key.  The KMS key can be thought of a little like DHCP.  Activation clients discover a KMS host and get a license that is good for 180 days.  After 7 days the client will check back in with server and get it’s lease renewed.  If the client can’t contact the KMS host after 180 days then it falls back into an unlicensed state and the user will be notified that they need to activate their copy of office.

The decision on KMS vs MAK is going to hinge on a couple of factors.

  1. Network connectivity – KMS requires that a client is able to contact the KMS host once every 180 days over TCP port 1688 (the port can be changed).
  2. Activation limits – KMS requires a minimum of 5 clients to contact the KMS host before activation is successful.

The rule of thumb is generally if you have less than 50 machines to activate, go for MAK, more than 50 then go for KMS.

KMS Setup

If you decide to go down the KMS path then you will need decide what sort of machine will act as your KMS host.  The recommendation is that if you already have a KMS host deployed, then you should deploy the office KMS onto the same machine. This however raises a new concern.  The supported platforms for the office KMS host are

    • Windows Server 2003 or with any service packs
    • Volume license editions of Windows 7
    • Windows Server 2008 R2

You may notice that there are a couple of omissions from that list, primarily Windows Server 2008 or Windows Vista.  The deployment guide specifically states that neither of them are supported, irrespective of the service pack deployed.  So this may force some organisations to either transition their existing KMS to a new machine, or alternatively deploy a new KMS host.  The reality of this though is that it is a fairly minor process.

    1. Download the Office 2010 KMS Host License Pack
    2. Run the executable to install the KMS host server
    3. Enter your KMS license key and activate over the internet
    4. enable a firewall exception for TCP 1688

And your good to go.  Well you are provided that your machine has internet access and your DNS supports SRV records and dynamic updates.

If your machine doesn’t have internet access you will need to activate the key over the phone, so to do that

    1. open a command prompt and run the following command to get your installation ID (the guid is the activation ID for Office 2010)
      cscript slmgr.vbs /dti bfe7a195-4f8f-4f0b-a622-cf13c7d16864
    2. Then run this command to get the phone number for your region
      slui.exe 4
    3. Choose the option to activate your KMS key and enter the installation ID you got in Step 1. You will now get your 48 digit activation code, so it’s probably a good idea to write it down.  Also don’t make the mistake of using the installation ID you see in step 2.  It’s the windows installation ID and won’t help.
    4. To finish the process, return to the command prompt and enter the command below, replacing ############ with the activation code you got in step 3
      cscript slmgr.vbs /atp ############ bfe7a195-4f8f-4f0b-a622-cf13c7d16864

The other component I mentioned above was DNS. KMS clients can discover KMS hosts in one of two ways.

    1. Check for registry keys (here is the source)
      • SKU-specific value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\AppID\SKUID\KeyManagementServiceName REG_SZ registry value
      • AppID-specific value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\AppID\KeyManagementServiceName REG_SZ registry value
      • Global value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\KeyManagementServiceName REG_SZ registry value
      • SKU-specific cached KMS host (This is the cached identity of the host used in the last successful KMS activation.)
    2. DNS SRV records and specifically an SRV record in the format of where is the domain to which the client belongs.

If you only have a single KMS host in your environment and DNS that supports dynamic updates, then you are done.  If you have multiple DNS domains or multiple KMS hosts then there are a couple of extra steps you need to be aware of.

      • Multiple KMS Hosts – Only the first KMS will successfully register as the SRV record will be owned by that server, so you need to create a new security group and add all the KMS hosts to that group, then change the permissions on the SRV record so that the group has permissions to modify the SRV record
      • Multiple DNS domains – By default the KMS host will only register an SRV record in the domain to which it belongs, so you need to create a multi string registry value name DnsDomainPublishList under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform key then restart the Software Licensing Service to get it to create the SRV records.  If you then look in the Application event log you should see an event ID 12294 indicating that the records have been successfully created. (for more details on this look here)

MAK Setup

MAK setup is really a bit of a misnomer as there is not much in the way of infrastructure required for MAK activation.

The simplest method of using MAK activation is to manually install office, enter the key then manually activate.

Obviously this won’t scale too well, so the next option is to create a custom install. To do this create a deployment share (i.e. copy the install CD to a network location) and then run the office customisation tool by running setup.exe /admin and then entering the MAK key on the licensing screen under the Enter another product key section (by default office 2010 is configured to look for a KMS server).

You would then install office and when it is opened for the first time, the timer for the activation grace period is started.  The user will then get 25 days before they are prompted to activate their copy of office.

This is a screenshot of what a user will see (have a look at this blog post by Ted Way from the office engineering team to get more on this process).


For MAK activation, there are three options, activate via the internet, over the phone, or through proxy activation. Unlike KMS which requires a one time activation per KMS host, MAK activation requires that each and every copy of office connect to the Microsoft activation servers.  Each MAK key has a specific number of activations associated with it.  If there is a significant change to the hardware on the machine, then Office will need to be reactivated. When the client reactivates, then this will also decrement the activations available for that key.

For the activation methods, internet & phone are both self explanatory, proxy is not quite.  Proxy activation refers to the use of the Volume Activation Management Tool or VAMT. The VAMT is used to query a machine, via WMI, for its unique ID (Client Machine ID or CMID) and the machine that is running the VAMT is then used to contact the Microsoft activation servers on behalf of the client.  This means that you can have machines that are located on an isolated subnet, but still activate them.  Using the VAMT you can also export the list of CMIDs to a file which can then be activated on another machine.

Volume activation tools

Office 2010 also includes a couple of new tools that can be used to manage activation on a client machine.


OSPREARM.EXE is used to rearm an office installation prior to imaging a machine for deployment.  Rearming is effectively the process of resetting the timer that office activation uses to work out when the grace period has expired and to notify the user.  If you don’t rearm your office installation prior to imaging, the first time a user opens office on an imaged machine, they will receive an activation notification.


OSPP.VBS is the Office Software Protection Platform script and is the office equivalent of SLMGR.VBS of the Windows Software Licensing Management Tool.  Running this script from an elevated command prompt gives you the ability to do a whole bunch of things, the big ones being

  • activate office
  • show activation status & keys
  • install or remove activation keys
  • manage KMS host settings

So that’s the basics of Office 2010 volume activation. To get the full story check out these links