Category: Volume Activation

Windows Admin Center:


You can install Windows Admin Center on the following Windows operating systems:

Version Installation mode
Windows 10, version 1709 or newer Desktop mode
Windows Server Semi-Annual Channel Gateway mode
Windows Server 2016 Gateway mode
Windows Server 2019 Gateway mode

Desktop mode: Launch from the Start Menu and connect to the Windows Admin Center gateway from the same computer on which it’s installed (i.e. https://localhost:6516)

Gateway mode: Connect to the Windows Admin Center gateway from a client browser on a different machine (i.e.

Reference articles and help to activate Windows (wks and server editions) in enterprise:

Manage activations:


Download the latest Windows ADK (Assessement and Deployment Kit):



Recommended infrastructure for small companies (<25 persons):

Network switch manageable: 1Gb per port minimum. Cisco catalyst, Netgear, Zyxel, HPE

UTM appliance (FWnextgen, VPN, IDS/IPS):

Antivirus / security agents :

  • Windows defender (default recommended)
  • EDR client software (crowdstrike / carbon black)
  • Microsoft sysmon

Windows server standard/essentials:

Windows server essentials:

Windows computer:

Windows home prohibited (cannot join a windows domain!)

Windows XP is not supported.

Windows 10 professional recommended. 8 GB RAM, dual-core, SSD 512 GB, Wifi, 15″ screen minimum.

(to benefit of the latest security features, and to be able to join a windows domain: Estimated price for a Windows 10 Pro: 157 Euros (vat included)

Recommended: Microsoft volume license (OPEN):

Resellers: ,

To change the Office 2010/2013 installed with a MAK key to the corporate KMS office key, the following commands will be needed and can be scripted:


Reference for Office 2016:

For Office 2010: Run the following ospp.vbs from this folder c:\program files (x86)\Microsoft Office\Office14

For Office 2013: Run the following ospp.vbs from this folder c:\program files (x86)\Microsoft Office\Office15

For Office 2016: Run the following ospp.vbs from this folder c:\program files (x86)\Microsoft Office\Office16

Here are the needed steps in the script.

0. cscript ospp.vbs     ; to display the list of ospp.vbs options

1. cscript ospp.vbs /inpkey:<kms product key>

The required KMS Office 2013 GVLK key you get here:

The required KMS Office 2016 GVLK key you get here:

2. cscript ospp.vbs /sethst:<>

This is needed if you want set your kms server name manually

3.  cscript ospp.vbs /act

This step activates you Office Installation.


The RD session host server is installed properly

The RD licensing server service is also configured properly

however, I cannot access the RD server from a client computer, because a dialog box appear “The remote session was disconnected because there are no Remote desktop license servers available to provide a license”



TCP 135 + RPC dynamic ports must be opened between the new RDS Server and the RDS licensing service server


when specifing a RDS licensing service server, use are obliged to use the real server name because a DNS alias is not supported


Let’s assume we have three KMS servers for redundancy. How to fine tune the SRV records creation and priority?

Note: KMS clients should not be updating _vlmsc records, only KMS host machines should be doing.

by default a KMS server publish on DNS: Slmgr.vbs /sdns  ; Enables automatic DNS publishing by the KMS host.

DNS SRV settings fine tuning (examples):   SRV service location:
priority       = 10 (default is 0)  ; 10 is the first priorty
weight         = 75 (default is 0) ; 75% of client requests are load balanced to this kms server
port           = 1688
svr hostname   =   SRV service location:
priority       = 10 (default is 0)
weight         = 25 (default is 0) ; 25% of client requests are load balanced to this kms server
port           = 1688
svr hostname   =   SRV service location:
priority       = 20 (default is 0) ; 20 is less prioritary than 10
weight         = 75 (default is 0)  ; 75% of requests are load balanced on this third kms server
port           = 1688
svr hostname   =

When configured correctly, the first kms1 server, register dynamically the SRV record to the right DNS. To avoid to reset the values to 0, after SRV records fine tuning, you must disable DNS publishing on all KMS Servers: by doing this: Slmgr.vbs /cdns

The aim of this post is to explain how to detect KMS hosts installed by mistakes.

Since the new activation mechanism introduces by MS since Vista, most of sysadmins have many difficulties to understand the difference between Product Activation and Licenses management. Also, very often, sysadmins uses KMS host keys instead of KMS client keys or MAK keys.

When a computer running Vista up to W2k8 r2 is installed, often by mistakes, they are installed with a bad key and typically in this post, they are installed with a KMS host key. The problem is, by default, when a computer try to activate a KMS host against the MS online clearinghouse, the limit of max KMS hosts is 6. Also a KMS host try to create a SRV record in his current DNS namespace (

If there are KMS hosts installed and activated by mistakes, there are no WAY to ask to MS the list of KMS hosts. We can request to extend the limit by sending an email to Or we can use the VAMT v2 utility to perform audits and correct the problems.

So, after several years explaining how to activate MS computers to many sysadmins, I wrote a powershell script to get _vlmcs SRV records on a list of DNS namespace (input file dns-namespace-list.csv). This script requires dnsshell to work properly:

# Get KMS SRV records on a list of domains
# Created   : 10/01/2012
# Updated   : 02/02/2012
# Author    : jdalbera
# Comments  : This script scans a list of domains for SRV records that may
# indicate they may be running KMS host.
# It writes the results to a text file
Write-Host ""
Write-Host "------------------------------------------"
Write-Host " Get KMS SRV records on a list of domains "
Write-Host "------------------------------------------"
Write-Host ""
$domainscsvlist = '.\dns-namespace-list.csv'
$date = Get-Date -Format ddMMyyyy
$log = ".\logs\KMS-getVLMCSRecords-$date.txt"
Import-Module dnsshell
$domains = Import-Csv $domainscsvlist
foreach ($row in $domains)
      $domaintotest = $row.namespace
      $vlmcscheck = Get-Dns _vlmcs._tcp.$domaintotest srv | select -ExpandProperty answer
      $vlmcslist = Get-Dns _vlmcs._tcp.$domaintotest srv | select -ExpandProperty answertostring | ft
      if ($vlmcscheck -ne $null)
                  Write-host VLMCS SRV Records found for $domaintotest
                  $domaintotest | Out-File -append $log
                  "_vlmcs._tcp.$domaintotest" | Out-File -append $log
                  $vlmcslist | Out-File -append $log
                  Write-Host No records found for $domaintotest
                  "No records found for $domaintotest" | Out-File -append $log
      Write-Host "---------------------------------------------------------------"
      $vlmcscheck = $null
Write-Host "*****************"
Write-Host " Checks complete "
Write-Host "*****************"
Write-Host ""

Here are the two most important web links about Office 2010 and volume activation:

Office 2010 recently hit the RTM milestone and is now available for download via a couple of different channels.  For admins looking at deploying it, one of the biggest changes they will see relates to license keys & activation.  For previous office deployments, enterprises would establish a volume license agreement with Microsoft and then they would receive a volume license key (VLK).  They would then download a volume license (VL) edition of office, create a custom answer file, using the custom installation wizard or the Office customization tool depending on the version, run the setup with the answer file and be done.

For Office 2010 the process changes a little. The good news is that if you have deployed Vista or Windows 7, your pretty much set as Office now uses Volume Activation 2.0.  For those who haven’t though, a little time will need to be spent preparing your environments for Volume Activation.


The first question that needs to be answered is whether you will be using KMS or a MAK key. First let’s translate the acronyms into real words. KMS stands for Key Management Service while MAK stands for Multiple Activation Key. Now what’s the difference? MAK is like the traditional VLK, the difference being that the MAK still requires an initial activation that can be done over the internet, over the phone, or by using the Volume Activation Management Tool. The alternative is to use a KMS key.  The KMS key can be thought of a little like DHCP.  Activation clients discover a KMS host and get a license that is good for 180 days.  After 7 days the client will check back in with server and get it’s lease renewed.  If the client can’t contact the KMS host after 180 days then it falls back into an unlicensed state and the user will be notified that they need to activate their copy of office.

The decision on KMS vs MAK is going to hinge on a couple of factors.

  1. Network connectivity – KMS requires that a client is able to contact the KMS host once every 180 days over TCP port 1688 (the port can be changed).
  2. Activation limits – KMS requires a minimum of 5 clients to contact the KMS host before activation is successful.

The rule of thumb is generally if you have less than 50 machines to activate, go for MAK, more than 50 then go for KMS.

KMS Setup

If you decide to go down the KMS path then you will need decide what sort of machine will act as your KMS host.  The recommendation is that if you already have a KMS host deployed, then you should deploy the office KMS onto the same machine. This however raises a new concern.  The supported platforms for the office KMS host are

    • Windows Server 2003 or with any service packs
    • Volume license editions of Windows 7
    • Windows Server 2008 R2

You may notice that there are a couple of omissions from that list, primarily Windows Server 2008 or Windows Vista.  The deployment guide specifically states that neither of them are supported, irrespective of the service pack deployed.  So this may force some organisations to either transition their existing KMS to a new machine, or alternatively deploy a new KMS host.  The reality of this though is that it is a fairly minor process.

    1. Download the Office 2010 KMS Host License Pack
    2. Run the executable to install the KMS host server
    3. Enter your KMS license key and activate over the internet
    4. enable a firewall exception for TCP 1688

And your good to go.  Well you are provided that your machine has internet access and your DNS supports SRV records and dynamic updates.

If your machine doesn’t have internet access you will need to activate the key over the phone, so to do that

    1. open a command prompt and run the following command to get your installation ID (the guid is the activation ID for Office 2010)
      cscript slmgr.vbs /dti bfe7a195-4f8f-4f0b-a622-cf13c7d16864
    2. Then run this command to get the phone number for your region
      slui.exe 4
    3. Choose the option to activate your KMS key and enter the installation ID you got in Step 1. You will now get your 48 digit activation code, so it’s probably a good idea to write it down.  Also don’t make the mistake of using the installation ID you see in step 2.  It’s the windows installation ID and won’t help.
    4. To finish the process, return to the command prompt and enter the command below, replacing ############ with the activation code you got in step 3
      cscript slmgr.vbs /atp ############ bfe7a195-4f8f-4f0b-a622-cf13c7d16864

The other component I mentioned above was DNS. KMS clients can discover KMS hosts in one of two ways.

    1. Check for registry keys (here is the source)
      • SKU-specific value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\AppID\SKUID\KeyManagementServiceName REG_SZ registry value
      • AppID-specific value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\AppID\KeyManagementServiceName REG_SZ registry value
      • Global value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\KeyManagementServiceName REG_SZ registry value
      • SKU-specific cached KMS host (This is the cached identity of the host used in the last successful KMS activation.)
    2. DNS SRV records and specifically an SRV record in the format of where is the domain to which the client belongs.

If you only have a single KMS host in your environment and DNS that supports dynamic updates, then you are done.  If you have multiple DNS domains or multiple KMS hosts then there are a couple of extra steps you need to be aware of.

      • Multiple KMS Hosts – Only the first KMS will successfully register as the SRV record will be owned by that server, so you need to create a new security group and add all the KMS hosts to that group, then change the permissions on the SRV record so that the group has permissions to modify the SRV record
      • Multiple DNS domains – By default the KMS host will only register an SRV record in the domain to which it belongs, so you need to create a multi string registry value name DnsDomainPublishList under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform key then restart the Software Licensing Service to get it to create the SRV records.  If you then look in the Application event log you should see an event ID 12294 indicating that the records have been successfully created. (for more details on this look here)

MAK Setup

MAK setup is really a bit of a misnomer as there is not much in the way of infrastructure required for MAK activation.

The simplest method of using MAK activation is to manually install office, enter the key then manually activate.

Obviously this won’t scale too well, so the next option is to create a custom install. To do this create a deployment share (i.e. copy the install CD to a network location) and then run the office customisation tool by running setup.exe /admin and then entering the MAK key on the licensing screen under the Enter another product key section (by default office 2010 is configured to look for a KMS server).

You would then install office and when it is opened for the first time, the timer for the activation grace period is started.  The user will then get 25 days before they are prompted to activate their copy of office.

This is a screenshot of what a user will see (have a look at this blog post by Ted Way from the office engineering team to get more on this process).


For MAK activation, there are three options, activate via the internet, over the phone, or through proxy activation. Unlike KMS which requires a one time activation per KMS host, MAK activation requires that each and every copy of office connect to the Microsoft activation servers.  Each MAK key has a specific number of activations associated with it.  If there is a significant change to the hardware on the machine, then Office will need to be reactivated. When the client reactivates, then this will also decrement the activations available for that key.

For the activation methods, internet & phone are both self explanatory, proxy is not quite.  Proxy activation refers to the use of the Volume Activation Management Tool or VAMT. The VAMT is used to query a machine, via WMI, for its unique ID (Client Machine ID or CMID) and the machine that is running the VAMT is then used to contact the Microsoft activation servers on behalf of the client.  This means that you can have machines that are located on an isolated subnet, but still activate them.  Using the VAMT you can also export the list of CMIDs to a file which can then be activated on another machine.

Volume activation tools

Office 2010 also includes a couple of new tools that can be used to manage activation on a client machine.


OSPREARM.EXE is used to rearm an office installation prior to imaging a machine for deployment.  Rearming is effectively the process of resetting the timer that office activation uses to work out when the grace period has expired and to notify the user.  If you don’t rearm your office installation prior to imaging, the first time a user opens office on an imaged machine, they will receive an activation notification.


OSPP.VBS is the Office Software Protection Platform script and is the office equivalent of SLMGR.VBS of the Windows Software Licensing Management Tool.  Running this script from an elevated command prompt gives you the ability to do a whole bunch of things, the big ones being

  • activate office
  • show activation status & keys
  • install or remove activation keys
  • manage KMS host settings

So that’s the basics of Office 2010 volume activation. To get the full story check out these links