4. Recovering from a Nongenuine State

When a KMS or MAK key is lost or exploited heavily, the key can be marked nongenuine by Microsoft and from that point on becomes invalid for activation.

When evidence of system tampering is detected, the system goes into a nongenuine state. If the computer has altered system files, the best way to recover is to initiate a system file check by using sfc /scannow or by reinstalling the operating system. If a KMS host is marked nongenuine because of a compromised product key, replace the KMS key on all KMS hosts configured with that specific key, using the VAMT for example. You should then force reactivation of the KMS clients by running slmgr.vbs /ato, or you could just allow the clients to reactivate according to their activation renewal schedule.

If the original key is compromised on a MAK-activated computer, install a new MAK key and reactivate. You can do this on each computer individually or by using the VAMT.

Before a computer can recover from a validation failure, you must first determine why the computer failed validation and then take appropriate recovery steps. When troubleshooting activation, examine the Application event log. The reason for the validation failure is listed in event ID 8209.
5. Understanding the Windows Software Licensing Management Tool

In Windows Vista and higher, slmgr.vbs is provided with the OS. The Windows Software Licensing Management (SLMGR) tool covers all aspects of client activation; it's used to install the KMS host but can also be used to configure clients.

By starting slmgr.vbs without any parameters, you are provided with five screens presenting all the options that the slmgr.vbs script has to offer. The options are detailed in Table 2.
Table 2. slmgr.vbs options

General options | Description
---|---
/ipk <Product Key> | Installs the product key (replaces the existing key).
/ato [Activation ID] | Activates Windows.
/dli [Activation ID \| All] | Displays license information (default is the current license).
/dlv [Activation ID \| All] | Displays detailed license information (default is the current license).
/xpr [Activation ID] | Expiration date for the current license state.

Advanced options | Description
---|---
/cpky | Clears the product key from the Registry (prevents disclosure attacks).
/ilc <License file> | Installs the license.
/rilc | Reinstalls system license files.
/rearm | Resets the licensing status of the machine.
/upk [Activation ID] | Uninstalls the product key.
/dti [Activation ID] | Displays the installation ID for offline activation.
/atp <Confirmation ID> [Activation ID] | Activates the product with the user-provided confirmation ID.

KMS client options | Description
---|---
/skms <Name[:Port] \| : port> [Activation ID] | Sets the name and/or the port for the KMS computer this machine will use. The IPv6 address must be specified in the format [hostname]:port.
/ckms [Activation ID] | Clears the name of the KMS computer used (sets the port to the default).
/skhc | Enables KMS host caching.
/ckhc | Disables KMS host caching.

Token-based activation options | Description
---|---
/lil | Lists installed token-based Activation Issuance licenses.
/ril <ILID> <ILvID> | Removes an installed token-based Activation Issuance license.
/ctao | Clears the token-based Activation Only flag (default).
/stao | Sets the token-based Activation Only flag.
/ltc | Lists token-based Activation Certificates.
/fta <Certificate Thumbprint> [<PIN>] | Forces token-based activation.

KMS options | Description
---|---
/sprt <Port> | Sets the TCP port KMS will use to communicate with clients.
/sai <Activation Interval> | Sets the interval (minutes) for unactivated clients to attempt KMS connection. The activation interval must be between 15 minutes (min) and 30 days (max), although the default (2 hours) is recommended.
/sri <Renewal Interval> | Sets the renewal interval (minutes) for activated clients to attempt KMS connection. The renewal interval must be between 15 minutes (min) and 30 days (max), although the default (7 days) is recommended.
/sdns | Enables DNS publishing by KMS (default).
/cdns | Disables DNS publishing by KMS.
/spri | Sets KMS priority to normal (default).
/cpri | Sets KMS priority to low.
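The following PowerShell script is an added example, not part of this chapter, that ties sections 4 and 5 together: it pulls the most recent event ID 8209 entries from the Application log to find out why validation failed, reads the current license state through the SoftwareLicensingProduct WMI class, and wraps slmgr.vbs so the recovery sequence (install a replacement key with /ipk, then force reactivation with /ato) can be run from one place. The function names, the LicenseStatus name table, and the product key placeholder are assumptions of this example; the WMI class, its ApplicationId filter for Windows, and the slmgr.vbs switches are standard parts of the platform.

```powershell
# Added example (not from the book): diagnose a nongenuine/unlicensed client and run the
# recovery steps from section 4. Assumes Windows Vista/Server 2008 or later with
# slmgr.vbs under %SystemRoot%\System32; run from an elevated PowerShell prompt.

# LicenseStatus values of the SoftwareLicensingProduct WMI class (names are this example's).
$LicenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

function Get-ValidationFailureReason {
    # Event ID 8209 in the Application log records the reason for a validation failure.
    param([int]$MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8209 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message
}

function Get-WindowsLicenseState {
    # The ApplicationId is the well-known Windows product GUID; filtering on
    # PartialProductKey limits the result to the key actually installed.
    Get-WmiObject -Class SoftwareLicensingProduct `
        -Filter "ApplicationId='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL" |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                LicenseStatus = $LicenseStatusNames[[int]$_.LicenseStatus]
                GraceMinutes  = $_.GracePeriodRemaining
                KmsHost       = $_.KeyManagementServiceMachine
            }
        }
}

function Invoke-Slmgr {
    # Runs slmgr.vbs under cscript so its output goes to the console instead of a dialog box.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    & cscript.exe //nologo $slmgr @Arguments
    return $LASTEXITCODE
}

function Repair-KmsClientActivation {
    # Section 4 sequence: optionally install the replacement key (/ipk), force
    # reactivation (/ato), then show detailed license information (/dlv) to confirm.
    param([string]$NewProductKey)
    if ($NewProductKey) { Invoke-Slmgr -Arguments @('/ipk', $NewProductKey) | Out-Null }
    Invoke-Slmgr -Arguments @('/ato') | Out-Null
    Invoke-Slmgr -Arguments @('/dlv') | Out-Null
}

# Usage
Get-ValidationFailureReason | Format-List
Get-WindowsLicenseState
# Repair-KmsClientActivation -NewProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder key
```

Look at the LicenseStatus and GraceMinutes columns before touching the key: a client reporting NonGenuineGrace with a KmsHost set points at the host's key, which is the case where the text says to replace the KMS key on every host carrying it rather than reactivating clients one by one.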
6. Configuring Windows Firewall Settings When Using SLMGR Remotely

Client computers connect to the KMS host for activation by using anonymous Remote Procedure Calls utilizing TCP port 1688. After establishing a TCP session with the KMS host, the client sends a single request packet and the KMS host responds with the activation count. If the count is equal to or greater than the activation threshold for that operating system, the client will be activated and the session is closed.

The KMS client uses this same process for activation renewal requests. The communication each way is 250 bytes.

Because slmgr.vbs uses Windows Management Instrumentation (WMI), you must configure your firewall software to allow WMI traffic:

Open the Administrative Tools folder and click Windows Firewall With Advanced Security.

When you use KMS within a single subnet, allow the Windows Management Instrumentation (WMI) exception.

If you have multiple subnets, allow the connection for Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (DCOM-In), and Windows Management Instrumentation (WMI-In). Additionally, allow remote access in the scope.

By default, Windows Firewall Exceptions in the Private and Public profiles only apply exceptions to traffic originating on the local subnet. To expand the exception so that it applies to multiple subnets, change the exception settings in Windows Firewall with Advanced Security or, if joined to an AD DS domain, choose the Domain Profile.
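The firewall steps above can be scripted. The following PowerShell is an added example, not from the chapter, that enables the three WMI inbound rules the text names, widens their remote-address scope to specific management subnets instead of the local-subnet default, and adds an inbound rule for the KMS host's TCP port 1688. It assumes the NetSecurity cmdlets, which exist on Windows 8/Windows Server 2012 and later; the netsh line in the comment is the equivalent for Windows Server 2008 R2. The function names and all subnet values are constructed for this example.

```powershell
# Added example (not from the book): firewall configuration for remote slmgr.vbs (WMI)
# and for the KMS host itself. Requires the NetSecurity module (Windows 8 / Server 2012+).

function Enable-WmiFirewallRules {
    # Single subnet: the "Windows Management Instrumentation (WMI)" group contains the
    # WMI-In, DCOM-In and ASync-In rules from the text; enable them on the chosen profile.
    param([ValidateSet('Domain', 'Private', 'Public')][string]$FirewallProfile = 'Domain')
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Set-NetFirewallRule -Enabled True -Profile $FirewallProfile
    # Server 2008 R2 equivalent:
    # netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
}

function Set-WmiRemoteScope {
    # Multiple subnets: replace the Private/Public "local subnet" scope with the
    # management networks that actually run slmgr.vbs remotely, not with Any.
    param([Parameter(Mandatory)][string[]]$ManagementSubnets)
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnets
}

function New-KmsHostRule {
    # KMS host side: clients use anonymous RPC over TCP 1688. Limiting RemoteAddress to
    # the client ranges keeps the activation listener off untrusted networks.
    # (Assumption: if the host already ships a "Key Management Service (TCP-In)" rule,
    # enabling that rule is preferable to creating a second one.)
    param([int]$Port = 1688, [string[]]$ClientSubnets = @('LocalSubnet'))
    New-NetFirewallRule -DisplayName "KMS host TCP $Port (inbound)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $ClientSubnets -Action Allow -Profile Domain
}

# Usage (constructed subnet values)
Enable-WmiFirewallRules -FirewallProfile Domain
Set-WmiRemoteScope -ManagementSubnets @('10.1.0.0/24', '10.2.0.0/24')
New-KmsHostRule -ClientSubnets @('10.0.0.0/8')
```

Scoping the WMI rules to named management subnets, rather than opening them to any remote address, is the practical reading of "allow remote access in the scope": remote WMI is a full administrative channel, so the exception should reach only the hosts that need it.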
7. Allowing Standard Users to Perform Activation

If you want to allow standard users to activate their operating system, you must add a new Registry key. Create a DWORD Registry value named UserOperations with the value 1 in the following Registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

After you have created this Registry key, users will no longer need administrative rights for some operations, such as installing a product key, installing a license, or rearming. This means that a standard user can convert a KMS client to use MAK activation, activate a computer manually, and replace the currently installed MAK with a new MAK.

No administrator permissions are needed to activate Office 2010 when using KMS. Normally, activating Office 2010 using MAK requires administrator permissions. You can modify this behavior by adding a Registry key. Create a DWORD Registry value named UserOperations with the value 1 in the HKEY_LOCAL_MACHINE\Software\Microsoft\OfficeSoftwareProtectionPlatform Registry subkey.
8. Controlling Activation Notifications and Timing

You can turn off software licensing notifications by adding the following new Registry key. Create a DWORD Registry value named NotificationDisabled with the value 1 in the following Registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation

This will disable all software licensing notifications. You should keep in mind, though, that this setting will be ignored if the grace period has expired.

You can modify the default values for activation timing by using slmgr.vbs or by using Registry settings. When you want to modify the intervals using SLMGR, you should use the following settings:

By using slmgr.vbs /sai <interval>, you can modify the activation setting that specifies the retry interval after the client unsuccessfully accesses the KMS server; by default, this interval is set to 120 minutes, but you can change it to between 15 and 43,200 minutes (which is equal to 30 days).

By using slmgr.vbs /sri <interval>, you can modify the renewal interval. The interval is set in minutes. The default value is 10,080 minutes (which is equal to 7 days), but you can change it to between 15 and 43,200 minutes.
9. Using Group Policy to Control Activation Behavior

You can control configuration and property data for Volume Activation using WMI and the Windows Registry, which can be controlled centrally by using Group Policy preferences. (Using Group Policy, you can also control the appearance of the black desktop during the notifications state; you can modify these settings in User Configuration, but its impact is much more than just suppressing the black desktop and therefore is not recommended.)

For both the KMS client and the KMS server, the following Registry settings can be modified. The settings can be found under this Registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

Activation\AlternateURL
This is a REG_SZ value in which you can supply a URL to an alternate location where users are redirected after clicking the link "Learn more about activation online."

Activation\NotificationDisabled
This is a DWORD value which, when set to 1, will hide all notifications about activation.

UserOperations
This is a DWORD value that, when set to 1, enables standard users to perform activation and rearm of machines, as well as install product keys.

VLActivationInterval
This is a DWORD value that sets the activation interval, which by default is set to 120 minutes but can be set to 15 minutes minimum and 43,200 minutes maximum.

VLRenewalInterval
This is a DWORD value that sets the renewal interval, which by default is set to 10,800 minutes but can be set to 15 minutes minimum and 43,200 minutes maximum.

For the KMS server, the following Registry settings apply:

Activation\Manual
This is a DWORD value that, when set to 1, disables automatic activation.

DisableDNSPublishing
This is a DWORD value that, when set to 1, disables the publishing to DNS.

DnsDomainPublishList
This is a MULTI_SZ value that contains additional domain names in which you can register DNS SRV RRs.

EnableKmsLowPriority
This is a DWORD value that can be set when contention from KMS in a co-hosted environment must be minimized.

KeyManagementServiceListeningPort
This is a REG_SZ value that can be used to modify the default port, which is set to 1688.

KeyManagementServiceVersion
This REG_SZ value is set so that the machine can be found by the KMS management pack for MOM.

For the KMS client, the following Registry settings can be set:

KeyManagementServiceName
This is a REG_SZ value that is set in order to force the client to a specific KMS host.

KeyManagementServicePort
This is a REG_SZ value that sets the TCP port that the KMS client uses on the KMS host.
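Sections 7, 8 and 9 all come down to DWORD and string values under the SoftwareProtectionPlatform key, so one script serves all three. The following PowerShell is an added example, not from the chapter: it reports the current setting of each value named in those sections in one row (so that, for instance, UserOperations=1 on a machine where only administrators should handle keys stands out), creates a DWORD value idempotently, and refuses an activation or renewal interval outside the 15 to 43,200 minute range the text gives. The key paths and value names are those from sections 7 to 9; the function names are this example's own.

```powershell
# Added example (not from the book): audit and set the Volume Activation Registry values
# from sections 7-9. Run from an elevated PowerShell prompt; Group Policy preferences can
# deliver the same values centrally, as section 9 notes.

$SppKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
$OfficeKey = 'HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform'   # Office 2010, section 7

# Bounds in minutes for VLActivationInterval / VLRenewalInterval (15 minutes to 30 days).
$IntervalMin = 15
$IntervalMax = 43200

function Get-SppSetting {
    # Returns one value from the SPP key (or a subkey such as 'Activation'); $null when unset.
    param([Parameter(Mandatory)][string]$Name, [string]$SubKey = '', [string]$Root = $SppKey)
    $path = if ($SubKey) { Join-Path $Root $SubKey } else { $Root }
    (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-SppDword {
    # Creates the subkey if it is missing and writes the DWORD; -Force overwrites an existing value.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Value,
          [string]$SubKey = '', [string]$Root = $SppKey)
    $path = if ($SubKey) { Join-Path $Root $SubKey } else { $Root }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-VLInterval {
    # Writes VLActivationInterval or VLRenewalInterval only if the value is inside the documented range.
    param([Parameter(Mandatory)][ValidateSet('VLActivationInterval', 'VLRenewalInterval')][string]$Name,
          [Parameter(Mandatory)][int]$Minutes)
    if ($Minutes -lt $IntervalMin -or $Minutes -gt $IntervalMax) {
        throw "$Name must be between $IntervalMin and $IntervalMax minutes (got $Minutes)"
    }
    Set-SppDword -Name $Name -Value $Minutes
}

function Get-SppAudit {
    # One object with every value from sections 7-9 that matters on a client or host.
    [pscustomobject]@{
        UserOperations           = Get-SppSetting UserOperations
        OfficeUserOperations     = Get-SppSetting UserOperations -Root $OfficeKey
        NotificationDisabled     = Get-SppSetting NotificationDisabled -SubKey Activation
        AlternateURL             = Get-SppSetting AlternateURL -SubKey Activation
        VLActivationInterval     = Get-SppSetting VLActivationInterval
        VLRenewalInterval        = Get-SppSetting VLRenewalInterval
        KeyManagementServiceName = Get-SppSetting KeyManagementServiceName
        KeyManagementServicePort = Get-SppSetting KeyManagementServicePort
        DisableDNSPublishing     = Get-SppSetting DisableDNSPublishing
    }
}

# Usage
Get-SppAudit | Format-List
# Set-SppDword -Name UserOperations -Value 1                            # section 7
# Set-SppDword -Name NotificationDisabled -Value 1 -SubKey Activation   # section 8
# Set-VLInterval -Name VLRenewalInterval -Minutes 10080                 # section 8: 7 days
```

Running Get-SppAudit across a fleet (for example through a remote PowerShell session) gives a quick way to spot clients pinned to an unexpected KeyManagementServiceName or hosts with DNS publishing disabled, both of which otherwise show up only as activation failures in the Application log.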