Geek of All Trades: The Rule of 3

When it comes to demystifying Windows 7 licensing practices, it helps to remember the “Rule of 3.”

Greg Shields

Licenses—they’ve long been the bane of software distribution. Ask 10 different vendors about their licensing terms, and you’ll probably get 10 different answers. Ask Microsoft about its licensing terms, and you’ll probably still get 10 different answers.

Microsoft licensing seemed simple back in the good old days. Of course, back then we weren’t doing much in the way of automation. At one of my first “real” jobs, we were tasked with building Windows desktops—manually, in the basement, with no windows. Having entered that license string into hundreds of desktops, I remember it by heart: 17197-0023101 …

Licensing and activation for all Microsoft products—specifically Windows—is now an entirely different game. Licenses come in all shapes and sizes, with just as many activation options. While the automation options might seem immediately obvious, figuring out which works best for your small business or environment can be more of a challenge.

Three Channels for Acquiring Licenses

Let’s take a look at these options in the hope of demystifying the whole licensing and activation process. Your options for automating these processes depend heavily on how you purchase the licenses in the first place. Microsoft recognizes three basic channels.

The first channel is retail licensing. This refers to licenses acquired through a retail store. While these are perhaps the simplest in concept, they can be the most complicated to manage as they increase in number. Each retail license is unique, meaning each lets you install Windows on a single, identified computer. There are no volume license automations for retail license management, so maintaining the mapping between license string and computer can quickly become an administrative nightmare.

The second channel is original equipment manufacturer (OEM) licensing. This is only slightly different than the first. OEMs (hardware vendors) associate these licenses with the firmware built into each computer. OEM licensing involves less administrative effort than retail licensing because the manufacturer handles most of the licensing activities.

However, OEM licenses are notorious for creating downstream issues, mostly during a computer’s next upgrade or refresh. Here’s the rub: activated OEM licenses only work with their specific OEM-provided image when it comes time for a refresh or upgrade. You can create customized images, but only when those images start their lives from the original image provided by the hardware manufacturer.

You should think twice about using OEM or retail licenses. The administrative headache involved with managing the retail license-to-computer mapping often costs more in time than the extra cash for volume licenses. In my consulting experience, I’ve seen more migrations, upgrades and Physical-to-Virtuals (P2Vs) crash from OEM license limitations. Volume licenses are more expensive, but for good reason.

That’s why the third channel—volume licensing—is the most appropriate channel for business. The end result is the same: you license and activate Windows. However, the methods in which volume licensing and activation occur are far more straightforward. To obtain volume licenses, you set up a Volume License Agreement, a process that typically involves a Microsoft partner.

3 Options to Activate Volume Licenses

Should you opt for volume licensing, you’ll need to determine which of its three activation options makes the most sense. This is where most of the confusion around volume licensing exists. The three different options are designed to support licensing across a range of network scenarios. Sometimes, though, you’ll need some combination of these three within the same organization. There are two key characteristics that generally determine the best option: network connectivity and the number of requesting hosts.

The first option directs requesting hosts to a Windows Server running the Key Management Service (KMS). KMS servers are designed for environments with more than 25 Windows clients or five Windows Servers, all of which have regular network connectivity to the KMS server.

This non-configurable number of hosts is called the activation threshold. A KMS server won’t begin activating any hosts until it meets this threshold. Thus, if your environment doesn’t meet the minimum number of hosts, you won’t be using KMS. The same holds true if requesting hosts won’t have network connectivity to a KMS host. That lack of network connectivity also prevents you from using KMS.

If you don’t meet the minimum requirements for KMS, you’ll need to choose between multiple activation key (MAK) Independent Activation and MAK Proxy Activation. These are just fancy names for, “I’ll enter my license key on each host individually,” versus, “I’ll use the Volume Activation Management Tool (VAMT) to do it.”

MAK Independent Activation is almost indistinguishable from entering retail license keys. The only difference is you have a single license key that will successfully activate on a predetermined number of computers. That number will be determined by how many licenses you purchase as part of your Volume Licensing Agreement.

The third option—MAK Proxy Activation—serves as a kind of halfway point between using a KMS server and manually entering keys. It uses the VAMT, a standalone application that’s part of the Microsoft Windows Automated Installation Kit (WAIK).

As a standalone application, the VAMT comes in handy when you have a large number of computers to activate, but limited or absent network connectivity. Some examples of this include a prototypical test or demo environment, as well as high-security areas.

3 Steps to Configure KMS

Enabling KMS on an available server makes the most sense in a classic office environment. Desktops and laptops in that environment tend to have the necessary connectivity to back-office servers. One of these can operate as your KMS server.

This option is arguably the simplest. Volume licensing versions of Microsoft Windows are equipped with a preinstalled volume licensing setup key. That key requires activation from a KMS host to fully license the Windows instance. With a little up-front work, you can make this activation process happen entirely in the background, essentially automating much of the licensing process.

Here’s how it works: Hosts requiring activation find their KMS server by querying DNS. They’re looking for specific service resource records (SRV RRs) in their DNS domain. The KMS host automatically manages those SRV RRs when using Dynamic DNS. You can also manage them manually when Dynamic DNS isn’t present. Check the Configuring DNS TechNet Library page to learn more about manually updating DNS with these records.

Configuring a Windows Server as a KMS host requires entering the following two commands and adding an exception to the Windows Firewall (when necessary). You have to run these two commands from the path C:\Windows\System32. The first installs the KMS host key (either Microsoft or your Microsoft partner should provide that key); the second command activates the key with the Microsoft clearinghouse:

cscript slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

cscript slmgr.vbs /ato

You’ll need Internet connectivity for the second command line to function. Telephone support for activating the key is also available if there’s no Internet access for the KMS server. Once activated, add a Windows Firewall exception on the KMS server for the KMS. Once everything is set up, you can use this command on your KMS server to learn more about the number of requesting hosts, among other information:

cscript slmgr.vbs /dlv
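
As an added example (not part of the original article), the PowerShell below audits the SRV records that clients use to find a KMS host, flagging any record that points at a host outside an approved list or at a port other than the default TCP/1688. The record name _vlmcs._tcp is the standard KMS discovery name; the domain, host names and approved list are constructed for illustration.

```powershell
# Added example: audit KMS discovery records against an approved list.
# The domain, host names and approved list below are constructed sample values.

function Test-KmsSrvRecord {
    param(
        [Parameter(Mandatory)] [object[]] $Records,       # objects exposing NameTarget and Port
        [Parameter(Mandatory)] [string[]] $ApprovedHosts, # KMS hosts you deliberately deployed
        [int] $ExpectedPort = 1688                        # default KMS port
    )
    foreach ($r in $Records) {
        # DNS answers may carry a trailing dot and mixed case; normalize before comparing.
        $target = $r.NameTarget.TrimEnd('.').ToLowerInvariant()
        $issues = @()
        if ($ApprovedHosts -notcontains $target) { $issues += 'host not on approved list' }
        if ($r.Port -ne $ExpectedPort)           { $issues += "port $($r.Port), expected $ExpectedPort" }
        [pscustomobject]@{
            Target = $target
            Port   = $r.Port
            Status = if ($issues) { 'REVIEW' } else { 'OK' }
            Issues = $issues -join '; '
        }
    }
}

# Constructed sample: the shape of the SRV answers for _vlmcs._tcp.corp.example.com
# in a domain where a second, unplanned machine has also registered itself as a KMS host.
$sample = @(
    [pscustomobject]@{ NameTarget = 'kms01.corp.example.com.';   Port = 1688 }
    [pscustomobject]@{ NameTarget = 'LAB-PC17.corp.example.com'; Port = 1688 }
)
$approved = @('kms01.corp.example.com')

Test-KmsSrvRecord -Records $sample -ApprovedHosts $approved | Format-Table -AutoSize

# Live check (Resolve-DnsName needs Windows 8 / Windows Server 2012 or later).
# Additional-section A records have no NameTarget, so they are filtered out.
# $live = Resolve-DnsName -Name '_vlmcs._tcp.corp.example.com' -Type SRV |
#         Where-Object { $_.NameTarget }
# Test-KmsSrvRecord -Records $live -ApprovedHosts $approved
```

With the sample data, kms01 is reported as OK and lab-pc17 as REVIEW because it is not on the approved list.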

3 Gotchas to Watch

In keeping with the “Rule of Three” theme, here are three important gotchas you’ll want to pay careful attention to before selecting a KMS host:

  1. Keep in mind that the default port used by KMS is TCP/1688. You can configure that port using the same slmgr.vbs command with a few different switches. If you do change this port, make sure your firewalls are also configured appropriately.
  2. Be mindful of running KMS atop a virtual machine (VM). While you can install the KMS host on a VM, any migration of that VM to a different virtual host might trigger a KMS host reactivation. The KMS service can detect when changes occur to underlying hardware. Any changes in underlying hardware force a reactivation. KMS hosts are limited to nine reactivations before you’ll need to make some extra effort (and a few phone calls to Microsoft).
  3. There are some situations where even Microsoft suggests forgoing the activation process altogether. This is particularly true in environments with extremely rapid turnover, such as lab or demo environments. OS instances here are refreshed in less than 120 days.

Consider this note, from Chapter 11 of “Windows 7 Resource Kit” (Microsoft Press, 2009):

Lab environments usually have large numbers of VMs, and computers in labs are reconfigured frequently. First, determine whether the computers in test and development labs need activation. The initial 30-day grace period of a computer running Windows 7 or Windows Server 2008 R2 can be reset three times without activating it. Therefore, if you are rebuilding lab computers within 120 days, these computers need not be activated.

3 Cheers for Licensing

Licensing is one of those funny facets of IT that for many might seem more complicated than it is. When you lay out all the options, they almost seem less interesting. Just remember “The Rule of 3,” and you’ll never get confused about Windows activation again.

Greg Shields

Greg Shields, MVP, is a partner at Concentrated Technology. Get more of Shields’ Jack-of-all-trades tips and tricks at