• Article

Plan volume activation of Office 2010

 

Applies to: Office 2010

Topic Last Modified: 2012-11-29

Banner stating end of support date for Office 2010 with link to more info

You can plan the deployment of Office Activation Technologies for volume activation of Microsoft Office 2010 by using KMS key activation, MAK key activation, or both. Before you read this article, we recommend that you read Volume activation overview for Office 2010. We also highly recommend that you read the Windows Volume Activation Planning Guide (https://go.microsoft.com/fwlink/p/?LinkId=183040).

Important

This information applies to volume-licensed editions of Office 2010. It does not apply to Office Professional Plus for Office 365, which is licensed through subscription.
Office 2010 is supported on Windows 8 and Windows Server 2012.

In this article:

  • Plan a deployment

  • Review activation methods

  • Plan a KMS deployment

  • Plan a MAK activation

Plan a deployment

If you are planning a Windows deployment of Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, you will probably have the same considerations for Windows as for Office 2010. To help determine which activation method — Key Management Service (KMS) or Multiple Activation Key (MAK) or both — to use for Windows, see the Windows Volume Activation Planning Guide (https://go.microsoft.com/fwlink/p/?LinkId=183040). Most likely, Office 2010 will use the same method.

A volume activation deployment includes the following steps:

  1. Learn about product activation.

  2. Review available activation models.

  3. Evaluate client connectivity.

  4. Map the physical computer or virtual machine to an activation method.

  5. Determine product key needs.

  6. Determine monitoring and reporting needs.

Most of the information is covered in the Windows Volume Activation Planning Guide (https://go.microsoft.com/fwlink/p/?LinkId=183040). This article provides an overview of the technology.

When you plan for Office Activation Technologies, think about the following information:

  • The KMS activation threshold for Office 2010 is five computers. This means that Office 2010 client computers will become activated only after five or more client computers have requested activation.

  • There is no need to enter a product key for Office 2010 KMS clients. You only need to enter a KMS host key on your KMS host computer.

  • If you decide to use MAK, enter the product key either through the Office Customization Tool (OCT) or the Config.xml file. After Office 2010 installation, the product key can be changed by using the Volume Activation Management Tool (VAMT) 2.0 or the Office Software Protection Platform script (ospp.vbs). For more information about ospp.vbs, see Tools to configure client computers in Office 2010.

For a visual representation of the volume activation methods for Office 2010 and typical network scenarios, see Volume Activation of Microsoft Office 2010 (https://go.microsoft.com/fwlink/p/?LinkId=188811).

Volume Activation of Microsoft Office 2010 Model

Review activation methods

Office Activation Technologies provide two activation methods:

  • Key Management Service (KMS)   A server-client model in which a computer serves as the KMS host, which requires a KMS host key to be installed and activated. This establishes a local activation service in your environment. Office 2010 client computers connect to the local Office 2010 KMS host for activation.

  • Multiple Activation Key (MAK)   With a MAK key, Office 2010 client computers activate online by using the Microsoft hosted activation servers or by telephone.

The kind of key installed determines the activation method. All Office 2010 volume license editions have the KMS client key pre-installed. You do not have to enter a product key if you are deploying KMS clients. If you want to use MAK activation, you have to enter the correct MAK key.

A combination of KMS and MAK can also be used. For example, Office 2010 running on desktops has the KMS client key installed, whereas Office 2010 running on portable computers has the MAK key installed.

The model chosen depends on the size, network infrastructure, connectivity, and security requirements. You can choose to use only one or a combination of these activation models. Typically, the same activation method for a particular instance of Windows would be used for Office. For more information about how to decide which activation method to use, see the Windows Volume Activation Planning Guide (https://go.microsoft.com/fwlink/p/?LinkId=183040).

Key Management Service (KMS)

KMS is a server-client model in which a computer serves as the KMS host. KMS activation requires TCP/IP connectivity. By default, KMS hosts use DNS to publish the KMS service, and client computers connect to the KMS host for activation by using anonymous remote procedure calls (RPCs) through TCP communications port 1688, which is the default port number when you enable the firewall on a KMS host. You can use the default settings, which require little or no administrative action, or manually configure KMS hosts and clients based on network configuration and security requirements.

To be licensed, the KMS client must be activated. The following table describes the license state of the Office 2010 KMS client with respect to activation.

License state Description

Licensed

By default, the KMS client attempts activation with the KMS host one time every seven days. (The number of days is configurable.) This design allows the maximum possible time for the client to be in the licensed state. Once the KMS client is successfully activated, it remains in the licensed state for 180 days. When in the licensed state, users do not see any notification dialog boxes prompting them to activate. After 180 days, the activation attempt process resumes. If activation is continually successful, the entire activation experience is transparent to the end-user.

Out-of-tolerance

If activation does not occur during the 180-day period, Office 2010 goes into the out-of-tolerance state for 30 days. Users then see notifications requesting activation.

Unlicensed notification

If activation does not occur during the out-of tolerance state, Office 2010 goes into the unlicensed notification state. Users then see notifications requesting activation and a red title bar.

The KMS host must be installed with a KMS host key and activated before accepting KMS activation requests from KMS clients. For information about how to set up a KMS host, see Prepare and configure the KMS host in Deploy volume activation of Office 2010.

importantImportant
The KMS host key for Office 2010 is not specific to a particular operating system. It is designed to be used on any of the operating systems supported as an Office 2010 KMS host, including both 32-bit and 64-bit editions:

Publication of the KMS service

The KMS service uses service (SRV) resource records (RRs) in DNS to store and communicate the locations of KMS hosts. KMS hosts use dynamic updates, if available, to publish the KMS SRV RRs. If dynamic updates are not available or if the KMS host does not have permissions to publish the RRs, you must publish the DNS records manually or configure client computers to connect to specific KMS hosts. This might require changing permissions on DNS to let more than one KMS host publish SRV records.

Note

DNS changes might take time to propagate to all DNS hosts, depending on the complexity and topology of the network.

Client discovery of KMS

The first time that a KMS client queries DNS for KMS information, it randomly selects a KMS host from the list of SRV RRs that DNS returns. The address of a DNS server that contains the SRV RRs can be listed as a suffixed entry on KMS clients, which allows advertisement of SRV RRs for KMS in one DNS server and KMS clients that have other primary DNS servers to find it.

You can add priority and weight parameters to the DnsDomainPublishList registry value for KMS hosts on Volume License editions of Windows 7 or Windows Server 2008 R2. Doing so enables you to establish KMS host priority groupings and weighting within each group, which specifies the order in which to use KMS hosts and balances traffic among multiple KMS hosts. If you are using priority and weight parameters, we recommend that KMS caching be disabled on the client. This allows the client to query DNS every time that activation is attempted, which will honor the priority and weight parameters, instead of directly contacting the cached KMS host that last resulted in successful activation.

If the KMS host that a client selects does not respond, the KMS client removes that KMS host from its list of SRV RRs and randomly selects another KMS host from the list. If the priority and weight parameters are set, the KMS client will use them while finding another KMS host. Otherwise, KMS hosts are selected randomly. After a KMS host responds, the KMS client caches the name of the KMS host and uses it for subsequent activation and renewal attempts if caching is enabled. If the cached KMS host does not respond on a subsequent renewal, the KMS client discovers a new KMS host by querying DNS for KMS SRV RRs.

KMS activation thresholds

The minimum requirement for Office 2010 KMS activation is a KMS host and at least five KMS clients in a network environment. Five or more computers that are running Office 2010 volume editions must contact the KMS host within 30 days for their activation requests to be successful. When five clients have connected to a KMS host, clients that later connect to the KMS host receive responses that allow the clients to be activated. Due to the re-activation schedule, the original five clients also become activated when they request activation from the KMS host again.

After initializing KMS, the KMS activation infrastructure is self-maintaining. The KMS service can be co-hosted with other services. A single KMS host can support hundreds of thousands of KMS clients. Most organizations can deploy merely two KMS hosts for their entire infrastructure (one main KMS host and one backup host for redundancy).

KMS activation renewal

KMS activations are valid for 180 days. This is called the activation validity interval. To remain activated, KMS clients must renew their activation by connecting to the KMS host at least one time every 180 days. By default, KMS client computers attempt to renew their activation every seven days. After a client’s activation is renewed, the activation validity interval begins again.

Use KMS for computers that are running Windows and Office 2010 client products

When you use KMS to activate computers that are running both Windows and Office 2010, you have the following options for Office 2010:

  • Use the same KMS host on a computer that is running Windows Server 2003 (Standard, Enterprise, and Datacenter editions [32-bit and 64-bit] only), Volume License editions of Windows 7 or Windows Server 2008 R2 (recommended).

  • Use separate KMS hosts for computers that are running Windows and Office 2010.

Important

If you already have a KMS host that is set up to activate Windows products, you still have to install the Office 2010 KMS host license files, enter the Office 2010 KMS host key, and activate the key. To do this, go to the Microsoft Office 2010 KMS Host License Pack (https://go.microsoft.com/fwlink/p/?LinkID=169244) Web site, and then download and run KeyManagementServiceHost.exe.

The following operating systems are supported as an Office 2010 KMS host:

If you are already using a computer that is running as your Windows KMS host and you want to co-host the Office 2010 KMS host, follow the steps in Prepare and configure the KMS host in Deploy volume activation of Office 2010.

Multiple Activation Key (MAK)

A MAK key is used for one-time activation with the Microsoft hosted activation services. Each MAK key has a predetermined number of allowed activations. This number is based on Volume Licensing agreements and may not match the organization’s exact license count. Each activation that uses a MAK key with the Microsoft hosted activation service counts toward the activation limit. Once Office 2010 is activated, no re-activation is required unless the hardware changes significantly.

There are two ways to activate computers by using a MAK key:

  • MAK Independent Activation   MAK independent activation requires that each computer independently connect and be activated with Microsoft, either over the Internet or by telephone. MAK independent activation is best suited for computers in an organization that do not maintain a connection to the corporate network.

  • MAK Proxy Activation by using VAMT 2.0   This enables a centralized activation request on behalf of multiple computers that have one connection to Microsoft. MAK Proxy activation is configured by using VAMT 2.0. MAK Proxy activation is appropriate for environments in which security concerns might restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that do not have this connectivity.

MAK architecture

MAK activation requires that a MAK key is installed on a client computer and instructs that computer to activate itself against Microsoft hosted activation servers over the Internet. In MAK Proxy activation, a MAK key must be installed on the client computer by any of the methods previously described. VAMT 2.0 obtains the installation ID (IID) from the target computer, sends the IID to Microsoft on behalf of the client, and obtains a confirmation ID (CID). The tool then activates the client by installing the CID. The CID is saved and can be used later, for example, to activate test computers that have been re-imaged after 90 days.

VAMT 2.0

VAMT 2.0 is a Microsoft Management Console (MMC) snap-in that allows a graphical user interface (GUI) to easily manage Windows and Office 2010 client products, including Microsoft Project 2010 and Microsoft Visio 2010, with volume license keys installed. You may specify a group of products to activate by using Active Directory Domain Services (AD DS), workgroup names, IP addresses, computer names, or a generic LDAP query. Only VAMT 2.0 and later versions support Office 2010 in addition to Windows.

VAMT 2.0 enables you to easily transition computers between MAK and KMS activation methods by clicking the target computer and installing the appropriate key.

VAMT 2.0 also enables you to trigger activation on a remote computer. If the target computer has a MAK key installed, that computer sends an activation request to the Microsoft activation servers. If a KMS client key is installed, the target computer sends an activation request to the KMS host.

The tool also supports the collection of activation requests from several computers and then sends them to Microsoft hosted activation servers in bulk. This is called MAK proxy activation through VAMT 2.0, and the target computers must have MAK keys installed. For proxy activation only, VAMT distributes the activation confirmation codes from Microsoft hosted activation servers to the computers that requested activation. Because VAMT also stores these confirmation codes locally, it can reactivate a previously activated computer after it is reimaged without having to contact Microsoft.

For detailed information about VAMT 2.0, see Product Activation Using Volume Activation Management Tool 2.0 (https://go.microsoft.com/fwlink/p/?LinkID=207804).

Plan a KMS deployment

The KMS service does not require a dedicated server. The KMS service can be co-hosted on a server that also hosts KMS for Windows. Specifically, you can configure a computer that is running Windows Server 2003 with KMS 1.1 or a later version installed, Volume License editions of Windows 7, or Windows Server 2008 R2 to act as a single KMS host that responds to both Windows and Office 2010 KMS client activation requests. This works as long as the appropriate Office 2010 KMS host licenses are installed and a valid KMS host key is installed, and the key is activated against Microsoft hosted activation servers. You can install Office 2010 KMS host licenses by running the Microsoft Office 2010 KMS Host License Pack (https://go.microsoft.com/fwlink/p/?LinkID=169244).

Important

KMS hosts that were set up by using the Office 2010 Beta release cannot be used to activate client computers that are running the final released version of Office 2010. To activate these client computers, you can either run the release version of Microsoft Office 2010 KMS Host License Pack (https://go.microsoft.com/fwlink/p/?LinkID=169244) and enter the KMS host key on the same KMS host, or set up a new KMS server only for activating the final release version of Office 2010.

Plan DNS server configuration

The default KMS auto-publishing feature requires SRV RR and dynamic update support. Microsoft DNS or any other DNS server that supports SRV RRs, as documented in Internet Engineering Task Force (IETF) Request for Comments (RFC) 2782, and dynamic updates, as documented in RFC 2136 can support KMS client default behavior and KMS SRV RR publishing. Berkeley Internet Domain Name (BIND) versions 8.x and 9.x support both SRV records and dynamic update, for example.

The KMS host must be configured so that it has the credentials needed to create and update SRV, A (IPv4), and AAAA (IPv6) RRs on the dynamic update servers, or the records must be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS and add all KMS hosts to that group. For Microsoft DNS, ensure that this security group is given full control over the _VLMCS._TCP record on each DNS domain that will contain the KMS SRV RRs.

Activate the KMS host

The KMS host must activate with Microsoft hosted activation servers through the Internet or by telephone. Once the KMS host is activated, it does not communicate any additional information to Microsoft. For more information, see Prepare and configure the KMS host in Deploy volume activation of Office 2010.

Prepare KMS clients

By default, Volume License editions of Office 2010 are preinstalled with the KMS client key. This makes them KMS clients, without additional configuration required. KMS clients can locate a KMS host automatically by querying DNS for SRV RRs that publish the KMS service. If the network environment does not use SRV RRs, you can manually assign a KMS client to use a specific KMS host by configuring the following registry key:

HKLM\Software\Microsoft\OfficeSoftwareProtectionPlatform

The KMS host name is specified by KeyManagementServiceName (REG_SZ), and the port is specified by KeyManagementServicePort (REG_SZ). These registry keys can also be set through the ospp.vbs script. For more information about ospp.vbs, see Tools to configure client computers in Office 2010.

Activate as a standard user

Office 2010 does not require administrator permissions for KMS activation. However, volume editions require administrator permissions for MAK activation. Administrators can enable users who have non-administrator permissions to activate with MAK by setting the appropriate registry key in the deployments or in the master image:

HKEY_LOCAL_MACHINE\Software\Microsoft\OfficeSoftwareProtectionPlatform\UserOperations = 1

This registry key can also be set through the ospp.vbs script. For more information about ospp.vbs, see Tools to configure client computers in Office 2010.

Plan a MAK activation

MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of physical computers needing activation does not meet the Office 2010 KMS activation threshold (five computers). MAK can be used for individual computers or with an image that can be installed by using Microsoft or third-party deployment solutions. MAK can also be used on a computer that was originally configured to use KMS activation, which is useful for moving a computer off the core network to a disconnected environment.

For more information about how to install a MAK key, see Deploy volume activation of Office 2010.

No authenticated proxy server support

Activation over the Internet will be blocked if the proxy server requires user authentication. In Microsoft Internet Security and Acceleration (ISA) Server, this setting is named basic authentication. Because activation requests do not present the user's credentials to the proxy server, we recommend that you do not use basic authentication with ISA Server or other proxy servers. For more information, see Microsoft Knowledge Base article 921471: Activation fails when you try to activate Windows Vista or Windows Server 2008 over the Internet (https://go.microsoft.com/fwlink/p/?LinkId=183044).