Activation in Disconnected Environments Using Volume Activation Management Tool 2.0

Product activation of operating systems in disconnected networks, such as branch offices and high-security zones within a production environment, may seem challenging. High-security zones are network segments air-gapped or separated by a firewall that limits or prevents communication to and from other network segments. If you manage systems in such an environment, you may be wondering about product activation options.

You have several alternatives for activation in disconnected environments. These are explained in a white paper, Volume Activation in Disconnected Environments. In this document, we cover one of these options in depth. This method uses Multiple Activation Keys (MAKs) and the Volume Activation Management Tool (VAMT) 2.0. VAMT is a free tool that Microsoft provides to centrally manage and automate product activation for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008R2, and Office 2010 client suites and applications, Visio 2010 and Project 2010 clients.

The diagram below shows a schematic of various MAK activation methods. The systems in the isolated lab are activated using the process covered in this document. We'll walk through the steps you would follow to activate computers in any disconnected environment.

Ff686875.Core network_Isolated lab diagram(en-us,TechNet.10).gif

Figure 1. Diagram of MAK activation using VAMT

On This Page

Activation Process Overview

In our example we use MAKs, but you can also activate a Key Management Service (KMS) host or retail systems using product keys obtained through various programs such as volume licensing, MSDN and Microsoft Partner Network, using this process.

The activation process uses proxy activation with two VAMT consoles. The first console is in the disconnected environment, e.g. an isolated lab. The second console is in a connected environment that has internet access, e.g. the core network.  A MAK is installed in the systems in the disconnected environment, and data is saved to a Computer Information List (CIL) on the first VAMT console. The CIL is an XML file format where VAMT stores activation information. The CIL is exported to removable media, transported to and imported in the second VAMT console. The admin requests Confirmation IDs (CIDs) from the Microsoft hosted activation service. The received CIDs are saved to the CIL, and transported on removable media back to the first VAMT console. The CIDs are then deposited on the systems in the disconnected environment, completing the activation process.

The diagram below shows the process that we'll walk through. Some of the steps outlined in this document would be performed for any proxy activation. For an overview of proxy activation, see Product Activation Using VAMT 2.0.


Figure 2. Process flow of VAMT proxy activation in disconnected environment

Phase 1 Steps: Disconnected Environment

The initial phase involves steps in the disconnected environment, with the VAMT console in the disconnected environment. The first four steps are performed in any proxy activation.

1.     Configure the VAMT client systems to enable WMI through the Windows Firewall.

2.     Add computers to the CIL and discover installed products.

3.     Add the MAK to VAMT.

4.     Install the MAK on client systems.

5.     Save the full CIL, for example “IsolatedLabGroup.CIL”. You will use this full CIL in Phase 3.

6.     Optionally, save a separate CIL that excludes PII if policy prevents such data from leaving the secure environment, for example“IsolatedLabGroupSecureExport.CIL”.

7.     Copy the CIL to be transported to removable media.

Phase 2 Steps: Connected Environment

This phase involves steps taken with the VAMT console in the connected environment. Steps 10 and 11 are performed in any proxy activation.

8.     Transport the CIL to the VAMT console in the connected environment.

9.     Import the CIL on removable media into the VAMT in the connected environment.

10.   Request CIDs from Microsoft hosted activation service.

11.   Microsoft hosted activation service returns the CIDs.

12.   After confirming in the CIL that all products have received CIDs, save the CIL with a new name, for example “IsolatedLabGroupSecureExportwithCID.CIL”.

13.   Copy the CIL to removable media.

Phase 3 Steps: Disconnected Environment

The final phase involves steps back in the disconnected environment, using the VAMT console in the disconnected environment. Step 19 is performed in any proxy activation.

14.   Transport the CIL back to the VAMT console in the disconnected environment.

15.   Copy the IsolatedLabGroupSecureExportwithCID.CIL file from the removable media onto a drive on the VAMT console in the disconnected environment.

16.   Open the original full CIL “IsolatedLabGroup.CIL”. You need the original full CIL file so you can match the CIDs with the proper products.

17.   Import the new CIL with the CIDs into the VAMT console in the disconnected environment. This will start the merge process that matches the CIDs to the IIDs of the products.

18.   Save the new merged CIL, for example “IsolatedLabGroupwithCID.CIL”.

19.   Apply the CIDs and activate the disconnected systems.

More Using VAMT 2.0 Guidance

Check out the other Using VAMT 2.0 documents:

  • Product Activation Using VAMT 2.0
  • Manage Product Keys Using VAMT 2.0
  • Reporting Activation Information Using VAMT 2.0

You can watch video demos of several VAMT tasks at Several of these demos use VAMT 1.2 but the process is the same using VAMT 2.0. The Helpfile in the VAMT 2.0 download has detailed information on how to perform many tasks using the tool.