You might find yourself in a situation where you want all your computers to activate using Active Directory-based activation, except for your Azure VMs, which should use the Azure KMS server.
By default, when Active Directory-based activation is enabled, all computers on your domain will use Active Directory-based activation.
By using the command cscript c:\Windows\system32\slmgr.vbs /dlv we can see that this host has been activated by AD activation:
The /dli option displays the current license information.
But we can change the default behavior on our Azure VMs.
Azure public cloud should use the following KMS server: kms.core.windows.net:1688
One way to do this is by using SCCM Compliance Settings.
First, we need a collection in SCCM to hold all Azure computers. This can be done in a lot of ways, but let's use an easy one where we select all computers whose Virtual Machine Type equals Azure.
This type equals the value of 2 when selecting the criteria on the collection.
And finally the full query used:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.VirtualMachineType = 2
Now that we have all the Azure computers in the collection, we can create the compliance settings.
Create Configuration Item:
Name the Configuration Item:
Select the versions of Windows you want to support:
Select New to create new settings:
Name the setting, select Setting type Script, Data type Boolean and click on Add Script (Discovery script).
Make sure Windows PowerShell is selected and then enter the following script code:
# Compliant only when slmgr reports the Azure KMS host as the registered KMS machine
if ((cscript "$env:SystemRoot\system32\slmgr.vbs" -dli all) -match "Registered KMS machine name: kms.core.windows.net:1688") {
    Write-Host $True
}
else {
    Write-Host $False
}
The above script will return True if the computer has been activated with the Azure KMS server; otherwise it will return False.
Click on Add Script (Remediation script).
Again make sure Windows PowerShell is selected and then enter the following script code:
cscript "$env:SystemRoot\system32\slmgr.vbs" /skms kms.core.windows.net:1688
cscript "$env:SystemRoot\system32\slmgr.vbs" /act-type 2
cscript "$env:SystemRoot\system32\slmgr.vbs" /ato
The options used are:
/skms <Name[:Port] | : port> [Activation ID]
Set the name and/or the port for the KMS computer this machine will use. IPv6 address must be specified in the format [hostname]:port
/act-type [Activation-Type] [Activation ID]
Set activation type to 1 (for AD) or 2 (for KMS) or 3 (for Token) or 0 (for all).
/ato [Activation ID]
Activate Windows
The above script will change the KMS server used, set the activation type to KMS (2) and then activate Windows again with the new KMS server.
Click on the Compliance Rules tab and New:
Name the Rule, set Rule type to Value, set The setting must comply with the following rule to Equals True, and select the option Run the specified remediation script when this setting is noncompliant.
Click OK to confirm:
Press Summary:
Press Next and then Close:
Next step is to create a Configuration Baseline:
Name the baseline, select Add and Configuration Items.
Select the Configuration Item just created and click Add.
Then click OK twice to confirm:
Deploy the Baseline just created:
Select Remediate noncompliant rules when supported, select the Azure collection we created, and choose a schedule of your choice.
We can force the evaluation on one computer to test our baseline:
The expected result should be that the computer is now activated with Azure KMS server:
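To check that result from a PowerShell prompt, the following added example (not part of the original post) parses the slmgr.vbs /dli output into fields and compares the registered KMS host exactly, rather than with a regex match. The function name Test-AzureKmsActivation and its parameters are hypothetical, the extra License Status check is an assumption beyond the post's discovery script, and the field names assume English-language slmgr output.

```powershell
# Added example: field-by-field check of "slmgr.vbs /dli" output.
# Function and parameter names are hypothetical, not from the original post.
function Test-AzureKmsActivation {
    param(
        # Lines of "slmgr.vbs /dli" output; defaults to querying the local machine.
        [string[]]$DliOutput = (cscript //nologo "$env:SystemRoot\system32\slmgr.vbs" /dli),
        [string]$ExpectedKms = 'kms.core.windows.net:1688'
    )

    # Collect "Key: Value" lines. The key stops at the first colon, so a
    # host:port value keeps its own colon. Header lines ending in ':' are skipped.
    $info = @{}
    foreach ($line in $DliOutput) {
        if ($line -match '^\s*([^:]+):\s+(.+?)\s*$') {
            $info[$Matches[1].Trim()] = $Matches[2]
        }
    }

    $kms    = $info['Registered KMS machine name']
    $status = $info['License Status']
    [pscustomobject]@{
        RegisteredKms = $kms
        LicenseStatus = $status
        # -eq is an exact, case-insensitive comparison: unlike -match, the dots
        # in the host name are literal and a longer line cannot match by accident.
        Compliant     = ($kms -eq $ExpectedKms) -and ($status -eq 'Licensed')
    }
}

# Constructed sample output for a KMS-activated Azure VM (not captured from a real machine).
$kmsSample = @(
    'Name: Windows(R), ServerDatacenter edition'
    'Description: Windows(R) Operating System, VOLUME_KMSCLIENT channel'
    'License Status: Licensed'
    'Most recent activation information:'
    'Key Management Service client information'
    '    Registered KMS machine name: kms.core.windows.net:1688'
)
# Constructed sample for a machine with no registered KMS host in its output.
$adSample = @(
    'Name: Windows(R), ServerDatacenter edition'
    'License Status: Licensed'
)

Test-AzureKmsActivation -DliOutput $kmsSample
Test-AzureKmsActivation -DliOutput $adSample
```

Called without -DliOutput, the function queries the local machine; to use it as the discovery script, output only the Compliant property.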