Recently I logged into my RMS server and had a somewhat unpleasant surprise. While I am sure that I had done the production activation on this server, I noticed in the event logs and on the properties of my system that Windows was not activated yet. I still had three days left to activate my server, and while it did not represent an issue to activate it, I realized that if this one had not yet been activated, what other servers in my environment had not!

For background, Windows Server 2008 product activation gives you a 60-day grace period to activate the system. After the 60 days it goes into a notification critical state where you can still log on and the system performs normally; however, the background goes to black (which I make as my default configuration regardless, so that classifies under ironic) and only critical updates are applied (also my default configuration, so also ironic).

For additional background, see for Windows Server 2008 Activation and for Windows Server 2008 R2 Activation.

What’s really strange in this situation is that this server had already been activated, which I know for a fact because it has been functional for more than 60 days and there were still 3 days left on the countdown – weird any way you look at it. In our environment we are Internet restricted on servers, so Windows activation needed to occur via phone instead of via the network. That may be involved in how we got to this situation, but who knows. So what to do about it? What if this isn’t the only server in the environment that was about to go to a state that it needed to be activated? Go Go Operations Manager 2007 R2! 🙂

What I found was that in the application log there were multiple events from the source of “Security-Licensing-SLC”. With some digging I found three of them that were useful:

8196 – Out of the grace period

8200 – About to be out of the grace period

1003 – Windows activation is solid/life is good

So using these events it was straightforward to create a management pack with two different monitors. One goes Critical when it finds event number 8196 from a source that matches the wildcard *Security-Lic*. Originally I configured this to look for the source Security-Licensing-SLC but it would not work (maybe too many characters, maybe the – throws it off, no clue why).

I ended up using the authoring console to create a test management pack which had three different monitors:

1) A top-level aggregate monitor targeted under Windows Computer –> Configuration

2) A lower-level simple event monitor under the aggregate monitor which checked for the warning event of 8200 (and creates a warning alert), and went to healthy status on event 1003

3) A lower-level simple event monitor under the aggregate monitor which checked for the critical event of 8196 (and creates a critical alert), and went to healthy status on event 1003
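
The same logic (two event monitors that reset on 1003, rolled up to the worst state) can be checked outside Operations Manager. The PowerShell below is an added example, not the contents of the sample MP; the function, variable and server names are hypothetical, and the sample events are constructed.

```powershell
# Added example (PowerShell 3.0+). Event IDs and the source wildcard are from the post;
# function, variable and server names are hypothetical.
$HealthyId = 1003
$Monitors = @(
    @{ UnhealthyId = 8200; State = 'Warning'  }   # about to be out of the grace period
    @{ UnhealthyId = 8196; State = 'Critical' }   # out of the grace period
)
$Rank = @{ Healthy = 0; Warning = 1; Critical = 2 }

function Get-ActivationHealth {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [string] $SourcePattern = '*Security-Lic*'
    )
    $Events |
        Where-Object { $_.ProviderName -like $SourcePattern } |
        Group-Object -Property MachineName |
        ForEach-Object {
            $computer = $_.Name
            $group    = $_.Group
            # Each event monitor holds the state set by its most recent event.
            $states = foreach ($m in $Monitors) {
                $last = $group |
                    Where-Object { @($m.UnhealthyId, $HealthyId) -contains $_.Id } |
                    Sort-Object -Property TimeCreated |
                    Select-Object -Last 1
                if ($last -and $last.Id -eq $m.UnhealthyId) { $m.State } else { 'Healthy' }
            }
            # The aggregate monitor rolls up the worst child state.
            $worst = $states | Sort-Object -Property { $Rank[$_] } | Select-Object -Last 1
            [pscustomobject]@{ Computer = $computer; State = $worst }
        }
}

# Constructed sample events (not real log data), shaped like Get-WinEvent output.
function New-SampleEvent($Computer, $Source, $Id, $Day) {
    [pscustomobject]@{ MachineName = $Computer; ProviderName = $Source
                       Id = $Id; TimeCreated = (Get-Date '2010-01-01').AddDays($Day) }
}
$sample = @(
    New-SampleEvent 'SRV-A' 'Security-Licensing-SLC' 8200 0
    New-SampleEvent 'SRV-A' 'Security-Licensing-SLC' 1003 1   # activated later
    New-SampleEvent 'SRV-B' 'Security-Licensing-SLC' 8200 0
    New-SampleEvent 'SRV-B' 'Security-Licensing-SLC' 8196 3   # grace period ran out
    New-SampleEvent 'SRV-C' 'Security-Licensing-SLC' 8200 0
    New-SampleEvent 'SRV-C' 'OtherApp'               1003 1   # unrelated 1003, ignored
)
Get-ActivationHealth -Events $sample | Format-Table -AutoSize
# Live use: Get-WinEvent -ComputerName <server> -FilterHashtable @{ LogName = 'Application'; Id = 8196, 8200, 1003 }
```

With the constructed events, SRV-A reports Healthy, SRV-B Critical and SRV-C Warning; the unrelated 1003 on SRV-C does not reset the state because the source filter excludes it.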

These are shown in the authoring console in the graphic below:


This is what it looks like in Health Explorer on an activated Windows Server system:
HealthCheck showing Licensing

This sample MP is available for download at (

Summary: Quick test MP available above to determine if your servers are about to fail or have failed activation. Going forward this looks like good functionality to add to the existing Vista and Server 2008 MPs.