How to set up and configure the Key Management System (KMS)

Key Management Service (KMS), like Multiple Activation Key (MAK), activates Microsoft products such as Windows and Office. You should install the KMS server, also known as the KMS host, on a server inside your local network. Note that KMS clients connect directly to the KMS host to activate Windows and other products. In this guide, we shall discuss how to set up and configure the Key Management System (KMS).
You should also be aware that it is possible to use the KMS host key for Windows Server to activate Windows clients as well. Therefore, it is necessary to use a single KMS host key to rule them all, and you must install the latest KMS host key available in VLSC. Please, see how to configure Active Directory-Based Activation (ADBA) for Windows.
Note: KMS can be hosted either on a client version of Windows or on Windows Server. To activate clients, the KMS host requires a KMS host key. This can be obtained from the Microsoft 365 admin center since the VLSC is retired. By installing this key, you configure the server to function as a KMS host.
Compared to Multiple Activation Key (MAK), KMS is the preferable activation method as long as you meet the activation threshold and the basic requirements for deployment, which include, but are not limited to, having proper DNS records and TCP/IP connectivity between the clients and the KMS host.
Please, see how to activate, check activation status and troubleshoot Windows common activation errors [Part 1], and a recent update to this error: Error code 0x8007232B: Can’t activate Windows on this device as we can’t connect to your organization’s activation server, make sure you are connected to your organization network and try again [Part 2].
Multiple Activation Key (MAK)
MAK is another method for activating Microsoft products such as Windows and Office. Unlike Key Management Service (KMS), MAK performs a one-time activation directly with Microsoft’s hosted activation servers.
This approach eliminates the need for any activation server or service inside your network. When you activate with MAK, Microsoft’s servers validate the request either online or by phone (for systems that cannot connect to the internet). In simple terms, you use MAK when you want to activate products manually without relying on an internal KMS setup.
Just like KMS, the MAK keys can be found in your VLSC portal. Each MAK has a predefined number of allowed activations, and each activation increases the number of used activations for that MAK by one.
KMS Planning
Below are some points to take into consideration when planning the deployment of Key Management Service (KMS) activation:
- The KMS Server (host) must reside on your LAN (local area network).
- Similar to WDS and WSUS, a KMS host does not need a dedicated server, as it can co-exist with other services. You are free to have it running on a dedicated server if you wish.
- KMS can be deployed on supported Windows Server and Windows client operating systems, as mentioned earlier.
Note: A KMS host running on a Windows Server operating system can activate computers running both server and client operating systems. But, a KMS host running on a Windows client operating system can only activate computers also running client operating systems.
To deploy Key Management Service (KMS), you must activate your KMS host with Microsoft using a Microsoft Customer Specific Volume License Key (CSVLK). Commonly referred to as the KMS host key, this key establishes trust between the host and Microsoft.
The Volume Licensing Service Center (VLSC) has been retired, and all its functionalities are now available through the Microsoft 365 admin center. To activate clients, a KMS host requires a KMS host key, which can be obtained directly from the Microsoft 365 admin center. Therefore, it is not possible to use the Volume Licensing Service Center (VLSC).
Please, see how to convert Windows Server Datacenter to Standard: Install Windows Server via iDRAC Virtual Media, and how to manage Windows Product key with Software Licensing Manager.
KMS Operational Requirements
Microsoft requires a minimum number of computers, referred to as the activation threshold, before the KMS host can activate clients. A KMS client only activates once this threshold is reached. To track this, the KMS host counts the computers that request activation on the network. In my lab, I do not have the number of PCs to meet this threshold. But follow along, as you will have enough knowledge to plan and run KMS in your lab or production environment.
The host always tracks the most recent connections. When a client or server contacts the host, it records the machine ID, updates the count, and returns the current total. If the count meets the threshold, activation succeeds. Windows clients need at least 25 active connections, while Windows servers and volume editions of Microsoft Office require just 5. The host only counts unique requests made within the last 30 days, and it stores details for up to 50 of the most recent connections.
When the KMS activation threshold is not met, clients that try to activate receive error code 0xC004F038. For Windows clients, the KMS host must receive activation requests from at least 25 unique computers (or 5 for Windows Server) before activation begins. Once this minimum count is reached, the KMS server will start activating all eligible clients automatically.
Once activated, KMS licenses remain valid for 180 days (the activation validity interval). To stay active, clients must renew before that period ends. By default, each client automatically tries to renew every seven days. Each successful renewal resets the 180-day validity window.
A single KMS host can manage unlimited clients. But for reliability, Microsoft recommends running at least two KMS hosts in larger environments. Two are enough to cover the entire infrastructure in case one host goes down.
When you activate the first KMS host, the Customer Specific Volume License Key (CSVLK) you use can activate up to five additional hosts, giving you a total of six per key. You can also reactivate the same host up to nine times with the same key. If your organization needs more than six KMS hosts, for example if you run multiple data centers or offices, you can request a CSVLK activation exception from Microsoft to cover those additional hosts.
Note: Computers that are running volume licensing editions of Windows Server and Windows client are by default KMS clients with no extra configuration needed. Also, if you are converting a computer from a KMS host, MAK, or retail edition of Windows to a KMS client, installing the applicable KMS client setup key is necessary.
Deployment Requirements
By default, both KMS hosts and clients rely on DNS for communication. The KMS host automatically publishes the details clients need through DNS dynamic updates, making it easy for them to locate and connect.
In most cases, you can keep these defaults. But if your network or security policies require it, you can manually configure the hosts and clients. A KMS host listens on TCP port 1688 by default.
Keep in mind that your KMS server may need the latest Windows Updates to activate newer client versions. If you run into activation errors, make sure the server has the required updates listed under the Activation Versions section on the official Microsoft Learn site.
Set up a Key Management Services host
As mentioned earlier, a KMS host doesn’t have to be a dedicated server. But there is nothing wrong if you decide to use a dedicated server, as long as the server is running a supported Windows Server or Windows client operating system.
You can install and run KMS alongside other roles and services, such as Active Directory Domain Services (AD DS), WSUS, Microsoft Endpoint Configuration Manager, WDS, file/print services, or other applications.
Please, see how to Convert Windows Server Essentials or Evaluation to Retail Edition, and how to fix “Error 0x8007232B: Can’t activate Windows on this device as we can’t connect to your organization’s activation server“.
Method 1: Installing the Volume Activation Services server role
Option 1: Install and configure a KMS host using the steps below. The first step is to install the Volume Activation Services role, which can be done via PowerShell with the command below.
Install-WindowsFeature -Name VolumeActivation -IncludeManagementTools
Next, you will be required to configure the Windows firewall to allow KMS to receive network traffic. You can allow this traffic for all network profiles, which is the default setting, or for any combination of the Domain, Private, and Public network profiles.
By default, a KMS host is configured to use Transmission Control Protocol (TCP) on port 1688. Run the command below to allow network traffic for only the Domain and Private network profiles:
Set-NetFirewallRule -Name SPPSVC-In-TCP -Profile Domain,Private -Enabled True
Option 2: Install Volume Activation Services
To do this, sign in to your Windows Server and, if the Server Manager is not automatically launched, please fire it up. Please, see how to reinstall Server Manager and disable Server Manager at startup for all users and login users.
When launched, click on Manage as shown below. If you would like to setup ADBA instead, please take a look at this guide on how to set up Active Directory Based Activation.

Next, select Add Roles and Features. The Add Roles and Features Wizard window opens.

On the Before you begin page, click skip or next as you wish to proceed.

Select Role-based or feature-based installation, and then select the Next button.

Select your destination server. This is only useful if you have multiple servers. But we have just one and it is selected by default.

Next, select the Volume Activation Services role

When selected, you will be prompted to add additional features as shown below

As you can see below, the Volume Activation Services role has been selected.

On the features page, you can skip.

In the Volume Activation Services page, please hit the next button to proceed.

In the Confirmation page, click on the Install button.

When the installation completes, close the wizard as shown below.

Volume Activation Tools wizard: Configure KMS in Windows Server
Next, we will be using the Volume Activation Tools wizard to configure the KMS host (server). To do this, launch the Volume Activation Tools wizard by running the command below. Alternatively, click on Tools and select Volume Activation Tools.
vmw.exe
On the introduction page, select Next.

For the activation type, select Key Management Service (KMS). For the server, enter localhost to configure the local server. If you want to configure a different server, enter its host name. Select Next.

Enter your KMS host key, and click on Commit.

Note: As shared above, the Volume Licensing Service Center (VLSC) has been retired. All its functionalities are now available through the Microsoft 365 admin center. To activate clients, a KMS host requires a KMS host key, which can be obtained directly from the Microsoft 365 admin center.
Shortly, the product key will be installed. But because I do not have a KMS host key, I am stuck and cannot proceed further.

After the activation finishes successfully, the KMS host configuration appears. If the configuration settings meet your requirements, select Close to exit the wizard. The system creates DNS records, and you can start activating KMS clients.
Note: By default, KMS hosts publish Service (SRV) resource records in your Domain Name System (DNS). As a result, KMS clients can automatically discover the KMS host and activate without the need for any configuration on the KMS client. You can disable automatic publishing and create the records manually. These steps are needed for automatic activation if the DNS service doesn’t support dynamic updates.
You can now start activating KMS clients. However, a network must first have a minimum number of computers (called the activation threshold) as mentioned earlier. See method 2 below for the steps to activate clients via KMS.
Note: If your DNS service doesn’t support dynamic updates, you must manually create the resource records in order to publish the KMS host. If not, you can manually create the SRV record pointing to the KMS host on port 1688 with the details below. If you need to create SRV records manually to publish the KMS host, see the following article from Microsoft.
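Because clients trust whatever the _VLMCS._tcp SRV record returns, it is worth checking what DNS actually publishes and whether each target is a host you deployed. The following is an added example, not part of the original article; the domain corp.example.com and host kms01.corp.example.com are placeholders, and Test-KmsSrvRecord is a hypothetical helper name.

```powershell
# Added example: audit the KMS SRV record against a list of approved hosts.
# Domain and host names below are placeholders, not values from the article.
function Test-KmsSrvRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DnsDomain,        # DNS domain the clients belong to
        [Parameter(Mandatory)] [string[]] $ApprovedKmsHosts  # FQDNs of the KMS hosts you deployed
    )

    $srvName = "_VLMCS._tcp.$DnsDomain"

    # Resolve-DnsName can also return A/AAAA records in the additional section,
    # so keep only the SRV answers.
    $records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }

    if (-not $records) {
        Write-Warning "No SRV record found for $srvName; clients cannot auto-discover a KMS host."
        return
    }

    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.')
        # Confirm the published host really accepts TCP connections on the published port.
        $reach  = Test-NetConnection -ComputerName $target -Port $r.Port -WarningAction SilentlyContinue

        [pscustomobject]@{
            SrvRecord    = $srvName
            Target       = $target
            Port         = $r.Port
            Priority     = $r.Priority
            Weight       = $r.Weight
            Approved     = $ApprovedKmsHosts -contains $target   # False = unexpected KMS host in DNS
            DefaultPort  = ($r.Port -eq 1688)
            TcpReachable = $reach.TcpTestSucceeded
        }
    }
}

Test-KmsSrvRecord -DnsDomain 'corp.example.com' -ApprovedKmsHosts 'kms01.corp.example.com' |
    Format-Table -AutoSize
```

Any row with Approved set to False means DNS is advertising an activation server you did not deploy, which should be investigated before clients start using it.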
Verify that the KMS Host can activate Clients/Servers
Test a KMS client. To test a KMS client on a Windows client or server, launch an elevated Command Prompt. Next, replace “HOSTNAME” with your KMS server FQDN. Here is a working example of how to do this: how to Fix Error 0x87E10BC6 on a PC running Windows non-core Edition.
slmgr.vbs /skms HOSTNAME:1688
The /ato command causes the operating system to attempt activation by using whichever key is installed in the operating system. The response should show the license state and detailed Windows version information.
slmgr.vbs /ato

Next, run the command below to see the client activated through KMS.
slmgr.vbs /dlv
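The same information that slmgr.vbs /dlv displays can be read from the SoftwareLicensingProduct WMI class, which makes it easy to confirm across many machines that clients are bound to your own KMS host and not to an unknown one. This is an added example, not part of the original article; Get-KmsClientBinding is a hypothetical helper name and kms01.corp.example.com is a placeholder.

```powershell
# Added example: report which KMS host this client uses and flag unapproved ones.
function Get-KmsClientBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ApprovedKmsHosts  # placeholder FQDNs of your KMS hosts
    )

    # ApplicationID that identifies Windows in SoftwareLicensingProduct.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $statusNames  = @('Unlicensed', 'Licensed', 'OOBGrace', 'OOTGrace',
                      'NonGenuineGrace', 'Notification', 'ExtendedGrace')

    # Only products with an installed key are relevant.
    $filter = "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL"

    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter | ForEach-Object {
        # A host set manually with "slmgr.vbs /skms" overrides DNS discovery.
        if ($_.KeyManagementServiceMachine) {
            $kmsHost = $_.KeyManagementServiceMachine
            $source  = 'Manual (/skms)'
        } else {
            $kmsHost = $_.DiscoveredKeyManagementServiceMachineName
            $source  = 'DNS discovery'
        }

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Product          = $_.Name
            Channel          = $_.Description
            LicenseStatus    = $statusNames[[int]$_.LicenseStatus]
            KmsHost          = $kmsHost
            KmsHostSource    = $source
            ApprovedKmsHost  = $ApprovedKmsHosts -contains $kmsHost
            # GracePeriodRemaining and VLRenewalInterval are reported in minutes.
            DaysRemaining    = [math]::Round($_.GracePeriodRemaining / 1440, 1)
            RenewalEveryDays = [math]::Round($_.VLRenewalInterval / 1440, 1)
        }
    }
}

Get-KmsClientBinding -ApprovedKmsHosts 'kms01.corp.example.com' | Format-List
```

A Licensed client whose ApprovedKmsHost is False was activated by a server outside your inventory and should be reviewed.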

Note: For completeness, I will touch on MAK. The MAK activation method should be used only for computers that never connect to the corporate network, for environments where the number of physical computers does not meet the KMS activation threshold, or in cases where Active Directory-Based Activation cannot be used.
Additionally, MAK can be appropriate for PCs that are reaching end-of-life, being retired, or running unsupported operating systems, where network-based activation methods are no longer feasible.
Here is how to check Windows activation status and change your product key, how to convert Windows Server Datacenter to Standard: Install Windows Server via iDRAC Virtual Media. Also, see how to convert Windows Server Essentials or Evaluation to Retail Edition.
FAQs
No. The GVLKs (Generic Volume License Keys) are only for KMS clients, not for KMS hosts.
To configure a KMS host, you must use a CSVLK (Customer Specific Volume License Key) obtained from your Volume Licensing agreement.
A GVLK allows Windows and Office clients to locate and activate automatically through a KMS host or Active Directory–Based Activation (ADBA).
Note that the GVLK (Generic Volume License Key) is sometimes called the KMS client key. GVLKs are the public, generic keys Microsoft publishes. You put a GVLK on the client machine so it will request activation from a KMS host on the network. GVLKs are safe to use for testing. Windows volume editions come with the correct GVLK preinstalled by default.
Nothing major breaks immediately, but the KMS service won’t function. If the role is installed without a valid KMS host key (CSVLK) or proper DNS registration (_VLMCS._tcp record), clients cannot activate through it. This means that they will stay in the grace period or show activation errors.
No, the CSVLK (Customer Specific Volume License Key) is the key you install on a machine that will act as the KMS host. If you want to run your own KMS host you do need one (from VLSC or Microsoft).
I hope you found this article useful on how to set up and configure the Key Management System (KMS). Please, feel free to leave a comment below.

