KMS Server Setup Guide — Windows & Office Activation for Enterprise (2026)
KMS (Key Management Service) is Microsoft's volume activation technology that lets enterprises activate Windows and Office installations automatically across their network using a single KMS host key. Instead of entering product keys on every machine, client computers contact your internal KMS server every 180 days to renew their activation — no internet connection required for clients.
Table of Contents
What is KMS and How It Works
Key Management Service (KMS) is a client-server activation model built into Windows. A single KMS host server holds a Volume License Key (KMS host key) from Microsoft. Client machines on your network contact this server to activate their Windows or Office installation — no individual product keys needed on each client.
KMS Architecture
The KMS activation flow works as follows:
- KMS Host Setup: You install the Volume Activation Services role on a Windows Server and enter your KMS host key. The server activates itself with Microsoft over the internet (one-time).
- DNS Registration: The KMS host registers a SRV record in DNS (
_vlmcs._tcp) so clients can discover it automatically. - Client Discovery: Windows and Office clients query DNS for the
_vlmcs._tcpSRV record to find the KMS host. - Activation Request: The client sends an activation request to the KMS host over TCP port 1688.
- Activation Grant: If the KMS host has met its activation threshold (minimum number of clients), it grants the activation. The client is activated for 180 days.
- Renewal: The client attempts to renew activation every 7 days. If it cannot reach the KMS host for 180 days, activation expires and the client enters reduced functionality mode.
This architecture means your KMS server must be available on the network, but clients do not need internet access for activation. The only machine that contacts Microsoft is the KMS host itself, and only during initial setup.
KMS vs MAK vs ADBA — Comparison
Microsoft offers three volume activation methods. KMS is the most common for enterprises, but MAK and ADBA each have valid use cases.
| Feature | KMS | MAK (Multiple Activation Key) | ADBA (AD-Based Activation) |
|---|---|---|---|
| Activation target | Clients contact KMS host | Each client contacts Microsoft | Domain-joined machines auto-activate |
| Internet required (client) | No | Yes (or phone activation) | No |
| Activation duration | 180 days (renews every 7 days) | Permanent | 180 days (renews on domain login) |
| Minimum client threshold | 25 for Windows, 5 for Office | None | None |
| Infrastructure required | KMS host server + DNS | None | Active Directory (Windows Server 2012+) |
| Best for | 25+ workstations, air-gapped networks | Small environments, isolated machines | Domain-joined environments, Windows 8+ |
| Office activation | Yes (Office 2016+ LTSC/Volume) | Yes | No (Windows only) |
| Workgroup machines | Yes (configure KMS host via registry) | Yes | No (requires domain join) |
For most enterprises with 25 or more Windows machines, KMS is the recommended approach. If you also need to activate Office LTSC volume licenses, KMS is the only automated option. For reference on Windows product keys used with KMS, see our Windows 10 & 11 product keys guide.
Prerequisites
Before setting up a KMS host, ensure you have the following:
- Windows Server 2022 or 2025: The KMS host role can run on any edition (Standard or Datacenter). Older servers (2016, 2019) also work but can only activate clients up to their own OS generation unless updated.
- KMS host key: Obtain this from the Microsoft Volume Licensing Service Center (VLSC). You need a separate KMS host key for Windows and for Office.
- TCP port 1688: Open between clients and the KMS host. This is the default KMS communication port.
- DNS infrastructure: The KMS host must be able to register SRV records in DNS, or you must create them manually.
- Internet access on the KMS host (initial setup only): The KMS host must contact Microsoft to activate itself. After initial activation, internet access is no longer required.
- Minimum client count: KMS will not activate clients until the threshold is met — 25 unique computers for Windows, 5 for Office.
Step-by-Step: Install KMS Host on Windows Server 2022/2025
Step 1: Open Server Manager
Log in to your Windows Server as a local administrator. Open Server Manager from the Start menu or taskbar.
Step 2: Add the Volume Activation Services Role
- Click Manage > Add Roles and Features.
- Click Next through the wizard until you reach Server Roles.
- Check Volume Activation Services.
- Accept the feature dependencies when prompted.
- Click Next through the remaining pages and click Install.
- Wait for installation to complete. Do not close the wizard yet.
Step 3: Launch the Volume Activation Tools Wizard
After installation, click the notification flag in Server Manager and select Volume Activation Tools. Alternatively, search for VMWA.msc or run it from Tools > Volume Activation Tools in Server Manager.
Step 4: Select KMS as the Activation Type
In the Volume Activation Tools wizard:
- Select Key Management Service (KMS).
- Click Next.
- Enter the server name (use the local server name or
localhost). - Click Next.
Alternative: Install via PowerShell
If you prefer the command line:
Install-WindowsFeature -Name VolumeActivation -IncludeManagementTools
This installs the Volume Activation Services role and the management tools in one command.
Step-by-Step: Activate the KMS Host
Step 1: Install the KMS Host Key
In the Volume Activation Tools wizard (continuing from the install steps), enter your KMS host key from VLSC. Click Commit.
Via command line:
slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
Replace the X's with your actual KMS host key.
Step 2: Activate the KMS Host Online
Click Activate in the wizard, or run:
slmgr /ato
The KMS host contacts Microsoft's activation servers over the internet. If successful, you see a confirmation message. This is a one-time process.
Step 3: Activate via Phone (If No Internet)
If the KMS host has no internet access:
- Run
slmgr /dtito generate an Installation ID. - Call the Microsoft activation phone number for your country.
- Provide the Installation ID to the automated system or support agent.
- Receive a Confirmation ID.
- Run
slmgr /atp CONFIRMATION_IDto complete activation.
Step 4: Verify KMS Host Activation
Run the following command to verify the KMS host is activated and check its status:
slmgr /dlv
Look for License Status: Licensed and note the Current count field, which shows how many unique clients have contacted this KMS host.
Step 5: Install Office KMS Host Key (If Activating Office)
If you also need to activate Office volume editions, you need a separate Office KMS host key and the Office Volume License Pack:
- Download the Microsoft Office Volume License Pack for your Office version from VLSC.
- Run the installer on the KMS host server.
- Enter the Office KMS host key when prompted.
- Activate with
slmgr /ato.
For a complete list of Office product keys and activation methods, see our Office 365 product keys guide.
Step-by-Step: Configure DNS SRV Records
KMS clients discover the KMS host by querying DNS for a specific SRV record. If your KMS host has permission to update DNS dynamically, this happens automatically. Otherwise, create the record manually.
Automatic DNS Registration
By default, the KMS host attempts to register a _vlmcs._tcp SRV record in DNS. Verify it was created:
nslookup -type=srv _vlmcs._tcp.yourdomain.com
If the record exists, you should see output showing the KMS host's hostname and port 1688.
Manual DNS SRV Record Creation
If automatic registration fails, create the SRV record manually in DNS Manager:
- Open DNS Manager on your DNS server.
- Navigate to your forward lookup zone (e.g.,
contoso.com). - Right-click the zone and select Other New Records > Service Location (SRV).
- Configure the following values:
- Service:
_vlmcs - Protocol:
_tcp - Port:
1688 - Host: FQDN of your KMS server (e.g.,
kms.contoso.com) - Priority:
0 - Weight:
0
- Service:
- Click OK to create the record.
Verify the SRV Record
From a client machine, run:
nslookup -type=srv _vlmcs._tcp.yourdomain.com
You should see the KMS host FQDN and port 1688 in the response.
Step-by-Step: Configure Clients for KMS Activation
If DNS SRV records are configured correctly, most Windows clients will find and activate with the KMS host automatically. However, you may need to configure clients manually in some scenarios.
Automatic Activation (Domain-Joined Clients)
Domain-joined Windows machines with a Volume License edition (Pro, Enterprise, Education) automatically query DNS for the KMS SRV record. No manual configuration is needed. Simply ensure the client has a Generic Volume License Key (GVLK) installed.
Verify the installed key on a client:
slmgr /dlv
If the client shows "VOLUME_KMSCLIENT channel," it is configured for KMS activation.
Install the GVLK on a Client
If a client is not configured for KMS activation, install the appropriate GVLK. For example, for Windows 11 Enterprise:
slmgr /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
For a complete list of GVLKs for all Windows editions, see our Windows product keys guide and the Windows Server 2025/2022 product keys guide.
Manually Point a Client to the KMS Host
If DNS SRV discovery is not available (e.g., workgroup machines), manually specify the KMS host:
slmgr /skms kms.contoso.com:1688
Then force an activation attempt:
slmgr /ato
Configure KMS Host via Group Policy
For domain-joined machines where you want to override DNS discovery, use Group Policy:
- Open Group Policy Management and create or edit a GPO.
- Navigate to:
Computer Configuration > Policies > Administrative Templates > Windows Components > Software Protection Platform - Enable Set KMS Machine Name and enter the KMS host FQDN.
- Enable Set KMS Machine Port and enter
1688. - Link the GPO to the appropriate OU.
Configure Office Clients for KMS
Office volume editions (Office LTSC 2021, 2024) discover the KMS host via the same DNS SRV record. If manual configuration is needed, use the Office Software Protection Platform script:
cd "C:\Program Files\Microsoft Office\Office16"
cscript ospp.vbs /sethst:kms.contoso.com
cscript ospp.vbs /setprt:1688
cscript ospp.vbs /act
KMS Activation Thresholds
KMS has minimum client thresholds that must be met before the host will start granting activations. This is a deliberate design to prevent KMS abuse in small environments.
| Product | Minimum Threshold | Notes |
|---|---|---|
| Windows Client (10/11) | 25 unique computers | Must be physical or unique virtual machines |
| Windows Server | 5 unique computers | Servers count toward the threshold but have their own lower minimum |
| Office (LTSC/Volume) | 5 unique computers | Office threshold is independent of the Windows threshold |
How the Threshold Works
- Each unique computer that contacts the KMS host increments the count by 1.
- The KMS host tracks clients by their Client Machine ID (CMID), which is a unique GUID generated per machine.
- The count must reach the threshold before any client gets activated. Until then, clients receive error
0xC004F038(count below threshold). - Once the threshold is met, all pending clients are activated on their next renewal attempt (within 7 days).
- The count decreases over time as inactive clients drop off (after 30 days of no contact).
Tip for lab environments: If you have fewer than 25 physical machines, you can create lightweight VMs to meet the threshold. Each VM needs a unique CMID and must contact the KMS host at least once.
Monitoring KMS Activations
Regular monitoring ensures your KMS infrastructure is healthy and clients are activating successfully.
Check KMS Host Status
Run on the KMS host:
slmgr /dlv
Key fields to check:
- License Status: Should be "Licensed"
- Current count: Number of unique clients in the KMS cache. Must be above the threshold for activation to work.
- Listening on Port: Should show 1688 (or your custom port)
- KMS activation expiry: When the KMS host's own activation expires (renews automatically if internet-connected)
Check KMS Client Status
Run on a client machine:
slmgr /dlv
Look for:
- License Status: "Licensed" means activated, "Notification" means activation failed
- Volume activation expiration: Shows when the 180-day activation expires
- KMS machine name: Shows which KMS host the client is using
- KMS machine extended PID: Unique identifier of the KMS host
View the KMS Event Log
KMS events are logged in the Windows Event Log:
Event Viewer > Applications and Services Logs > Key Management Service
Key events:
- Event ID 12288: Successful activation request received
- Event ID 12289: Activation renewal request received
- Event ID 12290: Activation request failed
PowerShell Monitoring Script
Use this PowerShell one-liner to check the current KMS count:
Get-WmiObject -Query "SELECT * FROM SoftwareLicensingService" | Select-Object KeyManagementServiceCurrentCount
Troubleshooting Common KMS Issues
Error 0xC004F038 — Count Below Threshold
Cause: Fewer than 25 unique Windows clients (or 5 for Office/Server) have contacted the KMS host.
Fix: Add more machines to the network, or create VMs to meet the threshold. Verify the count with slmgr /dlv on the KMS host.
Error 0xC004F074 — No KMS Host Found
Cause: The client cannot find a KMS host via DNS or the manually configured address.
Fix:
- Verify the DNS SRV record:
nslookup -type=srv _vlmcs._tcp.yourdomain.com - Verify the client can reach the KMS host on port 1688:
Test-NetConnection kms.contoso.com -Port 1688 - If using manual configuration, verify the KMS host address:
slmgr /dlv(check "KMS machine name" field)
Error 0xC004F069 — Product Key Not Found
Cause: The client does not have a GVLK installed. This happens with retail or OEM editions of Windows.
Fix: Install the correct GVLK for the client's Windows edition using slmgr /ipk <GVLK>.
Error 0xC004F042 — KMS Host Key Blocked
Cause: Microsoft has blocked the KMS host key, usually due to excessive activations or suspected misuse.
Fix: Contact Microsoft Volume Licensing support. You may need a replacement key from VLSC.
Clients Activate but Deactivate After 180 Days
Cause: Clients cannot reach the KMS host to renew. Common after network changes, firewall updates, or if the KMS host is decommissioned.
Fix: Verify the KMS host is online, port 1688 is open, and DNS SRV records are correct. Run slmgr /ato on a client to force a renewal attempt.
KMS Host Not Registering DNS SRV Record
Cause: The KMS host does not have permission to update DNS dynamically, or DNS dynamic updates are disabled.
Fix:
- Ensure the KMS host's computer account has permission to create SRV records in DNS.
- Or create the SRV record manually (see the DNS configuration section above).
- Force a re-registration:
net stop sppsvc && net start sppsvc
Office Not Activating via KMS
Cause: The Office Volume License Pack is not installed on the KMS host, or the Office KMS host key is not activated.
Fix: Install the Office Volume License Pack matching your Office version. Enter and activate the Office KMS host key separately from the Windows key.
Firewall Rules Needed
KMS uses a single port for all communication. Configure these rules on both the KMS host and any network firewalls between clients and the host.
| Rule | Direction | Protocol | Port | Purpose |
|---|---|---|---|---|
| KMS host inbound | Inbound | TCP | 1688 | Accept activation requests from clients |
| KMS client outbound | Outbound | TCP | 1688 | Client connects to KMS host |
| KMS host to Microsoft (initial only) | Outbound | TCP | 443 | KMS host activation with Microsoft (one-time) |
Windows Firewall Rule via PowerShell
Create the inbound rule on the KMS host:
New-NetFirewallRule -DisplayName "KMS Inbound" -Direction Inbound -Protocol TCP -LocalPort 1688 -Action Allow -Profile Domain,Private
Verify Port Connectivity
From a client machine, test connectivity to the KMS host:
Test-NetConnection kms.contoso.com -Port 1688
If TcpTestSucceeded is True, the firewall is correctly configured.
Frequently Asked Questions
Can KMS work across subnets?
Yes. KMS uses standard TCP/IP on port 1688, so it works across any routed subnet. As long as clients can resolve the KMS host via DNS and reach it on port 1688, activation works regardless of subnet boundaries. No broadcast traffic is involved.
Can you run KMS on a virtual machine?
Yes. Running KMS on a VM is fully supported and is the most common deployment. The VM can be on Hyper-V, VMware, or any hypervisor. Ensure the VM is highly available (e.g., on a cluster) since clients that cannot reach the KMS host for 180 days will lose activation.
Can KMS run on a Docker container?
No. KMS requires the Volume Activation Services Windows Server role, which is not supported in Windows Server Core containers or Linux containers. You must run KMS on a full Windows Server installation (Server with Desktop Experience or Server Core, but not a container).
Can one KMS host activate both Windows and Office?
Yes. A single KMS host can activate Windows clients and Office volume editions simultaneously. You install separate KMS host keys for each product (one for Windows, one for Office). The thresholds are tracked independently — 25 for Windows clients, 5 for Office.
What happens if the KMS host goes offline?
Clients that are already activated continue to function normally. Activation is valid for 180 days, and clients attempt renewal every 7 days. If the KMS host is offline for less than 180 days, clients will simply renew when it comes back. If it exceeds 180 days, clients enter reduced functionality mode (notifications, no lockout in modern Windows).
Can KMS activate Windows 11?
Yes. Windows 11 uses the same KMS infrastructure as Windows 10. The GVLK keys are different per edition. Your KMS host must be running a Windows Server version that supports Windows 11 activation — Windows Server 2022 or later is recommended.
Can I have multiple KMS hosts for redundancy?
Yes. Deploy multiple KMS hosts and register multiple DNS SRV records with different priorities. Clients will fail over to the backup KMS host if the primary is unavailable. Each KMS host maintains its own client count independently.
How do I migrate KMS to a new server?
- Set up the new KMS host with the same KMS host key.
- Activate the new host.
- Update the DNS SRV record to point to the new server.
- Decommission the old server after clients have transitioned (allow 7+ days).
The new KMS host starts with a client count of zero. The count rebuilds as clients contact the new host on their next renewal cycle.
Related Resources
- Windows 10 & 11 Product Keys — All Editions, Generic & KMS
- Office 365 Product Keys — All Versions
- Windows Server 2025/2022 Product Keys
- Server Support Services — MedhaCloud
✓ Microsoft Solutions Partner | Enterprise Server Management | 24/7 Support
Need help with KMS setup or volume licensing?
MedhaCloud provides enterprise server support including KMS deployment, volume activation troubleshooting, Windows Server upgrades, and ongoing infrastructure management. We handle the complexity so your IT team can focus on business priorities. Get a free consultation →
Our Microsoft-certified team delivers seamless migrations with zero downtime.
Expert Migration ServicesTopics
Sreenivasa Reddy G
Founder & CEO • 15+ years
Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.
