Key Management Service
KMS — client–server activation protocol for Microsoft volume-licensed products
The Key Management Service (KMS) is a Microsoft activation technology that allows organizations to activate volume-licensed editions of Windows and Office against a host located inside their own network, rather than against Microsoft's activation servers on the public internet. A KMS host accepts activation requests from KMS clients over TCP port 1688 and returns a signed response that grants the client a 180-day activation.
KMS is one of four volume activation methods documented by Microsoft, alongside Multiple Activation Key (MAK), Active Directory-Based Activation (AD-BA), and Token-Based Activation. It is the default activation path for domain-joined volume editions of Windows when a KMS host is published in DNS.
See also: KMS Host Configuration, GVLK Keys, KMS Activation Renewal.
History
KMS was introduced with Windows Vista and Windows Server 2008 as the centrepiece of Volume Activation 2.0, replacing the earlier Volume License Key (VLK) model used by Windows XP and Windows Server 2003. Under the older VLK scheme, a single 25-character key could activate an unlimited number of installations without contacting a Microsoft service. With Volume Activation 2.0, every volume installation of Windows requires activation, either through a KMS host or through a Multiple Activation Key.
Volume Activation 3.0, introduced with Windows 8 and Windows Server 2012, added Active Directory-Based Activation and broadened the set of platforms that could host KMS. From Windows Server 2012 R2 onward the KMS host role is delivered through the Volume Activation Services server role rather than through manual slmgr.vbs commands.
Technical details
A KMS host is a Windows Server installation (or, in limited scenarios, a Windows client) configured with a KMS Host key obtained from the Microsoft 365 admin center or the legacy Volume Licensing Service Center (VLSC). The host activates against Microsoft exactly once and thereafter responds to local activation requests. KMS host keys are version-bound; a Windows Server 2022 KMS Host key activates clients up to and including Windows 11 and Windows Server 2022.
Client behaviour is controlled by registry values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform. The values KeyManagementServiceName, KeyManagementServicePort, and KeyManagementServiceLookupDomain override DNS auto-discovery when present. The underlying activation API is exposed by the sppsvc service through the SoftwareLicensingService WMI provider in the root\CIMV2 namespace.
Protocol
KMS clients contact the KMS host using the Activation 2.0 Protocol (Microsoft specification [MS-KMS]), layered on top of RPC and using TCP port 1688 by default. Clients discover the host through a DNS SRV record of the form _vlmcs._tcp.<domain>, or through an explicit host name configured with slmgr.vbs /skms host:port.
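The registry overrides under Technical details and the discovery rules above decide which host a client will contact, so a fleet audit can flag clients whose target is not a sanctioned KMS host. The following is an added example, not Microsoft code: the inventory, host names and address are constructed, and the precedence between the three registry values is an assumption.

```python
DEFAULT_PORT = 1688  # default KMS port stated on this page


def _norm(host):
    """Lower-case a DNS name and drop a trailing dot for comparison."""
    return host.strip().rstrip(".").lower()


def discovery_target(spp_values, primary_domain):
    """Return ("explicit", host, port) or ("srv", srv_name, None).

    Assumed precedence (not spelled out on the page): a configured host
    name wins, then a lookup domain, then the machine's own DNS domain.
    """
    name = (spp_values.get("KeyManagementServiceName") or "").strip()
    if name:
        port = int(spp_values.get("KeyManagementServicePort") or DEFAULT_PORT)
        return ("explicit", _norm(name), port)
    domain = spp_values.get("KeyManagementServiceLookupDomain") or primary_domain
    return ("srv", "_vlmcs._tcp." + _norm(domain), None)


def audit(inventory, sanctioned_hosts, sanctioned_domains):
    """List clients whose discovery target is outside the sanctioned set."""
    hosts = {(_norm(h), p) for h, p in sanctioned_hosts}
    srv_names = {"_vlmcs._tcp." + _norm(d) for d in sanctioned_domains}
    findings = []
    for client, (values, domain) in sorted(inventory.items()):
        kind, target, port = discovery_target(values, domain)
        if kind == "explicit" and (target, port) not in hosts:
            findings.append((client, f"override to {target}:{port}"))
        elif kind == "srv" and target not in srv_names:
            findings.append((client, f"SRV lookup of {target}"))
    return findings


# Constructed inventory: client -> (exported registry values, DNS domain).
INVENTORY = {
    "ws-001": ({}, "corp.example"),
    "ws-002": ({"KeyManagementServiceName": "KMS01.corp.example."}, "corp.example"),
    "ws-003": ({"KeyManagementServiceName": "192.0.2.10",
                "KeyManagementServicePort": "1688"}, "corp.example"),
    "ws-004": ({"KeyManagementServiceLookupDomain": "lab.example"}, "corp.example"),
}

if __name__ == "__main__":
    for finding in audit(INVENTORY, [("kms01.corp.example", 1688)], ["corp.example"]):
        print(finding)
```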
Each activation request carries a Client Machine ID (CMID), a hashed identifier that allows the host to count distinct clients. The host maintains a rolling cache equal to twice the activation threshold (50 entries for client SKUs, 10 for server and Office). Each successful activation refreshes the client's CMID at the top of the cache; CMIDs that fall out of the window age off and no longer contribute to the count.
Activation thresholds
A KMS host returns an activation response only once a minimum number of distinct clients have contacted it within the count window:
| Client SKU | Activation threshold |
|---|---|
| Windows client (Pro / Enterprise / Education) | 25 |
| Windows Server | 5 |
| Microsoft Office (volume editions) | 5 |
Until the threshold is met, clients receive a count response but remain in the 30-day Out-of-Box Grace or Out-of-Tolerance Grace period and continue to retry every two hours. Once activated, the renewal interval is seven days and the licence is valid for 180 days from the last successful renewal.
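The counting rules from the Protocol and Activation thresholds sections can be checked with a small model of the host's CMID cache. This is an added example, not Microsoft's implementation: the CMID strings are constructed, and only the size-bounded window is modelled.

```python
from collections import OrderedDict

# Activation thresholds from the table on this page.
THRESHOLDS = {"client": 25, "server": 5, "office": 5}


class CmidCache:
    """Simplified model of a KMS host's CMID cache for one product class.

    Only the size-bounded behaviour described on this page is modelled;
    any time-based expiry is left out.
    """

    def __init__(self, sku_class):
        self.threshold = THRESHOLDS[sku_class]
        self.capacity = 2 * self.threshold   # 50 for clients, 10 otherwise
        self._cmids = OrderedDict()          # oldest first, newest last

    def request(self, cmid):
        """Record one activation request and return (count, activated)."""
        if cmid in self._cmids:
            self._cmids.move_to_end(cmid)        # refresh; count unchanged
        else:
            self._cmids[cmid] = None
            if len(self._cmids) > self.capacity:
                self._cmids.popitem(last=False)  # oldest CMID ages off
        count = len(self._cmids)
        return count, count >= self.threshold


def final_state(sku_class, cmids):
    """Replay a sequence of CMIDs and return the last (count, activated)."""
    cache = CmidCache(sku_class)
    state = (0, False)
    for cmid in cmids:
        state = cache.request(cmid)
    return state


# Constructed CMIDs: 24 distinct machines, then one further client that
# re-activates 30 times and so presents the same CMID every time.
DISTINCT_24 = [f"cmid-{i:02d}" for i in range(24)]
REPEATS = ["cmid-repeat"] * 30

if __name__ == "__main__":
    print(final_state("client", DISTINCT_24))
    print(final_state("client", DISTINCT_24 + REPEATS))
    print(final_state("client", REPEATS))
```

Replaying the same CMID leaves the count where it was, so 24 distinct clients stay below the client threshold however often they retry; the 25th distinct CMID is what tips the host into issuing activations.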
Common issues
- Count below threshold (0xC004F038). Reported when fewer than 25 distinct clients (or 5 for server / Office) have contacted the host. The current count is shown by slmgr.vbs /dlv on the host. Counts climb only as new clients contact the host; re-activating the same client does not increase the count.
- DNS SRV record missing. Clients fall back to broadcast or fail with 0xC004F074 when _vlmcs._tcp.<domain> is absent. Publication can be re-asserted with slmgr.vbs /sdns on the host.
- Firewall blocks TCP 1688. Windows Firewall ships a built-in inbound rule named Key Management Service that must be enabled on the host.
- Client SKU unsupported by host (0xC004F015 / 0xC004F042). The installed KMS Host key is older than the client SKU; a newer Host key from the volume licensing portal is required.
- Time skew. The Activation 2.0 Protocol rejects requests when client and host clocks differ by more than four hours; domain time synchronization is mandatory.
References
- Activate using Key Management Service — https://learn.microsoft.com/en-us/windows-server/get-started/activation-key-management-services
- Plan for volume activation — https://learn.microsoft.com/en-us/windows/deployment/volume-activation/plan-for-volume-activation-client
- Volume Activation overview — https://learn.microsoft.com/en-us/windows/deployment/volume-activation/volume-activation-windows-10
- [MS-KMS]: Key Management Service Protocol — https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kms/1ab09b40-e30c-457c-bd2a-23e1287c1bd5
- KMS client setup keys — https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys