Volume Activation Methods

KMS, MAK, Active Directory-Based Activation, and Token-Based Activation

Microsoft Volume Licensing supports four documented activation methods for volume-licensed products: Key Management Service (KMS), Multiple Activation Key (MAK), Active Directory-Based Activation (AD-BA), and Token-Based Activation. Each is intended for a different operational scenario, and an organization may use more than one in parallel across its estate.

The choice of method is driven by network topology, the connectivity profile of the devices, the required level of audit, and the size of the deployment. All four methods are administered through the same Software Protection Platform; the difference is the source of the activation response.

See also: Key Management Service, Active Directory-Based Activation, Product Key Types.

History

KMS and MAK were introduced together with Volume Activation 2.0 in Windows Vista and Windows Server 2008. Active Directory-Based Activation was added in Volume Activation 3.0 with Windows 8 and Windows Server 2012. Token-Based Activation is a smart-card / X.509 certificate mechanism documented for high-assurance environments such as US Department of Defense networks, and is restricted to specific volume SKUs.

Technical details

KMS and AD-BA grant a 180-day activation that is renewed on a 7-day cycle. MAK consumes a one-time unit from a pool of activations associated with a specific key. Token-Based Activation grants an activation valid for the lifetime of the supplied X.509 certificate. All four methods install a product key (GVLK for KMS / AD-BA, a unique 25-character key for MAK, a smart-card certificate for Token) and converge on the same SoftwareLicensingProduct state machine.

Comparison

| Method | Activation against | Renewal | Threshold | Typical use |
|---|---|---|---|---|
| KMS | Local KMS host (TCP 1688) | Every 7 days; 180-day validity | 25 clients / 5 servers / 5 Office | Large fleets on the corporate network |
| MAK | Microsoft activation service (online or phone) | One-time | None; consumes from a pool | Devices that rarely connect to the corporate network |
| AD-BA | Active Directory forest object | Every 7 days; 180-day validity | None | Domain-joined Windows 8+/Server 2012+ |
| Token-Based | X.509 certificate (smart card or file) | Per certificate validity | N/A | Isolated, high-assurance environments |

Selection guidance

  • AD-BA is the simplest method for a forest of Windows 8+/Server 2012+ machines. It requires no listening service and no DNS SRV record beyond the standard AD locator records.
  • KMS is the historical default and is required when down-level Windows 7 / Server 2008 R2 systems are still in scope.
  • MAK is used for devices that operate off-network for long periods (laptops in the field, disconnected lab equipment). Activations are consumed from a pool and visible in the VLSC / Microsoft 365 admin center reports.
  • Token-Based Activation is reserved for environments that cannot use KMS or AD-BA, typically due to strict isolation requirements.

Common issues

  • Mixed AD-BA and KMS in the same forest. AD-BA activates at boot, before KMS client logic runs; slmgr.vbs /dlv will show the AD-BA result rather than KMS.
  • MAK pool exhausted (0xC004C008). Additional activations must be requested from Microsoft through the volume licensing portal.
  • Workgroup machines and AD-BA. AD-BA requires domain membership; workgroup machines must use KMS or MAK.
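
To confirm which method actually activated a machine, for example in a forest that runs both AD-BA and KMS, the SoftwareLicensingProduct class can be read directly. The PowerShell below is an added example, not part of the original page or of Microsoft's documentation; the approved KMS host list and its placeholder host name are assumptions.

```powershell
# Added example: classify how each volume-licensed product was last activated.
# $ApprovedKmsHosts is a hypothetical allowlist; its default entry is a placeholder.
param(
    [string[]]$ApprovedKmsHosts = @('kms01.corp.example')
)

# SoftwareLicensingProduct.VLActivationType: method used by the last successful
# volume activation (property available on Windows 8 / Server 2012 and later).
$lastMethod = @{ 0 = 'None'; 1 = 'AD-BA'; 2 = 'KMS'; 3 = 'Token-Based' }

# Only products that have a product key installed are of interest.
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
    ForEach-Object {
        $p = $_

        # MAK is identified by the key channel, not by VLActivationType.
        $method = if ($p.ProductKeyChannel -eq 'Volume:MAK') { 'MAK' } else { $lastMethod[[int]$p.VLActivationType] }

        # A manually registered KMS host takes precedence over one found through DNS.
        $kmsHost = $null
        if ($method -eq 'KMS') {
            $kmsHost = if ($p.KeyManagementServiceMachine) { $p.KeyManagementServiceMachine } else { $p.DiscoveredKeyManagementServiceMachineName }
        }

        [pscustomobject]@{
            Product       = $p.Name
            KeyChannel    = $p.ProductKeyChannel
            Licensed      = ($p.LicenseStatus -eq 1)
            LastMethod    = $method
            # GracePeriodRemaining is reported in minutes.
            DaysRemaining = [math]::Floor($p.GracePeriodRemaining / 1440)
            KmsHost       = $kmsHost
            AdObject      = $p.ADActivationObjectName
            # True when a KMS activation came from a host outside the allowlist.
            ReviewKmsHost = (($method -eq 'KMS') -and ($ApprovedKmsHosts -notcontains $kmsHost))
        }
    } | Format-Table -AutoSize
```

A GVLK client that reports LastMethod AD-BA with a populated AdObject matches the mixed-forest behaviour described above, and a ReviewKmsHost value of True marks a KMS activation that came from a host outside the approved list.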
