KMS seems to be one of those things that is sometimes quite poorly understood – and many existing blog articles or pieces of documentation seem to gloss over important details (IMO). So, below is my attempt.
Concepts
MAK – Multiple Activation Key
This type of key is intended to be used on multiple computers, but must be entered manually, via VAMT or in an SCCM task sequence. The activation process occurs once per machine either directly over the internet, via a MAK proxy or via telephone.
The MAK activation method is best suited for
Small organisations with 25 or less computers
Organisations who have certain machines which are not domain joined and/or do not connect to the business network regularly
KMS – Key Management Server(s)
A Key management server is a service which provides activation on behalf of clients. The KMS server is activated once, and in turn, clients will auto-locate and activate against the KMS service. (more about the details a bit later)
KMS Key – Key Management Server Key
This type of key is intended to be used on a Key Management Server to provide activation for clients and has a couple of important factors:
KMS requires what is called an “activation threshold”, which basically means that until you have more than 25 Windows 7/8/8.1 activations or more than 5 Windows Server 2008 R2/2012/2012 R2 activations, the KMS server is not active
To remain active, KMS clients must contact the KMS server once every 180 days. If it does not, the client will start showing activation messages.
Volume licensing
I would imagine that if you are reading this blog you are familiar with what volume licensing is. KMS and MAK are both used for volume licensing customers, you cannot activate retail or OEM operating system installs using these methods.
Decisions to be made prior to install
KMS or MAK
Many organisations we deal with use both.
If a machine is off the network for long periods of time or is not domain joined, use a MAK. (Please note that non-domain joined machines can still use a KMS, but usually there is a reason they are not domain joined, which may also mean they cannot access the KMS!)
For all the domain-joined, generally on the network machines, use KMS.
Choosing a KMS key
In my opinion, the Microsoft doco @ and makes it sound complex.
In short, go with the “highest” version of server you have available and it can then activate everything “below” it.
For example:
If you utilise the Server 2012 R2 standard key (KMS B), it can act as an activation server for 2008R2/2012/2012R2 standard and Win7/8/8.1, but it cannot activate datacentre editions.
If you utilise the Server 2012 R2 datacentre key (KMS C), it can activate other datacentre editions as well as all 2008R2/2012/2012R2 standard/datacentre and Win7/8/8.1.
“But I only want to license Windows 7 machines!” the response frequently comes back.
A KMS key will also license all products that are “lower” in the tree, so using a server 2012 R2 standard KMS key will allow you to license all windows 7 machines (as well as windows 8/8.1 and server 2008R2/2012/2012 R2)
“So why do I have a Windows 7 KMS key then?” is the next question
This is because it is an option to install a KMS on Windows 7, simple as that. This is something we would generally advise against, as most organisations that use a KMS would use it for their servers and workstations.
Choosing a KMS server – OS Version
Using the newest operating system in your environment generally means that you will not need to download additional updates or patches, so simply for that reason, we would recommend using the newest OS version you have available.
Choosing a KMS server – Server load & placement
The KMS role is a very low-load role and we have never had any issues co-locating it with other roles. One common pairing is placing the KMS role on the SCCM primary site server (for organisations of up to 5000 PC’s)
For larger organisations, we see various approaches. Some have dedicated KMS servers, some co-locate on other services.
This section is here because often people ask what the load is like and can be co-located with other roles. The short answer is, very low load service and it be co-located with anything that doesn’t need TCP 1688.
KMS publishing and load balancing
KMS, by default listens on port TCP 1688 and will (by default) publish a DNS SRV record to allow domain-joined clients to locate the KMS service. The record created is called _vlmcs
Windows 7/2008 R2 and above volume license operating systems automatically look for this DNS record.
SRV records have a weight and priority associated with them, and this, by its nature, allows multiple KMS’ to be published and administrators to use them in a round-robin scenario (same priority) or in a fault-tolerance scenario (different priorities)
It is possible to disable publishing for a KMS service, but this is not something we have ever done – and we are not quite sure of a scenario where this would be helpful (but this doesn’t meant there isn’t one!)
Patching KMS to support Windows 10
In order to support Windows 10, you will need to patch your 2008R2, 2012 or 2012R2 KMS server as per
Office KMS
Office 2010 and 2013 have KMS add-on packs, that can be installed on an existing KMS server, these are available at:
Office 2010 KMS Host –
Office 2013 KMS Host –
Office 2016 KMS Host –
Installing KMS + Office KMS step by step
These steps remain the same whether you are installing on Windows 2008 R2, 2012 or 2012 R2.
Decide which server will host your KMS. We recommend utilising the latest server version you have access to and the highest “edition” (at the time of writing, this is Server 2012 R2 Datacentre)
Logon to the server and open an elevated command prompt (this process will fail if you do not elevate the command prompt!)
C:
Cd windows\system32
Cscript slmgr.vbs /ipk <your product key, with the dashes>
Cscript slmgr.vbs /ato
You now have a KMS server
To verify the install and look at the number of currently activated machines
Cscript slmgr.vbs /dlv
To install the Office KMS host (we will use 2013 in this example, however it is very similar to the 2010 process)
Download the KMS host update from the links above
Run the install
Enter your product key when prompted
To verify the install and look at the number of currently activated machines
Cscript slmgr.vbs /dlv all
Look for the appropriate office 15 (or 14) section
Common questions
Question: I want to move my KMS server, how do I move the activation database etc.?
Answer: There is no activation database or anything that needs to be moved. Simply create a new KMS, install the KMS key and activate. Then decommission the “old” KMS by running slmgr.vbs –upk (uninstall product key) and then either delete the “old” _vlmcs record from DNS, or use slmgr.vbs -cdns
Question: If my KMS client is off the network for more than 180 days, what do I do ?
Answer: Simply re-attach it to the network, it will find the KMS server and renew its activation. If the client will regularly be off the network for more than 180 days, it would be wise to consider using a MAK for this client.
Question: The SRV record has not registered in DNS.
Answer: Sometimes a restart of the KMS service is required. Net Stop sppsvc then net start sppsvc
Sometimes, if an existing record already exists from a previous KMS, you may need to grant permissions over the DNS record, but frankly, its easier just to delete it and restart the KMS service (command above)
Common mistakes
Mistake: Using a KMS key on a number of client machines, either because the difference between MAK and KMS wasn’t clear, or my licensing person gave me the wrong key.
This can be quite easily fixed by changing the key on the affected clients :
Part 1 – identifying affected clients
Open DNS admin, and navigate to <your domain>\_tcp
Take note of all the _vlmcs records – these are all the KMS hosts on your network
Part 2 – fixing up those clients
Install the default KMS on these machines. The default KMS keys can be found at
This can be done manually (if there is a small number) or using the VAMT if there is a larger number –
Part 3 – cleaning up
Delete the additional _vlmcs records from your DNS
Mistake: Deploying MAK keys in a task sequence, when you actually want to use a KMS.
If you want to use KMS, simply leave the product key section in your task sequence blank.
To “fix” existing clients, you will need to identify the machines with a MAK and install the default KMS key. The VAMT can be used to help identify and update these machines.
Mistake: Using the windows 10 KMS key on a server results in Error 0xC004F015
You need to use the server KMS keys on a server OS (as discussed above), please read the above article or visit
(中文参考)
(必看挺好的)
(在KMS客户端手动指定KMS服务器,会禁用KMS客户端的自动发现,建议不要采用手动指定)
By default, KMS clients which have not yet been activated will attempt to contact the KMS host every two hours. KMS clients which have successfully activated with the KMS host must renew their activation at least once every 180 days. These machines will contact the KMS host every seven days for this purpose. Any time the renewal is successful, the 180-day count resets.
An Office 2013 KMS Host can activate clients with office 2010?
But an Office 2013 KMS host can only be used to activate Office 2013, an Office 2010 KMS host can only be used to activate Office 2010.
download vamt 3.1