What Is KMS in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
KMS stands for Key Management Service. It helps companies activate Microsoft products like Windows and Office on many computers at once without needing a separate product key for each machine. This service runs on a local server, and client computers automatically activate by connecting to it periodically. It is part of Microsoft's volume activation methods, designed for medium to large organizations.
Commonly Confused With
MAK is a product key that can be used for a set number of activations, each counted individually by Microsoft. Unlike KMS, MAK does not require periodic renewal and does not need a minimum number of clients. MAK is suited for smaller organizations or devices that cannot reach the network regularly.
A small company with 10 laptops installs Windows using one MAK key. Each activation is counted against the key's limit. If they later reinstall, they use more from the pool.
ADBA is a newer activation method where the KMS host role is integrated into Active Directory Domain Services. Activated clients get a perpetual activation token (no renewal required) as long as they remain domain-joined. Unlike KMS, ADBA does not have a 180-day renewal requirement but requires a domain environment.
A large corporation with a domain-joined environment uses ADBA so that once a computer activates, it stays activated without needing to check in periodically.
Digital license is tied to a specific device's hardware and requires internet connection to Microsoft's activation servers. It is used for retail or OEM copies, not volume licensing. Unlike KMS, it is per-device and does not work on a local network without internet.
When you buy a new laptop from Best Buy, Windows activates automatically using a digital license stored in Microsoft's cloud.
Must Know for Exams
KMS is a core topic in several Microsoft certification exams, particularly those related to Windows client deployment and management, as well as Microsoft 365 identity and licensing. For the MD-100 (Windows 10/11) and MD-101 (Managing Modern Desktops) exams, KMS appears under the objective "Manage Windows activation" or similar, where you must understand the difference between KMS, MAK (Multiple Activation Key), and AD-based activation. The exam expects you to know the minimum client count (25 for Windows, 5 for Office), the activation renewal period (180 days), and the client renewal interval (7 days). You also need to understand that KMS uses DNS for automatic host discovery and that you can configure a KMS host key via the command line with slmgr /ipk [key] and slmgr /ato.
For the Microsoft 365 Certified: Enterprise Administrator Expert (MS-100/MS-101) exams, KMS is relevant to licensing topics, but often AD-based activation is preferred for domain-joined machines. However, scenarios where internet is unavailable or where hybrid environments exist still reference KMS as a valid activation method. The exam might present a scenario where a company with 1000 clients wants to ensure activation works without internet access at the edge, and the correct answer involves deploying a KMS host.
In the MS-700 (Managing Microsoft Teams) or MS-203 (Microsoft 365 Messaging) exams, KMS is less central but can appear as a prerequisite for deploying Office apps in an enterprise via Group Policy or Configuration Manager. For general IT certifications like CompTIA Network+ or Security+, KMS is a peripheral concept, it may appear in a question about network services that require DNS SRV records or in the context of software licensing compliance (Security+ domain 2.0). However, given the broad nature of "general IT certifications," the primary relevance is for Microsoft-specific exams. For learners targeting any Microsoft role-based certification, understanding KMS activation flow and troubleshooting is a must-know skill. The exam often includes multiple-choice questions asking for the correct activation method given a specific network topology or security requirement.
Simple Meaning
Imagine you work in a large office with hundreds of computers. Every computer needs a license to run Windows and Microsoft Office. If you had to buy a separate product key and type it in on each machine, it would take forever and be very easy to lose track of which keys you used. KMS is like having a single master key that unlocks all the computers in your building at once.
Here is how it works. You set up one special computer in your office called a KMS host. This host gets a single master license key from Microsoft. Then, every other computer in your network is told to look for this KMS host instead of looking up its license directly with Microsoft over the internet. When a client computer boots up, it checks in with the KMS host. The host verifies that the computer is part of the organization and then issues a temporary activation that lasts for a set period, typically 180 days.
For this arrangement to stay valid, each client computer must check in with the KMS host at least once every 180 days. If a computer goes offline for too long or never connects to the host, its activation will expire, and the software will start reminding the user to activate. This automatic renewal system is why KMS is known for being a low-maintenance, scalable solution. It is ideal for organizations that have a large number of computers to manage and want to avoid the hassle of manually activating each one.
Another way to think of it is like a gym membership. You sign up at the main desk (the KMS host), and that gives you access to the gym for six months. You need to come back and scan your card every so often to prove you are still a member. If you stop visiting, your access is eventually suspended. KMS works the same way – computers must periodically prove they are still part of the network to keep running with full features.
Full Technical Definition
Key Management Service (KMS) is a Microsoft volume activation technology that enables the activation of Microsoft products, such as Windows and Office, using a local hosted service rather than requiring individual product keys or internet-based activation for each client. KMS is designed for medium to large organizations that deploy multiple client machines, typically requiring a minimum of 25 client computers for Windows activation and five for Office activation to function.
KMS operates on a client-server model. The KMS host is a computer running Windows Server (or in some cases Windows client) that has been configured with a KMS product key (often called the KMS host key). This host registers with Microsoft over the internet or by phone to obtain a KMS host key and becomes the local activation authority. Once activated, the KMS host creates a DNS SRV record (service record) in the organization's DNS server, allowing client computers to automatically discover the KMS host using the _vlmcs._tcp DNS SRV record.
Client computers that are configured with a generic volume license key (GVLK) for their product will attempt to activate by contacting the KMS host via a remote procedure call (RPC) over TCP/IP. The KMS host returns a KMS activation token to the client, which includes a time-based validity period of 180 days by default (except for certain evaluation versions). This activation is periodically refreshed; the client attempts to renew its activation by contacting the KMS host every seven days. If the renewal is successful, the activation countdown resets to 180 days. If the client fails to reach the KMS host for 180 consecutive days, the activation expires, and the product enters a reduced functionality mode, often with notification messages and reduced feature access until reactivated.
KMS also supports activation for multiple Microsoft products on the same host. A single KMS host can provide activation keys for Windows, Office, and other Microsoft server products. The host maintains a count of unique client requests and requires a minimum activation count (called the activation threshold) before it begins issuing permanent activations. This is why the minimum client requirement exists. KMS hosts can be activated as a volume license customer via the Volume Licensing Service Center (VLSC) or Microsoft 365 Admin Center.
Security is handled through mutual authentication between client and host using public key cryptography. Each KMS host has a unique public/private key pair. When a client contacts the host, the host signs the activation token using its private key. The client verifies the signature using the host's public key (which is embedded in the client's GVLK). This prevents rogue hosts from issuing activations. KMS also supports High Availability (HA) by allowing multiple KMS hosts to be configured with the same KMS host key, creating a pool of hosts behind a load balancer or via DNS round-robin.
Real-Life Example
Think of a busy airport with many gates. Each gate is like a computer that needs to be cleared for takeoff (activated). Instead of each pilot having to call the airline's headquarters (Microsoft) individually to get clearance, the airport has a local control tower (the KMS host). All pilots are trained to radio the control tower when they are ready at the gate. The control tower has a master schedule (the KMS host key) that allows it to clear any flight that is part of the airline's fleet. Once cleared, the pilot gets a temporary flight authorization that lasts for 180 days.
Now, the pilot must check back in with the control tower every few days (every seven days) to confirm that the flight is still active and scheduled. If a plane is grounded for repairs or moves to a different airport outside the control tower's range (like leaving the network for many months), its authorization eventually expires. The airline doesn't need to talk to headquarters for every single flight; the local control tower handles the daily work. This makes the whole process faster and more efficient, especially when there are many planes (computers) to manage.
If the airline opens a new hub (another KMS host), they can install the same master key on a second control tower. Then if one tower goes offline, the other one can still clear flights. This mirrors how an IT department can set up multiple KMS hosts for redundancy. The key idea is that the local authority (KMS) reduces reliance on a single remote server and makes scaling easy. Just as a control tower can manage hundreds of flights, a single KMS host can manage thousands of computers.
Why This Term Matters
KMS is critical for organizations that manage large numbers of Microsoft clients because it drastically reduces administrative overhead and licensing complexity. Without KMS, each computer would need to have its own unique product key, which would have to be typed in or deployed individually. This is manageable for a handful of machines but becomes unworkable for hundreds or thousands. Each activate would need to connect to Microsoft's activation servers over the internet, which can be problematic in secured environments where internet access is restricted. KMS provides an internal, trusted activation source that works even in air-gapped networks, as long as the KMS host itself can reach Microsoft at least once to validate the host key.
From a compliance standpoint, KMS helps organizations stay within their licensing agreements. Because KMS activation is tied to the organization's volume license agreement, it ensures that only authorized copies of software are activated. The periodic renewal mechanism (180-day cycle) also helps prevent software from staying activated long after a computer leaves the organization, as machines that are decommissioned or recycled will eventually lose their activation. This provides a self-cleaning mechanism for the license pool.
For IT professionals, understanding KMS is essential for Microsoft certification exams (like the MCSA, MCSE, or modern Microsoft 365 role-based exams). It also helps in real-world troubleshooting. If a client computer shows a "not activated" message even though it is on the corporate network, the administrator must check DNS records, firewall rules (port 1688), and KMS host availability. Knowing how KMS works allows an administrator to diagnose activation failures quickly and ensure that the organization's software remains compliant and functional.
How It Appears in Exam Questions
In Microsoft certification exams, KMS questions typically fall into three categories: scenario-based, configuration, and troubleshooting. For scenario-based questions, you might be given a description of an organization with 200 client computers in a single location, no internet access for client machines, and a requirement to activate Windows 10. The question will ask for the most suitable activation method. The correct answer is KMS because it does not require each client to reach Microsoft directly. Distractors often include MAK (which requires internet or phone for each activation) or AD-based activation (which requires the device to be domain-joined and uses the same AD-based activation server, but the question may specifically state "no internet access" and the exam expects KMS as it works without domain membership).
Another common question type asks about minimum client counts. For example: "An administrator configures a KMS host but finds that client computers are not being activated properly. What is the most likely cause?" The answer could be that the KMS host has not yet received its initial activation count because the number of client machines is below the threshold (less than 25 for Windows). You need to know that KMS requires a minimum number of unique clients requesting activation before it starts granting valid tokens. A variant of this question might mention that after deploying Office on five machines, activation fails, but note the threshold for Office is five, so if exactly five, the KMS host may require one more request to cross the threshold (the threshold actually requires at least five, and the first activation occurs after the threshold is met; often the answer is that the host needs one more client to activate).
Troubleshooting questions often involve connectivity. For instance: "Users report that their Windows 10 devices are not activating. The administrator confirms that the KMS host is operational and the KMS host key is active. Which port should be open on the firewall between clients and the KMS host?" The answer is TCP port 1688 (the default KMS RPC port). Another troubleshooting scenario: "A company implements KMS but clients fail to discover the host automatically. What should be checked first?" The answer is DNS, specifically, the presence of the _vlmcs._tcp SRV record in the DNS zone. You may also see a question about using slmgr commands to configure a client to point to a specific KMS host (slmgr /skms hostname:port) if DNS discovery fails.
Finally, some questions ask about security: "An organization wants to prevent unauthorized computers on the network from using the KMS host. What should be configured?" The answer is to restrict the KMS host's firewall to allow only subnet ranges or to use a KMS host key that is unique to the organization. However, KMS does not have a built-in access control list, so the typical answer involves IPsec or network segmentation.
Practise KMS Questions
Test your understanding with exam-style practice questions.
Example Scenario
Scenario: You are a new IT administrator for a company called BrightTech. BrightTech has 300 computers used by employees. They all run Windows 10 Pro. The company recently signed a volume licensing agreement with Microsoft. Your supervisor asks you to set up volume activation so that when new computers are added to the network, they activate automatically without manual work. The company's environment is mostly on-premises, with no direct internet access from the client machines (they are on a separate subnet that is firewalled from the internet).
You decide to use KMS. You install a Windows Server on a dedicated machine inside the network. You obtain a KMS host key from the Volume Licensing Service Center and enter it on the server using the command slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. Then you activate the host key against Microsoft via slmgr /ato (this step requires internet access for the KMS host only, which you have from the server subnet). The KMS host is now active.
Next, you ensure that a DNS SRV record for _vlmcs._tcp.yourdomain.com is created automatically (KMS does this by default if the server has permission to update DNS). You verify that the firewall between clients and the server allows TCP port 1688. On a test client, you install Windows 10 using an image that already has the generic volume license key (GVLK) preinstalled. When the client boots, it attempts to activate. You check the activation status with slmgr /xpr and see that the system is activated for 180 days. You then configure a Group Policy Object that sets the KMS host name for clients that might not find it via DNS, using the policy: Computer Configuration -> Administrative Templates -> Windows Components -> Software Licensing -> "Specify the KMS host name". You set it to "kms.brighttech.com".
Everything works. After a week, you add 10 more computers. They all activate automatically. You feel confident that the organization is compliant and users are not bothered with activation prompts. Six months later, you are asked to upgrade the KMS host. You prepare a new server, transfer the KMS host key, and update DNS records. Clients automatically discover the new host and continue activating without issue.
Common Mistakes
Thinking that KMS activates clients permanently.
KMS activation is valid for only 180 days. Clients must renew activation by contacting the KMS host at least once every 180 days. If they do not, they lose activation.
Understand that KMS is a renewable activation model, not a one-time activation. Ensure clients can reach the host periodically.
Assuming a KMS host can activate an unlimited number of clients without licensing fees.
While there is no hard limit on client count, the KMS host key must be obtained through a valid volume licensing agreement. Using Windows without proper licensing is illegal and non-compliant.
Always ensure your organization has the appropriate volume license agreement before deploying KMS. The KMS host key itself is licensed per agreement.
Configuring a KMS host on a client operating system (e.g., Windows 10) without proper preparation.
KMS hosts are best deployed on Windows Server editions. Windows 10 can technically act as a KMS host for some roles, but it is limited, unsupported for many products, and not recommended for production.
Use Windows Server for your KMS host. If necessary, refer to Microsoft documentation for supported host OS versions.
Forgetting to open firewall port 1688 (TCP) between clients and the KMS host.
KMS uses RPC over TCP port 1688. If this port is blocked, activation requests will fail silently. Clients will appear unactivated.
Verify that port TCP 1688 is open in both directions between the KMS host and all client subnets.
Failing to meet the minimum activation threshold (25 for Windows, 5 for Office) before KMS starts activating.
KMS will not grant valid activation tokens until it receives activation requests from at least the threshold number of unique clients. Early adoption will fail.
Deploy at least 25 client computers that are configured with GVLK before expecting successful KMS activation. You can use a test set of clients to meet the threshold.
Exam Trap — Don't Get Fooled
{"trap":"The exam may present a scenario where a small organization has 10 clients and asks for the best activation method. Many learners pick KMS because they know it is used in large setups, but the minimum threshold is 25 for Windows. The correct answer is usually MAK (Multiple Activation Key) or Active Directory-based activation (if domain-joined)."
,"why_learners_choose_it":"Learners see 'KMS' as the go-to volume activation solution and forget that it has a minimum client requirement. They assume it works for any size organization.","how_to_avoid_it":"Always note the number of clients in a scenario.
If the number is less than 25 for Windows or 5 for Office, KMS is not appropriate unless the question specifically says the organization will soon meet the threshold. Remember the thresholds: 25 for Windows, 5 for Office."
Step-by-Step Breakdown
Obtain a KMS host key from Microsoft Volume Licensing Center (VLSC)
Before deploying KMS, you must have a valid volume licensing agreement. From the VLSC portal, you download the KMS host key (like 'AAAAA-BBBBB-CCCCC-DDDDD-EEEEE'). This key is specific to your organization and the product version (e.g., Windows Server 2022). This step is the starting point, without a valid key, the KMS host cannot be activated.
Install and configure the KMS host server
Choose a Windows Server or supported host OS. Use the command slmgr /ipk <KMS host key> to install the key. Then run slmgr /ato to activate the host key against Microsoft's activation servers. The host needs temporary internet access or phone activation for this step. Once activated, the host can serve activation requests.
Publish a DNS SRV record for automatic host discovery
KMS hosts register a DNS SRV record named _vlmcs._tcp.<domain> by default. This record allows clients to find the KMS host automatically without manual configuration. If the host does not have permissions to update DNS, an administrator must manually add the record. Without this record, clients may fail to discover the host.
Ensure client systems have a Generic Volume License Key (GVLK)
Client computers must be using the GVLK for their product (e.g., Windows 10 Enterprise GVLK). These keys are publicly available from Microsoft and are built into volume licensed media. The GVLK tells the client to attempt activation via KMS. If a client uses a retail key, it will not attempt KMS activation.
Open firewall port TCP 1688 between clients and KMS host
KMS communicates over TCP port 1688. This port must be open on any firewalls between the client and the KMS host. If the port is blocked, the activation request will time out and fail. This includes host-based firewalls.
Client activation and renewal cycle
When a client boots, it tries to contact the KMS host. The client sends a request, the host validates it, and returns a 180-day activation token. The client then attempts to renew every seven days. If renewal fails for 180 days, activation expires. This dynamic cycle keeps the organization compliant without requiring manual tracking.
Practical Mini-Lesson
KMS is a critical service for any IT administrator managing Windows clients in a corporate environment. To set it up correctly, you must first understand the prerequisites. Your organization must have a Microsoft Volume Licensing agreement. You then get a KMS host key from the Volume Licensing Service Center (VLSC). This key is not the same as a client key; it is used to enable the host machine to serve activation tokens. You install this key on a Windows Server using the command slmgr /ipk <key>. Then you activate the host with slmgr /ato. Note that the host requires internet access at this point to contact Microsoft, but once activated, it can operate offline for future client activations.
After the host is activated, you need to think about network topology. The host must be reachable by clients via TCP port 1688. In a typical enterprise, you would place the KMS host in a management subnet or alongside other infrastructure servers. You should also ensure that DNS is configured to allow the automatic creation of the _vlmcs._tcp SRV record. If your DNS environment does not allow dynamic updates, you will need to add this record manually. Many administrators skip this step and then wonder why clients cannot find the host. A common workaround is to manually set the KMS host name on clients using Group Policy or slmgr /skms hostname:port.
For client machines, the critical piece is the Generic Volume License Key (GVLK). These keys are publicly known and are built into volume license media. When you deploy Windows using a volume license image, the GVLK is pre-applied. If you are using a retail or OEM image, you will need to manually install the GVLK using slmgr /ipk <GVLK> before attempting activation. Without the correct GVLK, the client will not attempt KMS activation.
In production, one common issue is the activation threshold requirement. A KMS host will not issue valid activation tokens until it has received requests from at least 25 unique clients (for Windows) or 5 unique clients (for Office). This threshold resets if the host is restarted or if the KMS host key is reactivated. Administrators sometimes test with a few clients and see failure, leading to confusion. The fix is to have enough clients request activation, sometimes by temporarily joining several test machines to the network to meet the threshold, then removing them later.
Another practical consideration is high availability. You can deploy multiple KMS hosts behind a load balancer using the same KMS host key and DNS round-robin. This ensures that if one host goes offline, clients can still activate against another. However, you must ensure that the KMS host key is installed on each host and activated. Each host independently tracks the activation count, so they all need to meet their own threshold. In environments where uptime is critical, this is a recommended setup.
Memory Tip
Remember "25 for the Win, 5 for the Office" – that is the minimum client count for KMS activation: 25 for Windows, 5 for Office. Another hook: "KMS keeps machines honest, they must check in every 180 days or lose their license."
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →CLF-C02CLF-C02 →SAA-C03SAA-C03 →N10-009CompTIA Network+ →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →SC-900SC-900 →MD-102MD-102 →SOA-C02SOA-C02 →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
MS-100MS-102(current version)MS-101MS-102(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Frequently Asked Questions
Can I use KMS if my clients do not have internet access?
Yes, that is one of the main benefits. Only the KMS host needs internet access to activate its host key. Client machines can activate entirely over the local network.
What happens if a client misses its 180-day renewal deadline?
The client's activation expires. The software may enter a reduced functionality mode (like nag screens and limited personalization) until it can reactivate with the KMS host.
How many times can a client reactivate with KMS?
KMS uses a periodic renewal system, so the client can reactivate an unlimited number of times as long as it can reach the KMS host before the 180-day window expires.
Can I have more than one KMS host in my organization?
Yes. You can deploy multiple KMS hosts using the same KMS host key. Use DNS round-robin or a load balancer to distribute client requests for high availability.
Is KMS activation permanent if I never turn off the host?
No. KMS activation is time-based (180 days). Even with a continuously running host, each client must renew at least every 180 days. If a client is disconnected for 180 days, it will lose activation.
What is the default renewal interval for a KMS client?
By default, the client attempts to renew its activation with the KMS host every seven days. This keeps the 180-day timer reset regularly.
Summary
KMS, or Key Management Service, is Microsoft's solution for volume activation of Windows and Office products in organizations with many computers. It works by having a central server (the KMS host) that issues time-limited activation tokens to client machines. These tokens are valid for 180 days, and clients must renew regularly to stay activated. KMS is ideal for medium to large networks, especially when internet access for clients is limited or not available.
For IT certification candidates, mastering KMS means understanding its minimum client thresholds (25 for Windows, 5 for Office), its reliance on DNS SRV records and TCP port 1688, and its differences from MAK and Active Directory-based activation. KMS questions appear most frequently in Microsoft desktop management exams (MD-100, MD-101) and volume licensing topics. Knowing the fundamentals helps you answer scenario-based questions about activation methods and troubleshoot activation failures in real-world labs.
The takeaway: KMS is the go-to method for large-scale, offline-capable activation. It is not a permanent activation, it requires periodic check-ins. When studying, focus on the technical details: the activation flow, the renewal cycle, the threshold requirements, and the configuration commands. These elements will both help you pass exams and manage enterprise environments effectively.