Manually Set Key Management Server for Windows Activation

Ever get tired of Windows wanting to activate all the time and not know what to do? Well, then I hope this information will help you resolve that issue. Most of the time, this issue is caused by one of a couple of things. You may have added a firewall, or altered a network routing table so that traffic now passes through another network device that does not allow TCP port 1688.

In my experience, however, the main culprit has been a change to the DNS settings on the client, so that the activation request is now routed the wrong way. For example, the KMS server is set to listen only to internal communication from the network (Private IP address – NAT), but you are now trying to communicate with the public IP address of the KMS server, which gets ignored.

Think about that for a second. Would you rather have all servers trying to activate a Windows license contact your public KMS server, or would it be better to just register clients internally? I would hate to have someone activate a product that is not a part of my organization but leaves me to foot the bill for them.

Special note: By default, each Windows computer that was activated by the KMS server will contact the KMS every 7 days. Those clients will have to confirm their activation at least every 180 days. This means that you always have to keep an eye on your KMS infrastructure (KMS server, DNS, clients, etc.) to see if everything is still working properly. If technical problems come up, then you will have to spend extra time finding the solution before end users remove you from their Christmas list, and no one wants to be that person, trust me!

For more information, please see the link below:

http://technet.microsoft.com/en-us/windows/dd197314.aspx

Steps to resolve the issue!

1. Manually set the KMS server by DNS name or IP address:

slmgr.vbs /skms <KMS server DNS name or IP address>

2. Manually activate the system after successfully setting the KMS server:

slmgr.vbs /ato

Example on an EC2 Windows instance:

1- Set the KMS Server

cscript C:\Windows\System32\slmgr.vbs -skms ec2-174-129-233-141.compute-1.amazonaws.com

If that does not work, then let's try using the IP address per this Microsoft KB Article: http://support.microsoft.com/kb/929826

cscript C:\Windows\System32\slmgr.vbs -skms 174.129.233.141

2- Attempt to activate (example below)

cscript C:\Windows\System32\slmgr.vbs -ato

Here is a screen shot of both commands successfully run:

Verify that the clock (time) is set to sync with time.windows.com (you can adjust these settings by right clicking on the clock and selecting “Adjust Date/Time” and viewing the “Internet Time” tab).

You should see two confirmation pop-up messages, the first stating that you have set the key management server and the second stating that Windows has activated successfully. With those steps taken, you can rest assured that you will not fall off any co-workers' Christmas list!

Please note: Ensure that any firewalls between the machine and the KMS server are configured to allow TCP port 1688 out from the machine to the KMS server. (Most of the time that should not be an issue, but you never know, since most firewalls allow outbound traffic with little to no restrictions and mainly focus on incoming traffic.)

Additional troubleshooting checks:

– Enable port 1688 on Windows Firewall (required for access)
– Use cscript to get more detailed information on any possible failures

To allow outbound TCP port 1688 for KMS in Windows Firewall, open the Control Panel, then System and Security, then Windows Firewall. Select Advanced Settings:

Right click on Outbound and select new rule:

Select Port and then click next:

Select TCP and Specific remote ports, then enter 1688:

Allow this connection:

Select which Profile(s) you want the rule applied to:

For the name field, let’s call it KMS:

Now you can see this rule exists and you are good to go:
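
The two causes described above (DNS sending the client to the wrong KMS address, and TCP 1688 being blocked) can be checked from PowerShell before running slmgr.vbs. This is an added example, not part of the original post. It assumes Windows 8 / Server 2012 or later for the Resolve-DnsName, Test-NetConnection and firewall cmdlets; the names kms.corp.example and corp.example and the helper Test-PrivateIPv4 are hypothetical.

```powershell
# Added example, not from the original post. The corp.example names are placeholders.
param(
    [string]$KmsHost   = 'kms.corp.example',  # hypothetical internal KMS host name
    [string]$DnsDomain = 'corp.example',      # hypothetical client DNS domain
    [int]$KmsPort      = 1688,
    [switch]$AddFirewallRule                  # opt-in; needs an elevated prompt
)

function Test-PrivateIPv4 {
    # True for RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. KMS auto-discovery: clients look up the SRV record _vlmcs._tcp in their DNS domain.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if ($srv) {
    $srv | ForEach-Object { "SRV record points to $($_.NameTarget):$($_.Port)" }
} else {
    "No _vlmcs._tcp SRV record in $DnsDomain; the KMS host must be set with slmgr.vbs /skms"
}

# 2. Which address will this client contact? A public address here matches the case
#    above where an internal-only KMS host ignores the request.
$addrs = @(Resolve-DnsName -Name $KmsHost -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
foreach ($a in $addrs) {
    $scope = if (Test-PrivateIPv4 $a) { 'private' } else { 'PUBLIC' }
    "$KmsHost resolves to $a ($scope)"
}
if ($addrs.Count -eq 0) { "$KmsHost does not resolve; check the client's DNS settings" }

# 3. Is TCP 1688 open from this machine to the KMS host?
$tcp = Test-NetConnection -ComputerName $KmsHost -Port $KmsPort -WarningAction SilentlyContinue
"TCP $KmsPort to $KmsHost reachable: $($tcp.TcpTestSucceeded)"

# 4. Optional: the outbound rule from the GUI steps, narrowed to the KMS addresses
#    (the narrowing is an addition; the GUI steps above allow port 1688 to any host).
$existing = Get-NetFirewallRule -DisplayName 'KMS' -ErrorAction SilentlyContinue
if ($AddFirewallRule -and $addrs.Count -gt 0 -and -not $existing) {
    New-NetFirewallRule -DisplayName 'KMS' -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort $KmsPort -RemoteAddress $addrs | Out-Null
}
```

Save it as a .ps1 file and run it with your own -KmsHost and -DnsDomain values; a PUBLIC result in step 2 or False in step 3 points to the DNS or firewall cause respectively.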
