Edit

Troubleshoot Azure Windows virtual machine activation problems

  • Article
  • 4 minutes to read

If you have trouble when activating Azure Windows virtual machine (VM) that is created from a custom image, you can use the information provided in this document to troubleshoot the issue.

Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines

Azure uses different endpoints for KMS (Key Management Services) activation depending on the cloud region where the VM resides. When using this troubleshooting guide, use the appropriate KMS endpoint that applies to your region.

  • Azure public cloud regions: kms.core.windows.net:1688 or azkms.core.windows.net:1688
  • Azure China 21Vianet national cloud regions: kms.core.chinacloudapi.cn:1688 or azkms.core.chinacloudapi.cn:1688
  • Azure Germany national cloud regions: kms.core.cloudapi.de:1688
  • Azure US Gov national cloud regions: kms.core.usgovcloudapi.net:1688

Symptom

When you try to activate an Azure Windows VM, you receive an error message resembles the following sample:

Error: 0xC004F074 The Software LicensingService reported that the computer could not be activated. No Key ManagementService (KMS) could be contacted. Please see the Application Event Log for additional information.

Cause

Generally, Azure VM activation issues occur if the Windows VM is not configured by using the appropriate KMS client setup key, or the Windows VM has a connectivity problem to the Azure KMS service (kms.core.windows.net, port 1688).

Solution

Note

If you are using a site-to-site VPN and forced tunneling, see Use Azure custom routes to enable KMS activation with forced tunneling.

If you are using ExpressRoute and you have a default route published, see Can I block Internet connectivity to virtual networks connected to ExpressRoute circuits?.

Step 1 Configure the appropriate KMS client setup key

Note

For VMs running Windows 10 Enterprise multi-session (also known as Windows 10 Enterprise for Virtual Desktops) in Azure Virtual Desktop, this step is not required.

If you deploy a Windows 10 Enterprise multi-session VM, and then update the product key to another edition, you won't be able to switch the VM back to Windows 10 Enterprise multi-session, and you will need to redeploy the VM.

To determine if your VM is running multi-session, run the following command:

slmgr.vbs /dlv

If the result returns Name: Windows(R), ServerRdsh edition, then this step is not required.

For more information, please refer to: Windows 10 Enterprise multi-session FAQ

For the VM that is created from a custom image, you must configure the appropriate KMS client setup key for the VM.

  1. Run slmgr.vbs /dlv at an elevated command prompt. Check the Description value in the output, and then determine whether it was created from retail (RETAIL channel) or volume (VOLUME_KMSCLIENT) license media:

    cscript c:\windows\system32\slmgr.vbs /dlv

  2. If slmgr.vbs /dlv shows RETAIL channel, run the following commands to set the KMS client setup key for the version of Windows Server being used, and force it to retry activation:

    cscript c:\windows\system32\slmgr.vbs /ipk <KMS client setup key>

cscript c:\windows\system32\slmgr.vbs /ato

    For example, for Windows Server 2016 Datacenter, you would run the following command:

    cscript c:\windows\system32\slmgr.vbs /ipk CB7KF-BWN84-R7R2Y-793K2-8XDDG

Step 2 Verify the connectivity between the VM and Azure KMS service

  1. Download and extract the PSping tool to a local folder in the VM that does not activate.

  2. Go to Start, search on Windows PowerShell, right-click Windows PowerShell, and then select Run as administrator.

  3. Make sure that the VM is configured to use the correct Azure KMS server. To do this, run the following command:

    Invoke-Expression "$env:windir\system32\cscript.exe $env:windir\system32\slmgr.vbs /skms kms.core.windows.net:1688"

    The command should return: Key Management Service machine name set to kms.core.windows.net:1688 successfully.

  4. Verify by using Psping that you have connectivity to the KMS server. Switch to the folder where you extracted the Pstools.zip download, and then run the following:

    .\psping.exe kms.core.windows.net:1688

    In the second-to-last line of the output, make sure that you see: Sent = 4, Received = 4, Lost = 0 (0% loss).

    If Lost is greater than 0 (zero), the VM does not have connectivity to the KMS server. In this situation, if the VM is in a virtual network and has a custom DNS server specified, you must make sure that DNS server is able to resolve kms.core.windows.net. Or, change the DNS server to one that does resolve kms.core.windows.net.

    Notice that if you remove all DNS servers from a virtual network, VMs use Azure's internal DNS service. This service can resolve kms.core.windows.net.

    Also make sure that the outbound network traffic to KMS endpoint with 1688 port is not blocked by the firewall in the VM.

  5. Verify using Network Watcher Next Hop that the next hop type from the VM in question to the destination IP 23.102.135.246 (for kms.core.windows.net) or the IP of the appropriate KMS endpoint that applies to your region is Internet.

    If the result is VirtualAppliance or VirtualNetworkGateway, it is likely that a default route exists. Contact your network administrator and work with them to determine the correct course of action. This may be a custom route if that solution is consistent with your organization's policies.

  6. After you verify successful connectivity to kms.core.windows.net, run the following command at that elevated Windows PowerShell prompt. This command tries activation multiple times.

    1..12 | ForEach-Object { Invoke-Expression "$env:windir\system32\cscript.exe $env:windir\system32\slmgr.vbs /ato" ; start-sleep 5 }

    A successful activation returns information that resembles the following:

    Activating Windows(R), ServerDatacenter edition (12345678-1234-1234-1234-12345678) … Product activated successfully.

FAQ

I created a Windows Server virtual machine from Azure Marketplace. Do I need to configure a KMS key for activating the system?

No. The image in Azure Marketplace has the appropriate KMS client setup key already configured.

Does Windows activation work the same way regardless if the VM is using Azure Hybrid Use Benefit (HUB) or not?

Yes.

What happens if Windows activation period expires?

When the grace period has expired and Windows is still not activated, Windows Server 2008 R2 and later versions of Windows will show additional notifications about activating. The desktop wallpaper remains black, and Windows Update will install security and critical updates only, but not optional updates. See the Notifications section at the bottom of the Licensing Conditions page.

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure community support.