A KMS (Key Management Service) host lets every qualifying Windows machine on your network activate on its own. No per-device keys, no manual steps once it’s running. This walks you through setting up and activating a Windows Server 2025 Standard KMS host key from start to finish.
If you are not sure KMS is the right model for you, read MAK vs KMS first. KMS makes sense for networks with 50+ clients (or 5+ servers) that stay connected to your network.
What you need first
- A genuine Windows Server 2025 KMS host key (the CSVLK from your volume licensing source).
- A Windows Server machine to act as the host, reachable by your clients.
- Administrator rights on that server.
- TCP port 1688 open (the KMS default).
One KMS host can handle Windows Server, Windows client editions, and Office volume products, depending on the host key you install.
Step 1: Install the KMS host key
On the server you’re using as the host, open Command Prompt as administrator and run:
slmgr /ipk <your-KMS-host-key>Swap in the 25-character key you received. You should get a message confirming the key installed.
Step 2: Activate the host with Microsoft
The host key itself needs activating once, online:
slmgr /atoIf the server has no internet, activate by phone instead. Run slmgr /dti, call the Microsoft activation line, then enter the confirmation ID with slmgr /atp <confirmation-id>. After this one-time step, the host is ready to activate clients.
Step 3: Open the firewall (TCP 1688)
KMS talks over TCP port 1688. On the host, allow it through Windows Firewall by enabling the built-in rule group:
netsh advfirewall firewall set rule group="Key Management Service" new enable=YesIf clients sit on other subnets, check that your routing and any hardware firewalls also allow 1688 through to the host.
Step 4: Confirm DNS auto-discovery
By default, clients find the host through a DNS SRV record (_VLMCS._TCP) the host publishes. In most Active Directory setups this just works. To check the record from a client:
nslookup -type=srv _vlmcs._tcp.<your-domain>Step 5: Activate your clients
Client machines that use a Generic Volume License Key (which is what volume editions of Windows and Office ship with) activate on their own once they can reach the host. To trigger or check it on a client:
slmgr /atoTo point a client at a specific host manually when you’re not using DNS auto-discovery:
slmgr /skms <kms-host-name-or-ip>:1688
slmgr /atoStep 6: Check activation status
On the host, see whether clients are checking in:
slmgr /dlvWatch the current count. KMS only starts activating once the count reaches its threshold (25 for Windows clients, 5 for servers), and the count climbs as machines check in. So on a brand new deployment, activation kicks in after enough clients have reported. On any client, check its own status with slmgr /dli.
How KMS keeps clients activated
KMS-activated machines re-check with the host every 180 days. As long as a client reaches the host inside that window, it stays activated with no manual renewal. A machine that’s off the network longer falls into a grace period and reactivates the next time it connects.
When something goes wrong
- “The count reported by your Key Management Service is insufficient.” You haven’t hit the threshold yet. Add more clients or give the count time to build.
- Clients can’t find the host. Check the DNS SRV record (Step 4) or set the host manually (Step 5), and confirm port 1688 is open.
- Error 0xC004F074 (no KMS host could be contacted). Usually a firewall or routing problem on port 1688, or the host isn’t activated. Re-check Steps 2 and 3.
- A product won’t activate. Make sure your host key supports that product group.
Need a genuine KMS host key?
We supply genuine Windows Server 2025 Standard KMS host keys with email delivery and activation help. Running a large fleet or reselling? Take a look at our wholesale and bulk volume licensing.
Still weighing centralised KMS against direct MAK activation? Our MAK vs KMS guide covers which one fits your network.
