KMS (Key Management Service) activation is essential to activate Windows operating systems in an enterprise environment. However, in October 2022, Microsoft changed the IP addresses of two KMS servers, which caused activation issues for customers in highly constrained environments.

This change impacted Azure Virtual Desktop users and caused a licensing popup to appear repeatedly on end-user desktops.

The symptoms of the KMS activation issue are an application event ID 8198, which states that Licensing Activation (slui.exe) failed with the error code 0xC00F074.

You can also see failed attempts to connect to the KMS server (running via Azure Traffic Manager) by running the command “netstat -ano 3 | findstr "SYN_SENT"” inside the virtual machine.

To check which KMS server the virtual machine is trying to use, you can run “nslookup azkms.core.windows.net”.

To resolve the KMS activation issue, add a network rule to the Azure Firewall that allows traffic from your source subnet to the new KMS IP addresses (40.83.235.53 and 20.118.99.224) on port 1688. To test whether the Azure Firewall is the cause, run the command “test-netconnection 20.118.99.224 -port 1688”. If the test fails, you must create a network rule in the Azure Firewall.

Here is a step-by-step guide to resolving the KMS activation issue:

  1. Log in to the Azure portal and navigate to your Azure Firewall.
  2. Click on the “Rules” option in the “Settings” section.
  3. Click on the “Add” button to create a new network rule.
  4. Give your network rule a name and description.
  5. In the “Source” section, select your source subnet.
  6. In the “Destination” section, add the new KMS IP addresses (40.83.235.53 and 20.118.99.224) and select port 1688.
  7. In the “Protocol” section, select “TCP”.
  8. In the “Action” section, select “Allow”.
  9. Click the “Review + create” button to create the network rule.
  10. Review the details and click on the “Create” button.

Once you have created the network rule, test the KMS activation again by running the command “test-netconnection 20.118.99.224 -port 1688”.

If the test is successful, then the KMS activation issue has been resolved.

Run “slmgr.vbs /ato” to reconnect with the KMS server.

You can also see corresponding Event IDs 12288, 1003, and 8230 showing that activation was successful.
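The checks described above can be combined into one script run from an elevated PowerShell session inside the virtual machine. This is an added example, not code from the original post or from Microsoft; the variable names, the 5-second wait, and filtering the Application log by event ID alone are assumptions.

```powershell
# Added example: KMS reachability and activation check for an Azure VM.
# The host name, IP addresses, port and event IDs are the ones quoted in this post.
$KmsName = 'azkms.core.windows.net'
$KmsIps  = @('40.83.235.53', '20.118.99.224')
$KmsPort = 1688
$Since   = Get-Date   # only report events written after this point

# 1. Which address does this VM resolve the KMS name to?
$resolved = Resolve-DnsName -Name $KmsName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } |
    Select-Object -ExpandProperty IPAddress
Write-Host "$KmsName resolves to: $($resolved -join ', ')"

# 2. Test TCP 1688 to the published IPs plus whatever DNS returned.
$targets = @($KmsIps + $resolved | Where-Object { $_ } | Sort-Object -Unique)
$results = foreach ($ip in $targets) {
    $t = Test-NetConnection -ComputerName $ip -Port $KmsPort -WarningAction SilentlyContinue
    [pscustomobject]@{ Address = $ip; Port = $KmsPort; Reachable = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

if (-not ($results | Where-Object Reachable)) {
    # Nothing answered: the firewall rule is missing or does not cover this subnet.
    Write-Warning "No KMS endpoint reachable on TCP $KmsPort. Check the Azure Firewall network rule."
}
else {
    # 3. Retry activation now that at least one endpoint is reachable.
    cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato

    # 4. Show licensing events written since the script started.
    #    8198 indicates a failed attempt; 12288, 1003 and 8230 accompany success.
    #    Assumption: filtering by ID only, so check ProviderName for unrelated sources.
    Start-Sleep -Seconds 5
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 8198, 12288, 1003, 8230
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName |
        Format-Table -AutoSize
}
```

If the table shows the resolved address as unreachable while one of the two published IPs is reachable, the firewall rule covers only part of the destination list.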

More details of this issue have been published by Microsoft here – Azure Windows Virtual Machine Activation: two new KMS IP addresses (…and why you should care) – Microsoft Community Hub

In conclusion, the KMS activation issue caused by the change in the KMS IP addresses is a common problem that can be quickly resolved by creating a network rule in the Azure Firewall. By following the steps outlined above, you can quickly and effectively resolve the issue and ensure that your Azure Virtual Desktop users have uninterrupted access to their Windows operating systems.

Thanks,

Dave Kawula MVP