{"id":519894,"date":"2022-07-03T10:44:00","date_gmt":"2022-07-03T17:44:00","guid":{"rendered":"https:\/\/jorgep.com\/blog\/?p=519894"},"modified":"2026-02-18T13:02:17","modified_gmt":"2026-02-18T20:02:17","slug":"moving-away-from-kms-server-when-moving-to-modern-device-management","status":"publish","type":"post","link":"https:\/\/jorgep.com\/blog\/moving-away-from-kms-server-when-moving-to-modern-device-management\/","title":{"rendered":"Moving away from KMS Server when moving to Modern Device Management"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\"><strong>Simplifying Windows Licensing During the Shift to Intune and Azure AD<\/strong><\/h4>\n\n\n\n<p><\/p>\n\n\n\n<p>Many organizations are transitioning away from traditional, device\u2011based Windows licensing models toward a more flexible <strong>user\u2011based licensing approach<\/strong> that aligns with Microsoft\u2019s cloud\u2011first strategy. At the same time, IT environments are evolving from <strong>domain\u2011joined, on\u2011premises infrastructures<\/strong> to <strong>Intune\u2011managed, Microsoft Entra ID\u2013joined<\/strong> devices.<\/p>\n\n\n\n<p>While these changes bring clear benefits, they also expose legacy assumptions around Windows activation\u2014particularly for environments that historically relied on <strong>Key Management Services (KMS)<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Moving Away from KMS\u2011Based Activation<\/h2>\n\n\n\n<p>In traditional environments, Windows devices commonly activated through an on\u2011premises KMS server. This model worked well when devices were domain\u2011joined and had reliable network connectivity to the KMS host.<\/p>\n\n\n\n<p>As organizations retire on\u2011premises infrastructure and move devices to Entra ID join with Intune management, those same devices can no longer reach the KMS server. When this happens, devices that still have <strong>KMS client configuration (GVLKs)<\/strong> installed remain in an unactivated state.<\/p>\n\n\n\n<p>This often manifests as persistent <strong>\u201cActivate Windows\u201d<\/strong> messages\u2014especially when local or non\u2011enterprise users sign in. Importantly, this is not a failure of modern licensing, but rather a result of <strong>legacy KMS configuration preventing Windows from using alternative activation paths<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding the Modern Windows Licensing Model<\/h2>\n\n\n\n<p>It is important to separate <strong>base OS activation<\/strong> from <strong>Enterprise enablement<\/strong>, as they are often conflated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Base OS Activation (Device\u2011Based)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows <strong>Pro<\/strong> must be activated at the device level.<\/li>\n\n\n\n<li>Activation typically occurs using:\n<ul class=\"wp-block-list\">\n<li>An <strong>OEM firmware\u2011embedded (digital) license<\/strong>, or<\/li>\n\n\n\n<li>A <strong>MAK<\/strong> (in limited or special scenarios)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise Enablement (User\u2011Based)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows <strong>Enterprise<\/strong> is enabled via <strong>subscription activation<\/strong>.<\/li>\n\n\n\n<li>When a user with a qualifying Windows Enterprise license signs in:\n<ul class=\"wp-block-list\">\n<li>Enterprise features are unlocked for that session.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>When a non\u2011licensed or local user signs in:\n<ul class=\"wp-block-list\">\n<li>The device remains activated as <strong>Windows Pro<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Windows does not change the installed OS image. Instead, the <strong>edition entitlement is dynamically enabled or disabled based on the signed\u2011in user<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<p>This model provides flexibility and compliance\u2014but <strong>only if the underlying Pro activation is healthy<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Devices Don\u2019t Automatically \u201cFall Back\u201d from KMS<\/h2>\n\n\n\n<p>A common assumption is that if a device can no longer reach a KMS server, Windows will automatically revert to the OEM Pro license. <strong>This does not reliably happen.<\/strong><\/p>\n\n\n\n<p>If a <strong>KMS client key (GVLK)<\/strong> is installed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows continues to expect KMS activation<\/li>\n\n\n\n<li>OEM activation is not attempted<\/li>\n\n\n\n<li>Subscription activation cannot occur<\/li>\n<\/ul>\n\n\n\n<p>As a result, devices remain unactivated even though a valid OEM license may still exist in firmware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Correcting Activation Issues<\/h2>\n\n\n\n<p>To restore proper activation behavior, the legacy KMS configuration must be removed so Windows can activate using its intended base license.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key remediation steps typically include:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Removing the existing KMS client key<\/li>\n\n\n\n<li>Clearing cached licensing information<\/li>\n\n\n\n<li>Allowing Windows to re\u2011activate using the embedded OEM license<\/li>\n\n\n\n<li>Verifying successful Pro activation before relying on Enterprise subscription activation<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Important:<\/strong> In most modern OEM devices, the Windows Pro license is already embedded in firmware. In many cases, <strong>you do not need to retrieve or redeploy the OEM key manually<\/strong>\u2014Windows will automatically read it once KMS is removed.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Retrieving the Embedded OEM Product Key (Optional)<\/h2>\n\n\n\n<p>If verification is required, the embedded OEM key can be queried directly from firmware:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\npowershell \"(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey\"<\/code><\/pre>\n\n\n\n<p>If a key is returned, the device already has a valid OEM entitlement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Useful Activation Commands<\/h2>\n\n\n\n<p>The <strong>Software Licensing Manager (slmgr.vbs)<\/strong> remains the primary tool for inspecting and correcting Windows activation state.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Command<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>slmgr \/dlv<\/code><\/td><td>Displays detailed license information, including activation channel and license status<\/td><\/tr><tr><td><code>slmgr \/upk<\/code><\/td><td>Uninstalls the currently installed product key (commonly used to remove KMS keys)<\/td><\/tr><tr><td><code>slmgr \/cpky<\/code><\/td><td>Clears the product key from the registry<\/td><\/tr><tr><td><code>slmgr \/ato<\/code><\/td><td>Forces an immediate online activation attempt<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Typical Remediation Flow<\/h2>\n\n\n\n<p>A standard remediation process for a single device might look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slmgr \/upk\n\nslmgr \/cpky<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reboot (recommended)<\/li>\n\n\n\n<li>Allow Windows to re\u2011detect the OEM license automatically<br><em>(Manual OEM key installation is only required if activation does not occur)<\/em><\/li>\n<\/ul>\n\n\n\n<p>If needed:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slmgr \/ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX\n\nslmgr \/ato\n\nslmgr \/dlv<\/code><\/pre>\n\n\n\n<p>Once Windows Pro is activated successfully:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Local users remain on Pro<\/li>\n\n\n\n<li>Enterprise\u2011licensed users receive automatic Enterprise enablement via subscription activation<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Preventing Reintroduction of KMS<\/h2>\n\n\n\n<p>As part of this transition, organizations should ensure that KMS is not unintentionally reintroduced through:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Legacy imaging or task sequences<\/li>\n\n\n\n<li>Volume License media with GVLKs<\/li>\n\n\n\n<li>Startup scripts or scheduled tasks<\/li>\n\n\n\n<li>Residual Group Policy settings<\/li>\n\n\n\n<li>Autopilot or provisioning workflows that inject KMS keys<\/li>\n<\/ul>\n\n\n\n<p>Modern, cloud\u2011native provisioning should <strong>never require KMS<\/strong> for Windows client activation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Improving Intune and Deployment Workflows<\/h2>\n\n\n\n<p>Many organizations use this transition as an opportunity to review their broader <strong>Intune and device lifecycle strategy<\/strong>. Engaging OEMs or service providers\u2014such as Dell or Microsoft\u2014can help identify:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Activation and provisioning optimizations<\/li>\n\n\n\n<li>Autopilot and enrollment improvements<\/li>\n\n\n\n<li>Policy simplification opportunities<\/li>\n\n\n\n<li>Legacy dependency cleanup<\/li>\n<\/ul>\n\n\n\n<p>When paired with proper license remediation, these improvements help ensure a smooth and sustainable move to modern device management.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p>Retiring KMS is not just a licensing change\u2014it\u2019s a <strong>foundational requirement<\/strong> for modern, cloud\u2011managed Windows devices. By removing legacy KMS configuration and ensuring proper Pro activation, organizations enable Windows to function exactly as designed in an Intune\u2011 and Entra ID\u2011managed world.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">References<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/get-started\/activation-slmgr-vbs-options\" target=\"_blank\" rel=\"noreferrer noopener\">Slmgr.vbs Options for Obtaining Volume Activation Information | Microsoft Learn<\/a><\/li>\n\n\n\n<li>See Also my many other articles <\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">See Also<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>My other articles on\u00a0<a href=\"https:\/\/jorgep.com\/blog\/tag\/windows-autopilot\/\">Windows Autopilot<\/a>\u00a0and\u00a0<a href=\"https:\/\/jorgep.com\/blog\/tag\/modern-device-management\/\">Modern Device Management<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<div class=\"wp-block-template-part\"><style>.wp-block-kadence-advancedheading.kt-adv-heading395113_c650df-47, .wp-block-kadence-advancedheading.kt-adv-heading395113_c650df-47[data-kb-block=\"kb-adv-heading395113_c650df-47\"]{text-align:center;font-size:var(--global-kb-font-size-md, 1.25rem);line-height:60px;font-style:normal;background-color:#f5a511;}.wp-block-kadence-advancedheading.kt-adv-heading395113_c650df-47 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading395113_c650df-47[data-kb-block=\"kb-adv-heading395113_c650df-47\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading395113_c650df-47 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading395113_c650df-47[data-kb-block=\"kb-adv-heading395113_c650df-47\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<p class=\"kt-adv-heading395113_c650df-47 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading395113_c650df-47\">Subscribe to <a href=\"https:\/\/go.35s.be\/jtb\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>JorgeTechBits  newsletter<\/strong><\/a><\/p>\n<\/div>\n\n\n<div style=\"font-family: Verdana, Geneva, sans-serif; font-size: 11px;\"><b>Disclaimer<\/b>: \u00a0I work for <a href=\"https:\/\/www.dell.com\/en-us\/work\/learn\/by-service-type-deployment\">Dell Technology Services<\/a> as a Workforce Transformation Solutions Principal.\u00a0 \u00a0 It is my passion to help guide organizations\u00a0through the current technology transition specifically as it relates to <a href=\"https:\/\/www.delltechnologies.com\/en-us\/what-we-do\/workforce-transformation.htm\">Workforce Transformation<\/a>.\u00a0 Visit <a href=\"https:\/\/www.delltechnologies.com\/en-us\/index.htm\">Dell Technologies<\/a>\u00a0site for more information.\u00a0 Opinions are my own and not the views of my employer.<\/div>\n<div><\/div><br>\n","protected":false},"excerpt":{"rendered":"<p>Simplifying Windows Licensing During the Shift to Intune and Azure AD Many organizations are transitioning away from traditional, device\u2011based Windows licensing models toward a more flexible user\u2011based licensing approach that aligns with Microsoft\u2019s cloud\u2011first strategy. At the same time, IT environments are evolving from domain\u2011joined, on\u2011premises infrastructures to Intune\u2011managed, Microsoft Entra ID\u2013joined devices. While these&#8230;<\/p>\n","protected":false},"author":2,"featured_media":365026,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","ngg_post_thumbnail":0,"episode_type":"","audio_file":"","podmotor_file_id":"","podmotor_episode_id":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","filesize_raw":"","date_recorded":"","explicit":"","block":"","itunes_episode_number":"","itunes_title":"","itunes_season_number":"","itunes_episode_type":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[681,441],"tags":[742,875,779],"class_list":["post-519894","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-moderneuc2","category-tech-talk","tag-moderneuc1","tag-windows-10-eol","tag-windows-11"],"taxonomy_info":{"category":[{"value":681,"label":"ModernEUC"},{"value":441,"label":"Tech Talk"}],"post_tag":[{"value":742,"label":"ModernEUC"},{"value":875,"label":"Windows 10 End-Of-Life"},{"value":779,"label":"Windows 11"}]},"featured_image_src_large":["https:\/\/jorgep.com\/blog\/wp-content\/uploads\/2017\/06\/Windows10Logo2.png",780,330,false],"author_info":{"display_name":"Jorge Pereira","author_link":"https:\/\/jorgep.com\/blog\/author\/jorge\/"},"comment_info":0,"category_info":[{"term_id":681,"name":"ModernEUC","slug":"moderneuc2","term_group":0,"term_taxonomy_id":691,"taxonomy":"category","description":"","parent":0,"count":261,"filter":"raw","cat_ID":681,"category_count":261,"category_description":"","cat_name":"ModernEUC","category_nicename":"moderneuc2","category_parent":0},{"term_id":441,"name":"Tech Talk","slug":"tech-talk","term_group":0,"term_taxonomy_id":451,"taxonomy":"category","description":"","parent":0,"count":671,"filter":"raw","cat_ID":441,"category_count":671,"category_description":"","cat_name":"Tech Talk","category_nicename":"tech-talk","category_parent":0}],"tag_info":[{"term_id":742,"name":"ModernEUC","slug":"moderneuc1","term_group":0,"term_taxonomy_id":752,"taxonomy":"post_tag","description":"","parent":0,"count":284,"filter":"raw"},{"term_id":875,"name":"Windows 10 End-Of-Life","slug":"windows-10-eol","term_group":0,"term_taxonomy_id":885,"taxonomy":"post_tag","description":"","parent":0,"count":12,"filter":"raw"},{"term_id":779,"name":"Windows 11","slug":"windows-11","term_group":0,"term_taxonomy_id":789,"taxonomy":"post_tag","description":"","parent":0,"count":23,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/519894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/comments?post=519894"}],"version-history":[{"count":6,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/519894\/revisions"}],"predecessor-version":[{"id":519903,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/519894\/revisions\/519903"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media\/365026"}],"wp:attachment":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media?parent=519894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/categories?post=519894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/tags?post=519894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}