Why did Windows activation fail on my EC2 Windows instance?

Last updated: 2021-07-13

I received a "Windows activation failed" message on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance. How can I fix this?

Short description

Windows instances use Microsoft Key Management Service (Microsoft KMS) on Amazon Web Services (AWS) for activation. You might get a Windows activation error message if your instance can’t reach the Microsoft KMS server. Or, there might be an issue with the Microsoft KMS client configuration.

You can either use an AWS Systems Manager Automation document or follow a manual process to activate Windows.

Resolution

Activate Windows using a Systems Manager Automation document

The AWSSupport-ActivateWindowsWithAmazonLicense Automation document activates an Amazon EC2 Windows instance with a license provided by Amazon. The automation checks the current status of Windows for your instance, and then activates Windows if the status is inactive.

Note: This solution isn't applicable for Bring Your Own License (BYOL) Windows instances. To use your own license, see Microsoft licensing on AWS.

1.    Open the AWS Systems Manager console. Be sure to select the same Region as the EC2 Windows instance that requires Windows activation.

2.    Choose Automation from the navigation pane, and then choose Execute automation.

3.    In the search field, enter ActivateWindowsWithAmazonLicense. Select the AWSSupport-ActivateWindowsWithAmazonLicense Automation document, and then choose Next.

4.    For Execute automation document, choose Simple execution.

5.    For Input parameters, turn on Show interactive instance picker.

6.    Choose your EC2 instance.

Note: If you don't see your instance in the list, then the instance isn't enabled for Systems Manager. Review the prerequisites for using Systems Manager to manage your Amazon EC2 instances.

If you don't want to enable Systems Manager, or if the instance isn't available in Input parameters, then turn off Show interactive instance picker. For InstanceID, enter the ID for your impaired EC2 instance. For AllowOffline, choose True.

Important: If you set AllowOffline to True, your EC2 instance stops and restarts. Data in instance store volumes is lost. The public IP address changes if you aren’t using an Elastic IP address.

7.    Choose Execute.

8.    To monitor the execution progress, open the Systems Manger console, and then choose Automation from the navigation pane. Choose the running automation, and then review the Executed steps. To view the automation output, expand Outputs.

Activate Windows manually

1.    Update EC2Config, or run the EC2Launch initialization script.

For Windows Server 2012 R2 and earlier: Update EC2Config, and then restart the instance.

For Windows Server 2016 and later: Run the following command to set the correct route to the Microsoft KMS server:

PS C:>Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"
PS C:>Add-Routes
PS C:>Set-ActivationSettings
PS C:>slmgr /ato

If Windows still isn't activated, proceed with step 2.

2.    Microsoft KMS runs on port 1688 as TCP traffic. Be sure to add an exception to allow Microsoft KMS traffic on any firewall or security software that controls outbound connections from your instance.

3.    Set your Windows KMS setup key. First, identify the correct Microsoft KMS client setup key for your operating system version. For more information, see KMS client setup keys on the Microsoft website. Then, run the following command as administrator:

slmgr.vbs /ipk <KMSSetupKey>

4.    Set your Windows KMS machine IP address. Instances that originate from a VM import or an older EC2-Classic instance might not have the correct IP addresses for the Microsoft KMS servers. Run the following command as administrator:

slmgr.vbs /skms 169.254.169.250:1688

5.    To activate Windows, run the following command as administrator:

slmgr /ato

6.    If the preceding step fails activation, then check the network communication from the instance to the Microsoft KMS server. To do this, perform telnet to the Microsoft KMS servers from the instance. Then, open PowerShell and enter the following commands:

Test-netconnection 169.254.169.250 -Port 1688
Test-netconnection 169.254.169.251 -Port 1688

Verify that the connection status output is TcpTestSuccessed=True. If the connection status output is False, proceed to step 7.

7.    Verify that the following registry keys have the correct Microsoft KMS values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SoftwareProtectionPlatform
KeyManagementServiceName - 169.254.169.250 or 169.254.169.251
KeyManagementServicePort - 1688

8.    Rerun the test in step 6. If the connection status output is still False, then verify that the Time sync on your EC2 instance. For more information, see Set the time for a Windows instance.