Rohit shows you how
to active your EC2 Windows license
using an SSM Automation document


I get a message on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance that says "Windows activation failed." How do I resolve this?

Windows might fail to activate for a variety of reasons. Windows instances use AWS Key Management Service (AWS KMS) for activation. You might receive a Windows activation error message if your instance can't reach the AWS KMS server.

Automated Version

The AWSSupport-ActivateWindowsWithAmazonLicense automation document activates an Amazon EC2 Windows Server instance with a license provided by Amazon. The automation checks the current status of Windows for your instance, and then activates Windows if the status is inactive.

Note: This solution can't be used with Bring Your Own License (BYOL) Windows instances. To use your own license, see Microsoft Licensing on AWS.

  1. Open the AWS Systems Manager console.
  2. Verify that you are in the Region where your EC2 instance is.
  3. Open the AWSSupport-ActivateWindowsWithAmazonLicense document.
  4. In Execution Mode, choose Execute the entire automation at once.
  5. In Input parameters, in the InstanceId field, enable Show interactive instance picker.
  6. Choose your EC2 instance.
    Note: If you don't see your instance in the list, it's not enabled for AWS Systems Manager. To configure AWS Identity and Access Management (IAM) for SSM Agent, see Create an Instance Profile for Systems Manager.
  7. (Optional) If you don't want to enable AWS Systems Manager, or the instance is not available in Input parameters, follow this step. Manually enter your instance ID in the InstanceId field, and then set the input parameter AllowOffline to True.
    Important: Your instance will stop and restart. Data in store volumes will be lost. The public IP address changes if you are not using an Elastic IP address.
  8. Choose Execute automation.
  9. To monitor the execution progress, choose the running automation, and then choose Executed steps. To view the output of the automation, expand Outputs.

Manual Version

Update the EC2Config service (Windows Server 2012 R2 and earlier): The EC2Config service adds the required network routes for your instance to reach the AWS KMS activation servers. If the EC2Config service is out of date, you might receive an activation error. You can get the latest update from the Amazon Windows EC2Config Service page. After the update, verify that the required network routes are present by running this command in a command prompt window:

route print

You should see entries listed for the IP addresses and

Run the EC2Launch initialization script (Windows Server 2016 and later): Open PowerShell on the EC2 Windows instance you want to activate, and then run these commands:

& cscript "${env:SYSTEMROOT}\system32\slmgr.vbs" /ato

Update AWS Windows drivers: Outdated drivers can also cause Windows activation problems. Be sure that you are using the latest Drivers According to Windows Version. To verify your driver version, check the Amazon EC2 console:

  1. In the navigation pane, choose Instances, and then choose your instance.
  2. Choose Actions, Instance Settings, and then choose Get System Log.

If the driver versions are outdated, follow the instructions for Upgrading PV Drivers on Your Windows AMI.

Check your firewall/security software: AWS KMS runs on port 1688 as TCP traffic. If you have security or firewall software in place that controls outbound connections from your instance, add an exception to allow the AWS KMS traffic.

Target IP address


Traffic type






Set your Windows AWS KMS setup key: When activating Windows with AWS KMS, generic keys are used based on your operating system version. Some commonly used ones are:

Operating system edition
AWS KMS client setup key
Windows Server 2012 BN3D2-R7TKB-3YPBD-8DRP2-27GG4
Windows Server 2012 R2 Datacenter W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
Windows Server 2008 R2 Standard YC6KT-GKW9T-YTKYR-T4X34-R7VHC

For more information about Windows editions and KMS client setup keys, see Appendix A: KMS Client Setup Keys on the Microsoft website. Locate the correct Windows key, open an administrator command prompt, and then run:

slmgr.vbs /ipk <KMSSetupKey>

Set your Windows AWS KMS machine IP address: If your instance originates from a VM import or an older EC2-Classic instance, the instance might not have the correct IP addresses for the AWS KMS servers. Set your AWS KMS server by running the following command in an administrator command prompt window:

slmgr.vbs /skms

Activate Windows: Open an administrator command prompt, and then run:

slmgr /ato

A successful product activation message should appear.

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2014-07-03

Updated: 2018-10-30