This blog contains important information about KMS IP addresses changes that may impact Windows Virtual machine activations for customers who configured custom routes or firewall rules to allow KMS IP addresses. 

Who will be affected?

In July 2022, we announced two new KMS IP addresses, 20.118.99.224 and 40.83.235.53, in Azure Global Cloud via Azure Update - Generally available: New KMS DNS in Azure Global Cloud. We expect that most Azure Windows Virtual Machine customers will not be impacted; however, Azure Global Cloud customers who have followed trouble-shooting guides, like the ones listed below, to configure custom routes or firewall rules that allow Windows VMs to reach KMS IP address in the past, must take actions to include these two new KMS two new KMS IP addresses, 20.118.99.224 and 40.83.235.53. Otherwise, after October 3^rd, 2022, your Windows Virtual Machines will report warnings of failing to reach Windows Licensing Servers for activation.

• https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation
• https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems
• https://docs.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop

How will they be affected?

As explained in Generally available: New KMS DNS in Azure Global Cloud, most Windows Virtual Machines in Global Cloud rely on new azkms.core.windows.net for Windows Activation. The new azkms.core.windows.net is currently pointing to kms.core.windows.net. After October 3^rd, 2022, azkms.core.windows.net will point to two new IP addresses 20.118.99.224 and 40.83.235.53.

For customers who follow https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation, without taking the actions to include these two new IP addresses 20.118.99.224 and 40.83.235.53 in custom routes, your Windows Virtual Machines will not be able to connect to new KMS server for Windows Activation.

For customers who follow https://docs.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop, without taking the actions to include these two new IP addresses 20.118.99.224 and 40.83.235.53 in firewall rules, your Windows Virtual Machines will not be able to connect to new KMS server for Windows Activation.

When failing to connect to KMS server for activation, Azure Windows Virtual Machines report warnings like the following - 

“We can't activate Windows on this device as we can't connect to your organization's activation server. Make sure you're connected to your organization's network and try again. If you continue having problems with activation, contact your organization's support person. Error code: 0xC004F074.”

As explained in Key Management Services (KMS) activation planning, “KMS activations are valid for 180 days, a period known as the activation validity interval. KMS clients must renew their activation by connecting to the KMS host at least once every 180 days to stay activated. By default, KMS client computers attempt to renew their activation every seven days. After a client's activation is renewed, the activation validity interval begins again”. Within the 180-day KMS activate validity interval, customers can still access the full functionality of the Windows virtual machine. Customers should fix activation issues during the 180-day KMS activation validity interval.

Action required

To customers who follow https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation, include these two new IP addresses 20.118.99.224 and 40.83.235.53 in custom routes before October 3^rd, 2022.

To customers who follow https://docs.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop, include these two new IP addresses 20.118.99.224 and 40.83.235.53 in firewall rules before October 3^rd, 2022.

How to check

You can remote login to your Windows Virtual Machines and complete the following:

1. Open PowerShell.
2. Run the following command to confirm the connectivity to new KMS IP addresses:

test-netconnection azkms.core.windows.net -port 1688

test-netconnection 20.118.99.224 -port 1688

test-netconnection 40.83.235.53 -port 1688

3. If the connections are successful, no more action is needed.
4. If the connection(s) fails, you need to go to the “Action required” section.

Important timeline

1. After October 3^rd, 2022, most Azure Windows Virtual Machines will rely on two new KMS IP addresses 20.118.99.224 and 40.83.235.53 for Windows Activation, when azkms.core.windows.net points to these two new IP addresses.

2. After March 1^st, 2023, all Azure Windows Virtual Machines will rely on two new KMS IP addresses 20.118.99.224 and 40.83.235.53 for Windows Activation, when kms.core.windows.net points to 20.118.99.224.