This blog contains important information about KMS IP addresses changes that may impact Windows Virtual machine activations for Azure China Cloud customers who configured custom routes or firewall rules to allow KMS IP addresses. 

 

Who will be affected?

 

On September 19, 2022, we announced a new KMS DNS, azkms.core.chinacloudapi.cn and two new KMS IP addresses, 159.27.28.100 and 163.228.64.161, in Azure China Cloud via Azure Update - Generally available: New KMS DNS in Azure China Cloud. We expect that most Azure Windows Virtual Machine customers in Azure China Cloud will not be impacted. However, Azure China Cloud customers who have followed trouble-shooting guides, like the ones listed below, to configure custom routes or firewall rules that allow Windows VMs to reach KMS DNS and IP addresses in the past, must take actions to include the new DNS azkms.core.chinacloudapi.cn and the new KMS IP addresses, 159.27.28.100 and 163.228.64.161. Otherwise, after December 15th, 2022, your Windows Virtual Machines will report warnings of failing to reach Windows Licensing Servers for activation.

• https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation
• https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems
• https://docs.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop

 

How will customers be affected?

 

As explained in Generally available: New KMS DNS in Azure China Cloud, after December 15th, 2022, most Windows Virtual Machines in Azure China Cloud will rely on new azkms.core.chinacloudapi.cn for Windows Activation. azkms.core.chinacloudapi.cn will point to two new IP addresses 159.27.28.100 and 163.228.64.161.

 

For Azure China Cloud customers who follow https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation, without taking the actions to include these two new IP addresses 159.27.28.100 and 163.228.64.161 in custom routes, your Windows Virtual Machines will not be able to connect to new KMS server for Windows Activation.

 

For Azure China Cloud customers who follow https://docs.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop, without taking the actions to include these two new IP addresses 159.27.28.100 and 163.228.64.161 in firewall rules, your Windows Virtual Machines will not be able to connect to new KMS server for Windows Activation.

 

When failing to connect to KMS server for activation, Azure Windows Virtual Machines report warnings like the following - 

“We can't activate Windows on this device as we can't connect to your organization's activation server. Make sure you're connected to your organization's network and try again. If you continue having problems with activation, contact your organization's support person. Error code: 0xC004F074.”

 

As explained in Key Management Services (KMS) activation planning, “KMS activations are valid for 180 days, a period known as the activation validity interval. KMS clients must renew their activation by connecting to the KMS host at least once every 180 days to stay activated. By default, KMS client computers attempt to renew their activation every seven days. After a client's activation is renewed, the activation validity interval begins again”. Within the 180-day KMS activate validity interval, customers can still access the full functionality of the Windows virtual machine. Customers should fix activation issues during the 180-day KMS activation validity interval.

 

Action required

 

To Azure China Cloud customers who follow https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation, include these two new IP addresses 159.27.28.100 and 163.228.64.161 in custom routes before December 15th, 2022.

 

To Azure China Cloud customers who follow https://docs.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop, include these two new IP addresses 159.27.28.100 and 163.228.64.161 in firewall rules before December 15th, 2022.

 

How to check

 

You can remote login to your Windows Virtual Machines and complete the following:

1. Open PowerShell.
2. Run the following command to confirm the connectivity to new KMS IP addresses:

test-netconnection azkms.core.chinacloudapi.cn -port 1688

test-netconnection 159.27.28.100 -port 1688

test-netconnection 163.228.64.161 -port 1688

3. If the connections are successful, no more action is needed.
4. If the connection(s) fails, you need to go to the “Action required” section.

 

Important timeline

 

1. After December 15th, 2022, 2022, most Azure Windows Virtual Machines will rely on two new KMS IP addresses 159.27.28.100 and 163.228.64.161 for Windows Activation, when new DNS azkms.core.chinacloudapi.cn is rolled out in Azure China Cloud.

 

2. After March 1^st, 2023, all Azure Windows Virtual Machines will rely on two new KMS IP addresses 159.27.28.100 and 163.228.64.161 for Windows Activation, when kms.core.chinacloudapi.cn points to 159.27.28.100 and 163.228.64.161 in Azure China Cloud.