Introduction
Are you struggling to activate Windows in your cloud-first organisation? As more businesses move to Azure AD (now Microsoft Entra ID) and embrace cloud management, traditional Windows activation methods like KMS and MAK keys are becoming obsolete.
This guide is for IT admins managing cloud-only environments, looking for a streamlined solution to Windows activation without relying on legacy on-prem infrastructure. We’ll explore the modern approach, perfectly suited for devices joined to Azure AD.
The Modern Windows Activation Dilemma: Beyond KMS and MAK
If your organisation is fully cloud-native, you’ve likely asked: “How do I activate Windows on company devices when we don’t use KMS or have access to MAK keys?”
Here’s why traditional methods fall short in a cloud-only world:
- KMS (Key Management Service): Requires on-premises infrastructure, a KMS host server, and relies on network connectivity. Not ideal for remote or cloud-managed devices.
- MAK (Multiple Activation Key): Involves manual key tracking, per-device activation limits, and lacks scalability for dynamic environments.
The Cloud-Native Solution: Subscription-Based Windows Activation
For organisations fully in the cloud—no KMS server, no on-prem Active Directory, and no desire to manage individual MAK keys—the answer lies in subscription-based activation. This method is specifically designed for cloud-native environments and integrates seamlessly with your Microsoft 365 licenses.
How Subscription-Based Windows Activation Works
- License Assignment: Users are assigned a qualifying license (e.g., Microsoft 365 E3/E5/A3/A5 or Windows Enterprise E3/E5).
- Device Join Type: Devices are Azure AD-joined or Hybrid Azure AD-joined.
- User Sign-in: The user signs in to the device with their Microsoft Entra ID (Azure AD) account.
- Automatic Activation: Windows automatically upgrades from Pro to Enterprise (if applicable) and activates silently.
Key Benefits: No product keys, no KMS, and no MAK required!
- Learn More: Microsoft Docs: Subscription Activation Overview
Requirements for Subscription-Based Windows Activation
| Requirement | Details |
|---|---|
| OS | Windows 10/11 Pro pre-installed |
| Join Type | Azure AD or Hybrid Azure AD |
| License | Microsoft 365 E3/E5/A3/A5, or Windows Enterprise E3/E5 |
| Management | Intune (recommended for policy enforcement and device management) |
- Tip: Check activation status by running
slmgr /xprin Command Prompt or navigating toSettings > System > Activation.
Best Practices for Cloud-Only Deployment
Implementing subscription-based activation in a fully cloud environment is straightforward:
- Ensure Devices Run Windows 10/11 Pro: This is the base OS required for upgrade.
- Join Devices to Azure AD: During Autopilot or Out-of-Box Experience (OOBE) setup.
- Assign Microsoft 365 E3/E5 Licenses: Via the Microsoft 365 Admin Centre or Intune.
- User Signs In with Entra ID: The device will then automatically upgrade to Enterprise and activate.
Note: You typically don’t need Intune’s Edition Upgrade policy for subscription activation, as the process is automatic.
What If You Don’t Have E3, E5, A3, or A5 Licenses?
If your organisation lacks the necessary Microsoft 365 E3/E5/A3/A5 or Windows Enterprise E3/E5 licenses, subscription-based activation for Windows Enterprise isn’t an option. However, alternatives exist:
- Microsoft 365 Business Premium (for SMBs):
- Includes Windows 11 Business (based on Pro with enhanced security).
- Supports Azure AD-joined devices and Intune management.
- No KMS or MAK needed; activation occurs through Microsoft account sign-in.
- Resource: Microsoft 365 Business Premium Licensing
- Purchase Windows Enterprise E3/E5 Add-on Separately:
- Available via the Cloud Solution Provider (CSP) program or volume licensing.
- Enables subscription activation at a lower cost than full Microsoft 365 suites.
- Compatible with Azure AD-joined devices.
- Resource: Windows Enterprise E3/E5 via CSP
- Fall Back to MAK or KMS (Not Recommended for Cloud-Only):
- If your licensing only includes Volume Activation keys, you might manually enter keys.
- However, this is highly discouraged for cloud-only setups due to manual tracking, infrastructure requirements (KMS), and lack of scalability.
Understanding KMS and MAK (and Why They Don’t Fit Cloud-Only)
To fully understand the shift, let’s briefly review KMS and MAK:
Multiple Activation Key (MAK)
- How it works: One-time activation directly with Microsoft using a unique key for each device.
- Best for: Small, disconnected, or fixed environments.
- Drawbacks of Cloud-Only:
- Manual key tracking and management.
- Limited activation counts (e.g., 100 activations for 100 unique devices).
- Not scalable for dynamic, frequently reimaged environments.
- No integration with Azure AD user licenses.
- Deployment with Intune (if absolutely necessary): You can deploy a MAK key via an Intune “Edition upgrade and mode switch” configuration profile. Windows will then attempt online activation. This is an edge case and not a recommended long-term solution for cloud-native organisations.
Key Management Service (KMS)
- How it works: Requires an on-premises KMS host server that devices contact for activation. Activation is via DNS auto-discovery.
- Best for: Traditional on-premises networks with domain-joined devices.
- Why it Fails in Cloud-Only:
- Requires on-prem infrastructure: Not natively supported by Azure AD.
- Network connectivity: Devices must consistently reach the KMS server (difficult without VPN or a hybrid setup).
- Periodic renewal: Activations expire every 180 days, requiring devices to re-contact the KMS host.
- No Azure AD integration: No link to user licenses or subscription entitlements.
- Intune and KMS (Hybrid/VPN only): Intune can deploy KMS client keys or set the KMS host name via PowerShell or OMA-URI, but this still requires line-of-sight to an on-prem KMS server. This is not a cloud-only solution.
Summary: Choosing Your Windows Activation Method
| Activation Method | Best For | Cloud-Only Support | Infrastructure Needed | Reusability | Activation Type |
|---|---|---|---|---|---|
| KMS | Hybrid or on-premises orgs | ❌ No native support | KMS host, AD DNS, VPN | Yes (re-checks every 180 days) | Internal (via KMS host) |
| MAK | Small or fixed-hardware deployments | ❌ Not scalable | Internet access. No server | No (permanent per device) | Online (one-time) |
| Microsoft 365 (Subscription) | Cloud-native, scalable environments | ✅ Yes | Azure AD and Intune | Per user | Cloud (automatic) |
Conclusion
For organisations fully committed to the cloud and leveraging Azure AD for user identities, subscription-based activation is the clear winner. It seamlessly integrates with your Microsoft 365 licenses, supports modern deployment scenarios like Windows Autopilot and Intune, and eliminates the complexities of legacy activation methods.
