How to Troubleshoot Microsoft 365 Apps Activation Errors
Why This Is Happening
You open Word or Excel, and instead of getting straight to work, you're hit with a wall of text: "Product Activation Failed" or "We couldn't activate Office." Maybe it worked fine yesterday. Maybe it's been broken since day one on a new machine. Either way, I know this is frustrating , especially when it blocks your work and you have a deadline sitting two hours away.
Here's the reality: most Microsoft 365 Apps activation errors aren't caused by a broken install or an expired license. The real culprit, far more often than Microsoft's error messages suggest, is a broken or unauthorized KMS (Key Management Service) host hiding somewhere on your network , or a misconfigured DNS SRV record pointing your machine to the wrong activation server entirely.
KMS is Microsoft's volume licensing activation system. In an enterprise environment, instead of each machine calling out to Microsoft's servers directly, they call a local KMS host inside the corporate network. That host validates the licenses. When that chain breaks, when the KMS host is missing, overloaded, broadcasting incorrect records, or was set up by mistake by someone who entered the wrong product key, every Office client on your network can fail to activate simultaneously.
This particular failure mode catches IT teams off guard because the error message the end user sees ("Unlicensed Product") gives zero indication that the real problem is sitting in DNS. I've seen this exact scenario on dozens of networks: the Office install is perfectly fine, the license is valid, but a rogue KMS host, sometimes set up years ago by accident, is poisoning DNS and sending activation requests into a black hole.
What makes troubleshooting Microsoft 365 Apps activation especially tricky is the layered architecture. You've got DNS SRV records (_vlmcs._tcp), the Software Protection Service (sppsvc), the slmgr.vbs management script, and the KMS host license packs, all of which need to be aligned. Break any link in that chain and activation silently fails.
This guide cuts through all of it. We'll use the exact same diagnostic approach Microsoft's senior support engineers use internally: start with DNS discovery, identify whether unauthorized KMS hosts exist, remove them cleanly, and verify the fix. Whether you're managing five machines or five thousand, the process is the same. Browse all Microsoft fix guides →
The good news: once you know where to look, most of these Microsoft 365 Apps activation problems are completely fixable without reformatting, without reinstalling Office, and without a call to support.
The Quick Fix, Try This First
Before you go digging through registry keys and DNS Manager, run this one command. It's the fastest way to figure out whether your Microsoft 365 Apps activation problem is network-side (KMS/DNS) or machine-side (local config). Open a Command Prompt, no need for admin elevation just yet, and run this:
nslookup -type=srv _vlmcs._tcp >%temp%\kms.txtThen open that file. You'll find it at C:\Users\[YourName]\AppData\Local\Temp\kms.txt. What you're looking for is a block that looks something like this:
_vlmcs._tcp.contoso.com SRV service location:
priority = 0
weight = 0
port = 1688
svr hostname = kms-server.contoso.comIf you see one clean entry pointing to your organization's known KMS server, great. The DNS side is fine. The problem is local. Jump straight to Step 3 in this guide.
If you see multiple entries, or an entry pointing to a hostname you don't recognize, that's your smoking gun. There's an unauthorized KMS host on the network, and it's advertising itself through DNS. Your Office clients are finding it and trying to activate through it, but failing, because it either doesn't have the right license pack or was set up by accident.
If the output is empty or you get a "Non-existent domain" error, your DNS doesn't have any KMS SRV records at all. In that case, your KMS host either was never configured, or the DNS registration failed. You'll need to set up the KMS host correctly, or switch to MAK (Multiple Activation Key) licensing if KMS isn't right for your environment.
This single command has saved me hours on countless troubleshooting calls. Run it first, every time. It tells you immediately whether you're dealing with a DNS/network problem or a local machine problem, and that changes everything about your next steps.
Start your Microsoft 365 Apps troubleshooting at the DNS layer, not on the machine. This is where unauthorized KMS hosts leave their tracks. Open a standard Command Prompt (no elevation needed for this step) on any machine in the affected network.
Run the following command exactly as written:
nslookup -type=srv _vlmcs._tcp >%temp%\kms.txtOpen the resulting kms.txt file in Notepad. Read through every entry. You're checking two things: the number of entries and the hostnames listed.
In a healthy environment, you should see one (or perhaps two, for redundancy) entries pointing to a known, intentionally configured KMS server. Write down every hostname you see in the output. Then cross-reference that list against your IT asset inventory or SCCM/Intune data.
Any hostname that isn't in your authorized KMS server list is an unauthorized host. This is exactly the scenario Microsoft's documentation warns about: a machine that accidentally received a KMS host product key (instead of a standard client key) and started broadcasting as a KMS host. Your Office clients found it through DNS auto-discovery, because that's how KMS is designed to work, and have been trying to activate through it ever since.
Write down every unauthorized hostname. You'll need that list for Steps 2 and 3. If you're working in a large environment, run this nslookup command from multiple VLANs or subnets, DNS replication can mean the picture looks different depending on which DNS server responds.
If everything checks out and only your legitimate KMS server appears, skip ahead to Step 4 to troubleshoot the local machine configuration instead.
Once you have a list of suspicious hostnames from Step 1, you need to log into each of those machines (or remotely connect via RDP or PowerShell remoting) and verify what's actually running on them. This is different depending on whether you're dealing with an unauthorized Windows KMS host or an unauthorized Office KMS host.
For a suspected unauthorized Office KMS host, open an elevated Command Prompt on the machine in question and run:
cscript slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864That long GUID is the Activation ID for the Office 2010 KMS Host License Pack. If this machine has that pack installed and active, the output will show two very telling fields: Partial Product Key: XXXXX and License Status: Licensed. That's your confirmation, this machine is actively running as an Office KMS host.
For a suspected unauthorized Windows KMS host, the diagnosis is slightly different. Run:
cscript slmgr.vbs /dliRead through the license information output. If the machine is running a Windows KMS host key rather than a standard Windows client key, it will be evident in the "License Description" field. This situation typically happens when someone accidentally typed a KMS host product key during Windows setup, it's more common than you'd think, especially in environments where product keys are shared in spreadsheets.
If you need to check across multiple Office versions (2013, 2016, 2019), you can dump all license information in one shot with this command, just replace C:\path with an actual folder that exists on the machine:
slmgr.vbs /dlv All >C:\temp\kmsinfo.txtOpen that file and search for "Office." Find any Office KMS host installation entries, note the Activation ID, and you'll have everything you need to proceed.
Now the actual fix begins. If the machine from Step 2 is running as an unauthorized Windows KMS host, most likely because someone entered the wrong product key, here's how to clean it up properly.
Open an elevated Command Prompt on the machine (right-click Command Prompt → "Run as administrator"). Replace the KMS host key with a legitimate Windows client key using this command, substituting your actual 25-character Windows product key:
cscript slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxxOnce that runs, you need to restart the Software Protection Service to prevent any instability in the license manager. Don't just reboot the machine, restart the service directly so clients aren't left waiting:
net stop sppsvc
net start sppsvcNow verify the change took effect by pulling the current license information:
cscript slmgr.vbs /dliThe output should now reflect a standard Windows client edition, not a KMS host configuration. If it looks correct, move to the DNS cleanup.
Open DNS Manager on your DNS server (not on the machine you just fixed). Navigate to the appropriate forward lookup zone for your domain. Look for _vlmcs SRV records in the zone, they'll typically sit under a subfolder named _tcp. Delete every _vlmcs SRV record that points to the machine you just cleaned up. Don't delete SRV records for your legitimate KMS servers.
After the DNS record is removed, wait for replication to propagate (usually 15 minutes in a standard AD environment) and then re-run the nslookup diagnostic from Step 1 to confirm the unauthorized entry is gone.
Removing an unauthorized Office KMS host is a bit more deliberate than the Windows variant. Setting up an Office KMS host isn't something that happens by accident easily, it requires a specific Office KMS Host product key and the installation of the Microsoft Office KMS Host License Pack. So when you find one, it was probably set up intentionally at some point, just maybe not by anyone who's still around to ask about it.
Regardless, the cleanup process is straightforward. On the machine running the unauthorized Office KMS host, open an elevated Command Prompt and verify the host status one more time before making changes:
cscript slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864If you confirmed in Step 2 that this machine is licensed as an Office KMS host, proceed to uninstall the Office KMS Host License Pack. Go to Control Panel → Programs → Programs and Features. Look for an entry called "Microsoft Office 2010 KMS Host License Pack" (or the corresponding version for 2013, 2016, or 2019). Right-click it and select Uninstall.
For Office 2016 and 2019 KMS host packs, the uninstall works the same way, the interface and location are identical, just the entry name reflects the version. If you're not sure which version pack is installed, run the full dump command from Step 2 and search the output for "KMS Host."
After uninstalling, restart the Software Protection Service again:
net stop sppsvc
net start sppsvcThen head back to DNS Manager and remove the _vlmcs SRV records tied to this machine, exactly as described in Step 3. Run the nslookup diagnostic again to confirm the record is gone. Once it is, Office clients that were previously pointing at this host should fall back to finding your legitimate KMS server through DNS, and activate successfully.
You've cleaned up the KMS host and the DNS records. Now you need to confirm that your Office clients are actually picking up the change and activating correctly. DNS TTLs and local caches mean clients don't always notice the fix immediately, don't just wait and hope.
On any affected client machine, open an elevated Command Prompt and force Office to re-attempt KMS activation. First, check what your Office client currently believes about its license status:
cscript slmgr.vbs /dliIf the machine is still showing as unlicensed or pointing to the old KMS host, flush the DNS resolver cache to make sure stale entries aren't in play:
ipconfig /flushdnsThen re-run the nslookup SRV check to confirm the client can now see only your legitimate KMS server in DNS:
nslookup -type=srv _vlmcs._tcpIf everything looks correct in DNS, force an immediate activation attempt on the Software Protection Service:
cscript slmgr.vbs /atoA successful response will say something along the lines of "Activating Windows(R)... Product activated successfully." For Office-specific activation status, open any Office application, Word, Excel, whatever, sign in with the licensed Microsoft 365 account when prompted, or wait for the background activation to complete. You can also check activation status in File → Account inside any Office app. It should show "Product Activated" under the Product Information section.
If activation still fails at this point, the problem has shifted from a network/DNS issue to a local machine configuration problem. Proceed to the Advanced Troubleshooting section below.
Advanced Troubleshooting
When the five steps above don't fully resolve the Microsoft 365 Apps activation problem, you're usually dealing with one of three things: a Group Policy conflict, a corrupted local license cache, or an enterprise environment with multiple DNS zones creating conflicting KMS SRV records across different subnets.
Check Event Viewer for KMS Activation Errors
Open Event Viewer (eventvwr.msc) and navigate to Applications and Services Logs → Microsoft → Windows → Security-SPP → Operational. This is the Software Protection Platform log, it records every activation attempt, success, and failure with specific error codes. Look for Event IDs in the 12288–12293 range. Event ID 12288 means the client tried to contact a KMS host. Event ID 12289 means it failed. The failure reason in the event details will tell you exactly whether it's a DNS resolution failure, a connection timeout, or a license count issue (KMS requires a minimum number of qualifying clients before it grants activations).
Group Policy Overrides for KMS Host Discovery
In domain-joined environments, Group Policy can override the automatic DNS-based KMS discovery and hardcode a specific KMS host address. Open the Group Policy Management Console (GPMC) and search for policies linked to the affected machines. Look under Computer Configuration → Administrative Templates → Windows Components → Software Protection Platform. If you see a policy setting called "Set the KMS server" or similar, it may be pointing to an outdated or decommissioned KMS host. Either update the policy to point to the correct server, or disable the policy to allow automatic DNS-based discovery to take over again.
Registry-Level KMS Host Configuration
Even without Group Policy, the KMS host can be hardcoded locally in the registry. Check this key on affected machines:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatformLook for a value named KeyManagementServiceName. If it exists and points to an old or incorrect KMS server, delete or update it. Also check KeyManagementServicePort, KMS uses port 1688 by default. If this is set to something else without a deliberate reason, it can cause silent activation failures.
Multi-Zone DNS Environments
In environments with split-brain DNS or multiple internal zones, a _vlmcs SRV record in one zone might not be visible to clients resolving against a different DNS server. Run the nslookup diagnostic from Step 1 but specify each internal DNS server explicitly by IP to compare results:
nslookup -type=srv _vlmcs._tcp [dns-server-ip]Differences between servers indicate a replication issue. Check your DNS zone replication status in DNS Manager and force a zone transfer if needed.
Minimum Client Threshold for KMS Activation
One thing that trips up smaller organizations: KMS for Office requires a minimum of 5 qualifying client computers before it will activate any of them. Windows KMS requires 25. If you're in a small environment that just deployed a few machines, KMS activation will fail for everyone until that threshold is met, not because of a configuration error, but by design. In that case, MAK (Multiple Activation Key) licensing is the right choice.
slmgr.vbs /dlv All, and your Event Viewer KMS logs ready, it cuts the diagnosis time significantly.
Prevention & Best Practices
Once you've fixed a KMS activation mess, the last thing you want is to repeat it six months later. The root cause of most unauthorized KMS host problems isn't malicious, it's procedural. Someone deployed a Windows machine with the wrong product key. Someone set up an Office KMS host for a pilot that never got cleaned up. DNS records persisted long after the server was decommissioned. These are organizational process failures, not technical ones, and that means the prevention is also organizational.
The most important single change you can make: centralize product key management. Every Windows and Office product key in your environment should live in a managed key store, whether that's VLSC (Volume Licensing Service Center), a dedicated password manager with access controls, or Microsoft 365 admin center. Product keys should never circulate in email threads, spreadsheets on shared drives, or sticky notes. When keys are easy to access and hard to misuse, accidental KMS host deployments become nearly impossible.
On the technical side, schedule a recurring DNS audit, quarterly at minimum. The nslookup _vlmcs SRV check takes about 30 seconds to run and immediately shows you whether any new unauthorized KMS hosts have appeared on the network. Add it to your quarterly IT checklist alongside certificate renewal checks and backup validation.
For enterprises using SCCM or Microsoft Intune, use compliance policies to detect machines running the Software Protection Platform in KMS host mode. Both platforms can query license status and flag anomalies. Build a compliance rule that alerts when any non-designated machine registers as a KMS host, you'll catch problems within hours instead of months.
Finally, document your authorized KMS infrastructure explicitly. Keep a record that says: "Our authorized KMS hosts are kms-server-01.contoso.com (Windows KMS) and kms-office.contoso.com (Office KMS). Any other _vlmcs SRV record in DNS is unauthorized." That documentation makes the quarterly DNS audit trivially fast, you're just checking that reality matches the record.
- Run
nslookup -type=srv _vlmcs._tcpquarterly and compare results against your authorized KMS server list, takes under a minute. - Restrict access to Office KMS Host License Pack installation files, require IT ticket approval before anyone can install a KMS host pack.
- Set DNS aging and scavenging on your internal DNS zones so stale _vlmcs SRV records from decommissioned servers are automatically removed after 7 days.
- For environments under 25 Windows clients or under 5 Office clients, skip KMS entirely and use MAK activation, it's simpler and doesn't require a KMS host at all.
Frequently Asked Questions
Why does my Microsoft 365 Apps say "Unlicensed Product" even though I'm paying for a subscription?
A "Unlicensed Product" banner in Microsoft 365 Apps doesn't necessarily mean your subscription lapsed, it usually means the app couldn't verify the license with a KMS server or with Microsoft's activation servers. If you're in a corporate environment, the most common cause is a broken or missing KMS host on the network. If you're on a personal or small-business plan, it usually means you're not signed into the correct Microsoft account, or your account's license assignment got dropped during a tenant change. Start with the nslookup diagnostic in Step 1 of this guide to determine which type of problem you're dealing with.
What is a KMS host and why does it matter for Microsoft 365 Apps activation?
KMS stands for Key Management Service, it's Microsoft's volume licensing activation system for enterprise environments. Instead of each machine contacting Microsoft's activation servers directly over the internet, they contact a local KMS host inside your network. That host validates the licenses in bulk. If the KMS host is missing, unreachable, incorrectly configured, or has been replaced by an unauthorized machine broadcasting on the same DNS record, Office clients can't activate, even if the underlying license is completely valid. For most organizations with 5+ Office installs, KMS is how activation works behind the scenes whether the IT team is actively managing it or not.
How do I find out which KMS host my machine is trying to use?
Open an elevated Command Prompt and run cscript slmgr.vbs /dlv. Look for the "KMS machine IP address" field in the output, it will show you the IP and port that your machine last contacted (or attempted to contact) for KMS activation. Cross-reference that IP against your authorized KMS server list. You can also run nslookup -type=srv _vlmcs._tcp to see which KMS hosts DNS is advertising to your machine. The two should match, if your machine is contacting an IP that doesn't appear in the DNS results, it may have a hardcoded KMS host set in the registry.
Can I accidentally set up a KMS host without knowing it?
For Windows KMS hosts, yes, surprisingly easily. If someone enters a Windows KMS host product key (which starts with a different pattern than standard client keys) during Windows setup or runs slmgr.vbs /ipk with the wrong key, that machine will start acting as a KMS host and register a _vlmcs SRV record in DNS automatically. For Office KMS hosts, it's harder, you need both the right product key AND to separately install the Office KMS Host License Pack. But both scenarios do happen in the wild, usually when product keys are shared informally and someone installs the wrong one.
My nslookup shows multiple KMS hosts, do I need to remove all of them?
Not necessarily. Multiple KMS host entries in DNS can be legitimate, some organizations set up two KMS hosts for redundancy. What matters is whether each hostname in the DNS results is an authorized KMS host in your environment. Compare every entry against your IT records. Any hostname you can't account for as a deliberately configured KMS server should be investigated using the slmgr.vbs /dlv check described in Step 2. Remove only the ones that are confirmed unauthorized, leave your legitimate redundant hosts in place.
Do these troubleshooting steps work for Office 2016 and Office 2019 KMS as well?
Yes, the diagnostic and cleanup process is nearly identical across Office KMS 2010, 2013, 2016, and 2019. The main difference is the Activation ID (the GUID used in the slmgr.vbs /dlv command). For Office 2010 the Activation ID is bfe7a195-4f8f-4f0b-a622-cf13c7d16864. For other versions, you can discover the correct Activation ID by running slmgr.vbs /dlv All >C:\temp\kmsinfo.txt and searching the resulting file for "Office", the Activation ID will appear next to each Office KMS host installation entry.