Best Practice for Windows BYOL Activation in Shared Golden Images (KMS vs MAK)

Gary Wu 0 Reputation points
2026-06-23T07:01:13.5533333+00:00

We are building reusable Windows Server golden images that will be deployed across multiple cloud accounts and environments.

Our goal is to use our organization's Microsoft Windows licenses (BYOL) rather than cloud provider supplied Windows licensing.

We are trying to determine the recommended Microsoft licensing and activation approach for this scenario.

Current Architecture

  1. Build a Windows Server golden image.
  2. Publish the image for use across multiple cloud accounts/environments.
  3. Launch potentially hundreds of instances from the same image.
  4. Instances may be deployed by different automation pipelines and in different accounts.

Questions we have

  1. For a reusable golden image that may be cloned hundreds of times, is Microsoft KMS or MAK the recommended activation model?
  2. If MAK is used:
    • How should activation counts be managed for large scale deployments?
    • Is it recommended to embed a MAK key into the image, or should it be applied after deployment?
    • What are the risks and limitations of using MAK in a shared image scenario?
    • How can we avoid avoid exhausting available activations as new instances are provisioned?
  3. If KMS is used:
    • Should the image contain any KMS configuration?
    • Is KMS configuration typically applied during image creation or after deployment?
    • What is the recommended process for ensuring all deployed instances successfully activate against the organization's KMS infrastructure?
    • Are there any considerations for multi-account or multi-cloud deployments?
  4. For a BYOL image that is shared across multiple accounts/environments, what is Microsoft's recommended practice for handling Windows activation while remaining compliant with licensing requirements?
  5. Are there any Microsoft licensing or compliance concerns with embedding activation keys directly into a reusable golden image that may be deployed many times?
  6. What is Microsoft's recommended approach for tracking Windows Server license consumption in a large-scale BYOL environment?
  7. How should organizations determine:
  • How many licenses are currently in use?
    • How many additional servers can be deployed before additional licenses are required?
    • Whether deployed instances remain compliant with Microsoft licensing requirements?
  1. If instances are frequently created and destroyed (ephemeral workloads), how should license usage and compliance be managed?

We are looking for Microsoft's recommended architecture and operational model for large scale Windows image deployments rather than cloud-provider-specific implementation details.

Thanks in advance for your help!

Windows for business | Windows Server | Devices and deployment | Licensing and activation
0 comments No comments

1 answer

Sort by: Most helpful
  1. Harry Phan 23,835 Reputation points Independent Advisor
    2026-06-23T07:52:11.08+00:00

    Hi Gary,

    For large-scale BYOL deployments with reusable Windows Server golden images, Microsoft’s recommended approach is to use KMS activation rather than MAK. KMS is designed for environments where hundreds or thousands of instances may be spun up and destroyed, since activation is handled automatically against your organization’s KMS host without consuming finite activation counts. MAK keys, by contrast, are limited-use and quickly become impractical in ephemeral or high-scale scenarios because each activation consumes one of the available counts, and embedding MAK keys in a shared image risks exhausting activations and creating compliance issues.

    With KMS, you should not embed the key directly into the image. Instead, configure the image to use the default KMS client setup key for the relevant Windows Server edition. Upon deployment, each instance will attempt activation against your KMS host. The KMS host itself must be reachable from all accounts and environments, which may require network peering or VPN connectivity if you are spanning multiple clouds or accounts. Activation configuration is typically applied during image creation so that instances automatically activate once they can reach the KMS infrastructure.

    From a compliance perspective, embedding MAK keys in a golden image is discouraged because it obscures license tracking and risks over-deployment. KMS allows you to centrally manage license consumption, since compliance is tied to your licensed core counts and CALs rather than per-instance activations. For tracking, organizations should rely on Microsoft License Compliance tools such as the Volume Licensing Service Center (VLSC) and Software Asset Management processes to determine how many Windows Server licenses are in use and ensure deployments remain within entitlement. Ephemeral workloads are covered under your licensed capacity, so compliance is measured by the number of cores licensed rather than transient instance counts.

    Harry.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.