Hi Gary,
For large-scale BYOL deployments with reusable Windows Server golden images, Microsoft’s recommended approach is to use KMS activation rather than MAK. KMS is designed for environments where hundreds or thousands of instances may be spun up and destroyed, since activation is handled automatically against your organization’s KMS host without consuming finite activation counts. MAK keys, by contrast, are limited-use and quickly become impractical in ephemeral or high-scale scenarios because each activation consumes one of the available counts, and embedding MAK keys in a shared image risks exhausting activations and creating compliance issues.
With KMS, you should not embed the key directly into the image. Instead, configure the image to use the default KMS client setup key for the relevant Windows Server edition. Upon deployment, each instance will attempt activation against your KMS host. The KMS host itself must be reachable from all accounts and environments, which may require network peering or VPN connectivity if you are spanning multiple clouds or accounts. Activation configuration is typically applied during image creation so that instances automatically activate once they can reach the KMS infrastructure.
From a compliance perspective, embedding MAK keys in a golden image is discouraged because it obscures license tracking and risks over-deployment. KMS allows you to centrally manage license consumption, since compliance is tied to your licensed core counts and CALs rather than per-instance activations. For tracking, organizations should rely on Microsoft License Compliance tools such as the Volume Licensing Service Center (VLSC) and Software Asset Management processes to determine how many Windows Server licenses are in use and ensure deployments remain within entitlement. Ephemeral workloads are covered under your licensed capacity, so compliance is measured by the number of cores licensed rather than transient instance counts.
Harry.
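A pre-capture check for the setup described in the answer above, added here as an example and not part of the original reply or any Microsoft tooling: it fails the image build if a MAK key is installed, confirms the KMS client channel, and tests that the KMS host answers on TCP 1688. The host name `kms.example.internal` is a placeholder assumption; the script uses the standard `SoftwareLicensingProduct` and `SoftwareLicensingService` CIM classes.

```powershell
# Added example: run inside the golden image before capture and again on a deployed instance.
param(
    [string]$KmsHost = 'kms.example.internal',  # assumption: placeholder, replace with your KMS host
    [int]$KmsPort    = 1688                      # default KMS listening port
)

# Application ID that the Software Protection Platform uses for Windows itself.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

# The installed Windows key is the product entry that has a partial product key.
$product = Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
    Select-Object -First 1

if (-not $product) {
    throw 'No Windows product key is installed in this image.'
}

# Description names the license channel, e.g. "VOLUME_KMSCLIENT channel" or "VOLUME_MAK channel".
if ($product.Description -match 'VOLUME_MAK') {
    throw "Image carries a MAK key (ending $($product.PartialProductKey)). Install the KMS client setup key before capture."
}
if ($product.Description -notmatch 'VOLUME_KMSCLIENT') {
    throw "Unexpected license channel: $($product.Description)"
}

# Prefer a KMS host set explicitly in the image (slmgr /skms); otherwise use the parameter.
$service = Get-CimInstance -ClassName SoftwareLicensingService
$target  = if ($service.KeyManagementServiceMachine) { $service.KeyManagementServiceMachine } else { $KmsHost }

# Activation cannot succeed unless the instance can open a TCP connection to the KMS host.
$reachable = Test-NetConnection -ComputerName $target -Port $KmsPort -InformationLevel Quiet

[pscustomobject]@{
    Edition       = $product.Name
    Channel       = 'VOLUME_KMSCLIENT'
    PartialKey    = $product.PartialProductKey
    KmsTarget     = "${target}:$KmsPort"
    KmsReachable  = $reachable
    LicenseStatus = $product.LicenseStatus   # 1 means licensed (activated)
}

if (-not $reachable) {
    Write-Warning "KMS host $target is not reachable on port $KmsPort; check peering, VPN and firewall rules."
}
```

In the image build, `LicenseStatus` will normally not be 1 yet; the same script on a deployed instance shows whether activation against the KMS host has completed.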