This may sound obvious, but it actually happened to my friend. He was running a PyKMS server that was Internet-facing, but on a different port (not 1688). He would manually set the KMS host on his machines to his home IP address and port so he could keep them activated. Only a week or so ago, he got a C&D letter from someone at Microsoft, forwarded to him by his ISP. It said that Microsoft had "become aware" of a KMS server running on his IP address, including the random port he chose, which "could be used to illegally activate Windows". The letter was quite ominous and actually said he was "required" to contact a specific person at Microsoft, with contact information, to "discuss the situation." Naturally, he closed down Internet-facing access to the KMS server and decided instead to investigate VPN solutions for activation. Nobody ever did follow up, so perhaps Microsoft was just having someone available just in case someone actually needed help understanding how and why to secure KMS. However, this got me a little nervous, so I did some digging, and in fact it's true: Windows 10 systems report the IP address and port of the KMS server they are activating against to Microsoft. It's called "KMS Client AVS Validation". Microsoft calls it part of their "telemetry" services, but obviously they're doing quite a bit more with this data than "using it in a non-personally-identifiable way to improve services." Obviously, the best solution is: don't open your KMS server to the Internet, and use a VPN. However, and I make NO GUARANTEES about this, there is another possible way: there's a Group Policy setting under Computer->Policies->Admin Templates->Software Protection Platform->Turn off KMS Client AVS Validation. Setting this to True indicates that the computer "will not report activation state" to Microsoft.
Interestingly, Microsoft is pretty determined to keep this quiet, as I can't find any actual examples online of C&D letters for KMS servers, nor is there any real discussion of the AVS Validation option anywhere. I'm guessing the GP option exists for policy compliance, e.g. if a business or organization is not allowed to send information about its network to any outside entity? My assumption is that Microsoft simply "tests" any non-private IP addresses that are being reported as KMS servers, and if they find one is responding affirmatively to the Internet, they go through the appropriate channels to contact the owner. Of course, even though anyone who's using a KMS hack is probably using either a localhost-based hack or a hacked server on the LAN, Microsoft is likely still aware that it's happening, and they'd have your source IP address from the telemetry report. In either case, if you are choosing to use KMS hacks, be very, very cautious. Microsoft may be watching.