When streaming a Windows machine the Windows license can be managed by a Key Management System (KMS). Citrix describes it as follows “KMS volume licensing utilizes a centralized activation server that runs in the datacenter, and servers as a local activation point (opposed to having each system activate with Microsoft over the internet).”
To ensure KMS is working correctly the Windows machine needs to be prepared for KMS, this involves setting the right license key and “re-arming” the license. Citrix has done a pretty good job describing different scenarios in CTX128276 and explaining which actions to take, but there are more steps involved.
In this article I’ll explain what steps you can take to build a PVS vDisk where licensed are managed by KMS and how to troubleshoot some known caveats.
How to prepare your image
Creating a Citrix PVS vDisk for Windows machines that are licensed by a Key Management System (KMS) consists of the following eight steps:
1) Create vDisk
Build your image as you normally would (install your OS, applications and apply the required configuration) and upload the using the imaging wizard. Build a new image and select the Key Management Service (KMS) in the Microsoft Volume Licensing dialog.
After the vDisk is created and the target device is assigned to the new vDisk reboot the machine. Boot from Network (or the Boot Device Manager via ISO or VHD) so the machine will mount the vDisk in private mode.
After you logon with a user (with administrative privileges) the files are converted from volume C: to the vDisk, in other words: the content of the C: drive is copied to the vDisk on the PVS server.
After the content is copied click Finish to continue to the shell.
2) Cleanup windows activation
To start with a clean setup we can cleanup the Windows activation. Run a command prompt with elevated privileges (run as administrator) and issue the following commands:
Net Stop SpPSvc Del C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat Net Start SpPSvc
3) Install KMS product key (Windows)
Now we need to ensure that Windows has a KMS product key (instead of a OEM or VLK). From an elevated command prompt: Run the Software Licensing Management Tool (SlMgr) and install the KMS product key (/IPK) for your Windows version.
SlMgr /IPK <ProductKey>
See the tables attached to this article for the KMS client key for your Windows version
4) Activate Windows
To verify that the license key is a KMS license key and the license can be activated by a KMS server we can test the activation. Run the Software Licensing Management Tool (SlMgr) and activate Windows (/ATO).
Verbose information about the licensing can be retrieved with the Software Licensing Management Tool.
As you can see the License Status is Licensed. If you have any other result first troubleshoot that (see Microsoft TechNet – How to troubleshoot the Key Management Service (KMS)).
5) Re-arm Windows license
Since we’re going to distribute this vDisk to multiple machines we need to reset it to a non-activated state using the rearm command. Run the Software Licensing Management Tool (SlMgr) and reset the licensing status of the machine (/ReArm).
Do // NOT // reboot the machine
If you have exceeded the maximum of 3 allowed rearms an error message is thrown “Error: 0xC004D307 The maximum allowed number of re-arms has been exceeded. You must re-install the OS before trying to re-arm again”. This can be solved by setting the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\SkipRearm = 0x1 (REG_DWORD).
6) Install KMS product key (Office)
In case you’ve installed Microsoft Office and need to license it via KMS, nearly the same steps are required. Run the Office Software Protection Platform (OsPP.vbs) and install the product key (/InPKey) for your Office version.
cscript.exe ospp.vbs /InPKey:<ProductKey>
See the tables attached to this article for the KMS client key for your Office version
You can verify if Office generated a Client Machine ID (CMID) by running the Office Software Protection Platform tool with /dcmid.
cscript.exe ospp.vbs /dcmid
7) Re-arm Office license
Just like Windows, Office also needs to be to reset to a non-activated state using the rearm command. Run the Office Software Protection Plafrom Rearm (OSPPREARM) tool from the x86 location.
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE or C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
8) Put vDisk in Standard mode
Shut down the target device and wait until the vDisk changes from locked (1) to unlocked (0).
Set Access Mode
Open the properties of the vDisk and set the Access Mode to “Standard Image (multi-device, read-only access)” and verify that Key “Management Service (KMS)” is selected at the Microsoft Volume Licensing tab.
What’s important to know is that the Citrix PVS Stream Service at the moment will mount the vDisk, execute a KmsPrep – or KmsReset if this has been done before – and then unmount it again. This only happens if you change the Access Mode from Private to Standard. If the Access Mode is already in Standard and KMS is selected, the image is NOT updated.
As Citrix describes in Managing Microsoft KMS Volume Licensing “Note: When preparing or updating a KMS configured vDisk that will be copied or cloned, it is important to complete the final KMS configuration task, which is to change the vDisk mode from Private Image Mode to Shared Image Mode, before copying or cloning the vDisk to other Provisioning Servers. Also, both the .pvp and .vhd file must be copied to retain the properties and KMS configuration of the original vDisk”
In case the following error is thrown “An unexpected MAP error occurred – Failed to map vDisk, no Driver” there are two possible problem. 1) The drivers are not installed correctly or 2) the account configured at the Streaming service had insufficient privileges.
1) Drivers are not installed correctly
The first problem is easy to detect and solve. Try to mount the vDisk (right-click on the vDisk > Mount vDisk) from the Provisioning Services Console on the PVS server. If that does not work the drivers are not correctly installed. Go to C:\Program Files\Citrix\Provisioning Services\drivers, right-click on cfsdep2.inf and click Install.
2) Insufficient privileges
If you’re able to mount the vDisk from the Provisioning Service Console then the Citrix PVS Stream Service has insufficient privileges. The account configured to run the Citrix PVS Stream Service needs to have the Perform volume maintenance tasks (SE_MANAGE_VOLUME_NAME) privilege. The reason this privileges is required is because the Citrix PVS Stream service need to mount the vDisk in order to execute the KmsPrep / KmsReset. See CTX132995 for details.
By default only the local Administrators group has the SE_MANAGE_COLUME_NAME privilege assigned. The problem can be solved by making the AD account, or NETWORK SERVICE when log on as “Local System account” is used, member of the local Administrators group. If you don’t want to add NETWORK SERVICE to the local Administrators group – which I don’t recommend – the privilege can be assigned in the security policy: Windows Settings > Security Settings > Local Polies > User Rights Assignment > Perform volume maintenance tasks
Verify license activation
Boot another target device, a different machine then where you created the image/vDisk, and login with an administrative account.
Open an command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.
Initially the machine is not licensed, instead the license status is “Additional grace period (KMS license expired or hardware out of tolerance”.
During boot the Software Protection Service (Security-SPP) notices that hardware has changed. Besides different hardware is the Client Machine ID (CMID) is changed, this is expected as each machine needs a unique ID.
In the Application log in the Event Viewer you’ll find an event from Security-SPP with ID 1040 informing that “Hardware has changed from previous boot”, immediately followed by ID 1025 “Grace period has been started. Grace days=30 Grace type=1” and ID 1024 “The hardware has changed”
After 30 minutes (up to 2 hours) the client will sent an activation request to the KMS server. Sure enough the KMS server will grant the license and the client is licensed. In the event log an event is raised by Security-SPP with ID 12288 when an activation is requested, ID 12289 when a response is received and finally ID 1003 when the license status check is completed.
Again open an command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.
The license is no longer in grace period, it is now licensed.
The KMS keys are provided by Microsoft, it’s not a secret. For your convenience I listed all known products keys in tables below.
|Standard without Hyper-V
|Enterprise without Hyper-V
|Datacenter without Hyper-V
|For Itanium-Based Systems
|Server 2008 R2
|For Itanium-based Systems
|Core Single Language
|Core Country Specific
Source: Microsoft TechNet
|Office Professional Plus
|Office Professional Plus
- Citrix eDocs – Configuring Microsoft KMS Volume Licensing
- CTX128276 – Configuring Key Management System (KMS) Licensing for Windows and Office 2010 and 2013 in Different Scenarios
- CTX – Console Error When Standard Mode Disk is prepared for KMS Activation
- Microsoft TechNet – KMS Activation Timing and Discovery
- Microsoft TechNet – How to troubleshoot the Key Management Service (KMS)
- Citrix Provisioning Service (PVS) and Windows 7 KMS