When streaming a Windows machine the Windows license can be managed by a Key Management System (KMS). Citrix describes it as follows “KMS volume licensing utilizes a centralized activation server that runs in the datacenter, and servers as a local activation point (opposed to having each system activate with Microsoft over the internet).

To ensure KMS is working correctly the Windows machine needs to be prepared for KMS, this involves setting the right license key and “re-arming” the license. Citrix has done a pretty good job describing different scenarios in CTX128276 and explaining which actions to take, but there are more steps involved.

In this article I’ll explain what steps you can take to build a PVS vDisk where licensed are managed by KMS and how to troubleshoot some known caveats.

How to prepare your image

Creating a Citrix PVS vDisk for Windows machines that are licensed by a Key Management System (KMS) consists of the following eight steps:


1) Create vDisk

Build your image as you normally would (install your OS, applications and apply the required configuration) and upload the using the imaging wizard. Build a new image and select the Key Management Service (KMS) in the Microsoft Volume Licensing dialog.

Provisioning Services Imaging Wizard - Connect to FarmProvisioning Services Imaging Wizard - Select New or Existing DiskProvisioning Services Imaging Wizard - New vDiskProvisioning Services Imaging Wizard - Configure Image VolumesProvisioning Services Imaging Wizard - Microsoft Volume LicensingProvisioning Services Imaging Wizard - Existing Target DeviceProvisioning Services Imaging Wizard - New vDisk - Replace vDiskProvisioning Services Device Optimisation ToolProvisioning Services Imaging Wizard - Summary of Farm changesProvisioning Services Imaging Wizard - Select New or Existing Disk - Reboot

After the vDisk is created and the target device is assigned to the new vDisk reboot the machine. Boot from Network (or the Boot Device Manager via ISO or VHD) so the machine will mount the vDisk in private mode.

2013-08-09 11_03_32-

After you logon with a user (with administrative privileges) the files are converted from volume C: to the vDisk, in other words: the content of the C: drive is copied to the vDisk on the PVS server.

Citrix XenConvert 2.4.1 - Converting filesCitrix XenConvert 2.4.1 - Conversion finished

After the content is copied click Finish to continue to the shell.


2) Cleanup windows activation

To start with a clean setup we can cleanup the Windows activation. Run a command prompt with elevated privileges (run as administrator) and issue the following commands:

Net Stop SpPSvc
Del C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
Net Start SpPSvc

Cleanup windows activation

Source: How to rebuild the Tokens.dat or Activation Tokens file in Windows 7 | 8




3) Install KMS product key  (Windows)

Now we need to ensure that Windows has a KMS product key (instead of a OEM or VLK). From an elevated command prompt: Run the Software Licensing Management Tool (SlMgr) and install the SlMgr /IPK <ProductKey>KMS product key (/IPK) for your Windows version.

SlMgr /IPK <ProductKey>

See the tables attached to this article for the KMS client key for your Windows version



4) Activate Windows

To verify that the license key is a KMS license key and the license can be activated by a KMS server we can test the activation. SlMgr /ATORun the Software Licensing Management Tool (SlMgr) and activate Windows (/ATO).

SlMgr /ATO


Verbose information about the licensing can be retrieved with the Software Licensing Management Tool.

SlMgr /DLV

SlMgr /DLV


As you can see the License Status is Licensed. If you have any other result first troubleshoot that (see Microsoft TechNet – How to troubleshoot the Key Management Service (KMS)).




5) Re-arm Windows license

Since we’re going to distribute this vDisk to multiple machines we need to reset it to a non-activated state using the rearm command. Run the Software Licensing Management Tool (SlMgr)SlMgr /ReArm and reset the licensing status of the machine (/ReArm).

SlMgr /ReArm


Do  //  NOT  //  reboot the machine

Error: 0xC004D307 The maximum allowed number of re-arms has been exceeded. You must re-install the OS before trying to re-arm again

If you have exceeded the maximum of 3 allowed rearms an error message is thrown “Error: 0xC004D307 The maximum allowed number of re-arms has been exceeded. You must re-install the OS before trying to re-arm again”. This can be solved by setting the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\SkipRearm = 0x1 (REG_DWORD).


6) Install KMS product key (Office)

In case you’ve installed Microsoft Office and need to license it via KMS,  nearly the same steps are required. Run the Office Software Protection Platform (OsPP.vbs) and install the product key (/InPKey) for your Office version.

cscript.exe ospp.vbs /InPKey:<ProductKey>

cscript.exe ospp.vbs /InPKey:<ProductKey>

See the tables attached to this article for the KMS client key for your Office version


You can verify if Office generated a Client Machine ID (CMID) by running the Office Software Protection Platform tool with /dcmid.

cscript.exe ospp.vbs /dcmid

cscript.exe ospp.vbs /dcmid




7) Re-arm Office license

Just like Windows, Office also needs to be to reset to a non-activated state using the rearm command. Run the Office Software Protection Plafrom Rearm (OSPPREARM) tool from the x86 location.

C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE



8) Put vDisk in Standard mode
Unlock vDisk

Shut down the target device and wait until the vDisk changes from locked (1) to unlocked (0).

vDisk locked 
vDisk unlocked


Set Access Mode

Open the properties of the vDisk and set the Access Mode to “Standard Image (multi-device, read-only access)” and verify that Key “Management Service (KMS)” is selected at the Microsoft Volume Licensing tab.

vDisk properties - GeneralvDisk properties - Microsoft Volume Licensing

What’s important to know is that the Citrix PVS Stream Service at the moment will mount the vDisk, execute a KmsPrep – or KmsReset if this has been done before – and then unmount it again. This only happens if you change the Access Mode from Private to Standard. If the Access Mode is already in Standard and KMS is selected, the image is NOT updated.

As Citrix describes in Managing Microsoft KMS Volume Licensing “Note: When preparing or updating a KMS configured vDisk that will be copied or cloned, it is important to complete the final KMS configuration task, which is to change the vDisk mode from Private Image Mode to Shared Image Mode, before copying or cloning the vDisk to other Provisioning Servers. Also, both the .pvp and .vhd file must be copied to retain the properties and KMS configuration of the original vDisk”




In case the following error is thrown “An unexpected MAP error occurred – Failed to map vDisk, no Driver” there are two possible problem. 1) The drivers are not installed correctly or 2) the account configured at the Streaming service had insufficient privileges.

An unexpected MAP error occurred - Failed to map vDisk, no Driver

1) Drivers are not installed correctly


The first problem is easy to detect and solve. Try to mount the vDisk (right-click on the vDisk > Mount vDisk) from the Provisioning Services Console on the PVS server. If that does not work the drivers are not correctly installed. Go to C:\Program Files\Citrix\Provisioning Services\drivers, right-click on cfsdep2.inf and click Install.

2) Insufficient privileges


If you’re able to mount the vDisk from the Provisioning Service Console then the Citrix PVS Stream Service has insufficient privileges. The account configured to run the Citrix PVS Stream Service needs to have the Perform volume maintenance tasks (SE_MANAGE_VOLUME_NAME) privilege. The reason this privileges is required is because the Citrix PVS Stream service need to mount the vDisk in order to execute the KmsPrep / KmsReset. See CTX132995 for details.

Citrix PVS Stream Service - Log On

By default only the local Administrators group has the SE_MANAGE_COLUME_NAME privilege assigned. The problem can be solved by making the AD account, or NETWORK SERVICE when log on as “Local System account” is used, member of the local Administrators group. If you don’t want to add NETWORK SERVICE to the local Administrators group – which I don’t recommend – the privilege can be assigned in the security policy: Windows Settings > Security Settings > Local Polies > User Rights Assignment > Perform volume maintenance tasks

Perform volume maintenance tasks



Verify license activation

Boot another target device, a different machine then where you created the image/vDisk, and login with an administrative account.

Open an command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.

SlMgr /DLV

License Status: Additional grace period (KMS license expired or hardware out of tolerance

Initially the machine is not licensed, instead the license status is “Additional grace period (KMS license expired or hardware out of tolerance”.

During boot the Software Protection Service (Security-SPP) notices that hardware has changed. Besides different hardware is the Client Machine ID (CMID)  is changed, this is expected as each machine needs a unique ID.


In the Application log in the Event Viewer  you’ll find an event from Security-SPP with ID 1040 informing that “Hardware has changed from previous boot”, immediately followed by ID 1025Grace period has been started. Grace days=30 Grace type=1”  and ID 1024 “The hardware has changed”

Event 1040, Security-SPPEvent 1025, Security-SPPEvent 1024, Security-SPP

After 30 minutes (up to 2 hours) the client will sent an activation request to the KMS server. Sure enough the KMS server will grant the license and the client is licensed. In the event log an event is raised by Security-SPP with ID 12288 when an activation is requested, ID 12289 when a response is received and finally ID 1003 when the license status check is completed.

Event 12288, Security-SPPEvent 12289, Security-SPPEvent 1003, Security-SPP

Again open an command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.

SlMgr /DLV

License Status: Licensed

The license is no longer in grace period, it is now licensed.


KMS keys

The KMS keys are provided by Microsoft, it’s not a secret. For your convenience I listed all known products keys in tables below.


Microsoft Windows
Product Edition Product key
Vista Business YFKBB-PQJJV-G996G-VWGXY-2V3X8
Business N HMBQG-8H2RH-C77VX-27R82-VMQBT
Enterprise VKK3X-68KWM-X2YGT-QR4M6-4BWMV
Enterprise N VTC42-BM838-43QHV-84HX6-XJXK
7 Professional FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
Professional N MRPKT-YTG23-K7D7T-X2JMM-QY7MG
Professional E W82YF-2Q76Y-63HXB-FGJG9-GF7QX
Enterprise 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
Enterprise N YDRBP-3D83W-TY26F-D46B2-XCKRJ
Enterprise E C29WB-22CC8-VJ326-GHFJW-H9DH4
8 Professional NG4HW-VH26C-733KW-K6F98-J8CK4
Professional N XCVCF-2NXM9-723PB-MHCB7-2RYQQ
Enterprise 32JNW-9KQ84-P47T8-D8GGY-CWCK7
Server 2008 Standard TM24T-X9RMF-VWXK6-X8JC9-BFGM2
Standard without Hyper-V W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ
Enterprise YQGMW-MPWTJ-34KDK-48M3W-X4Q6V
Enterprise without Hyper-V 39BXF-X8Q23-P2WWT-38T2F-G3FPG
Datacenter 7M67G-PC374-GR742-YH8V4-TCBY3
Datacenter without Hyper-V 22XQ2-VRXRG-P8D42-K34TD-G3QQC
For Itanium-Based Systems 4DWFP-JF3DJ-B7DTH-78FJB-PDRHK
Server 2008 R2 Web 6TPJF-RBVHG-WBW2R-86QPH-6RTM4
HPC edition TT8MH-CG224-D3D7Q-498W2-9QCTX
Enterprise 489J6-VHDMP-X63PK-3K798-CPX3Y
Datacenter 74YFP-3QFB3-KQT8W-PMXWJ-7M648
For Itanium-based Systems GT63C-RJFQ3-4GMB6-BRFB9-CB83V
Server 2012 Core BN3D2-R7TKB-3YPBD-8DRP2-27GG4
Core Single Language 2WN2H-YGCQR-KFX6K-CD6TF-84YXQ
Core Country Specific 4K36P-JN4VD-GDC6V-KDT89-DYFKP
Server Standard XC9B7-NBPP2-83J2H-RHMBY-92BT4
Standard Core XC9B7-NBPP2-83J2H-RHMBY-92BT4
MultiPoint Standard HM7DN-YVMH3-46JC3-XYTG7-CYQJJ
MultiPoint Premium XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G
Datacenter 48HP8-DN98B-MYWDG-T2DCC-8W83P
Datacenter Core 48HP8-DN98B-MYWDG-T2DCC-8W83P

Source: Microsoft TechNet


Microsoft Office
Type Version Edition Product key
Suites 2010 Office Professional Plus VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB
Office Standard V7QKV-4XVVR-XYV4D-F7DFM-8R6BM
2013 Office Professional Plus YC7DK-G2NP3-2QQC3-J6H88-GVGXT
Office Standard KBKQT-2NMXY-JJWGP-M62JB-92CD4
Stand-alone products 2010 Access V7Y44-9T38C-R2VJK-666HK-T7DDX
Sharepoint Workspace QYYW6-QP4CB-MBV6G-HYMCJ-4T3J4
InfoPath K96W8-67RPQ-62T9Y-J8FQJ-BT37T
PowerPoint RC8FX-88JRY-3PF7C-X8P67-P4VTT
Project Professional YGX6F-PGV49-PGW3J-9BTGG-VHKC6
Project Standard 4HP3K-88W3F-W2K3D-6677X-F9PGB
Publisher BFK7F-9MYHM-V68C7-DRQ66-83YTP
Visio Professional 7MCW8-VRQVK-G677T-PDJCM-Q8TCP
Visio Standard 767HD-QGMWX-8QTDB-9G3R2-KHFGJ
2013 Access NG2JY-H4JBT-HQXYP-78QH9-4JM2D
InfoPath DKT8B-N7VXH-D963P-Q4PHY-F8894
Outlook QPN8Q-BJBTJ-334K3-93TGY-2PMBT
PowerPoint 4NT99-8RJFH-Q2VDH-KYG2C-4RD4F
Project Professional FN8TT-7WMH6-2D4X9-M337T-2342K
Project Standard 6NTH3-CW976-3G3Y2-JK3TX-8QHTT
Publisher PN2WF-29XG2-T9HJ7-JQPJR-FCXK4
Visio Professional C2FG9-N6J68-H8BTJ-BW3QX-RM3B3
Visio Standard J484Y-4NKBF-W2HMG-DBMJC-PGWR7
Word 6Q7VD-NX8JD-WJ2VH-88V73-4GBJ7

Source: Office 2010, Office 2013






33 Reacties

  1. Hi Ingmar,

    The procedure you describe here is actually only needed when you want to use your vDisk to reach the required KMS count.

    If your KMS server is already activated (which it probably already is if you activate all your supporting server), the only thing you have to do in a vDisk is a slmgr /ipk for windows and a volume license install of Office.

    We’ve been doing it like this for years for all our hosted customers in our datacenters.

    1. Hi Michel,

      While this probably will work, I doubt if you’re compliant. With the rearm a unique CMID is created for each machine and thus a license claimed. Skipping this process would mean the KMS server will not claim a license for all machines, violating the license terms.

      See KB929829 – http://support.microsoft.com/kb/929829/en-us
      “To reset the activation timer and to set a unique CMID, the Rearm process must run on the destination computer. This process is used to reset the activation state.”

      PS: It’s worth mentioning there’s a threshold to qualify for KMS activation. A minimum of 5 machines for Windows Server and 25 machines for Windows Client machines.

    1. Hi Michel,

      If your environment is licensed with the SPLA per-socket use-right then yes, it might not be required to assign each machine a unique CMID. But in all other cases this is a requirement, so I would recommend everyone do so. Do you agree Michel?

      1. No, I’m not a MS licensing expert, but I highly doubt that Microsoft is going to check the count on your KMS server and base your licensing around that.

        That would also mean that if you (accidently) misconfigure your vDisk, or Citrix bugs the mechanism, you would automatically be in license violation. Seems very strange to me.

  2. Ingmar, thanks for again a great article!

    Just to respond to the discussion, Microsoft actually does use KMS output for license audits. Being in license violation is not the same as misusing KMS. Like you said, you license on host level so who cares about Windows virtual machine licensing anyway.

    Although there is little need to do proper KMS licensing when you are doing datacenter licensing on the host this is different when you are licensing by Windows instance.

    There is one thing Michel seems to forget, which is logical since he’s doing SPLA and therefore a client OS is no option.
    When you are working with stateful images like assigned VDI this will actually hurt your users since there is a license time out. In a stateless scenario this will reset but obviously this is not going to work when you are doing stateful.

  3. Hi Ingmar,

    Thanks for your article!

    I had the problem that my Windows 7 VM was not able to rearm anymore.
    I was getting the error:
    “Error: 0xC004D307 The maximum allowed number of re-arms has been exceeded. You must re-install the OS before trying to re-arm again”.

    In your article you have the following solution:
    This can be solved by setting the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\SoftwareProtectionPlatform\SkipRearm = 0×1 (REG_DWORD).

    This regkey is not right. It must be:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Software\ProtectionPlatform

    1. Hi Patrick,

      Thanks for the correction, I forgot the “CurrentVersion” key in the path, I’ve updated it.

      PS: Your path is incorrect, there’s no \ between Software and ProtectionPlatform 😉

  4. Very Helpful article.. I’m wondering if you can further explain process for updating an image created with steps above? We are copying PVP and VHD files and getting WGA errors on subsequent updates to our vdisk (looking for a product key/etc). Prior to shutting down a vdisk in private mode should we be doing a -rearm or is that only in the Master? This specific vdisk doesnt have office on it.


    1. Eric, each time you change the image from private to standard mode you should rearm the image (to ensure each machine has an unique CMID)

        1. Unfortunately I don’t understand what Citrix is trying to explain in their article. Whenever your distributing an image to multiple machines a rearm is required to ensure they receive a unique CMID. You can compare the CMID with a computer’s SID, both are a unique identifier for the computer. Since the SID is managed by PVS there’s no need to run sysprep, in newer versions PVS will probably manage the CMID as well (or so I hope!).

          1. Hello,

            I did confirm with Citrix the correct procedure if you are copying VHD and PVP files is to remove KMS licensing when doing updates and then turn it back on when finished. There is no re-arm required.

  5. Ingmar,

    Great article. There’s not much info out there that clarifies the subject the way you do here. Great work! 🙂

  6. Hi Ingmar,
    thanks for this great article. You are my hero of the day!
    I’ve been looking for a clear explanation of the thing for quite some time because the CTX article 128276 and eDocs confused me more than clearing things up.

  7. Great article and much better than the CTX doc’s. I do have one problem though. After preping the VHD on my dev server and streaming to the Prod ones everything goes as expected, until the prod servers are rebooted. They then revert to grace period and have to re-authenticate. Is this right?

    1. Hi Glenn,

      Glad you like the article and thank you for the compliment 🙂
      What do you mean with “re-authenticate”? Each machine should contact the KMS server and to request/verify it’s license. After a reboot the machine is “clean” again so this procedure should be repeated.


      1. Thanks for the reply Ingmar. Sorry i didn’t make myself clear. The production servers revert to “out of the box grace period” on reboot then I either have to run slmgr /ato or let them automatically authenticate themselves (usually within an hour or so. I’m assuming from your reply this is natural behavior

        1. Thanks Ingmar for such a nice article. We are having issue with machines not able to activate from KMS even after days and ultimately prompting to activate. Manual activation of each machine works fine. We are following these steps when we update a vDisk;

          1. Shutdown all machines.
          2. Put vDisk in Private mode.
          3. Leave KMS Vol Licensing in KMS.
          4. Power on one machine.
          5. Apply necessary updates.
          6. Shutdown the machine.
          7. Change VDisk to Standard mode.
          8. Verify vol Licensing is in KMS
          9. Power ON all Machines.

          The machines do not activate even after 20 minutes but can be activated manually.

          What step am i missing?


  8. Great article. First one who wrote that the vhd is mounted when the access mode is changed from private to standard AND the the MVL is set to KMS.

    What I still don’t understand:
    In our environment we rearm the OS and Office, shut down the device with the private image and use this vhd to overwrite another vhd (set to standard mode).
    Then we start all devices from the vhd in standard mode.
    There is no need to set the MVL to KMS on any of the disks.
    We leave it to “none”.

    This makes sense because every device will start with a random CMID.

    It works here…

    Initially I thought that the MVL set to KMS will mask the CMID during the streaming process (like it masks the host name).
    In such a case, there would be no need to rearm the OS and Office.

  9. Hi Ingmar,

    Out of interest, what version of PVS is this related to. We currently use v6.1 and have had trouble getting Office 2013 to activate correctly using the procedure above and in addition several tweaks found on the web (setting registry key NoReReg etc).



  10. Hey Ingmar, this guide works like a charm till the current versions of PVS and Office. Do you know where I have to put in the access or visio client kms keys? I mean for example installing office standard and at a day adding visio or project. The program path is the same, but other client kms key. Ospp does not accept the keys, don’t know why. Product is installed like office.

    Thanks in advance and regards

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *

Deze site gebruikt Akismet om spam te verminderen. Bekijk hoe je reactie-gegevens worden verwerkt.