When streaming a Windows machine, the Windows license can be managed by a Key Management System (KMS). Citrix describes it as follows: “KMS volume licensing utilizes a centralized activation server that runs in the datacenter, and serves as a local activation point (opposed to having each system activate with Microsoft over the internet).”
To ensure KMS is working correctly, the Windows machine needs to be prepared for KMS; this involves setting the right license key and “re-arming” the license. Citrix has done a pretty good job describing different scenarios in CTX128276 and explaining which actions to take, but there are more steps involved.
In this article I’ll explain what steps you can take to build a PVS vDisk where licenses are managed by KMS and how to troubleshoot some known caveats.
How to prepare your image
Creating a Citrix PVS vDisk for Windows machines that are licensed by a Key Management System (KMS) consists of the following eight steps:
1) Create vDisk
Build your image as you normally would (install your OS and applications, and apply the required configuration) and upload it using the imaging wizard. Build a new image and select the Key Management Service (KMS) in the Microsoft Volume Licensing dialog.
After the vDisk is created and the target device is assigned to the new vDisk reboot the machine. Boot from Network (or the Boot Device Manager via ISO or VHD) so the machine will mount the vDisk in private mode.
After you logon with a user (with administrative privileges) the files are converted from volume C: to the vDisk, in other words: the content of the C: drive is copied to the vDisk on the PVS server.
After the content is copied click Finish to continue to the shell.
2) Clean up Windows activation
To start with a clean setup we can clean up the Windows activation. Run a command prompt with elevated privileges (run as administrator) and issue the following commands:
Net Stop SpPSvc
Del C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
Net Start SpPSvc
Source: How to rebuild the Tokens.dat or Activation Tokens file in Windows 7 | 8
3) Install KMS product key (Windows)
Now we need to ensure that Windows has a KMS product key (instead of an OEM or VLK key). From an elevated command prompt, run the Software Licensing Management Tool (SlMgr) and install the KMS product key (/IPK) for your Windows version.
SlMgr /IPK <ProductKey>
See the tables attached to this article for the KMS client key for your Windows version.
4) Activate Windows
To verify that the license key is a KMS license key and the license can be activated by a KMS server we can test the activation. Run the Software Licensing Management Tool (SlMgr) and activate Windows (/ATO).
SlMgr /ATO
Verbose information about the licensing can be retrieved with the Software Licensing Management Tool.
SlMgr /DLV
The output should show the License Status as Licensed. If you have any other result, troubleshoot that first (see Microsoft TechNet – How to troubleshoot the Key Management Service (KMS)).
5) Re-arm Windows license
Since we’re going to distribute this vDisk to multiple machines we need to reset it to a non-activated state using the rearm command. Run the Software Licensing Management Tool (SlMgr) and reset the licensing status of the machine (/ReArm).
SlMgr /ReArm
Do NOT reboot the machine.
If you have exceeded the maximum of 3 allowed rearms, an error message is thrown: “Error: 0xC004D307 The maximum allowed number of re-arms has been exceeded. You must re-install the OS before trying to re-arm again”. This can be solved by setting the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\SkipRearm = 0x1 (REG_DWORD).
6) Install KMS product key (Office)
In case you’ve installed Microsoft Office and need to license it via KMS, nearly the same steps are required. Run the Office Software Protection Platform (OsPP.vbs) and install the product key (/InPKey) for your Office version.
cscript.exe ospp.vbs /InPKey:<ProductKey>
See the tables attached to this article for the KMS client key for your Office version.
You can verify if Office generated a Client Machine ID (CMID) by running the Office Software Protection Platform tool with /dcmid.
cscript.exe ospp.vbs /dcmid
7) Re-arm Office license
Just like Windows, Office also needs to be reset to a non-activated state using the rearm command. Run the Office Software Protection Platform Rearm (OSPPREARM) tool from the x86 location.
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
or
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
8) Put vDisk in Standard mode
Unlock vDisk
Shut down the target device and wait until the vDisk changes from locked (1) to unlocked (0).
Set Access Mode
Open the properties of the vDisk and set the Access Mode to “Standard Image (multi-device, read-only access)” and verify that “Key Management Service (KMS)” is selected at the Microsoft Volume Licensing tab.
What’s important to know is that the Citrix PVS Stream Service at the moment will mount the vDisk, execute a KmsPrep – or KmsReset if this has been done before – and then unmount it again. This only happens if you change the Access Mode from Private to Standard. If the Access Mode is already in Standard and KMS is selected, the image is NOT updated.
As Citrix describes in Managing Microsoft KMS Volume Licensing: “Note: When preparing or updating a KMS configured vDisk that will be copied or cloned, it is important to complete the final KMS configuration task, which is to change the vDisk mode from Private Image Mode to Shared Image Mode, before copying or cloning the vDisk to other Provisioning Servers. Also, both the .pvp and .vhd file must be copied to retain the properties and KMS configuration of the original vDisk.”
Error
In case the following error is thrown, “An unexpected MAP error occurred – Failed to map vDisk, no Driver”, there are two possible problems: 1) the drivers are not installed correctly or 2) the account configured at the Streaming service has insufficient privileges.
1) Drivers are not installed correctly
The first problem is easy to detect and solve. Try to mount the vDisk (right-click on the vDisk > Mount vDisk) from the Provisioning Services Console on the PVS server. If that does not work the drivers are not correctly installed. Go to C:\Program Files\Citrix\Provisioning Services\drivers, right-click on cfsdep2.inf and click Install.
2) Insufficient privileges
If you’re able to mount the vDisk from the Provisioning Services Console then the Citrix PVS Stream Service has insufficient privileges. The account configured to run the Citrix PVS Stream Service needs to have the Perform volume maintenance tasks (SE_MANAGE_VOLUME_NAME) privilege. This privilege is required because the Citrix PVS Stream Service needs to mount the vDisk in order to execute the KmsPrep / KmsReset. See CTX132995 for details.
By default only the local Administrators group has the SE_MANAGE_VOLUME_NAME privilege assigned. The problem can be solved by making the AD account, or NETWORK SERVICE when log on as “Local System account” is used, a member of the local Administrators group. If you don’t want to add NETWORK SERVICE to the local Administrators group – which I don’t recommend – the privilege can be assigned in the security policy: Windows Settings > Security Settings > Local Policies > User Rights Assignment > Perform volume maintenance tasks
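To see which accounts currently hold the privilege before changing group membership or policy, the following added example (not part of the original article) exports the local user-rights policy with secedit and lists the holders of SeManageVolumePrivilege, the policy-file name of "Perform volume maintenance tasks", next to the account the Stream Service runs as. It assumes Windows PowerShell 3.0 or later and that the service's display name is "Citrix PVS Stream Service" as written in this article.

```powershell
# Added example: who holds "Perform volume maintenance tasks" on this PVS server?
# Run from an elevated PowerShell prompt on the PVS server.

function Get-VolumeMaintenanceHolder {
    # Export only the user-rights section of the local security policy.
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeManageVolumePrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }

        # Entries are comma separated; SIDs are prefixed with '*'.
        foreach ($entry in ($line -replace '^[^=]*=\s*', '') -split ',') {
            $entry = $entry.Trim()
            if (-not $entry.StartsWith('*')) { $entry; continue }
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # SID that no longer resolves to a name
        }
    }
    finally {
        # The export contains policy data; do not leave it in TEMP.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-StreamServiceAccount {
    # Display name taken from the article (assumption: unchanged in your PVS version).
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = 'Citrix PVS Stream Service'" |
        Select-Object Name, StartName, State
}

$holders = @(Get-VolumeMaintenanceHolder)
$service = Get-StreamServiceAccount

"Privilege holders  : $($holders -join ', ')"
"Stream Service runs: $($service.StartName)"
# The service account has the privilege if it is listed itself or is a
# member of a listed group (by default only BUILTIN\Administrators).
```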
Verify license activation
Boot another target device, a different machine than the one where you created the image/vDisk, and log in with an administrative account.
Open a command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.
SlMgr /DLV
Initially the machine is not licensed; instead the license status is “Additional grace period (KMS license expired or hardware out of tolerance)”.
During boot the Software Protection Service (Security-SPP) notices that the hardware has changed. Besides the different hardware, the Client Machine ID (CMID) has changed as well; this is expected, as each machine needs a unique ID.
In the Application log in the Event Viewer you’ll find an event from Security-SPP with ID 1040 informing that “Hardware has changed from previous boot”, immediately followed by ID 1025 “Grace period has been started. Grace days=30 Grace type=1” and ID 1024 “The hardware has changed”.
After 30 minutes (up to 2 hours) the client will send an activation request to the KMS server. Sure enough the KMS server will grant the license and the client is licensed. In the event log an event is raised by Security-SPP with ID 12288 when an activation is requested, ID 12289 when a response is received and finally ID 1003 when the license status check is completed.
Again open a command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.
SlMgr /DLV
The license is no longer in its grace period; it is now licensed.
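The same verification can be scripted. This added example (not part of the original article) reads the license status and CMID from WMI and lists the Security-SPP events named above in time order, so the sequence from hardware change to completed activation is visible in one place. It assumes Windows PowerShell 3.0 or later on the target device; the status labels are shortened descriptions of the documented LicenseStatus values.

```powershell
# Added example: summarise KMS activation state on a streamed target device.
# Run from an elevated PowerShell prompt on the target device.

# LicenseStatus values of the SoftwareLicensingProduct WMI class.
# Value 3 is what SlMgr /DLV reports as "Additional grace period".
$statusText = @{
    0 = 'Unlicensed';             1 = 'Licensed'
    2 = 'Out-of-box grace';       3 = 'Additional (out-of-tolerance) grace'
    4 = 'Non-genuine grace';      5 = 'Notification'
    6 = 'Extended grace'
}

# Security-SPP event IDs described in the article.
$eventMeaning = @{
    1040  = 'Hardware has changed from previous boot'
    1025  = 'Grace period has been started'
    1024  = 'The hardware has changed'
    12288 = 'Activation requested'
    12289 = 'Activation response received'
    1003  = 'License status check completed'
}

function Get-KmsClientState {
    # The CMID must differ between target devices booted from the same vDisk.
    $cmid = (Get-CimInstance -ClassName SoftwareLicensingService).ClientMachineID
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
        ForEach-Object {
            [pscustomobject]@{
                Product      = $_.Name
                Status       = $statusText[[int]$_.LicenseStatus]
                GraceMinutes = $_.GracePeriodRemaining
                KeyEndsWith  = $_.PartialProductKey
                CMID         = $cmid
            }
        }
}

function Get-KmsActivationTimeline {
    param([int]$Hours = 4)   # look-back window; activation can take up to 2 hours
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Security-SPP'
        Id           = [int[]]@($eventMeaning.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ Name = 'Meaning'; Expression = { $eventMeaning[[int]$_.Id] } }
}

Get-KmsClientState        | Format-Table -AutoSize
Get-KmsActivationTimeline | Format-Table -AutoSize
```

Run it on two target devices streamed from the same vDisk: the CMID values should differ, and each timeline should end with events 12288, 12289 and 1003 once the status reads Licensed.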
KMS keys
The KMS keys are provided by Microsoft; they are not a secret. For your convenience I listed all known product keys in the tables below.
Microsoft Windows
Product | Edition | Product key |
Vista | Business | YFKBB-PQJJV-G996G-VWGXY-2V3X8 |
Vista | Business N | HMBQG-8H2RH-C77VX-27R82-VMQBT |
Vista | Enterprise | VKK3X-68KWM-X2YGT-QR4M6-4BWMV |
Vista | Enterprise N | VTC42-BM838-43QHV-84HX6-XJXK |
7 | Professional | FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 |
7 | Professional N | MRPKT-YTG23-K7D7T-X2JMM-QY7MG |
7 | Professional E | W82YF-2Q76Y-63HXB-FGJG9-GF7QX |
7 | Enterprise | 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH |
7 | Enterprise N | YDRBP-3D83W-TY26F-D46B2-XCKRJ |
7 | Enterprise E | C29WB-22CC8-VJ326-GHFJW-H9DH4 |
8 | Professional | NG4HW-VH26C-733KW-K6F98-J8CK4 |
8 | Professional N | XCVCF-2NXM9-723PB-MHCB7-2RYQQ |
8 | Enterprise | 32JNW-9KQ84-P47T8-D8GGY-CWCK7 |
8 | Enterprise N | JMNMF-RHW7P-DMY6X-RF3DR-X2BQT |
Server 2008 | Standard | TM24T-X9RMF-VWXK6-X8JC9-BFGM2 |
Server 2008 | Standard without Hyper-V | W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ |
Server 2008 | Enterprise | YQGMW-MPWTJ-34KDK-48M3W-X4Q6V |
Server 2008 | Enterprise without Hyper-V | 39BXF-X8Q23-P2WWT-38T2F-G3FPG |
Server 2008 | HPC | RCTX3-KWVHP-BR6TB-RB6DM-6X7HP |
Server 2008 | Datacenter | 7M67G-PC374-GR742-YH8V4-TCBY3 |
Server 2008 | Datacenter without Hyper-V | 22XQ2-VRXRG-P8D42-K34TD-G3QQC |
Server 2008 | For Itanium-Based Systems | 4DWFP-JF3DJ-B7DTH-78FJB-PDRHK |
Server 2008 R2 | Web | 6TPJF-RBVHG-WBW2R-86QPH-6RTM4 |
Server 2008 R2 | HPC edition | TT8MH-CG224-D3D7Q-498W2-9QCTX |
Server 2008 R2 | Standard | YC6KT-GKW9T-YTKYR-T4X34-R7VHC |
Server 2008 R2 | Enterprise | 489J6-VHDMP-X63PK-3K798-CPX3Y |
Server 2008 R2 | Datacenter | 74YFP-3QFB3-KQT8W-PMXWJ-7M648 |
Server 2008 R2 | For Itanium-based Systems | GT63C-RJFQ3-4GMB6-BRFB9-CB83V |
Server 2012 | Core | BN3D2-R7TKB-3YPBD-8DRP2-27GG4 |
Server 2012 | Core N | 8N2M2-HWPGY-7PGT9-HGDD8-GVGGY |
Server 2012 | Core Single Language | 2WN2H-YGCQR-KFX6K-CD6TF-84YXQ |
Server 2012 | Core Country Specific | 4K36P-JN4VD-GDC6V-KDT89-DYFKP |
Server 2012 | Server Standard | XC9B7-NBPP2-83J2H-RHMBY-92BT4 |
Server 2012 | Standard Core | XC9B7-NBPP2-83J2H-RHMBY-92BT4 |
Server 2012 | MultiPoint Standard | HM7DN-YVMH3-46JC3-XYTG7-CYQJJ |
Server 2012 | MultiPoint Premium | XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G |
Server 2012 | Datacenter | 48HP8-DN98B-MYWDG-T2DCC-8W83P |
Server 2012 | Datacenter Core | 48HP8-DN98B-MYWDG-T2DCC-8W83P |
Source: Microsoft TechNet
Microsoft Office
Type | Version | Edition | Product key |
Suites | 2010 | Office Professional Plus | VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB |
Suites | 2010 | Office Standard | V7QKV-4XVVR-XYV4D-F7DFM-8R6BM |
Suites | 2013 | Office Professional Plus | YC7DK-G2NP3-2QQC3-J6H88-GVGXT |
Suites | 2013 | Office Standard | KBKQT-2NMXY-JJWGP-M62JB-92CD4 |
Stand-alone products | 2010 | Access | V7Y44-9T38C-R2VJK-666HK-T7DDX |
Stand-alone products | 2010 | Excel | H62QG-HXVKF-PP4HP-66KMR-CW9BM |
Stand-alone products | 2010 | Sharepoint Workspace | QYYW6-QP4CB-MBV6G-HYMCJ-4T3J4 |
Stand-alone products | 2010 | InfoPath | K96W8-67RPQ-62T9Y-J8FQJ-BT37T |
Stand-alone products | 2010 | OneNote | Q4Y4M-RHWJM-PY37F-MTKWH-D3XHX |
Stand-alone products | 2010 | Outlook | 7YDC2-CWM8M-RRTJC-8MDVC-X3DWQ |
Stand-alone products | 2010 | PowerPoint | RC8FX-88JRY-3PF7C-X8P67-P4VTT |
Stand-alone products | 2010 | Project Professional | YGX6F-PGV49-PGW3J-9BTGG-VHKC6 |
Stand-alone products | 2010 | Project Standard | 4HP3K-88W3F-W2K3D-6677X-F9PGB |
Stand-alone products | 2010 | Publisher | BFK7F-9MYHM-V68C7-DRQ66-83YTP |
Stand-alone products | 2010 | Visio Premium | D9DWC-HPYVV-JGF4P-BTWQB-WX8BJ |
Stand-alone products | 2010 | Visio Professional | 7MCW8-VRQVK-G677T-PDJCM-Q8TCP |
Stand-alone products | 2010 | Visio Standard | 767HD-QGMWX-8QTDB-9G3R2-KHFGJ |
Stand-alone products | 2010 | Word | HVHB3-C6FV7-KQX9W-YQG79-CRY7T |
Stand-alone products | 2013 | Access | NG2JY-H4JBT-HQXYP-78QH9-4JM2D |
Stand-alone products | 2013 | Excel | VGPNG-Y7HQW-9RHP7-TKPV3-BG7GB |
Stand-alone products | 2013 | InfoPath | DKT8B-N7VXH-D963P-Q4PHY-F8894 |
Stand-alone products | 2013 | Lync | 2MG3G-3BNTT-3MFW9-KDQW3-TCK7R |
Stand-alone products | 2013 | OneNote | TGN6P-8MMBC-37P2F-XHXXK-P34VW |
Stand-alone products | 2013 | Outlook | QPN8Q-BJBTJ-334K3-93TGY-2PMBT |
Stand-alone products | 2013 | PowerPoint | 4NT99-8RJFH-Q2VDH-KYG2C-4RD4F |
Stand-alone products | 2013 | Project Professional | FN8TT-7WMH6-2D4X9-M337T-2342K |
Stand-alone products | 2013 | Project Standard | 6NTH3-CW976-3G3Y2-JK3TX-8QHTT |
Stand-alone products | 2013 | Publisher | PN2WF-29XG2-T9HJ7-JQPJR-FCXK4 |
Stand-alone products | 2013 | Visio Professional | C2FG9-N6J68-H8BTJ-BW3QX-RM3B3 |
Stand-alone products | 2013 | Visio Standard | J484Y-4NKBF-W2HMG-DBMJC-PGWR7 |
Stand-alone products | 2013 | Word | 6Q7VD-NX8JD-WJ2VH-88V73-4GBJ7 |
Source: Office 2010, Office 2013
Resources
- Citrix eDocs – Configuring Microsoft KMS Volume Licensing
- CTX128276 – Configuring Key Management System (KMS) Licensing for Windows and Office 2010 and 2013 in Different Scenarios
- CTX – Console Error When Standard Mode Disk is prepared for KMS Activation
- Microsoft TechNet – KMS Activation Timing and Discovery
- Microsoft TechNet – How to troubleshoot the Key Management Service (KMS)
- Citrix Provisioning Service (PVS) and Windows 7 KMS
Hi Ingmar,
The procedure you describe here is actually only needed when you want to use your vDisk to reach the required KMS count.
If your KMS server is already activated (which it probably already is if you activate all your supporting servers), the only thing you have to do in a vDisk is a slmgr /ipk for Windows and a volume license install of Office.
We’ve been doing it like this for years for all our hosted customers in our datacenters.
Hi Michel,
While this probably will work, I doubt if you’re compliant. With the rearm a unique CMID is created for each machine and thus a license claimed. Skipping this process would mean the KMS server will not claim a license for all machines, violating the license terms.
See KB929829 – http://support.microsoft.com/kb/929829/en-us
“To reset the activation timer and to set a unique CMID, the Rearm process must run on the destination computer. This process is used to reset the activation state.”
PS: It’s worth mentioning there’s a threshold to qualify for KMS activation. A minimum of 5 machines for Windows Server and 25 machines for Windows Client machines.
Hi Ingmar,
Large service providers license per socket, so in our case (SPLA) it doesn’t matter how many VMs (Windows instances) we run.
Hi Michel,
If your environment is licensed with the SPLA per-socket use-right then yes, it might not be required to assign each machine a unique CMID. But in all other cases this is a requirement, so I would recommend everyone do so. Do you agree Michel?
No, I’m not a MS licensing expert, but I highly doubt that Microsoft is going to check the count on your KMS server and base your licensing around that.
That would also mean that if you (accidentally) misconfigure your vDisk, or Citrix bugs the mechanism, you would automatically be in license violation. Seems very strange to me.
Ingmar, thanks for again a great article!
Just to respond to the discussion, Microsoft actually does use KMS output for license audits. Being in license violation is not the same as misusing KMS. Like you said, you license on host level so who cares about Windows virtual machine licensing anyway.
Although there is little need to do proper KMS licensing when you are doing datacenter licensing on the host this is different when you are licensing by Windows instance.
There is one thing Michel seems to forget, which is logical since he’s doing SPLA and therefore a client OS is no option.
When you are working with stateful images like assigned VDI this will actually hurt your users since there is a license time out. In a stateless scenario this will reset but obviously this is not going to work when you are doing stateful.
Hi Ingmar,
Thanks for your article!
I had the problem that my Windows 7 VM was not able to rearm anymore.
I was getting the error:
“Error: 0xC004D307 The maximum allowed number of re-arms has been exceeded. You must re-install the OS before trying to re-arm again”.
In your article you have the following solution:
This can be solved by setting the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\SoftwareProtectionPlatform\SkipRearm = 0x1 (REG_DWORD).
This regkey is not right. It must be:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Software\ProtectionPlatform
“SkipRearm”=dword:00000001
Hi Patrick,
Thanks for the correction, I forgot the “CurrentVersion” key in the path, I’ve updated it.
PS: Your path is incorrect, there’s no \ between Software and ProtectionPlatform 😉
Hi Ingmar,
You are right! Sorry that was my mistake 🙂
Very helpful article. I’m wondering if you can further explain the process for updating an image created with the steps above? We are copying PVP and VHD files and getting WGA errors on subsequent updates to our vDisk (looking for a product key, etc.). Prior to shutting down a vDisk in private mode should we be doing a -rearm or is that only in the Master? This specific vDisk doesn’t have Office on it.
Thanks
Eric, each time you change the image from private to standard mode you should rearm the image (to ensure each machine has a unique CMID).
Thanks, that is what I thought. Do you know why that isn’t well documented? Is there another way we should be doing images that doesn’t require us to do this?
Specifically scenario 3-A which has no mention of re-arm.
http://support.citrix.com/article/CTX128276
Unfortunately I don’t understand what Citrix is trying to explain in their article. Whenever you’re distributing an image to multiple machines a rearm is required to ensure they receive a unique CMID. You can compare the CMID with a computer’s SID, both are a unique identifier for the computer. Since the SID is managed by PVS there’s no need to run sysprep, in newer versions PVS will probably manage the CMID as well (or so I hope!).
Hello,
I did confirm with Citrix the correct procedure if you are copying VHD and PVP files is to remove KMS licensing when doing updates and then turn it back on when finished. There is no re-arm required.
Ingmar,
Great article. There’s not much info out there that clarifies the subject the way you do here. Great work! 🙂
Thanx Atle!
Hi Ingmar,
thanks for this great article. You are my hero of the day!
I’ve been looking for a clear explanation of the thing for quite some time because the CTX article 128276 and eDocs confused me more than clearing things up.
Great article and much better than the CTX docs. I do have one problem though. After prepping the VHD on my dev server and streaming to the Prod ones everything goes as expected, until the prod servers are rebooted. They then revert to grace period and have to re-authenticate. Is this right?
Hi Glenn,
Glad you like the article and thank you for the compliment 🙂
What do you mean with “re-authenticate”? Each machine should contact the KMS server to request/verify its license. After a reboot the machine is “clean” again so this procedure should be repeated.
Cheers,
Ingmar
Thanks for the reply Ingmar. Sorry I didn’t make myself clear. The production servers revert to “out of the box grace period” on reboot, then I either have to run slmgr /ato or let them automatically authenticate themselves (usually within an hour or so). I’m assuming from your reply this is natural behavior.
Thanks Ingmar for such a nice article. We are having issue with machines not able to activate from KMS even after days and ultimately prompting to activate. Manual activation of each machine works fine. We are following these steps when we update a vDisk;
1. Shutdown all machines.
2. Put vDisk in Private mode.
3. Leave KMS Vol Licensing in KMS.
4. Power on one machine.
5. Apply necessary updates.
6. Shutdown the machine.
7. Change VDisk to Standard mode.
8. Verify vol Licensing is in KMS
9. Power ON all Machines.
The machines do not activate even after 20 minutes but can be activated manually.
What step am I missing?
Thanks.
Hi Ingmar,
Which can be done when the amount of rearms the office 2010 expired?
Is step 3 and 6 necessary? Since KMS server already present in the same network.
Step 3 and 6 are required if you didn’t provide the KMS key during installation (for instance an OEM key).
Great article. First one who wrote that the vhd is mounted when the access mode is changed from private to standard AND the MVL is set to KMS.
What I still don’t understand:
In our environment we rearm the OS and Office, shut down the device with the private image and use this vhd to overwrite another vhd (set to standard mode).
Then we start all devices from the vhd in standard mode.
There is no need to set the MVL to KMS on any of the disks.
We leave it to “none”.
This makes sense because every device will start with a random CMID.
It works here…
Initially I thought that the MVL set to KMS will mask the CMID during the streaming process (like it masks the host name).
In such a case, there would be no need to rearm the OS and Office.
Hi Ingmar,
Out of interest, what version of PVS is this related to. We currently use v6.1 and have had trouble getting Office 2013 to activate correctly using the procedure above and in addition several tweaks found on the web (setting registry key NoReReg etc).
Thanks,
Rob
Please post an article or an update that involves PvD. This feature is a major PITA when it comes to KMS.
Hey Ingmar, this guide works like a charm till the current versions of PVS and Office. Do you know where I have to put in the access or visio client kms keys? I mean for example installing office standard and at a day adding visio or project. The program path is the same, but other client kms key. Ospp does not accept the keys, don’t know why. Product is installed like office.
Thanks in advance and regards
Julian