Citrix PVS: Enabling KMS licensing on a vDisk
When streaming a Windows machine the Windows license can be managed by a Key Management System (KMS). Citrix describes it as follows “KMS volume licensing utilizes a centralized activation server that runs in the datacenter, and servers as a local activation point (opposed to having each system activate with Microsoft over the internet).”
To ensure KMS is working correctly the Windows machine needs to be prepared for KMS, this involves setting the right license key and “re-arming” the license. Citrix has done a pretty good job describing different scenarios in CTX128276 and explaining which actions to take, but there are more steps involved.
In this article I’ll explain what steps you can take to build a PVS vDisk where licensed are managed by KMS and how to troubleshoot some known caveats.
How to prepare your image
Creating a Citrix PVS vDisk for Windows machines that are licensed by a Key Management System (KMS) consists of the following eight steps:
1) Create vDisk
Build your image as you normally would (install your OS, applications and apply the required configuration) and upload the using the imaging wizard. Build a new image and select the Key Management Service (KMS) in the Microsoft Volume Licensing dialog.
After the vDisk is created and the target device is assigned to the new vDisk reboot the machine. Boot from Network (or the Boot Device Manager via ISO or VHD) so the machine will mount the vDisk in private mode.
After you logon with a user (with administrative privileges) the files are converted from volume C: to the vDisk, in other words: the content of the C: drive is copied to the vDisk on the PVS server.
After the content is copied click Finish to continue to the shell.
2) Cleanup windows activation
To start with a clean setup we can cleanup the Windows activation. Run a command prompt with elevated privileges (run as administrator) and issue the following commands:
Net Stop SpPSvc Del C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat Net Start SpPSvc
Source: How to rebuild the Tokens.dat or Activation Tokens file in Windows 7 | 8
3) Install KMS product key (Windows)
Now we need to ensure that Windows has a KMS product key (instead of a OEM or VLK). From an elevated command prompt: Run the Software Licensing Management Tool (SlMgr) and install the 
KMS product key (/IPK) for your Windows version.
SlMgr /IPK <ProductKey>
See the tables attached to this article for the KMS client key for your Windows version
4) Activate Windows
To verify that the license key is a KMS license key and the license can be activated by a KMS server we can test the activation. 
Run the Software Licensing Management Tool (SlMgr) and activate Windows (/ATO).
SlMgr /ATO
Verbose information about the licensing can be retrieved with the Software Licensing Management Tool.
SlMgr /DLV
As you can see the License Status is Licensed. If you have any other result first troubleshoot that (see Microsoft TechNet – How to troubleshoot the Key Management Service (KMS)).
5) Re-arm Windows license
Since we’re going to distribute this vDisk to multiple machines we need to reset it to a non-activated state using the rearm command. Run the Software Licensing Management Tool (SlMgr)
and reset the licensing status of the machine (/ReArm).
SlMgr /ReArm
Do // NOT // reboot the machine
6) Install KMS product key (Office)
In case you’ve installed Microsoft Office and need to license it via KMS, nearly the same steps are required. Run the Office Software Protection Platform (OsPP.vbs) and install the product key (/InPKey) for your Office version.
cscript.exe ospp.vbs /InPKey:<ProductKey>
See the tables attached to this article for the KMS client key for your Office version
You can verify if Office generated a Client Machine ID (CMID) by running the Office Software Protection Platform tool with /dcmid.
cscript.exe ospp.vbs /dcmid
7) Re-arm Office license
Just like Windows, Office also needs to be to reset to a non-activated state using the rearm command. Run the Office Software Protection Plafrom Rearm (OSPPREARM) tool from the x86 location.
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE or C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
8) Put vDisk in Standard mode
Unlock vDisk
Shut down the target device and wait until the vDisk changes from locked (1) to unlocked (0).
Set Access Mode
Open the properties of the vDisk and set the Access Mode to “Standard Image (multi-device, read-only access)” and verify that Key “Management Service (KMS)” is selected at the Microsoft Volume Licensing tab.
What’s important to know is that the Citrix PVS Stream Service at the moment will mount the vDisk, execute a KmsPrep – or KmsReset if this has been done before – and then unmount it again. This only happens if you change the Access Mode from Private to Standard. If the Access Mode is already in Standard and KMS is selected, the image is NOT updated.
As Citrix describes in Managing Microsoft KMS Volume Licensing “Note: When preparing or updating a KMS configured vDisk that will be copied or cloned, it is important to complete the final KMS configuration task, which is to change the vDisk mode from Private Image Mode to Shared Image Mode, before copying or cloning the vDisk to other Provisioning Servers. Also, both the .pvp and .vhd file must be copied to retain the properties and KMS configuration of the original vDisk”
Error
In case the following error is thrown “An unexpected MAP error occurred – Failed to map vDisk, no Driver” there are two possible problem. 1) The drivers are not installed correctly or 2) the account configured at the Streaming service had insufficient privileges.
1) Drivers are not installed correctly
The first problem is easy to detect and solve. Try to mount the vDisk (right-click on the vDisk > Mount vDisk) from the Provisioning Services Console on the PVS server. If that does not work the drivers are not correctly installed. Go to C:\Program Files\Citrix\Provisioning Services\drivers, right-click on cfsdep2.inf and click Install.
2) Insufficient privileges
If you’re able to mount the vDisk from the Provisioning Service Console then the Citrix PVS Stream Service has insufficient privileges. The account configured to run the Citrix PVS Stream Service needs to have the Perform volume maintenance tasks (SE_MANAGE_VOLUME_NAME) privilege. The reason this privileges is required is because the Citrix PVS Stream service need to mount the vDisk in order to execute the KmsPrep / KmsReset. See CTX132995 for details.
By default only the local Administrators group has the SE_MANAGE_COLUME_NAME privilege assigned. The problem can be solved by making the AD account, or NETWORK SERVICE when log on as “Local System account” is used, member of the local Administrators group. If you don’t want to add NETWORK SERVICE to the local Administrators group – which I don’t recommend – the privilege can be assigned in the security policy: Windows Settings > Security Settings > Local Polies > User Rights Assignment > Perform volume maintenance tasks
Verify license activation
Boot another target device, a different machine then where you created the image/vDisk, and login with an administrative account.
Open an command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.
SlMgr /DLV
Initially the machine is not licensed, instead the license status is “Additional grace period (KMS license expired or hardware out of tolerance”.
During boot the Software Protection Service (Security-SPP) notices that hardware has changed. Besides different hardware is the Client Machine ID (CMID) is changed, this is expected as each machine needs a unique ID.
In the Application log in the Event Viewer you’ll find an event from Security-SPP with ID 1040 informing that “Hardware has changed from previous boot”, immediately followed by ID 1025 “Grace period has been started. Grace days=30 Grace type=1” and ID 1024 “The hardware has changed”
After 30 minutes (up to 2 hours) the client will sent an activation request to the KMS server. Sure enough the KMS server will grant the license and the client is licensed. In the event log an event is raised by Security-SPP with ID 12288 when an activation is requested, ID 12289 when a response is received and finally ID 1003 when the license status check is completed.
Again open an command prompt with elevated privileges and retrieve verbose information about the licensing with the Software Licensing Management Tool.
SlMgr /DLV
The license is no longer in grace period, it is now licensed.
KMS keys
The KMS keys are provided by Microsoft, it’s not a secret. For your convenience I listed all known products keys in tables below.
Microsoft Windows
| Product | Edition | Product key |
| Vista | Business | YFKBB-PQJJV-G996G-VWGXY-2V3X8 |
| Business N | HMBQG-8H2RH-C77VX-27R82-VMQBT | |
| Enterprise | VKK3X-68KWM-X2YGT-QR4M6-4BWMV | |
| Enterprise N | VTC42-BM838-43QHV-84HX6-XJXK | |
| 7 | Professional | FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 |
| Professional N | MRPKT-YTG23-K7D7T-X2JMM-QY7MG | |
| Professional E | W82YF-2Q76Y-63HXB-FGJG9-GF7QX | |
| Enterprise | 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH | |
| Enterprise N | YDRBP-3D83W-TY26F-D46B2-XCKRJ | |
| Enterprise E | C29WB-22CC8-VJ326-GHFJW-H9DH4 | |
| 8 | Professional | NG4HW-VH26C-733KW-K6F98-J8CK4 |
| Professional N | XCVCF-2NXM9-723PB-MHCB7-2RYQQ | |
| Enterprise | 32JNW-9KQ84-P47T8-D8GGY-CWCK7 | |
| Enterprise N | JMNMF-RHW7P-DMY6X-RF3DR-X2BQT | |
| Server 2008 | Standard | TM24T-X9RMF-VWXK6-X8JC9-BFGM2 |
| Standard without Hyper-V | W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ | |
| Enterprise | YQGMW-MPWTJ-34KDK-48M3W-X4Q6V | |
| Enterprise without Hyper-V | 39BXF-X8Q23-P2WWT-38T2F-G3FPG | |
| HPC | RCTX3-KWVHP-BR6TB-RB6DM-6X7HP | |
| Datacenter | 7M67G-PC374-GR742-YH8V4-TCBY3 | |
| Datacenter without Hyper-V | 22XQ2-VRXRG-P8D42-K34TD-G3QQC | |
| For Itanium-Based Systems | 4DWFP-JF3DJ-B7DTH-78FJB-PDRHK | |
| Server 2008 R2 | Web | 6TPJF-RBVHG-WBW2R-86QPH-6RTM4 |
| HPC edition | TT8MH-CG224-D3D7Q-498W2-9QCTX | |
| Standard | YC6KT-GKW9T-YTKYR-T4X34-R7VHC | |
| Enterprise | 489J6-VHDMP-X63PK-3K798-CPX3Y | |
| Datacenter | 74YFP-3QFB3-KQT8W-PMXWJ-7M648 | |
| For Itanium-based Systems | GT63C-RJFQ3-4GMB6-BRFB9-CB83V | |
| Server 2012 | Core | BN3D2-R7TKB-3YPBD-8DRP2-27GG4 |
| Core N | 8N2M2-HWPGY-7PGT9-HGDD8-GVGGY | |
| Core Single Language | 2WN2H-YGCQR-KFX6K-CD6TF-84YXQ | |
| Core Country Specific | 4K36P-JN4VD-GDC6V-KDT89-DYFKP | |
| Server Standard | XC9B7-NBPP2-83J2H-RHMBY-92BT4 | |
| Standard Core | XC9B7-NBPP2-83J2H-RHMBY-92BT4 | |
| MultiPoint Standard | HM7DN-YVMH3-46JC3-XYTG7-CYQJJ | |
| MultiPoint Premium | XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G | |
| Datacenter | 48HP8-DN98B-MYWDG-T2DCC-8W83P | |
| Datacenter Core | 48HP8-DN98B-MYWDG-T2DCC-8W83P |
Source: Microsoft TechNet
Microsoft Office
| Type | Version | Edition | Product key |
| Suites | 2010 | Office Professional Plus | VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB |
| Office Standard | V7QKV-4XVVR-XYV4D-F7DFM-8R6BM | ||
| 2013 | Office Professional Plus | YC7DK-G2NP3-2QQC3-J6H88-GVGXT | |
| Office Standard | KBKQT-2NMXY-JJWGP-M62JB-92CD4 | ||
| Stand-alone products | 2010 | Access | V7Y44-9T38C-R2VJK-666HK-T7DDX |
| Excel | H62QG-HXVKF-PP4HP-66KMR-CW9BM | ||
| Sharepoint Workspace | QYYW6-QP4CB-MBV6G-HYMCJ-4T3J4 | ||
| InfoPath | K96W8-67RPQ-62T9Y-J8FQJ-BT37T | ||
| OneNote | Q4Y4M-RHWJM-PY37F-MTKWH-D3XHX | ||
| Outlook | 7YDC2-CWM8M-RRTJC-8MDVC-X3DWQ | ||
| PowerPoint | RC8FX-88JRY-3PF7C-X8P67-P4VTT | ||
| Project Professional | YGX6F-PGV49-PGW3J-9BTGG-VHKC6 | ||
| Project Standard | 4HP3K-88W3F-W2K3D-6677X-F9PGB | ||
| Publisher | BFK7F-9MYHM-V68C7-DRQ66-83YTP | ||
| Visio Premium | D9DWC-HPYVV-JGF4P-BTWQB-WX8BJ | ||
| Visio Professional | 7MCW8-VRQVK-G677T-PDJCM-Q8TCP | ||
| Visio Standard | 767HD-QGMWX-8QTDB-9G3R2-KHFGJ | ||
| Word | HVHB3-C6FV7-KQX9W-YQG79-CRY7T | ||
| 2013 | Access | NG2JY-H4JBT-HQXYP-78QH9-4JM2D | |
| Excel | VGPNG-Y7HQW-9RHP7-TKPV3-BG7GB | ||
| InfoPath | DKT8B-N7VXH-D963P-Q4PHY-F8894 | ||
| Lync | 2MG3G-3BNTT-3MFW9-KDQW3-TCK7R | ||
| OneNote | TGN6P-8MMBC-37P2F-XHXXK-P34VW | ||
| Outlook | QPN8Q-BJBTJ-334K3-93TGY-2PMBT | ||
| PowerPoint | 4NT99-8RJFH-Q2VDH-KYG2C-4RD4F | ||
| Project Professional | FN8TT-7WMH6-2D4X9-M337T-2342K | ||
| Project Standard | 6NTH3-CW976-3G3Y2-JK3TX-8QHTT | ||
| Publisher | PN2WF-29XG2-T9HJ7-JQPJR-FCXK4 | ||
| Visio Professional | C2FG9-N6J68-H8BTJ-BW3QX-RM3B3 | ||
| Visio Standard | J484Y-4NKBF-W2HMG-DBMJC-PGWR7 | ||
| Word | 6Q7VD-NX8JD-WJ2VH-88V73-4GBJ7 |
Source: Office 2010, Office 2013
Resources
- Citrix eDocs – Configuring Microsoft KMS Volume Licensing
- CTX128276 – Configuring Key Management System (KMS) Licensing for Windows and Office 2010 and 2013 in Different Scenarios
- CTX – Console Error When Standard Mode Disk is prepared for KMS Activation
- Microsoft TechNet – KMS Activation Timing and Discovery
- Microsoft TechNet – How to troubleshoot the Key Management Service (KMS)
- Citrix Provisioning Service (PVS) and Windows 7 KMS
.
Was once an enthusiastic PepperByte employee but is now working at Citrix. His blogs are still valuable to us and we hope to you too.