Persistent Activation Watermark on Azure VM (Windows Server 2022 Datacenter Azure Edition)

Question

Persistent Activation Watermark on Azure VM (Windows Server 2022 Datacenter Azure Edition)

Niket Kumar Singh 735

An Azure virtual machine running Windows Server 2022 Datacenter Azure Edition (cloudteamrdp) is continuously showing the activation watermark:Activate Windows. Go to Settings to activate Windows. Additionally, on login or reboot, the following pop-up appears:

“Your Windows Server 2022 Datacenter Azure Edition VM has been deactivated because you are not running on Azure or a supported Azure Stack hypervisor, or that you have not enabled Azure benefits on the supported Azure Stack...”

Despite being hosted within Azure, and having valid KMS activation, the watermark reappears after reboot or sign-in, indicating a deeper issue tied to Azure attestation or certificate validation.

Actions Taken So Far : https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/activation-watermark-appears

Confirmed VM Configuration

VM SKU: Windows Server 2022 Datacenter Azure Edition
Azure Hybrid Benefit: Enabled
MAC address and private IP match Azure portal values.
IMDS endpoint (169.254.169.254) reachable — verified using PowerShell: Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri http://169.254.169.254/metadata/instance?api-version=2021-02-01

KMS Activation Verified :
Ran standard KMS activation steps:
slmgr /ckms

slmgr /skms kms.core.windows.net

slmgr /ato

slmgr /xpr

slmgr /dlv

Result: Activation successful, valid for 180 days, expiry shown as Nov 2025.

Missing Certificate Chain Identified Using PowerShell attestation script, we identified that:CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US

was missing from the certificate chain on the system. This was confirmed using: $certs = Get-ChildItem -Path Cert:\LocalMachine\CA

Downloaded and Installed the Missing Certificate

Certificate downloaded from official Microsoft CA page: https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains
Imported using: Import-Certificate -FilePath "C:\Path\To\CA03.crt" -CertStoreLocation "Cert:\LocalMachine\CA" Executed fclip.exe as per Microsoft recommendation Ran fclip.exe from C:\Windows\System32: cd C:\Windows\System32 fclip.exe Result: Watermark disappeared

Attempted to Install KB5036909 Patch

Tried to install Windows patch KB5036909 as referenced by Microsoft, but received error: “Update is not applicable to this system”

Current Status

Issue is recurring.

KMS license is active.

IMDS is reachable.

Certificate chain was manually fixed and verified.

Watermark disappears temporarily after fclip.exe, but reappears after some days (2-3)restart.

How to fix this

Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-05-27T11:57:50.6833333+00:00
Hi Niket Kumar Singh,

It was great that you have already followed the steps mentioned in the document Windows activation watermark. But the KB5036909 installation should be must because it was designed to fix this, so ensure that's installed.

you can get KB5036909 from the Update Catalog. KB5036909 may target a specific version/build of Windows. If you're running a different version, even within the same major release, the update won’t apply.

Please check your system version by running winver in the Start menu or in a Run dialog.

Compare your version/build number with the KB5036909 support article to ensure compatibility.

If you're running a different version, even within the same major release, the update won’t apply.

Check KB5036909 installation by running Get-HotFix in the command prompt.

Also try installing all the certificates from the document
Microsoft Azure RSA TLS Issuing CA 03

Microsoft Azure RSA TLS Issuing CA 04

Microsoft Azure RSA TLS Issuing CA 07

Microsoft Azure RSA TLS Issuing CA 08

Then run the c:\windows\system32 and run "fclip.exe" from admin command prompt. Also Update FClip to run in system context by running: Schtasks /change /TN "\Microsoft\Windows\Clip\LicenseImdsIntegration" /RU "NT Authority\System"

If you have any further queries, let me know. If the information is helpful, please click on Upvote.

Thank you.

Accepted answer

0 additional answers

Your answer

Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-05-27T11:57:50.6833333+00:00

Hi Niket Kumar Singh,

It was great that you have already followed the steps mentioned in the document Windows activation watermark. But the KB5036909 installation should be must because it was designed to fix this, so ensure that's installed.

you can get KB5036909 from the Update Catalog. KB5036909 may target a specific version/build of Windows. If you're running a different version, even within the same major release, the update won’t apply.

Please check your system version by running winver in the Start menu or in a Run dialog.

Compare your version/build number with the KB5036909 support article to ensure compatibility.

If you're running a different version, even within the same major release, the update won’t apply.

Check KB5036909 installation by running Get-HotFix in the command prompt.

Also try installing all the certificates from the document
Microsoft Azure RSA TLS Issuing CA 03

Microsoft Azure RSA TLS Issuing CA 04

Microsoft Azure RSA TLS Issuing CA 07

Microsoft Azure RSA TLS Issuing CA 08

Then run the c:\windows\system32 and run "fclip.exe" from admin command prompt. Also Update FClip to run in system context by running: Schtasks /change /TN "\Microsoft\Windows\Clip\LicenseImdsIntegration" /RU "NT Authority\System"

If you have any further queries, let me know. If the information is helpful, please click on Upvote.

Thank you.

Answer 1

Alex Burlachenko 10,250

hi Niket Kumar Singh, thanks for posting this on Q&A be sure u’re not alone in this struggle, trust me. let’s break it down super simple, step by step.

so, u’ve already done a ton of stuff kms activation, checked IMDS, even fixed the cert chain. nice! but that watermark keeps coming back like a bad meme ))) what might help:

recheck the cert chain again. yeah, i know u already did it, but sometimes azure being azure, things get weird. open powershell and run

Get-ChildItem -Path Cert:\LocalMachine\CA | Where-Object { $_.Subject -like "*Microsoft Azure RSA TLS Issuing CA 03*" }

if it’s missing, grab it from here and import it again.

run fclip.exe once more. this little guy sometimes needs a second nudge. just open cmd as admin and do

cd C:\Windows\System32
fclip.exe

wait a sec, then restart. see if the watermark ghosts u again.

check the azure metadata service. sometimes the VM loses its mind and forgets it’s in azure. run this in powershell to make sure

Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

if u get a response with all the VM details, cool. if not, uh-oh something’s blocking it.

force a kms reactivation. slmgr can be stubborn, so let’s yell at it again ))

slmgr /ckms
slmgr /skms kms.core.windows.net
slmgr /ato

if it says "activated," but the watermark stays, azure’s attestation might be glitching.

last resort redeploy the VM. i know, i know, it’s a hassle. but sometimes azure just needs a fresh start. try a redeploy from the portal (not a reboot, a full redeploy!).

if none of this works, so...u need backend support this might be a backend issue they need to fix.

hope this helps, lmk if non.

Best regards,
Alex
and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment
https://ctrlaltdel.blog/

Niket Kumar Singh 735 Reputation points

2025-05-28T06:47:23.2933333+00:00

Hi Alex Burlachenko

Thanks for the suggestion, let me try it and update you soon.
Alex Burlachenko 10,250 Reputation points

2025-05-28T09:19:06.9966667+00:00

Niket Kumar Singh well, so let me to know then.

rgds,

Alex

https://ctrlaltdel.blog/
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-05-29T10:51:00.13+00:00

Hi Niket Kumar Singh,

Just checking in to see if you have got a chance to see my response and Alex response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Niket Kumar Singh 735 Reputation points

2025-06-02T09:56:31.7533333+00:00

Hi Alex Burlachenko,

we followed the steps but randomly sometimes it appear and later disappering.

Is there any way i can track down why this is happening?
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-06-04T17:57:43.1333333+00:00

Hi Niket Kumar Singh,

I understand that your VM sometimes shows the Activate Windows watermark and sometimes doesn’t.

I request you to look at the Activation Errors in Event Viewer. Check if you see errors around Activation or Attestation or Certificates.

Please let me know, post fclip.exe, the sppsvc.exe was able to be triggered. Are you creating task with local Admin user?

Share via

Persistent Activation Watermark on Azure VM (Windows Server 2022 Datacenter Azure Edition)

0 additional answers

Your answer