For anyone still having the issue, we have done the below and manually installed the needed certificates. We found our proxy had an issue with the HTTPS inspection and resolved this afterwards. But if you need to manually do this, please see the steps below as per an SR to Microsoft:
1. Check if communication to IMDS is possible
Please confirm that communication with IMDS is possible by executing the following commands.
Command (Please execute one line at a time):
$Proxy=New-object System.Net.WebProxy
$WebSession=new-object Microsoft.PowerShell.Commands.WebRequestSession
$WebSession.Proxy=$Proxy
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" -WebSession $WebSession
If the last Invoke-RestMethod command is successfully executed, the following results will be displayed in PowerShell.
<Example of Execution Result>
compute
-------
@{azEnvironment=AzurePublicCloud; customData=; evictionPolicy=; isHostCompatibilityLayerVm=false; licenseType=; locat...
If the above command fails, the Firewall or security software on your OS may be blocking communication to IMDS.
If the above command outputs the result as expected, please proceed to step 2.
2. Verifying the Verifiability of IMDS Server Certificates
2.1 Verification of IMDS server certificate
Please check if the IMDS certificate can be verified by using the following command.
$Proxy=New-object System.Net.WebProxy
$WebSession=new-object Microsoft.PowerShell.Commands.WebRequestSession
$WebSession.Proxy=$Proxy
$attestedDoc = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri http://169.254.169.254/metadata/attested/document?api-version=2020-09-01 -WebSession $WebSession
$signature = [System.Convert]::FromBase64String($attestedDoc.signature)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]($signature)
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.Build($cert)
If the certificate fails to validate, you will see False after the last $chain.Build($cert) command is executed. Please proceed to 2.2 or later.
If the output is True, please report this to our support.
2.2 Checking the certificate used in IMDS
The following commands are used to obtain information on certificates used in IMDS.
Command (Please execute one line at a time):
$Proxy=New-object System.Net.WebProxy
$WebSession=new-object Microsoft.PowerShell.Commands.WebRequestSession
$WebSession.Proxy=$Proxy
$attestedDoc = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri http://169.254.169.254/metadata/attested/document?api-version=2020-09-01 -WebSession $WebSession
$signature = [System.Convert]::FromBase64String($attestedDoc.signature)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]($signature)
[System.IO.File]::WriteAllBytes("C:\IMDS.cer", $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
If all commands are executed successfully, a file named IMDS.cer will be created directly under the C drive.
Open IMDS.cer and check the CN name corresponding to "Issuer" in the "Details" tab.
After confirming the CN name, download the certificate corresponding to the CN name from the following page.
Reference: Azure Certificate Authority details | Microsoft Learn
2.3 Import the downloaded certificate
1. Double-click the downloaded certificate file on the server and select "Install Certificate".
2. Select "Install Certificate".
3. Select "Local Computer" and select Next.
4. Select "Place all certificates in the following store", select "Intermediate Certificate Authority" from "Browse", click OK, and then select "Next".
5. Finally, click "Finish".
2.4 Perform OS reactivation
Open a command prompt with administrator privileges and execute the following command.
Command:
schtasks /RUN /TN "\Microsoft\Windows\Clip\LicenseImdsIntegration"
2.5 Checking the activation
Open "Settings" in the Windows menu and go to "Update and Security" to check the "License Activation" menu.
On the Activation screen, under "Activation," the message "Windows has been activated using your organization's license activation service."
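As an added example (not part of the original post or the Microsoft SR), the following sketch reads the C:\IMDS.cer file written in step 2.2 and reports why $chain.Build returned False, instead of only True/False. The function name Test-ImdsCertChain is hypothetical, and the script assumes it is run in an elevated PowerShell session on the affected VM.

```powershell
# Added example: explains a False result from $chain.Build($cert) in step 2.1.
# Test-ImdsCertChain is a hypothetical helper name, not a Microsoft cmdlet.
function Test-ImdsCertChain {
    param(
        [string]$Path = 'C:\IMDS.cer'   # file written in step 2.2
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $valid = $chain.Build($cert)

    # Issuer CN of the leaf: the name to look up on the Azure CA details page.
    $issuerCn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)

    # Is a certificate with that subject already in the Intermediate CA store
    # (the store chosen in step 2.3)?
    $inStore = @(Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $cert.Issuer })

    [pscustomobject]@{
        ChainValid      = $valid
        LeafSubject     = $cert.Subject
        LeafNotAfter    = $cert.NotAfter
        IssuerCN        = $issuerCn
        IssuerInCAStore = ($inStore.Count -gt 0)
        ChainLength     = $chain.ChainElements.Count
        # Empty when the chain is valid. PartialChain means an issuer could not
        # be found (the case step 2.3 fixes); RevocationStatusUnknown or
        # OfflineRevocation means the revocation check could not be completed.
        ChainStatus     = @($chain.ChainStatus | ForEach-Object { $_.Status })
        StatusDetail    = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
}

# Run only when the export from step 2.2 exists.
if (Test-Path 'C:\IMDS.cer') {
    Test-ImdsCertChain | Format-List
} else {
    Write-Warning 'C:\IMDS.cer not found; run the commands in step 2.2 first.'
}
```

Running it again after step 2.3 should show IssuerInCAStore as True and an empty ChainStatus if the missing intermediate certificate was the cause.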