Troubleshooting
Problem
Windows Server 2025 Datacenter Azure Edition or Windows Server 2022 Datacenter Azure Edition virtual machines activated via an on-premises KMS server appear licensed but still display a persistent “Not Activated” watermark.
Symptom
- slmgr /dlv or slmgr /xpr reports the system as Licensed.
- Desktop continues to show “Windows not activated” watermark.
- Activation using KMS appears successful, but the system does not reflect full activation status.
Cause
The issue occurs when required Azure certificate chain components are missing. Installing the missing intermediate/signing certificates and resetting the certificate cache restores certificate validation, allowing KMS activation to be fully recognized and removing the activation watermark.
Environment
- Windows Server 2025 Datacenter Azure Edition and Windows Server 2022 Datacenter Azure Edition
- Azure Virtual Machines
- Activation configured via on-premises KMS server
- Network connectivity to Azure Instance Metadata Service (IMDS)
Diagnosing The Problem
- Verify IMDS Connectivity
  - Confirm the VM can reach Azure IMDS using the PowerShell command found in the Microsoft link titled “Windows activation watermark continues to be displayed.”
  - The output of the command should include "@{azEnvironment=AzurePublicCloud; customData=;"
- Check Certificate Chain
  - Run the Microsoft troubleshooting scripts using the PowerShell command found in the Microsoft link titled “Windows activation watermark continues to be displayed.”
  - Look for missing certificates in the output.
  - Example error: Certificate not found: 'CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US'
- Validate Root and Intermediate Certificates
  - Confirm the presence of: Microsoft RSA Root Certificate Authority 2017 (Trusted Root)
  - Identify missing intermediate/signing certificates in the output of the command above.
  - Search the Microsoft Azure certificates listed in the Microsoft link titled “Azure Certificate Authority details” for the missing intermediate and signing certificates.
Resolving The Problem
1. Install Missing Certificates
   Download the required certificates and install them into the Intermediate Certification Authorities (Local Computer) store.
   For the example output above, search the Microsoft link titled “Azure Certificate Authority details” for:
   - Microsoft TLS G2 RSA CA OCSP 04
   - Microsoft TLS RSA Root G2 - xsign
2. Clear Certificate Cache
   Run:
       certutil -urlcache * delete
3. Reconfigure and Trigger Activation
   - Set the KMS server:
       slmgr /skms <kms-server-FQDN>:1688
   - Activate Windows:
       slmgr /ato
4. Remove Watermark
   Open an elevated command prompt and run:
       C:\Windows\System32\fclip.exe
5. Reboot the server
   Verify that the Activate Windows watermark no longer appears on the desktop.
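Added example (not part of the original document and not one of the Microsoft troubleshooting scripts): a read-only PowerShell check that reports whether the certificates named above are present and within their validity period in the Local Computer stores, and prints the licensing state. The store placement of each name, the CN matching, and the treatment of "- xsign" as a listing label are assumptions.

```powershell
# Added example: report whether the certificates named in this document are
# present in the Local Computer certificate stores. Makes no changes.
param(
    # Store path -> subject CNs expected there (names taken from this document).
    [hashtable]$Expected = @{
        'Cert:\LocalMachine\Root' = @('Microsoft RSA Root Certificate Authority 2017')
        'Cert:\LocalMachine\CA'   = @(
            'Microsoft Azure RSA TLS Issuing CA 04'
            'Microsoft TLS G2 RSA CA OCSP 04'
            # Listed as "Microsoft TLS RSA Root G2 - xsign"; assumption: "- xsign"
            # labels the cross-signed copy and is not part of the subject CN.
            'Microsoft TLS RSA Root G2'
        )
    }
)

$now = Get-Date
$report = foreach ($store in $Expected.Keys) {
    $certs = Get-ChildItem -Path $store
    foreach ($name in $Expected[$store]) {
        # Match the whole CN component so a name that is a prefix of another does not match.
        $pattern = '(^|,\s*)CN=' + [regex]::Escape($name) + '(,|$)'
        $hits = @($certs | Where-Object { $_.Subject -match $pattern })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Store = $store; Name = $name; Status = 'MISSING'; NotAfter = $null; Thumbprint = $null }
            continue
        }
        foreach ($c in $hits) {
            $status = if ($c.NotAfter -lt $now) { 'EXPIRED' } elseif ($c.NotBefore -gt $now) { 'NOT YET VALID' } else { 'Present' }
            [pscustomobject]@{ Store = $store; Name = $name; Status = $status; NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint }
        }
    }
}
$report | Sort-Object Store, Name | Format-Table -AutoSize

# Licensing state as Windows reports it (LicenseStatus 1 = Licensed).
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Where-Object { $_.Name -like 'Windows*' } |
    Select-Object Name, LicenseStatus, PartialProductKey | Format-List

$missing = @($report | Where-Object { $_.Status -ne 'Present' })
if ($missing.Count -gt 0) { Write-Warning "$($missing.Count) certificate check(s) failed"; exit 1 }
```

Compare the reported thumbprints against the values published in “Azure Certificate Authority details” before trusting a certificate that was installed by hand.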
Result
After completing the steps:
- Systems show fully licensed state
- KMS configuration is correct
- Partial Product Key reflects Server 2025 Datacenter Azure Edition (e.g., 8MCRC)
- “Not Activated” watermark is removed
Document Location
Worldwide
Document Information
Modified date:
20 May 2026
UID
ibm17273610