Share via

Win 11 Multi-session activation on Azure Local

Matt 21 Reputation points
2025-07-30T04:05:18.45+00:00

Hi there,

I have set up an Azure Local cluster across two hosts with the intention of using the cluster for Azure Virtual Desktop. I've created a Windows 11 Mult-session image that was pulled from the Azure Marketplace and I've deployed a couple of VMs from that. Everything is working well, but the issue I'm having is that the Win 11 VMs will not activate.

From what I understand, these VMs should be activating via the hosts? Looking at this page, when I run "Get-AzStackHCIVMAttestation" on one of the hosts, I get the following which seems correct.User's image

The other various PS commands also return correct results, yet the VMs won't activate. If I look in the VM properties in the Arc Portal, I see the following:

User's image Does that mean it's incorrectly trying to use the AD Based Activation method that has been setup on-premise for other non-AVD/AZ Local systems?

Azure Virtual Desktop
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jerald Felix 4,530 Reputation points
    2025-07-30T04:11:25.0433333+00:00

    Hello Matt,

    Thanks for sharing the details, let’s get those Windows 11 Enterprise multi‑session VMs to activate. 👋

    Why activation isn’t kicking in

    Windows 11 multi‑session on Azure Local doesn’t use your on‑prem KMS or ADBA at all. Instead, the guest asks the host for an Azure VM verification token (similar to IMDS in Azure) and self‑activates once it trusts that token. If the token never arrives, Windows falls back to showing “Active Directory‑based activation needed,” which is the behaviour you’re seeing. Microsoft Learn

    Three things to double‑check

    CheckWhat to look forHow to fixOS buildGuest must have April 9 2024 “4B” CU (KB 5036893 for 22H2) or newer. Older builds don’t understand Azure VM verification. Microsoft LearnRun Windows Update or inject the latest CU into your image, then reboot.OS buildGuest must have April 9 2024 “4B” CU (KB 5036893 for 22H2) or newer. Older builds don’t understand Azure VM verification. Microsoft LearnRun Windows Update or inject the latest CU into your image, then reboot.**Guest Service Interface (GSI)**Integration service “Guest Service Interface” must be Running inside the VM (and Enabled on the VM’s Integration Services tab). This is the VM‑bus channel the token uses. Microsoft LearnFrom the host: Enable‑VMIntegrationService ‑VMName <vm> ‑Name "Guest Service Interface"Host attestationGet‑AzureStackHCIAttestation should show Status : Active and IMDS Attestation : On for every node in the cluster. Microsoft LearnIf any node is Expired or Inactive: Sync‑AzureStackHCI and confirm the cluster is registered/connected.--- Quick recovery steps

    1. Patch the image Inside each session host: 
         powershell
   Copy
   winget upgrade --all   # or Windows Update UI
      Verify build ≥ 22621.3447 (run winver). Enable GSI (if it was off) 
         powershell
   Copy
   Enable‑VMIntegrationService ‑VMName "<VM>" ‑Name "Guest Service Interface"

    Restart‑VM "<VM>"

       
   **Force a re‑sync & activation** *On the host:* `Sync‑AzureStackHCI` *In the guest (elevated):* `slmgr /ato` — give it a minute or two.
   
   **Validate** *Guest:* `slmgr /xpr` should now say **“Windows is activated (Azure VM Verification)”**. *Host/Portal:* In **Azure Local → Azure verification for VMs → VMs tab**, the session hosts should move from **Inactive benefits** to **Active benefits**. [Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-local/deploy/azure-verification?view=azloc-2505)
   
---
Still stuck?

**Legacy OS support** – only needed for **Windows 10** multi‑session or very old builds. Enabling it won’t hurt, but for fully‑patched Windows 11 multi‑session you shouldn’t need it.

**Network check inside the guest** (should return JSON):

```yaml
powershell
Copy
Invoke‑RestMethod -Headers @{Metadata='true'} `
  -Uri 'http://127.0.0.1:42542/metadata/attested/document?api-version=2018-10-01'

    If this fails, something is blocking the VM‑bus path (often GSI or firewall rules).

    Give those steps a try and shout if activation still won’t flip — happy to dig deeper!

    Best Regards,

    Jerald Felix

  2. Rashmika Inagadapa 0 Reputation points Microsoft External Staff Moderator
    2025-08-04T12:19:03.9333333+00:00

    Hi Matt,

    Based on the troubleshooting steps you've already performed— the attestation status on the host is showing as "Active" and GSI is enabled, the inability to connect to the attestation endpoint (http://127.0.0.1:42542) from within the guest VM indicates that Guest-side Integration (GSI) is not functioning correctly inside your Windows 11 multi-session VMs.

    I would like to help with a series of steps to fix your issue.

    1. Check if GSI is installed and running in the guest VM

    ·       Open PowerShell as an Administrator inside the guest VM and run the following command to check for the GSI service in the PowerShell:

    Get-Service GuestAttestationService

    ·       If the service does not exist or is not running, GSI is not properly installed. So proceed to next step to fix the GSI.

    2.Install or Repair the Guest Integration Services

    The GSI service is a component of the Azure Stack HCI Guest Tools. Reinstalling this package will fix any corrupted files or missing components.

    ·       On the guest VM, download the latest Azure Stack HCI Guest Tools.

    You can download from here: Azure Stack HCI Guest Tools

    ·       Reboot the VM after installation.

    3. Test the Connection to the Attestation Endpoint

    After reinstalling the tools and rebooting, the GSI service should now be working. Re-run the test to confirm the VM can communicate with the host.

    ·       Open PowerShell as an Administrator inside the guest VM.

    ·       Run the attestation test command below in the PowerShell:

    Invoke-RestMethod -Headers @{Metadata='true'} -Uri 'http://127.0.0.1:42542/metadata/attested/document?api-version=2018-10-01' -usedefaultcredentials

    ·       The command will no longer show "Unable to connect." Instead, it will return a large JSON object containing attestation metadata. This confirms the communication channel is open. If the command still fails, proceed to the "Additional Checks" section below.

    4: Manually Trigger Activation

    With GSI working and communication confirmed, the VM should now be able to activate. You can manually trigger this process.

    • Open PowerShell as an Administrator and Run the following command: slmgr.vbs /ato
    • You will receive a message confirming that the product has been activated successfully.

    If the issue persists, try these additional checks:

    If the issue is not resolved by reinstalling the guest tools, consider these advanced checks:

    • Firewall Rules: A restrictive firewall can block communication. Verify the "Guest Service Interface" firewall rule is enabled with this command running in the PowerShell:  Get-NetFirewallRule -DisplayName "Guest Service Interface (HTTP-in)
    • Operating System Edition: Confirm the VM is running the correct OS edition for AVD. Run DISM /Online /Get-CurrentEdition. It should show EnterpriseMultiSession.
    • Review GSI Logs: For more detailed error information, check the GSI event logs with

    Get-WinEvent -LogName Microsoft-AzureStack-HCI-Guest/Operational | Select-Object -First 10.

    ·       Confirm the port is reachable in the PowerShell:

       Test-NetConnection -ComputerName 127.0.0.1 -Port 42542

    Please kindly follow the above steps and let me know if the issue still persists. I would be happy to help with your queries.

    Thanks,

    Rashmika

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.