Video Screencast Help

CSP Preventing Windows KMS Activation

Created: 12 Feb 2014 | 3 comments

Hi there...still relatively new to CSP.  I thought I had this figured out, but I'm still seeing CSP block Windows KMS product activation.  Event Viewer isn't logging anything as blocked though.

Originally, I thought it was a port block.  So I added our KMS server port (1688) to our Prevention Policy under Kernel_PS > Advanced> Network Controls > Outbound.  I pushed the policy out and most of the servers can activate, and I can drop to an admin console and run commands like slmgr.vbs -dlv and slmgr.vbs -ato

However we have about 20 servers that are still not able to activate against the KMS.  When I run slmgr /dlv, I get:

"On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x46' to display the error text.  Error: 0x46"

or

"On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80041013' to display the error text.  Error: 0x80041013"

If I try to run slui.exe to get the error, it never opens.  WScript.exe and slui.exe are assigned to svc_safepriv_ps

As soon as I disable CSP, I can run these commands and Windows activates without issue.

Any ideas?  When Windows goes unactivated, I can't run SCCM or perform Windows Updates.

Thanks!

Max

Operating Systems:

Comments 3 CommentsJump to latest comment

michal_dolata's picture

Have you tried to enable Trivial logging?

Not all the blocked events are logged by default

Chuck Edson's picture

Michael is correct -- enable trivial logging.  Note that by default, trivial events are not sent to the manager, and only appear in the agent .csv files.  If you want the events to show up in the database, you will have to edit the config applied to the asset to send trivial events.

Note that this will create a LOT of events, so you don't want to enable trivial events on every asset in your organization and then send them all to the manager -- you can fill up your database very quickly doing that.

If a post helps you, please mark it as the solution to your issue.

MDiOrioIHS's picture

Enabled Trivial Logging, went to go back to one of my trouble systems and now activation is working properly with CSP enabled.  It seems as though when CSP is installed and the system falls out of activation the first time, we must disable CSP and activate.  After that, activation continues to work even when CSP is enabled?

I'll have to catch an unactivated server the next time I find one.