Share via

The registry key HKLM:\SOFTWARE\Microsoft\AzureStack\HciAttestation doesn't exist

Robin Lee 35 Reputation points
2026-03-02T13:14:00.4666667+00:00

I have an Azure Local cluster (version 24H2, build 26100.32370) where Windows Server 2022 and 2025 VMs fail to activate. I noticed the registry key HKLM:\SOFTWARE\Microsoft\AzureStack\HciAttestation doesn't exist on any node.

HciAttestationSvc is running on all nodes.

There's nothing in the Application log or System log.

Azure Local

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Chris Puckett - MSFT 5 Reputation points Microsoft Employee
    2026-03-04T14:03:06.9+00:00

    Activating a virtual machine running Windows Server 2025 Datacenter Azure Edition or Windows Server 2022 Datacenter Azure Edition on Azure Local requires the virtual machine to satisfy two criteria.

    1. Product Key installation
    2. Instance Metadata Service (IMDS) attestation to verify the virtual machine is running on Azure Local

    If Automatic Virtual Machine Activation keys are accepted, this completes #1. To check #2, run this command from within the guest VM.

    Get-CimInstance -ClassName SoftwareLicensingService | Select AzureMetadataResponse
    • A successful response is 1. This confirms the VM can communicate with the host's IMDS service. If 1 is returned, this validates #2 above.
    • Any other result (e.g., 4294967295, 0 or an error) indicates a failure in the Guest Service Interface transport or the certificate validation.

    The most likely cause for a non-1 result is a lack of internet access to internet URLs from the guest VM to validate the host's IMDS attestation certificate.

    The virtual machine will need access to the internet to validate the IMDS attestation certificate. If this is not possible due to an air-gapped or highly restricted environment, it will require manually downloading and installing all required certificates and configuring a local CRL/CTL source. See Configure trusted roots and disallowed certificates in Windows | Microsoft Learn for more information on this.

    ⚠️ Important: For internet connected environments you must ensure the Azure Edition VM has outbound HTTP access to all required endpoints for certificate validation.

    1. Windows Certificate Trust Lists (CTLs)

    • The Windows OS must contact Windows Update to download the latest lists of trusted and untrusted root certificates. If this is blocked, chain validation can fail even if the intermediate CA URLs are accessible.
    • Primary Document: Certificate trust in Windows
    • Required Endpoints: 
      - `http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab`

      - `http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab`

    2. Azure PKI & CRL/AIA URLs

  2. Sina Salam 28,361 Reputation points Volunteer Moderator
    2026-03-03T15:13:11.37+00:00

    Hello Robin Lee,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you the registry key HKLM:\SOFTWARE\Microsoft\AzureStack\HciAttestation doesn't exist.

    To permanently resolve the activation failure, first confirm the cluster is properly registered and attestation is active by running Get-AzStackHCI and Get-AzureStackHCIAttestation, then verify VM attestation status using Get-AzStackHCIVMAttestation; if any state is inactive or inconsistent, resync with Sync-AzStackHCI and re-enable attestation via Enable-AzStackHCIAttestation. Inside each Azure Edition VM, validate IMDS connectivity using Invoke-RestMethod -Headers @{Metadata="true"} -Uri http://169.254.169.254/metadata/attested/document?api-version=2018-10-01, ensure the Guest Service Interface integration service is enabled, and confirm the Guest Attestation service is running. If the registry path HKLM:\SOFTWARE\Microsoft\AzureStack\HciAttestation is missing, stop HciAttestationSvc, remove stale entries, restart the service, and reinitialize attestation to regenerate the configuration. This restores the host-to-VM attestation handshake required for Automatic VM Activation of Windows Server Azure Edition on Azure Local, as documented in Microsoft’s Azure Local attestation and activation guidance - https://dotnet.territoriali.olinfo.it/azure/azure-local/manage/vm-attestation and Azure Stack HCI registration documentation - https://dotnet.territoriali.olinfo.it/azure/azure-local/manage/manage-cluster-registration.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    0 comments
  3. Himanshu Shekhar 5,240 Reputation points Microsoft External Staff Moderator
    2026-03-02T13:54:29.9466667+00:00

    @Robin Lee

    Based on current findings, this issue is not caused by customer configuration. It is related to Azure Local (Azure Stack HCI) v24H2 VM attestation, which is required for automatic Windows Server guest activation.

    Recommended actions for now:

    Validate cluster and attestation health (for confirmation only):

    On the Azure Local host, please verify:

    1. Cluster is Registered and Connected
    2. HCI Attestation status is Active
    3. These checks help confirm the environment is healthy, but they will not resolve the activation issue.

    Temporary workaround (if activation is urgently required):

    1. Activate Windows Server VMs using KMS or a valid MAK key as a short‑term workaround.
    2. Automatic activation via Azure Local will resume once the underlying attestation issue is resolved.

    Deploy a virtual Azure Local system - https://dotnet.territoriali.olinfo.it/en-us/azure/azure-local/deploy/deployment-virtual?view=azloc-2602

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.