18.9.65.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'

Information

The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically.

The recommended state for this setting is: 'Enabled'.

Rationale:
Even though the KMS licensing method does not _require_ KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':


Computer Configuration\Policies\Administrative Templates\Windows Components\Software Protection Platform\Turn off KMS Client Online AVS Validation


Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'AVSValidationGP.admx/adml' that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Impact:
The computer is prevented from sending data to Microsoft regarding its KMS client activation state.

See Also

https://workbench.cisecurity.org/files/1949

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10)

Plugin: Windows

Control ID: f28bfda765bf98b087a8ff87c7e55a84b9ea3714eac0383bc937ff9bb02a3e75