18.9.66.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'

Information

The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically.

The recommended state for this setting is: Enabled.

Rationale:

Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Software Protection Platform\Turn off KMS Client Online AVS Validation

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Impact:

The computer is prevented from sending data to Microsoft regarding its KMS client activation state.

Default Value:

Disabled. (KMS client activation data will automatically be sent to Microsoft when the device activates.)

See Also

https://workbench.cisecurity.org/files/2742

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION

References: 800-53|CA-7, CSCv7|13.3

Plugin: Windows

Control ID: bda50949da70075afb0db44cd352b55887cd003e40e105249a3442423277fcf8