18.10.63.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'

Information

The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate their Microsoft Windows OS and/or Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt out of sending KMS client activation data to Microsoft automatically.

The recommended state for this setting is: Enabled.

Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. In high-security environments, data must never be shared with third parties without explicit consent, as it may contain sensitive information.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Software Protection Platform\Turn off KMS Client Online AVS Validation

Note: This Group Policy path is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Impact:

The computer is prevented from sending data to Microsoft regarding its KMS client activation state.
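To confirm that a GPO actually carries this setting, the following added example (not part of the benchmark or of any Microsoft tooling) parses a GPO XML report, as produced by `Get-GPOReport -ReportType Xml`, and reports the state of the policy named above. The function name and the embedded sample report are constructed for illustration. It inspects the GPO definition only, not the effective state on a client.

```powershell
# Added example. The policy name comes from this page; everything else is illustrative.
$PolicyName = 'Turn off KMS Client Online AVS Validation'

function Get-PolicyStateFromGpoReport {
    # Hypothetical helper: returns the state of one Administrative Template
    # policy in the Computer half of a single-GPO XML report.
    param(
        [Parameter(Mandatory)][string]$ReportXml,
        [Parameter(Mandatory)][string]$PolicyName
    )
    $doc = [xml]$ReportXml
    # local-name() avoids depending on the namespace prefixes (q1, q2, ...) in the report.
    $gpoName = $doc.SelectSingleNode('/*[local-name()="GPO"]/*[local-name()="Name"]').InnerText
    $xpath = '/*[local-name()="GPO"]/*[local-name()="Computer"]//*[local-name()="Policy"][*[local-name()="Name"]="{0}"]' -f $PolicyName
    $node = $doc.SelectSingleNode($xpath)
    # A policy absent from the report is not configured in that GPO.
    $state = if ($node) { $node.SelectSingleNode('*[local-name()="State"]').InnerText } else { 'Not Configured' }
    [pscustomobject]@{
        Gpo       = $gpoName
        Policy    = $PolicyName
        State     = $state
        Compliant = ($state -eq 'Enabled')   # recommended state per this item
    }
}

# Constructed sample report (trimmed to the elements the function reads).
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Example Workstation Baseline</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
        <q1:Policy>
          <q1:Name>Turn off KMS Client Online AVS Validation</q1:Name>
          <q1:State>Enabled</q1:State>
          <q1:Category>Windows Components/Software Protection Platform</q1:Category>
        </q1:Policy>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
'@

Get-PolicyStateFromGpoReport -ReportXml $sample -PolicyName $PolicyName

# Against a live domain (requires the GroupPolicy module):
# Get-GPO -All | ForEach-Object {
#     Get-PolicyStateFromGpoReport -ReportXml (Get-GPOReport -Guid $_.Id -ReportType Xml) -PolicyName $PolicyName
# }
```

A GPO that reports `Not Configured` or `Disabled` leaves clients sending activation state data unless another linked GPO with higher precedence sets the policy to Enabled.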

See Also

https://workbench.cisecurity.org/benchmarks/26061

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv7|9.2

Plugin: Windows

Control ID: cb7449cbffcfd069904f2e67d9dc642dcde3d2f22ea942d467b750ed0c7a1729