Tuesday, September 4, 2018

Eliminate rogue KMS with ConfigMgr


A friend of mine came to me after noticing several KMS servers in his environment, when there should only be one, since he also has ADBA set up for the newer operating systems. On digging in, it turned out the others were Windows 7 laptops. We are guessing the users did something to try and change editions, perhaps, but it was definitely intentional. Instead of putting in tickets with his support team we chose to fix it via ConfigMgr ourselves. Note this was a focused case, so I did not spend much time making it more automatic and some assumptions were made. If this issue resurfaces I'll do something with compliance settings to handle it truly automatically.

First off, you can find out who is advertising as a KMS host by doing a SRV record lookup in DNS for _vlmcs._tcp.mydomain.com. nslookup is easiest, though you can also use the DNS tool in RSAT and dig down via Forward Lookup Zones | mydomain.com | _tcp, where you'll see all the _vlmcs.* records.

 C:\Users\kevinfason>nslookup  
 Default Server: UnKnown  
 Address: 10.1.1.10  
 > set type=srv  
 > _vlmcs._tcp.mydomain.com  
 Server: MYDNSSERVER  
 Address: 10.1.1.10  
 _vlmcs._tcp.mydomain.com    SRV service location:  
      priority    = 0  
      weight     = 0  
      port      = 1688  
      svr hostname  = realkmsserver.mydomain.com  
 _vlmcs._tcp.mydomain.com    SRV service location:  
      priority    = 0  
      weight     = 0  
      port      = 1688  
      svr hostname  = badkmsserver.mydomain.com  


The first thing we did was remove the bad records from DNS, leaving only the one good one. Since it was only a few systems acting up, we created a collection and added these hosts as direct members, then created a package with the following script to run on them and rerun weekly. Eventually they went away. We kept an eye on the DNS records and removed bad ones as needed, which happened once.

The script consists of several steps, all run via slmgr.vbs. The first step uninstalls whatever product key the system has present:

 ECHO Uninstalling KMS Key  
 cscript %windir%\system32\slmgr.vbs /upk  
 ECHO.  

Next it installs the Windows 7 Pro KMS setup key that Microsoft provides:

 ECHO Installing KMS Setup Key for Windows 7 Pro  
 cscript %windir%\system32\slmgr.vbs /IPK FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4  
 ECHO.  

We were lucky in that it was only some Windows 7 systems doing this; if other versions had been involved we would have to detect the OS so the correct KMS key is used. Since we were just using a batch script, I was originally thinking of using ver to pull the version and then an if statement around the /IPK step, something similar to this:

 REM ver prints e.g. "Microsoft Windows [Version 6.1.7601]"; tokens 4-5 give 6.1  
 for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j  

Since the system is now unlicensed, we have it activate against the valid KMS host.

 ECHO Activating the computer to KMS Server  
 cscript %windir%\system32\slmgr.vbs /ato  
 ECHO.  

Finally, we set the system not to publish itself to DNS, in case the user decides to do something like this again.

 ECHO Disable this machine from publishing itself as a KMS server in DNS  
 cscript %windir%\system32\slmgr.vbs /cdns  
 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v DisableDnsPublishing /t REG_DWORD /d 1 /f  
 ECHO.  
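As an added example (not from the post), here is a PowerShell script for the checks described above: it pulls the same _vlmcs._tcp SRV records as the nslookup session and flags any host not on an allow-list, then checks the local machine's own KMS state the way a ConfigMgr compliance discovery script would. The domain, the allow-list and the SoftwareLicensingService property name IsKeyManagementServiceMachine are assumptions.

```powershell
# Added example, not from the original post. Assumed values: $Domain, $AllowedKms,
# and the property IsKeyManagementServiceMachine on SoftwareLicensingService
# (the CIM class slmgr.vbs drives; confirm the name on a test box first).
param(
    [string]   $Domain     = 'mydomain.com',
    [string[]] $AllowedKms = @('realkmsserver.mydomain.com')
)

function Get-RogueKmsHosts {
    param([string]$Domain, [string[]]$AllowedKms)
    # Same query as "set type=srv" / "_vlmcs._tcp.mydomain.com" in nslookup, as objects.
    # Caveat: only hosts that still publish to DNS show up here, so a rogue KMS host
    # with DNS publishing disabled is invisible to this check; see the local check below.
    Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' -and $AllowedKms -notcontains $_.NameTarget } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Test-LocalKmsState {
    # The registry value the batch script sets with "reg add" above.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $value   = Get-ItemProperty -Path $regPath -Name DisableDnsPublishing -ErrorAction SilentlyContinue
    $sls     = Get-CimInstance -ClassName SoftwareLicensingService
    [pscustomobject]@{
        IsKmsHost             = [bool]$sls.IsKeyManagementServiceMachine   # assumed property name
        DnsPublishingDisabled = ($value.DisableDnsPublishing -eq 1)
    }
}

# Report every rogue SRV record as a warning so it lands in the script output/log.
Get-RogueKmsHosts -Domain $Domain -AllowedKms $AllowedKms | ForEach-Object {
    Write-Warning "Rogue KMS SRV record: $($_.NameTarget):$($_.Port)"
}

# ConfigMgr compliance-settings convention: the discovery script's last output is the
# value the rule compares against; a remediation script could then run the slmgr steps.
$state = Test-LocalKmsState
if (-not $state.IsKmsHost -and $state.DnsPublishingDisabled) { 'Compliant' } else { 'NonCompliant' }
```

Run it from an admin PowerShell on a domain-joined machine; the DNS part needs only the RSAT-era DnsClient module (Windows 8/2012 or later), while the local part needs to run on the client being checked.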

Should this happen again, I'll do something more intelligent to handle it. He also had a policy drawn up to invoke on the users via HR.

-Kevin