A friend of mine came to me as he noticed he had several KMS servers in his environment, yet should only have the one as he also has ADBA setup for the newer Operating Systems. In digging it turns out these others were Windows 7 laptops. We are guessing the users did something to try and change Editions perhaps but definitely intentional. Instead of putting in tickets with his support team we chose to fix it via ConfigMgr ourself. Note this was a focused case so did not spend much time at all to make it more automatic so some expectations were made. If this issue resurfaces I'll do something with compliance settings to really automatically handle.
First off you can find out who is advertising as KMS by doing a SRV record lookup in DNS for _vlmcs._tcp.mydomain.com. nslookup is easiest, though you can use the DNS tool in RSAT and dig down via Forward Lookup Zones | mydomain.com | _tcp | and you'll see all _vlmcs.* records.
C:\Users\kevinfason>nslookup Default Server: UnKnown Address: 10.1.1.10 > set type=srv > _vlmcs._tcp.mydomain.com Server: MYDNSSERVER Address: 10.1.1.10 _vlmcs._tcp.tuffshed.com SRV service location: priority = 0 weight = 0 port = 1688 svr hostname = realkmsserver.mydomain.com _vlmcs._tcp.tuffshed.com SRV service location: priority = 0 weight = 0 port = 1688 svr hostname = badkmsserver.mydomain.com
First thing we did was remove the bad records from DNS leaving only the one good one. Since it was only a few systems acting up we created a collection and added these hosts as direct members. Then created a package with the following script to run on them and rerun weekly. Eventually, they went away. We kept an eye on the DNS records and removed as needed which was one time.
The script consists of several steps and its all ran via slmgr.vbs. The first step uninstalls whatever key the system has present:
ECHO Uninstalling KMS Key cscript %windir%\system32\slmgr.vbs /upk ECHO.
Next it installs the Windows 7 Pro KMS key that Microsoft provided:
ECHO Installing KMS Setup Key for Windows 7 Pro cscript %windir%\system32\slmgr.vbs /IPK FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 ECHO.
We were lucky in that it was only some Windows 7 systems doing it however if it was other versions we would have to detect the right OS so we use the correct KMS key. Since we were just using a shell script I was originally thinking of just using ver to pull it then an if-then statement for the /IPK step. Something similar to this.
for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j
Since the system is now unlicensed we have it activate against the valid KMS.
ECHO Activating the computer to KMS Server cscript %windir%\system32\slmgr.vbs /ato ECHO.
Finally, we set the system to not report itself to DNS in case the user decides to do something like this again.
ECHO Disable this machine from publishing itself as a KMS server in DNS cscript %windir%\system32\slmgr.vbs /cdns reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v DisableDnsPublishing /t REG_DWORD /d 1 /f ECHO.
Should this happen again I'll do something more intelligent to handle it. He also had some policy drawn up to invoke on the users via HR.