Announcement

Collapse
No announcement yet.

KMS server question, "rogue" installs

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • KMS server question, "rogue" installs

    I'll be deploying Windows 7 and Office 2010 to our users in the next few months. I've never dealt with KMS, but will need to this time around.

    If I understand correctly I deploy a KMS server, install 7 Enterprise on the client, without a key and Office 2010 also without a key (they have them built in). Based on DNS they'll find their way to a KMS and when an adequate number of machines is on the LAN they'll register.

    My question is how do I stop a techically savy user (we have a lot of IT presence) from downloading (basically getting it from someone else but me) Win 7 Professional, Enterprise or Office 2010, they install the software and put it in a VM (anywhere on the LAN) and as I understand it they'll use a licence, without my intervention. Eventually they could burn all my valid licenses before all the users get the new OS, Office.

    Please advise on how to prevent this or correct me if I'm imagining this wrong.

  • #2
    Re: KMS server question, "rogue" installs

    Can they join computers to the domain?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: KMS server question, "rogue" installs

      Yes, they currently can. I could probably restrict that, but still there's Office or does the machine need to be in a domain for that as well?

      How are you guys handling this?

      Comment


      • #4
        Re: KMS server question, "rogue" installs

        KMS doesn't chew up licenses, it's just an activation mechanism designed to make it harder for pirates to steal your software booty.

        The KMS service does not keep a static list of all the workstations and servers that have activated and then cut you off when you reach a threshold, nor is KMS data used by Microsoft to make sure you're within licensing compliance.

        As far as what KMS keeps track of: each client that activates is given a unique CMID number that is saved to a table on the KMS host. The KMS host keeps track of each CMID for 30 days. If a client attempts to renew its activation within the 30 days the CMID entry is updated, if the client doesn't attempt to renew its activation the CMID entry is removed. Clients attempt to renew every 7 days. This is the mechanism that's used to maintain the threshold, and is the only data maintained by KMS.

        On the flip side... protect your KMS host keys like they are gold. These are activated with the MS clearinghouse and can only be activated, if I remember correctly, up to 7 times.

        Comment


        • #5
          Re: KMS server question, "rogue" installs

          Thank you ScottMcD, so basically they can't eat up my licenses.
          I have as many as we paid for and those will always be able to be activated, as for the rest, apart from providing a policy and warn them it's not really a problem (as far as KMS) on how many additional machines/installs get on the LAN.

          Thank you for the KMS host key tip, no one gets them but me.

          I should still probably make it so only Domain Admins are able to join to the domain, but I at times feel it's better that they join them, at least the GPOs, WSUS get applied.

          Comment


          • #6
            Re: KMS server question, "rogue" installs

            Originally posted by CypherBit View Post
            I have as many as we paid for and those will always be able to be activated, as for the rest, apart from providing a policy and warn them it's not really a problem (as far as KMS) on how many additional machines/installs get on the LAN.
            That's correct.

            Comment


            • #7
              Re: KMS server question, "rogue" installs

              Thank you for the reassurance. Another question. I'll probably get the hardware, software in the next two months (I want to wait for win2k8 R2 to install KMS there).

              I already installed one 7 Enterprise and one Office 2010 Pro Plus. How long will they work unactivated? I'm aware of the slmgr /rearm switch for Windows, so I should get 120 days there (I hope?). What about Office? How does that work and is there a way to suppress the activation window that is opened every time Office is run.

              Comment


              • #8
                Re: KMS server question, "rogue" installs

                The Office trial was 60 days from memory. Full version may only be 30 days. Someone may be able to confirm or debunk that.
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2

                Comment

                Working...
                X