Be prepared for a Microsoft Audit
Author: Alexandru Cojocaru

Software vendors generally tend to market the audit process as a positive experience, a helping hand. Whether they call it “License Health Check”, “License Review”, “Compliance Verification”, “SAM Engagement” or “Software License Audit”, they all mean the same. And if you have taken part in at least one audit, you know that they never mean good news.

Upload: doannhan

Post on 28-Feb-2019


Page 1: Be prepared for a Microsoft Audit - Instant …cdn.instantmagazine.com/upload/3863/be_prepared_for_a...6 BE PREPARED FOR A MICROSOFT AUDIT Audit phases A Microsoft Audit can have up


BE PREPARED FOR A MICROSOFT AUDIT

Contents

- Introduction
- Types of Microsoft Audits
- Audit phases
- Most common criteria by which Microsoft targets its audits
- Most common causes of compliance issues
- Best Practices
- Negotiating with Microsoft
- Conclusion


Introduction

IT research companies report a continued increase in the number of end-user license audits conducted by leading software vendors, up from 61% a year ago to 65% today. For your company this means that you only have a 35% chance of not being audited within the next 12 months. These statistics translate directly into a recurring financial risk for every organization. Adding to the list of caveats, some sources indicate that Microsoft leads the field in the number of license audits performed. No wonder, then, that software license management and vendor audits have become a boardroom topic.

The terminology surrounding the annual Microsoft SAM engagements may lead customers to believe they are being audited. From a legal perspective, however, a SAM engagement is a voluntary, cooperative effort.

In the following sections we run through the key points that will help you minimize this risk for your organization. We first look at the types of Microsoft audits and the audit phases, which will give you a better understanding of the problem. This is followed by the most common criteria by which Microsoft selects customers for audit, the most common causes of compliance issues, and best practices. These sections will help you address your IT strategy proactively.


Types of Microsoft Audits

Microsoft uses different audit types to verify whether its customers are licensed correctly.

Self-Audit

This is the most common and friendliest audit type organizations are subjected to. It requires the company to verify whether it is compliant with Microsoft’s licenses, which is usually done by sending Microsoft the software keys for each license or purchased product. The company then compares this against its entitlement and purchasing records and establishes its license position. The internal cost of a Self-Audit varies with the size of the organization and the amount of data that needs to be captured. Unless the organization is 100% compliant or close to it, the cost of the Self-Audit will most likely be considerably less than paying for any non-compliance uncovered during the other audit types.

Software Asset Management (SAM) Engagement

SAM Engagements are usually conducted by third-party auditors or consultants. Microsoft lets the audited company choose from a list of proposed third parties that can perform the engagement. While this helps Microsoft to position the situation in a more neutral fashion, it is not mandatory to have the engagement performed by a third party of Microsoft’s choice. Microsoft will request that the auditee allows a third party to audit its software installations and report the results directly to Microsoft. At the end of the engagement, the auditee is required to purchase the licenses covering any shortfall. Microsoft’s SAM Engagement has been used extensively instead of the traditional software audit, the Legal Contracts and Compliance (LCC) Audit.

There are some advantages to SAM Engagements:

- All costs of the audit project are borne entirely by Microsoft.
- Microsoft provides, via third parties and/or directly, technical specialists who assist the customer in running the necessary discovery scripts and/or applications to identify all installed software.
- Microsoft provides, via third parties and/or directly, licensing specialists who establish a clear licensing position for the customer.
- The auditee receives recommendations on the proper utilization of its software licenses.
- The auditee can benefit from the implementation of specific Microsoft SAM procedures and processes.


Legal Contracts and Compliance (LCC) Audit

This is the most stringent and costly type of audit. LCC Audits are mostly used when an organization ignores the request for, or declines to take part in, a Self-Audit or SAM Engagement. Essentially, the LCC Audit is a legal audit with which you must comply. Legal action can be taken if you ignore or delay your response to an audit notification, so an LCC Audit needs to be taken seriously; it is not voluntary. Microsoft will seek to build a legal case from your license position and claim financial compensation, ranging from fines and penalties to criminal prosecution in the worst case. Thousands of small and mid-sized businesses and enterprises receive these audits as part of Microsoft’s aggressive growth objectives and its attempt to grow its market share. Typically these audits result in additional license sales for Microsoft.


Audit phases

A Microsoft Audit can have up to five major phases.

Kick-off Meeting

The auditors appointed by Microsoft schedule a meeting, usually a conference call, in which the auditee is presented with the phases of the project and their timelines.

Data Collection

The auditee is requested to collect data and information about its IT infrastructure and provide it to the auditor. The deliverable has to encompass the following:

- The hardware configuration of all eligible devices.
- An overview of all Microsoft software installed on the declared devices.
- An overview of the users that access these devices and make use of Microsoft software.
- All documents and contracts that serve as license proof (Certificates of Authenticity, Manuals, Software Kits, Purchase Orders, Invoices, and Volume Licensing Contracts).

Onsite Visit

In this phase the auditors visit the company premises to validate and verify the accuracy of the information provided so far, and potentially to collect additional information and/or data. This phase is always included when Microsoft has reason to suspect that a company is significantly out of compliance and appears to be hiding something. However, an onsite visit does not by itself mean that your company is under suspicion.

Draft report

Based on the data gathered in the previous phases, the auditor prepares a preliminary report containing a breakdown of installed software in relation to the license entitlements. Its purpose is to confirm that the information and data provided so far are correct and to validate some of the findings. Any inconsistency is addressed at this point, before the final report is produced.


Three-way Exit Meeting

This is the final phase. A call is generally scheduled with all parties involved in the audit: the auditor’s representatives, the auditee’s representatives and Microsoft’s representatives. In this meeting the auditor presents the final report, which includes the customer’s final license position. This report usually comes as an Excel spreadsheet with multiple tabs containing the entitlement (licenses owned) and deployment (licenses used) overviews, ending in a reconciliation tab where the final license situation is summarized. At this point the auditor’s job is finished and the auditor steps back, leaving the customer and Microsoft to negotiate and establish the commercial terms and conditions.


Most common criteria by which Microsoft targets its audits

Changing the license metric

The exponential growth of technology pushes software vendors like Microsoft to change their license models every once in a while. A case in point is Windows Server 2016 and System Center 2016, where a license model change (the move from per-processor to per-core licensing) potentially left customers non-compliant.

Being audited by other software vendors attracts Microsoft’s attention

We often see that when a company is audited by a major software vendor, it catches the attention of other software vendors, including Microsoft.

Mergers and acquisitions

When companies merge, assimilate or acquire other companies, there is a high probability of them becoming non-compliant. Software licensing is often overlooked during M&A, which can result in insufficient licenses to cover the usage of the newly formed entity.

Growing number of employees

Companies whose headcount grows will end up on the audit list if their annual true-up declarations show no increase in the number of licenses: Microsoft will consider that the company is most likely out of compliance.

Declared financial data correlated with purchasing behavior

Organizations that experience an increase in their fiscal value will be targeted if this growth is not reflected in their licensing needs.

Dissatisfied employees or former employees with a grudge

Organizations such as the Business Software Alliance (BSA), of which Microsoft is a member, actively invite individuals to come forward and report non-compliance. It is quite common for employees or former employees who feel unappreciated (or worse) to report their employer to the BSA, which will almost certainly instigate an audit.


Most common causes of compliance issues

Understanding how licensing works is key to controlling the financial and legal risk that comes with software non-compliance. Misunderstanding Microsoft’s licensing rules, or poor internal communication between the departments responsible for purchasing and deploying software, are among the most common causes of compliance issues. The most common compliance problems relate to:

- Applying the incorrect set of Product Use Rights (PUR)
- Edition mismatch
- Version mismatch

In this section we take these three examples and elaborate on them to get a better understanding of the situation.

Applying the incorrect set of Product Use Rights

Proper administration of which PURs are in effect is essential to control an organization’s license compliance risk, as well as to get the most value from the licenses it owns. Customers who exercise downgrade rights remain subject to the PURs of the version and/or edition of the license purchased, not the PURs of the version and edition they downgrade to. A good example is virtualized environments, where the license reassignment frequency and the number of running instances allowed per license for products like Microsoft SQL Server and Microsoft Windows Server have changed substantially over time. For SQL Server Enterprise edition, the license reassignment rules were changed a couple of times over the years. Reassignment rules stipulate how frequently and under what conditions customers can move licenses between devices within their organization (for device-based license metrics) or between users (for user-based license metrics).


To illustrate this, here is how license reassignment rights have changed over time for the Enterprise edition of SQL Server 2005, SQL Server 2008, SQL Server 2008 R2 and SQL Server 2012:

- SQL Server 2005 Enterprise permits a reassignment frequency of once every 90 days;
- SQL Server 2008 Enterprise and SQL Server 2008 R2 Enterprise permit unlimited reassignment;
- SQL Server 2012 Enterprise again has a reassignment frequency of once every 90 days for customers that don’t own Software Assurance.

In the same fashion, Exchange 2007 and 2010 server licenses permit reassignment as often as necessary within a "server farm", which Microsoft defines as up to two data centers in time zones no more than four hours apart. (The four-hour rule prevents "follow-the-sun" licensing, in which licenses are transferred to follow the workday.) To have equivalent reassignment rights for Exchange 2013, however, an organization must buy the server licenses with Software Assurance (SA) and maintain coverage, which costs 25% of the underlying license price per year. (SA is an add-on to perpetual licenses that offers version-upgrade rights and other benefits.) Without SA coverage, an Exchange Server 2013 license allows reassignment between physical servers at most once every 90 days.

Another interesting scenario concerns the number of instances that can run within VMs on a device for products like Windows Server 2008 R2 Standard and Windows Server 2012 Standard:

- Windows Server 2008 R2 Standard permitted one instance per license;
- Windows Server 2012 Standard permitted two instances per license.

Once these Product Use Rights nuances are identified correctly, they can turn into a cost saving opportunity.

Edition mismatch

Deploying a different edition than the one covered by the license agreement is another common cause of non-compliance. Running a higher edition while owning a lower one (e.g. running Enterprise edition while owning Standard edition) is the most common edition mismatch. When this happens, the company is left with three options:

- Buy new licenses;
- Acquire Step-up licenses via Software Assurance;
- In rare cases, Microsoft makes an exception and allows the customer to reinstall the product as the licensed edition.


The second case of edition mismatch is the opposite: running a lower edition while owning a higher one (e.g. running Standard edition while owning Enterprise edition). This is permitted only under edition downgrade rights. According to the PUR, the following examples illustrate lower edition, or as Microsoft calls it ‘Down Edition’, use rights:

- SQL Server 2008 R2 Enterprise (Server/CAL, Processor License) and Windows Server 2008 R2 Enterprise: “You may run on the licensed server an instance of Standard in place of Enterprise in any of these operating system environments.”
- SQL Server 2008 R2 Datacenter and Windows Server 2008 R2 Datacenter: “You may run on the licensed server instances of Enterprise or Standard in place of Datacenter in any of the operating system environments.”

Version mismatch

Although version mismatches occur less often than edition mismatches, they still rank among the most common mistakes leading to compliance issues. Most licenses purchased through Volume Licensing programs include version downgrade rights, so using a version older than the licensed one is generally not an issue. However, some products do not include this benefit, and these tend to get overlooked by end users. Most end users also understand that they are non-compliant if they run, in production, a version more recent than the one licensed or the one they are allowed to use under Software Assurance. Version mismatches related to Client Access Licenses (CALs), however, occasionally catch customers off guard. A CAL allows a client to access all instances of the server product running within the organization, and the version of the CAL must be the same as or higher than the version of the server software the client accesses. Most server products require either a User CAL or a Device CAL for each user or device that accesses the server product. For example, an organization with Windows Server 2012 CALs is covered if its server infrastructure consists of Windows Server 2012 and Windows Server 2008 servers, whereas Windows Server 2008 CALs do not cover the use of Windows Server 2012. It is a very common mistake for organizations to try out new server versions without realizing that this requires new CALs.
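The edition, version and CAL rules above, together with the 90-day reassignment rule from the Product Use Rights discussion, can be turned into a first-pass reconciliation of the kind the auditor’s ELP spreadsheet performs. The PowerShell below is an added example written for this page, not B-lay’s or Microsoft’s tooling. The product names, the edition and version rankings, the assumption that Down Edition rights exist across Standard/Enterprise/Datacenter, the User CAL model and the sample entitlement and deployment records are all constructed for the illustration; the actual Product Terms or PUR for each product must be consulted before relying on any result.

```powershell
# Added example, not B-lay's or Microsoft's code: reconcile deployments against
# entitlements using the edition, version (with/without SA) and CAL version rules,
# plus the 90-day reassignment rule for licenses without SA. Rankings, product
# names and sample records are constructed for the example.

# Assumed orderings used to decide "higher" vs "lower" edition and version.
$EditionRank = @{ Standard = 1; Enterprise = 2; Datacenter = 3 }
$VersionRank = @{ '2008' = 1; '2008 R2' = 2; '2012' = 3; '2012 R2' = 4; '2016' = 5 }

function Test-Covered {
    # Can one unit of $Entitlement cover $Deployment under downgrade rules?
    param($Deployment, $Entitlement)
    if ($Deployment.Product -ne $Entitlement.Product) { return $false }
    # A higher edition than owned is never covered; a lower one is 'Down Edition' use.
    if ($EditionRank[$Deployment.Edition] -gt $EditionRank[$Entitlement.Edition]) { return $false }
    # A newer version than owned needs active SA; an older one is version downgrade.
    if ($VersionRank[$Deployment.Version] -gt $VersionRank[$Entitlement.Version] -and -not $Entitlement.HasSA) { return $false }
    return $true
}

function Get-ServerLicensePosition {
    param([object[]]$Deployments, [object[]]$Entitlements)
    # Copy the quantities so that each license unit is consumed at most once.
    $pool = @(foreach ($e in $Entitlements) {
        [pscustomobject]@{ Product = $e.Product; Edition = $e.Edition; Version = $e.Version; HasSA = $e.HasSA; Remaining = $e.Qty }
    })
    $shortfall = @()
    foreach ($d in $Deployments) {
        # Take the "smallest" license that still covers, so a Datacenter license is not
        # burned on a Standard instance that a Standard license could cover.
        $match = $pool | Where-Object { $_.Remaining -gt 0 -and (Test-Covered $d $_) } |
                 Sort-Object { $EditionRank[$_.Edition] }, { $VersionRank[$_.Version] } |
                 Select-Object -First 1
        if ($match) { $match.Remaining-- } else { $shortfall += $d }
    }
    [pscustomobject]@{ Shortfall = $shortfall; Unused = @($pool | Where-Object { $_.Remaining -gt 0 }) }
}

function Test-CalCoverage {
    # CAL version must be equal to or higher than the newest server version accessed,
    # and there must be one CAL per accessing user (User CAL model assumed here).
    param([string]$CalVersion, [int]$CalQty, [string[]]$ServerVersions, [int]$UserCount)
    $newest = $ServerVersions | Sort-Object { $VersionRank[$_] } -Descending | Select-Object -First 1
    [pscustomobject]@{
        NewestServer = $newest
        VersionOk    = $VersionRank[$CalVersion] -ge $VersionRank[$newest]
        QuantityOk   = $CalQty -ge $UserCount
    }
}

function Test-ReassignmentAllowed {
    # Without SA the example assumes a license may move between servers once every 90 days.
    param([datetime]$LastAssigned, [datetime]$Now, [bool]$HasSA, [int]$MinDays = 90)
    $HasSA -or (($Now - $LastAssigned).Days -ge $MinDays)
}

# Constructed sample data: two entitlements, four deployments.
$entitlements = @(
    [pscustomobject]@{ Product = 'Windows Server'; Edition = 'Standard';   Version = '2012';    HasSA = $false; Qty = 2 }
    [pscustomobject]@{ Product = 'SQL Server';     Edition = 'Enterprise'; Version = '2008 R2'; HasSA = $false; Qty = 2 }
)
$deployments = @(
    [pscustomobject]@{ Host = 'SRV01'; Product = 'Windows Server'; Edition = 'Standard';   Version = '2008 R2' }  # older version: covered
    [pscustomobject]@{ Host = 'SRV02'; Product = 'Windows Server'; Edition = 'Datacenter'; Version = '2012' }     # higher edition: shortfall
    [pscustomobject]@{ Host = 'SRV03'; Product = 'SQL Server';     Edition = 'Standard';   Version = '2008 R2' }  # Down Edition: covered
    [pscustomobject]@{ Host = 'SRV04'; Product = 'SQL Server';     Edition = 'Enterprise'; Version = '2012' }     # newer version, no SA: shortfall
)

$elp = Get-ServerLicensePosition -Deployments $deployments -Entitlements $entitlements
$elp.Shortfall | Format-Table Host, Product, Edition, Version
$elp.Unused    | Format-Table Product, Edition, Version, Remaining
Test-CalCoverage -CalVersion '2008' -CalQty 150 -ServerVersions '2008 R2', '2012' -UserCount 120
Test-ReassignmentAllowed -LastAssigned '2017-01-01' -Now '2017-03-01' -HasSA $false
```

Run from a PowerShell prompt, the Shortfall table lists SRV02 (Datacenter running on a Standard license) and SRV04 (SQL Server 2012 on a 2008 R2 license without SA), while SRV01 and SRV03 are absorbed by version and edition downgrade rights and one unit of each entitlement remains unused. The CAL check reports VersionOk = False because 2008 CALs do not cover the 2012 server, and the reassignment check returns False because only 59 days have passed. Per-license instance counting (the one-versus-two-instances nuance for Windows Server Standard) is deliberately left out; it needs the VM-to-host mapping gathered in the Data Collection phase.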


Best Practices

Don’t be overly afraid

It is sometimes useful to consider the worst case. In the case of a Microsoft Audit, however, it is important to know that legal prosecution occurs only in the most severe cases. When Microsoft has reason to suspect that a customer is significantly out of compliance, the company is asked to perform either a Self-Audit or a SAM Engagement and report the results. If you cooperate and agree to pay for the additional licenses needed to become compliant, there are no further consequences. If your company ignores the friendlier audit types mentioned earlier, or refuses to comply, the case may be turned over to the Business Software Alliance (BSA). If the BSA takes action and a company is found to be non-compliant, the fine is often two to four times the license cost for each instance. In addition, the offender is required to purchase valid licenses or remove the software from its systems.

Don’t Procrastinate

Don’t postpone until it is too late. Understanding the importance of SAM is key to minimizing the financial risk associated with non-compliance. If you have reason to believe that your company may be out of compliance, it is best to take remediation actions as soon as possible. Microsoft is more understanding when it sees indications that you are taking SAM seriously and are determined to become compliant.

Don’t Assume Legitimacy

Always work with a trusted and certified reseller. There are quite a lot of resellers out there taking advantage of companies by selling them pirated software, and many companies don’t realize they are using pirated software until an audit uncovers the truth.

Implement a SAM tool

A Software Asset Management tool provides a good starting point. Being able to discover all the software installed on your IT estate gives you a first estimate of your current license position in relation to your license entitlements. There are a number of good SAM tools, both free and paid, that can be implemented.

Free SAM tools:

- Microsoft Assessment and Planning Toolkit is a free tool developed by Microsoft that is designed to scan your Microsoft infrastructure. It provides inventory, assessment and reporting functionality to simplify migration planning, but also discovers installed software. You can download it directly from Microsoft’s website.
- Spiceworks allows you to easily search all the software installed in your environment and to track license keys for any piece of software, automatically or manually. Additionally, you can tell which software versions are installed on each individual device. You can download it from the official Spiceworks website.


Paid tools:

- System Center Configuration Manager (SCCM) is another tool developed by Microsoft, and one of the best tools for SAM-related discovery.
- The non-Microsoft alternatives are, for example, a tool from Flexera Software or a tool from Snow Software.

Although costly at first, these tools can save cost in the long run. Whichever option you choose, the tool should at least be able to:

- Scan each of the computers on your network and tell you what software is installed;
- Track Microsoft Office and operating system licenses (server and client) across all of your devices;
- Discover unlicensed software running on the network;
- Automatically gather license information;
- Keep tabs on how often each volume license has been utilized;
- Generate detailed reports that eliminate the need for manual guesswork.

Be organized

Organize and centralize all physical proof-of-purchase documents. In the case of an onsite visit, Microsoft will look at the physical proof of purchase: Certificates of Authenticity, installation CDs, Manuals, Software Kits, Purchase Orders, Invoices and Volume Licensing Contracts. Consider keeping physical folders that hold all software CDs and keys relating to each new PC and server you deploy.

Work with Your Vendor

Most likely you won’t be fully compliant for every piece of software in your company. That is normal, and Microsoft knows and expects this. Microsoft also expects you to work quickly to become compliant, which involves working with them to determine what it takes. Management will be interested in the financial impact, so it is best to understand the cost implications as soon as possible. Also keep in mind that Microsoft does not want to shut you down; it is in their best interest to work with you and mediate the situation so that it is beneficial for both parties.
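Both the Data Collection deliverable in the Audit phases section (hardware configuration, installed Microsoft software, users of each device) and the first items of the tool checklist above come down to the same inventory job. The following PowerShell script is an added example for this page, not code from B-lay, Microsoft or any of the tools named above; it collects those three data sets from a list of Windows hosts using only built-in CIM, registry and WinRM interfaces. The host list, the output directory, the script name (Get-SamInventory.ps1), the virtual-machine heuristic based on the model string and the use of Win32_UserProfile as the record of which users have used a device are assumptions; remote hosts need WinRM enabled and an account with local administrator rights.

```powershell
# Added example, not B-lay's, Microsoft's or a SAM vendor's code: collect the three data
# sets of the Data Collection phase (hardware configuration, installed Microsoft software,
# users of the device) from a list of Windows hosts with built-in CIM/registry/WinRM only.
# Host list, output directory and the heuristics marked below are assumptions.
param(
    [string[]]$ComputerName    = @('localhost'),
    [string]  $OutputDirectory = (Join-Path $env:TEMP 'sam-inventory')
)
New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null

function Test-LocalHost { param([string]$Computer) $Computer -in @('localhost', '.', $env:COMPUTERNAME) }

function Get-CimTarget {
    # Splat an empty table for the local machine so no WinRM session is needed there.
    param([string]$Computer)
    if (Test-LocalHost $Computer) { @{} } else { @{ ComputerName = $Computer } }
}

function Get-HardwareRecord {
    # Hardware and OS facts the auditor needs for per-processor/per-core and edition checks.
    param([string]$Computer)
    $cim = Get-CimTarget $Computer
    $cs  = Get-CimInstance Win32_ComputerSystem  @cim
    $os  = Get-CimInstance Win32_OperatingSystem @cim
    $cpu = @(Get-CimInstance Win32_Processor    @cim)
    [pscustomobject]@{
        Host           = $Computer
        Manufacturer   = $cs.Manufacturer
        Model          = $cs.Model
        IsVirtual      = [bool]($cs.Model -match 'Virtual|VMware')   # heuristic (assumption)
        Sockets        = $cpu.Count
        Cores          = ($cpu | Measure-Object NumberOfCores -Sum).Sum
        OSCaption      = $os.Caption          # carries the edition, e.g. "... Server 2012 R2 Standard"
        OSVersion      = $os.Version
        OSArchitecture = $os.OSArchitecture
    }
}

# Runs on the target: Microsoft-published entries from both Uninstall registry views, plus
# the edition and version of every SQL Server instance registered under Instance Names\SQL.
$softwareScript = {
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in $uninstallKeys) {
        foreach ($entry in Get-ChildItem $key -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $entry.PSPath
            if ($p.DisplayName -and $p.Publisher -like 'Microsoft*') {
                [pscustomobject]@{ Name = $p.DisplayName; Edition = ''; Version = $p.DisplayVersion }
            }
        }
    }
    $instances = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction SilentlyContinue
    if ($instances) {
        foreach ($prop in ($instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($prop.Value)\Setup"
            [pscustomobject]@{ Name = "SQL Server ($($prop.Name))"; Edition = $setup.Edition; Version = $setup.Version }
        }
    }
}

function Get-MicrosoftSoftware {
    param([string]$Computer)
    $rows = if (Test-LocalHost $Computer) { & $softwareScript }
            else { Invoke-Command -ComputerName $Computer -ScriptBlock $softwareScript }
    $rows | Select-Object @{ n = 'Host'; e = { $Computer } }, Name, Edition, Version
}

function Get-UserAccessRecord {
    # Accounts with a profile on the device, i.e. users who have logged on (User CAL input).
    param([string]$Computer)
    $cim = Get-CimTarget $Computer
    foreach ($profile in (Get-CimInstance Win32_UserProfile @cim | Where-Object { -not $_.Special })) {
        $sid = $profile.SID
        try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # orphaned SID of a deleted account: keep the raw SID
        [pscustomobject]@{ Host = $Computer; User = $name; LastUse = $profile.LastUseTime }
    }
}

foreach ($c in $ComputerName) {
    Get-HardwareRecord    $c | Export-Csv (Join-Path $OutputDirectory 'hardware.csv') -Append -NoTypeInformation
    Get-MicrosoftSoftware $c | Export-Csv (Join-Path $OutputDirectory 'software.csv') -Append -NoTypeInformation
    Get-UserAccessRecord  $c | Export-Csv (Join-Path $OutputDirectory 'users.csv')    -Append -NoTypeInformation
}
```

Invoked as .\Get-SamInventory.ps1 -ComputerName SRV01,SRV02 it writes hardware.csv, software.csv and users.csv into the output directory. The OS caption carries the Windows edition and the SQL Server Setup key carries the SQL edition, which is exactly the input the edition and version mismatch checks need; keep the CSVs with the proof-of-purchase folder so the Self-Audit can be repeated. A proper SAM tool adds what this does not: license key tracking, entitlement import and reconciliation.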


Negotiating with Microsoft

This is a vast subject in its own right, so for the purpose of this white paper we only touch on some of the key areas. The licensee should be aware that it is under no obligation to accept the auditor’s Effective License Position (ELP) report if it believes the report is not accurate. Finalizing the report is an iterative process, and the details are adjusted until they reflect actual usage as closely as possible. A second round of negotiation with Microsoft follows once the ELP findings have been accepted: after Microsoft puts a value on the ELP report, the parties try to negotiate a favorable settlement. The licensee should further be aware that any and all agreements and conclusions reached with Microsoft should be in writing; a verbal agreement or promise has no legal value.

Understanding Microsoft is also key to negotiation. Getting a general idea of Microsoft’s goals gives you a better understanding of the obstacles you will face at the negotiating table. You can draw certain conclusions from unofficial discussions with your Microsoft account manager. Knowing who the decision makers are on Microsoft’s side, and who has decision power, helps you “sell” your story to the right person.


Conclusion

Audits usually come with only 30 days’ notice, giving you relatively little time to prepare for what is ahead. It is good practice to hold a “lessons learned” session after each audit and record the information in your knowledge base. It is recommended to set up a recurring SAM process with designated roles and responsibilities that keeps everything in check for you. Experts, either in-house or third-party consultants with license-specific knowledge, are invaluable to most organizations. They can play a decisive role in determining your licensing requirements and negotiating the best terms and conditions before non-compliance situations actually occur. They can also help enterprises get Software Asset Management on the right track, automate the process as much as possible, and monitor it with Self-Audits to ensure a comfortable position is maintained.

Make sure you have the right expertise

You can of course invest in staff and build the knowledge completely on your own. But you might also want to consider enrolling in a fully operational license management program. This can be done in less than three months and will be tailored to the specific demands of your company.


©2017 B-lay BV. All rights reserved.


About the author

Alexandru Cojocaru, Technical Analyst. “We never lose … either we win or we learn.”

Alexandru is a software licensing expert focused on the technical analysis of software deployment and usage data. He specializes in Redhat, Progress and Microsoft enterprise software programs. Alexandru uses the knowledge and experience gathered over recent years to provide transparency around IT infrastructures and their licensing implications, turning gathered software data into clear and transparent software usage reports and the related software licensing needs. Alexandru holds a degree in Computer Science. Contact Alexandru: [email protected]

We share our knowledge, so you can focus on the facts! If you want to know more about related license management topics, we have a selection of white papers available through www.b-lay.com. If you need extra expertise and a structured approach, feel free to contact B-lay. We will help you make software compliance an exciting opportunity to improve your business!

About B-lay

B-lay is a specialist in software license management and provides services around software compliance, software audits, software asset management tools and insight into software spend. Our services offer organizations worldwide insight into the risks associated with software licenses, help prevent license compliance issues and help create considerable cost savings by optimizing their licensing position. B-lay was founded in 2008 and has offices in the Netherlands, Romania and the US.

B-lay BV | Maliebaan 79 | 3581 CG Utrecht | The Netherlands | [email protected] | www.b-lay.com | +31 88 0233 700