Redmond Negotiator

Is Microsoft's SAM Just a Shakedown in Disguise?

While Software Asset Management once showed promise for customers, Braden warns that the way Microsoft appears to be implementing the program should raise red flags.

• By Scott Braden
• 07/24/2006

Based on what we were told about SAM, it seemed like a great idea. Basically, Microsoft certified a select group of partners who understand the ins and outs of Microsoft licensing, along with the best practices involved in good software asset management. Microsoft even added several new tests in the MCP program, and let me tell you, they are rigorous tests (I took and passed three of them).

But in recent weeks, there have been a steady stream of complaints about the implementation of the program from Microsoft users. The typical scenario goes like this: CIO or IT admin gets repeated contacts from a person who describes themselves as a Microsoft partner, acting on behalf of Microsoft, asking for a meeting to review some apparent problems with the customer's license compliance.

If ignored, these requests become more urgent and explicit. Eventually the Microsoft rep gets cc'd and may get involved as well.

As it turns out, here's what's going on: Microsoft is data mining its purchase history databases, looking for customers whose purchase history doesn't match up with their size, or their number of PCs or servers. For example, one of my clients has been purchasing Dell PCs and buying the OEM version of Office for years. And as far as I can tell without doing an audit, the company is legally licensed.

But according to the Microsoft SAM Partner who contacted my client, this company is probably out of compliance, since Microsoft has no record of selling Office licenses to that company. See, the critical gap is this: Microsoft's purchase history records are very incomplete. Retail shrinkwrap sales, many OEM licenses, even Select or Open volume licenses can easily be missed in the data mining. So even if you are completely legal and in compliance, you may still turn up on the target list as a likely candidate.

Now, Microsoft and its partners are very careful not to use the word "audit."   Instead, they generally propose some sort of "SAM engagement" where the SAM partner comes in to help you get your house in order, as a true consulting partner. And in many cases, Microsoft will cover some or all of the cost of the engagement, and if any "true-up" is needed, will not charge penalties -- so you need only buy the licenses necessary to get compliant.

And let's be honest with each other here: Given the complexity of Microsoft licensing and the realities of managing even a medium-sized IT shop, everybody knows that you're likely to have at least a little bit of non-compliance. And besides, the SAM best practices that the partners will recommend really are solid, well-proven and will likely have a great ROI for you.

So why the reluctance to let these partners come in and sniff around? Well, the most obvious factor is this: The Microsoft SAM partner is working under a contract with Microsoft. This strikes me as a serious conflict of interest – who is there to protect your interest? Where is the non-disclosure and confidentiality clause in this engagement?

And another factor that you probably won't hear from the SAM partners: What happens if you just say no? Will an involuntary audit be the next step? If so, isn't it more accurate to describe these initial conversations as "settlement negotiations?"  

In my view, every time Microsoft or a partner talks with you about compliance issues, you are involved in a conversation that has legal implications, and your corporate attorney should be involved.

So what should you do when you get those contacts? Here's what I recommend – and please note that I'm not an attorney, so don't take this as legal advice:

First: Contact an attorney. At the very least, your internal corporate legal staff, but for reasons of confidentiality, external counsel may be better. Treat these contacts as a prelude to a formal (hostile) audit.

Second: Keep the lines of communications open – ignoring or stonewalling will not help your position. But do manage the communications: Try to get specific claims that you can verify. For example, find out exactly why Microsoft thinks you are out of compliance, what evidence any claims are based on. etc. Don't let it become an open-ended fishing expedition.

Third: Do a quick self-audit on the licenses in question. Hopefully you can answer with confidence and proof that Microsoft's information is incomplete, and you are in fact fully licensed for the products in question. You'll also want to mention your internal policies and procedures in place to ensure compliance; if it's clear that you already follow good SAM practices, there's less reason for suspicion.

Now, if it turns out that you are out of compliance, you have a problem to address, rapidly. It may turn out that your best choice is to bring in the SAM partner for the "not an audit" engagement and check out their recommendations. Of course, be prepared to purchase any license shortfalls they find.

Or, you could elect to go it alone, using your internal staff and tools, or bringing in a consulting firm of your own choice, ensuring loyalty and confidentiality.

Whatever you do, "do nothing, ignore the problem" is not a good option.