1. Disclaimer: this document is intended to provide advice and information only and the accuracy of any statements
are not guaranteed. Any actions taken on the basis of this document are carried out at the organisation’s own risk
The ITAM Review UK Annual Conference 2016 Page 1 of 4
Discovery of the Microsoft applications installed on your estate is actually relatively easy. The
challenging part is understanding HOW they are used in order to determine what licenses are
required to support them.
The majority of Microsoft Licensing ‘gotchas’ originate at the IT solutions design stage. It is vital
that Software Asset Managers are engaged at Programme / Project initiation to identify potential
licensing risks, as well as at the solutions design stage to ensure IT solutions are designed to be
licensing efficient and that licensing costs are fully understood BEFORE the solution is deployed
– we call this ‘ITAM by Design’.
Below is a list of classic Microsoft Licensing ‘gotchas’. Use this list to carry out a baseline SAM
risk assessment before your next audit to minimize nasty surprises.
Packaging Errors
What is it?
A packaging error is simply where the wrong version of an application is packaged. The
organization procures sufficient licenses to cover what they think is deployed, but unfortunately
packages and deploys a different version which is unlicensed and therefore non-compliant. A
classic case would be where Microsoft Office Standard has been purchased but Microsoft Office
Pro was the application actually packaged.
What is the risk?
It depends on the size of the organization and the product deployed. In the example above,
Microsoft will not allow you to offset the cost of the MS Office Standard licenses against the cost
of the MS Office Pro licenses, and will require you to repurchase MS Office Pro licenses… it
adds up very quickly.
What can we do about it?
Try and negotiate the option to uninstall the wrong application and reinstall the correct one. Note
that Microsoft is likely to want you to commit to achieving this within a period of time, at the end
of which they may want to audit your compliance. If you intend to migrate to O365 in the near
future, this may be something to throw into the discussions to increase your leverage.
Software Assurance in DataCentres or Cloud
What is it?
Applications such as SQL, Exchange, SharePoint etc do not require Software Assurance when
deployed in static environments. However, if they are migrated to a Data Centre which utilizes
High Availability (HA) and Distributed Resource Scheduler (DRS) (aka Load Balancing),
Microsoft requires that licenses are covered by Software Assurance. This is also the case when
VMs are migrated to public cloud.
This is an issue because the applications are mobile – they can automatically move from
physical host to physical host in contravention of the 90-day transfer rule that applies to
applications that are not covered by software assurance.
What is the risk?
Microsoft does not allow software assurance to be attached to licenses more than 90 days after
the license is purchased, so you will be required to repurchase the license plus SA – expensive
if you have a large SQL estate.
Microsoft Audit Defence
Microsoft Licensing ‘Gotchas’ Checklist
What can we do about it?
Once the issue has been identified in an audit, there is not much you can do about it – very few
organisations would be willing to take the risk of turning off HA and DRS functionality as this
could cause significant business disruption if a physical host failed. It is likely you will need to
procure the appropriate licenses, BUT if you have future plans to migrate to cloud ensure you
take this into account when deciding how to remediate the non-compliance – what is cost
effective in a Data Centre may not be cost effective in the cloud and vice versa.
If the risk is identified before an audit, organisations may take the opportunity to redesign their
resilience arrangements and switch off HA and load balancing. They may also take the
opportunity to rationalize their application estate, possibly introducing a SQL cluster (licensed
through SQL Enterprise with SA – still expensive, but probably cheaper than re-purchasing lots
of SQL Standard with SA) and test & dev clusters which are licensed through MSDN.
Again, before deciding how best to remedy this issue, ensure you take into account your future
cloud plans and build a thorough business case before making any decisions.
Citrix / Terminal Services
What is it?
This is a particularly nasty risk because it is so unexpected. Citrix and Terminal Services are
examples of multiplexing, and Microsoft’s rules are that where a license is consumed indirectly,
it is still expected to be licensed as if it was actually deployed.
The problem arises because Citrix and Terminal Services are designed to optimize user
experience, and so ‘out of the box’ access controls are user based. However, Microsoft
perpetual licenses such as Microsoft Office, Project and Visio are device based licenses. The
result is that if a desktop application is published via Terminal Services, ALL the devices that
could possibly access the server must be licensed for the product – in other words every single
device that can access the Citrix or Terminal Server, regardless of whether the user who is
using the device has access or not.
In addition, all users who have access to Terminal Services must have an RDS CAL, which a lot
of organisations aren’t aware of.
What is the risk?
The risk can be enormous – potentially millions of pounds if Microsoft Office Pro (instead of
Standard), Project Pro and Visio Pro have all been published via Terminal Services and every
machine is able to access these products.
What can we do about it?
If this issue is identified during an audit, you should definitely try and negotiate an option to
remedy this issue by implementing device-based access controls. This usually requires the
deployment of an additional management tool onto the TS or Citrix servers, the identification of
which machines are used by individuals who genuinely require access, and then creating a
white-list of machines that are able to access the Terminal Server. It’s not an easy process and
will require a project to implement, so make sure you give yourself plenty of time to actually
achieve the end result. As with the Packaging Error, Microsoft is likely to require a commitment
to remedy the situation within a particular timeframe.
O365 Downgrade Rights
What is it?
Microsoft O365 Pro Plus does NOT allow downgrade rights, so a purchase of O365 cannot be
used to remediate non-compliance of older perpetual licenses. An additional gotcha is that
organisations must be careful not to deploy Office 2016 thinking it is the same product as O365
Pro Plus – it isn’t.
As an aside, Microsoft have a rule that subscription licenses cannot be purchased to remediate
perpetual license non-compliance – but as with many things in Microsoft world, you can
negotiate on this point and sometimes even get a favourable result!
What is the risk?
If O365 Pro Plus has been purchased to remediate non-compliance of older perpetual licenses,
Microsoft is within its rights to ask you to purchase an appropriate number of perpetual licenses.
What can we do about it?
Microsoft is VERY keen to see O365 deployed, so you should definitely try and negotiate on this
point. As always, Microsoft is likely to want a time commitment for you to remediate the issue,
which in this case means deploying O365.
Incorrect OEM Operating Systems
What is it?
Microsoft Windows Operating Systems (OS) can only be distributed by Original Equipment
Manufacturers (OEMs). Each desktop that is produced for use with a Microsoft Windows
Operating System has a unique serial number and the OEM must send records of the serial
number and the Microsoft OS supplied to Microsoft as part of the conditions of purchase.
The issue arises because Microsoft’s licensing rules state that if you rebuild a machine with a
Microsoft Windows Operating System, then it must be reinstalled with the unique OEM version
and serial number unless it is Microsoft Windows Professional, which can be installed from an
image.
During an audit, Microsoft will run a report showing which machine was sold with which type of
OEM so that they can confirm that the correct version of Windows is installed on each machine.
Companies get into trouble for two reasons:
a) they have a standard Windows Professional Image which is deployed on non-Windows
Professional machines; and
b) they reimage machines that do not have an MS OEM operating system at all, possibly
because they were intended to be deployed with a Linux operating system.
What is the risk?
The risks are generally fairly low. However some OEMs don’t have systems in place to prevent
Home and Small Business Machines being sold to corporates who are likely to use imaging
technology during deployment so this gotcha can be a bit of a shock.
What can we do about it?
You will be expected to procure ‘Microsoft Windows Get Genuine Licenses’ to replace the
incorrect OEM license. The price varies depending on the quantity of licenses purchased, and
you should be able to negotiate economies of scale with Microsoft if there are a large number of
machines with the incorrect OEM.
If you feel the OEM has mis-sold the incorrect OEM (i.e. you are an enterprise customer) then
you may also be able to pursue the OEM for compensation.
Enterprise Client Access License (CAL) Requirements
What is it?
Microsoft Applications such as Exchange, SharePoint, Skype for Business etc require CALs for
each end user or end point that accesses the applications’ services. Many companies start off
utilising features which require standard CALs, and license on that basis, either on a point
product basis or through the purchase of the Core CAL suite.
However as time goes on and the organisation’s requirements become more sophisticated, parts
of the organisation may start using Enterprise CAL functionality, not realising that they need to
purchase the additional CALs.
What is the risk?
The risk depends on the number of individuals or end points using the additional functionality,
and how access to this functionality is controlled.
What can we do about it?
It can be very difficult to pin-point exactly which functionality requires an Enterprise CAL and
who is using it. You will need to speak to a licensing expert to understand exactly what the
requirements are and then work with the appropriate Applications Support teams to understand
how usage is tracked within the applications themselves.
External Connectors
What is it?
External Connectors are a type of CAL that is used when the number of end points or users
accessing an external facing server is either un-countable or is such a large number that it is
more economical to license with an External Connector than a CAL. The typical scenario is an
internet server.
The catch is that where you have a server in the background, such as a SQL server, providing
data to the web server (an example of multiplexing) the SQL server also needs an External
Connector.
What is the risk?
For most organisations, the risk in this scenario is relatively low compared to some of the others
discussed. This is because most organisations have a limited number of servers publishing
content to the web server – but of course this does depend on each organisation and how their
solutions have been designed.
What can we do about it?
This is an example where license efficient IT solutions design can make a big difference, but if
the issue is discovered after the fact the only solution is to purchase the required licenses. To
ensure IT Solutions Architects implement ‘ITAM by Design’, make sure that software asset
managers are engaged at programme and project initiation to ensure potential SAM risks are
identified, and that they work with IT solutions architects to ensure that solutions are risk
assessed BEFORE they are deployed, rather than afterwards.
If you have any questions about the contents of this document or would like to discuss any of the
issues raised in more detail, please contact ITAM Intelligence:
Kylie Fowler
Principal Consultant
07946 244 107
kylie.fowler@itamintelligence.com
www.itamintelligence.com