Discussion:
[ale] OT: Microsoft "audit"
Edward O. Holcroft via Ale
2018-05-16 15:02:54 UTC
All,

I'm pretty sure this topic has been covered in the past, but here we go
again ...

A few years back we went through a fairly lightweight (I think) Microsoft
audit process and I kinda panicked and did everything in my power to
cooperate with them. I didn't want to piss them off in case we were out of
compliance. It was quite a lot of work on my side, and it was handy, I'll
concede, to know that we were all in the clear once the "audit" was
complete.

Since then I have switched the company to a lot of Linux on the server side
(replaced all our regional office Server 2003 with CentOS), and at the same
time done a much better job of monitoring proprietary license compliance.
We still use a small number of Server 2012 servers for auth and group
policy, which we are heavily locked into. And of course ... Doze on the
desktop. About 350 users.

Last year, they wanted to run through the process again. I declined, and even
though they were pretty persistent for a while, they eventually went quiet.
So now we get to 2018 and they've started at it again. My position on this
has evolved over the years, and I've reached a point where I just do not want
to cooperate with Microsoft on "checking up" on us after we've thrown
hundreds of thousands of dollars into the bottomless pit of their POS
software over the years. I know we're pretty much license compliant as an
organization and I find myself irritated, even offended by this Microsoft
audit request.

So to my question: does anyone possess knowledge on where I stand?
Microsoft does a pretty good job of making it sound like they're legally
entitled to do this and that I do not comply at great peril. Is this true?
Has anyone out there repeatedly declined their offer of license compliance
"help"? How did it go? Is it better to just bend over? I feel like if they
want to do this, I should make them legally compel us, if that's even
possible without them accusing us of a crime.

ed

_________________________________________

*Edward O. Holcroft*
IT Operations Manager

*Madsen, Kneppers & Associates, Inc.*
Construction Consultants & Engineers
11695 Johns Creek Parkway, Suite 250
Johns Creek, GA 30097

*O* 770.446.9606 | *F* 770.446.9612 | *C* 770.630.0949 |
***@mkainc.com

www.mkainc.com
--
MADSEN, KNEPPERS & ASSOCIATES USA WARNING/CONFIDENTIALITY NOTICE: This
message may be confidential and/or privileged. If you are not the intended
recipient, please notify the sender immediately then delete it - you should
not copy or use it for any purpose or disclose its content to any other
person. Internet communications are not secure. You should scan this
message and any attachments for viruses. Any unauthorized use or
interception of this e-mail is illegal.
Beddingfield, Allen via Ale
2018-05-16 15:07:37 UTC
If they are like most software companies, you will find that somewhere buried in the EULA, you have agreed to allow them a proctology exam on your compliance whenever they want.
Allen B.
--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
***@ua.edu

_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/
DJ-Pfulio via Ale
2018-05-16 15:32:52 UTC
Post by Beddingfield, Allen via Ale
If they are like most software companies, you will find that somewhere buried in the EULA, you have agreed to allow them a proctology exam on your compliance whenever they want.
I thought this was part of any volume license agreement from MSFT. OTOH, get
your legal department involved and have them make a determination.

https://ask.slashdot.org/story/01/07/07/1829241/how-do-bsa-raids-work

There are others.
Michael Curtis via Ale
2018-05-16 15:45:53 UTC
Having run large shops in the past there are two answers to this:
1) If you have an Enterprise Agreement they have the right to come in annually to true up against what you own and what you have deployed. It’s in the print on the contract so there’s not much you can do but take it.

2) If the software is retail or acquired outside of a volume license then you can basically tell them to go to hell and come back with a warrant (I would refrain from that specific language but you get the idea). As far as I am aware they have to show just cause as to why they want to audit you if they want to check your stance with non-volume licenses. In this instance I would consult with corp legal ASAP and not let them in the lobby.

Hope this helps.

Thanks!
-Mike
Blake, Joseph S via Ale
2018-05-17 14:57:51 UTC
It’s best to cooperate early. Your EULAs with Microsoft give them the right to audit your usage of the software, so unless you can prove you have zero Microsoft software in your environment, you’re subject to their audits.

They have three levels. First is the friendly "lightweight" audit you did before. If you refuse, they'll usually come back with a little more forceful yet still "voluntary" audit. If you refuse that one and they suspect you're out of compliance, then comes the legally forced audit via an official FedEx package with the details. Each one is more invasive than the last, and the 'get a FedEx envelope' level audit is an IRS-level forensic exam.

Luckily I don’t have to deal with this type of stuff anymore, but have had to go through one in a past life. Philosophical issues aside I suggest you cooperate as soon as they contact you, especially if you are very sure that you’re in compliance. The more in depth they get, the more likely it is that they’ll find something technically out of compliance. Certain products (like SQL) have licensing so convoluted that even MS doesn’t know the proper answer, so whether they ding you can sometimes be purely up to the auditor.

