Microsoft’s Deeply Flawed SAM Engagement Process

Posted by on Jan 1, 2016 in From the Cloud, From the Mind, Uncategorized

EfficiencyNext finished its first Microsoft SAM (Software Asset Management) Engagement this last year, having been contacted by a SAM Engagement specialist contracted by Microsoft. This is a process Microsoft Volume Customers go through so Microsoft can check that customer deployments match the licensing they have purchased.

Let us first say, we are an absolute supporter of Microsoft in their desire to ensure people are using their software by the rules. Volume Customers receive steep discounts over retail, so some form of review every so often seems a reasonable, fair trade. That said, I was deeply disappointed with the unethical nature of the original contact by the SAM Reviewer, and Microsoft’s inability to make the process efficient. This post is a compilation of thoughts I have; I will leave out the names of the individuals I worked with; if anyone at Microsoft would like to DM me on Twitter for details, you can find me at @napkatz. Likewise, I have a sympathetic ear for anyone else who would like to vent or discuss this process.

The way the SAM Reviewer Contacted Our Company and Represented Herself was Deceitful and Unethical

I took the initial call from the SAM Reviewer. She said that her company was “Offering a Free Software Asset Management Review” of our software environment, and asked for our IT Manager. The tone was clearly that of a sale. Given that tons of companies cold call us about IT services all the time, I started the usual “just send us something in the mail” line. At that point, the tone changed, and she said she was working with Microsoft and that the review was mandatory. I told her to email me, as I wouldn’t share information about our IT setup with a random caller over the phone. She did email me the formal Microsoft SAM materials, confirming who she said she was. And in the FAQ document she sent over was this threat:

We hope that customers will work proactively with us to ensure they have a compliant licensing position. However, given the great emphasis Microsoft places on protecting its intellectual property, for those organizations that don’t wish to engage in this process, a more formal communication may be made with respect to our licensing rights and your organization’s obligations under your Microsoft license agreements.

In short, the SAM Reviewer wasn’t offering or selling us anything; she was forcing our company into a Microsoft-driven audit, under the implied threat of legal action. There are plenty of potential motivations to be deceitful up front, I suppose; the SAM Reviewer needs to reach a manager of some sort or perhaps the review can’t happen? So maybe she has to lie her way to a manager. I don’t know. Whatever the reason, there is no excuse for such unprofessional and unethical behavior. Microsoft should be ashamed of this practice, even if it is their contractors and not them lying and misrepresenting themselves.

In short, it is OK to be angry about how this initial contact works. I was, and to an extent, still am. Especially because at our company, we take great pains to make sure we license our software properly, paying Microsoft thousands of dollars a year. The SAM Engagement process ignores the cheaters who don’t have Volume Agreements, and instead targets paying customers.

The SAM Reviewer Only Gives You Three Weeks and You Never See the Review Coming

I think this again cuts to how Microsoft doesn’t trust its customers. There’s no reason why these reviews can’t be presented clearly as a scheduled necessity that comes with the privileges of volume purchases at the inception of a Volume Agreement. And scheduled well in advance. These reviews smack of Surprise Inspection, which is too bad. Frankly, this, plus the initial deceit, made me want to run into the waiting arms of Google.

Microsoft Seems to Invest Almost Nothing in its SAM Process

The first step of the process is to complete a “Deployment Summary” workbook that the Microsoft contractor sends to you in “.xls” format (yes, the old one that went out of style 8 years ago). It contains macros that are password protected, which generally falls into the category of things I don’t want on my network. That didn’t matter, as the workbook crashed on my computer within 10 seconds of opening it. I received an apology from the SAM National Manager, and another “.xls” Workbook that was macro free. This one worked, but seriously, Microsoft could invest very little money here and make the process much easier for its Volume Customers. How about a secure online portal? Or at least a modern version of the document? I don’t know why Microsoft continues to choose to waste their customers’ valuable time via an outdated and buggy process.

The SAM Reviewers Seem to Be Clueless About Recent Software Products and Azure

The Deployment Summary spreadsheet was missing Windows 10, Visual Studio 2015, and other products we were required to account for. Perhaps most importantly, it had zero recognition that Microsoft Azure, where many customers keep their servers and services, even exists. The SAM Reviewer kept pressing for how we were licensing SQL Server Web and Windows Server, despite the licensing coming from Azure. After a couple of back-and-forths with her team, things got straightened out. But it’s worth noting the Deployment Summary document makes no mention of Azure or how to account for servers there. Seems like disrespect to Microsoft’s CEO, Satya Nadella. Azure was (and probably to an extent still is) his baby.

The SAM Reviewers Have Little Knowledge about First-Party Microsoft Hardware

The SAM Reviewer insisted we provide a receipt for our Surface Pro 1 to validate it shipped with a valid OEM copy of Windows 8 Professional, a step generally required for non-Microsoft hardware when an OEM license is claimed by the company being audited. She seemed to be clueless to the idea that the Surface Pro 1 was actually made by Microsoft, and always shipped with a valid OEM license for Windows 8 Pro, installed by Microsoft itself. I have the purchase receipt, but chose not to turn it over, as I wanted to see how far the SAM Reviewer would push this ridiculous point. A digital photo of the serial number underneath the kickstand turned out to be sufficient in this case, so apparently proof of possession of the hardware seems to be enough. Your mileage may vary.

The Method for Transmitting the Deployment Summary to Microsoft Leaves Something to Be Desired, Security-Wise

The SAM Reviewer asks that the completed Deployment Summary file, which contains sensitive information about one’s IT setup, be emailed to them, along with any proofs of purchase. Yes, customers can place these files in a password protected ZIP or RAR file, but really, Microsoft should be providing the security solution here in the form of an SSL secured online drop-off location. Make no mistake, post-Snowden, most email providers have embraced opportunistic encryption, and by default, most of the emails you send should have sender-to-destination encryption. That said, email security isn’t perfect, and there’s still plenty of room for a person-in-the-middle attack (such as intercepting and removing the flag in an email header that indicates the email is looking for a method of encrypted transmission).

Microsoft operates a whole fleet of web-based portals that can accept file uploads over HTTPS. Using email for transmission of a document that contains sensitive IT information that hackers would love to have seems to me like a bad idea, even in today’s world of opportunistic email encryption. Microsoft should shoot for something that is guaranteed secure.
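To make the “opportunistic encryption” point concrete, here is an added example (my own illustration, not code from the original post or from Microsoft): because opportunistic TLS is negotiated hop by hop, the only evidence a recipient has that each hop was encrypted is the RFC 3848 “with ESMTPS” keyword that each receiving mail server writes into its own Received: header. The script parses constructed sample headers (hostnames, queue ids and addresses are invented) and flags any hop that accepted the message in clear.

```python
import re
from typing import List, Tuple

# RFC 3848 "with" keywords meaning the receiving MTA got the message over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample headers (hosts and ids invented): three hops, the middle
# one accepted over plain ESMTP, i.e. without TLS.
SAMPLE_HEADERS = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby inbound.example.org (Postfix) with ESMTPS id 4F0C2
\tfor <sam@example.org>; Fri, 1 Jan 2016 10:02:11 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx2.example.net (Postfix) with ESMTP id 91A77
\tfor <sam@example.org>; Fri, 1 Jan 2016 10:02:09 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby relay.example.com (Postfix) with ESMTPSA id 55C1B
\tfor <sam@example.org>; Fri, 1 Jan 2016 10:02:08 +0000
"""

def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines; continuation lines start with whitespace."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

# from <host> ... by <host> ... with <protocol>; the "with" clause is what matters.
HOP_RE = re.compile(r"^Received:\s+from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)

def audit_hops(raw: str) -> List[Tuple[str, str, str, bool]]:
    """Return (from, by, protocol, tls) per Received header, newest hop first."""
    hops = []
    for header in unfold_headers(raw):
        m = HOP_RE.match(header)
        if m:
            frm, by, proto = m.groups()
            hops.append((frm, by, proto.upper(), proto.upper() in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw: str) -> List[str]:
    """Receiving hosts that accepted the message without TLS (empty if every hop was protected)."""
    return [by for _, by, _, tls in audit_hops(raw) if not tls]

if __name__ == "__main__":
    for frm, by, proto, tls in audit_hops(SAMPLE_HEADERS):
        print(f"{frm:>28} -> {by:<22} {proto:<8} {'TLS' if tls else 'CLEARTEXT'}")
```

Received: headers are written by servers you do not control and can be omitted or forged, so this is only an after-the-fact check of what each hop claims; it cannot force encryption the way an HTTPS upload does, which is the heart of the argument above.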

In Summary

This post focused on the unethical behavior, lack of competence, and arguably insecure approach Microsoft has taken with regard to their SAM Engagements, using contractors as proxies. Again, I believe there is room in this world for a competent, honestly presented SAM Process. Microsoft does the world an incredible amount of good, and the free products it offers enthusiasts, students, and even professionals starting out are wonderful. I admire Microsoft as a whole and feel obliged to call out this part of them that should and dare I say MUST be reformed.

We passed our SAM Engagement with flying colors, by the way. Which makes the whole thing a lose-lose. Microsoft spent money unnecessarily auditing us and came away with no new sales, and we spent valuable staff time that could have been spent servicing customers, and golly, selling Microsoft services. It’s an example of the many continuing ways Microsoft shoots itself in the foot.

Again, I welcome anyone from Microsoft to contact me about my concerns at @napkatz. I will update this post with any further conversations. Anyone who wishes to share their SAM experiences is welcome to contact me as well or comment below.

In my next blog post, I will share some recommendations you and/or your company should consider before and when your inevitable SAM Engagement comes.