Recommendations for dealing with and planning for SAM Engagements

Posted on Jan 1, 2016 in From the Cloud, From the Mind

In my last post, I actively protested against Microsoft’s bad behavior with how they execute their SAM Engagements. That said, I am a believer in properly licensing one’s software, and as such, EfficiencyNext operates out of an abundance of caution with regard to this. Here are my recommendations. Disclaimer: I am not a lawyer. This is not legal advice, but advice from someone who implements Microsoft technology.

Cooperate when You Are Contacted, but Verify

The SAM Engagement is a required process, no matter how much the initial contact tries to make it look like they are selling you something. It’s OK to be grumbly, but don’t block the process or try to hold it up. But, always demand they send you an email before giving any information over the phone. I have no doubt there are plenty of hackers pretending to be SAM Reviewers in order to get information they can use to break into networks.

Be Truthful

Don’t lie. In general, these SAM Engagements seem to be used by Microsoft as revenue optimizers. It’s about increasing revenue per customer, not necessarily anything punitive. If you execute the process in good faith, you might find out you need to buy more licensing, but in general, you shouldn’t find yourself being sued or being forced to pay costs in excess of actually buying the necessary licenses. Lying (or being uncooperative) is a road that can quite likely lead to legal action.

Understand the Limits of Volume Licensed Operating Systems and OEM Operating Systems

This is one of the Big Gotchas. Microsoft Operating Systems, licensed in Volume and Partner Programs, are Upgrade Licenses only. They do not include licensing for the base operating system, which must also be licensed for the computer the Upgrade License is installed on. These base licenses must be business class; that Windows Home license that comes with many PCs doesn’t cut it. That leaves two options:

  1. When you buy a computer, make sure it comes preinstalled (OEM) with a valid business-class operating system, such as Windows 10 Professional, and DO NOT LOSE THE RECEIPT FOR THE SYSTEM PURCHASE. Keep the physical copy, and also scan it into an online accounting system immediately. Without an invoice stating the computer originally came with the Windows license, the SAM Reviewer can make the case the OEM OS might have been installed after the computer’s sale, rendering the validity of the license unprovable. This is also a significant concern if your company buys PCs used; in such cases, you should insist on getting a copy of the original purchase receipt.
    • I would argue this is a strong case for buying Surface Pro hardware specifically, as the hardware itself should be considered proof of a valid license, as it always comes with a Professional copy of Windows and is manufactured by Microsoft itself. You shouldn’t be screwed if you lose the receipt or buy the Surface Pro 1/2/3/4 used. There’s simply no mechanism for how the computer wouldn’t have a valid OS installed. The fact that the Surface Pro comes with Windows 8/10 OEM Professional is actually a $140 value that many other machines you buy at retail don’t have.
  2. Purchase Full Retail Copies of a Microsoft Business Class OS, and ensure each license is mapped to a computer running an Upgrade Volume License of Microsoft Windows. As of today, technically, even Vista for Business works for this purpose. I highly recommend purchasing current retail copies that are verifiably legitimate, as counterfeit retail software remains a problem today. That’s roughly $200 a pop, but at least with retail licenses, you can transfer them from one PC to another. You can’t do that with OEM licenses. And when you buy retail, KEEP ALL THE PACKAGING, INCLUDING THE COA STICKER AND MOST IMPORTANTLY THE PRODUCT KEY STICKER. Without retaining these, a SAM Reviewer will likely presume you don’t own the software. The EULAs that come with Windows require that you maintain proof of license. Lock up the materials above and DO NOT LOSE THEM.


In short, if you are a Volume Customer or Microsoft Partner sitting on Microsoft OS Volume Licenses, don’t go nuts and install them on machines that don’t have valid and verifiable underlying business licenses. This will come back to bite you during your SAM Engagement.

Understand the Limits of MSDN Operating System Licenses

Developers can download and install copies of Windows on many, many machines, both physical and virtual. Understand these installations can only be used to develop and test software. If a developer uses the Operating System for anything not related to software development, that is a license violation. So make sure all your developers, if you have any, are properly licensed at the OS level for non-development activities, should they use their PCs for such.

Think About Adopting Office 365 for Your Staff

Seriously, keeping track of every copy of Office by PC, all of its activations, and the original purchase dates and receipts is hard, and difficult to control, even when licensing through the Volume Channel. We have found licensing by user on a subscription basis and not by device much easier to manage and account for. Office 365 has its own deployment checks to ensure staff members aren’t doing too many installations. This capacity is very handy, and the extra Microsoft services that come with Office 365 make this approach affordable in many ways (Exchange Email, Skype for Business, SharePoint Online included). The fact that each staff member gets up to five deployments of Office is also a plus, not to mention mobile device usage.

Use SharePoint Online and OneDrive for Business

The more servers you have, the more difficult a SAM Audit can be. Using OneDrive for Business, instead of dedicated file servers running Windows, reduces the complexity of your local environment, and thus the review. My only caveat is this: access to your files should require more than an email address and password. ALWAYS ALWAYS turn on Multi-Factor authentication for your Microsoft Organizational Accounts.

Use Azure Where You Can

Not only is Azure very flexible with regard to IaaS deployments, but the licensing generally comes bundled with the machines you provision. For each Windows Server, there is no per-user CAL charge.

And, for SQL Server, you also don’t need to worry about whether you are paying for the appropriate amount of cores; the licensing is cooked into the cost so long as you use one of Azure’s SQL Server images. The Enterprise version licensing isn’t cheap; running 4 cores will set your company back $12k a year, just for the licensing. Standard version licensing is about $3.6k a year for 4 cores. SQL Server Web, if the shoe fits, is very cheap at maybe around $290 a year.

If you need some Enterprise capability, such as Transparent Data Encryption for HIPAA compliance, and don’t want to be out $12k a year, looking at SQL Azure is also wise. TDE is a baked-in capability that can easily be turned on, and databases can now be part of pools that you can purchase which share resources, as opposed to paying per database.

The bottom line is Azure can greatly reduce the footprint of licensing you specifically need to account for. And one could argue this is where the future lies anyway.


During a SAM Engagement, it’s best to work with the SAM Reviewer during the process, and be cooperative and honest. For the time being, put aside any potential unethical ways they represented themselves upfront. Also, before the process, have a good understanding of the common Gotchas.

In our experience, it is a good exercise to migrate to cloud oriented services, such as Office 365, SharePoint Online, OneDrive for Business, and Azure, where much of the license management is handled for you. Simplification is a great strategy when it comes to license management. For all your cloud accounts, however, don’t forget to turn on multi-factor authentication.

Frankly, similar to Office 365, I wish business class Windows could be licensed to users on a subscription basis, without having to worry about this whole “Upgrade Only” nonsense. It’s high time for Windows 365 as an additive option to the current Windows licensing options.