SPLA Audits and Anonymous / Authenticated / Outsourced / Non-Outsourced Windows Server Licenses
Businesses that have endured audits initiated by Microsoft in connection with Services Provider License Agreements (SPLAs) are all too aware that Microsoft’s auditors spare no effort in identifying opportunities to increase the total amount of the compliance purchases demanded to resolve licensing discrepancies. For service providers that have licensed Windows Server operating systems under SPLA for some time, one of the tactics used by Microsoft stems from the confusing, bifurcated licensing regime that Microsoft previously applied to that product.
Prior to 2009, Microsoft differentiated between “Anonymous” and (more expensive) “Authenticated” SKUs for Windows Server licenses acquired under SPLA. The differences between those two offerings are described in the Use Rights document available here. In summary, Microsoft allowed SPLA licensees to order the Anonymous/Unauthenticated licenses as long as users were not individually identified by the operating system or only use Windows as an application platform.
Perhaps realizing that those definitions were very difficult to apply in practice – especially in the context of a disputed audit – Microsoft replaced that bifurcation and transitioned to “Non-Outsourced” and (more expensive) “Outsourced” SKUs in July 2009 (as described here). Under that framework, the focus shifted from the functionality of the software to the SPLA provider’s role in offering the software to its customers.
However, that definition is just as difficult to apply in real-world licensing scenarios (if not more so), and in June 2011, Microsoft scrapped the bifurcated approach altogether.
Unfortunately, while IT administrators no longer have to worry about which type of Windows Server license to report under SPLA today, Microsoft still applies the above concepts in its retroactive compliance calculations for audits. We have represented clients in SPLA-audit disputes where Microsoft has applied the Anonymous/Authenticated analysis to pre-7/2009 deployments, then the Non-Outsourced/Outsourced analysis to 7/2009-6/2011 deployments, and then the “everything is Non-Outsourced” analysis to 6/2011-present deployments. All with the purpose of maximizing the amount owed to resolve the dispute.
For this reason (among many others), businesses facing SPLA audits owe it to themselves to consult with counsel when responding to Microsoft’s audit demands. In many cases, the auditors simply apply the relevant rules incorrectly. Successful challenges to those discrepancies can have a significant impact on a company’s audit exposure.