clean inventory data contract overview for customers inventory data contract overview for customers...

Page | 1 31 January 2018

1WorkSpace Step 1 Site will reject files that have not been anonymized by the WCA. 2Some steps are performed on the Step 1 Site, but all steps are accessible via the WCA. 3The CIDC must be encrypted using the WorkSpace Companion App (WCA) prior to uploading to the main

WorkSpace site to pass validation.

Clean Inventory Data Contract Overview for Customers

This document provides an overview of the Clean Inventory Data Contract (CIDC), which is an Excel workbook that

consolidates and formats your Microsoft software deployment and usage data. The CIDC is used to generate the

Established Deployment Position (EDP) and Effective License Position (ELP) reports, which are deliverables provided by

your Microsoft Software Asset Management (SAM) Partner at the completion of your Microsoft SAM Engagement.

The workbook is named “data contract” because it is specifically formatted (schema, data types, and validations) to work

with the WorkSpace. The WorkSpace is a platform designed to facilitate the collection and analysis of high quality data

gathered for SAM Engagements through the use of three main components: The WorkSpace Companion App (WCA),

the WorkSpace Step 1 site (accessible via WCA), and the main WorkSpace site.

There are a few steps to completing a CIDC; the first is uploading your anonymized Artifacts1 (raw data files) to the

WorkSpace Step 1 site (accessible via WCA) to generate the Standard Report, Enterprise Report, Refinement Report, and

Preliminary CIDC; the second is to review and refine the reports to ensure all necessary data has been gathered; and the

final step is to manually complete the CIDC by adding or adjusting information that cannot be collected through data

collection tools. Your partner will complete the majority of these steps, working with you to ensure the most accurate

and complete representation of your IT environment.

The Standard Report provides a snapshot of inventory coverage and identifies gaps in data collection; the Enterprise

Report provides global and per product views and rich data visualization features which are more suitable for

management and executive review and the Refinement Report enables you to add more information about your

software deployments. All reports should be reviewed before downloading the Preliminary CIDC. Reviewing these

reports first provides an opportunity to identify any additional data points that need to be collected. All reports require

the WCA to restore Personal Identifiable Information (PII) so they can be reviewed in detail.

To improve data coverage, your partner will use the Standard, Enterprise and Refinement reports to identify workstations

and servers that may need to be scanned again, marked as out of scope, or categorized for a particular environment

such as Production versus Non-Production. New data and information can be uploaded to the WorkSpace Step 1 site, as

anonymized Artifacts, to generate a new set of updated reports for review again.

Your partner should iterate the process of identifying gaps in coverage, collecting more data as needed, and refining the

information until the coverage is as good as can reasonably be achieved. More details on these reports and how to use

them effectively is described below.




Generating Reports and Refining Inventory Results

To obtain a full and clear picture of your deployment data, it is likely that data was collected from different and multiple

data sources. There are scenarios where a specific computer system may be referenced by multiple data sources or

multiple times by the same source. Additionally, different data sources can specify the same data points with different

values (e.g. virtual host) and data points that tend to be specific to a certain type of data source (e.g. last logon time). To

provide the optimal result, the WorkSpace synthesizes an inventory record for each computer system that factors in all

the available information. Many factors are taken into consideration when establishing the unique set of machines and

their properties, but in general, the most recently discovered data points are the values reflected in the report.

When collecting data, the WCA formats the raw data into what are called Artifacts and anonymizes PII contained within

those Artifacts. The process of anonymization enables the WorkSpace Step 1 site to consolidate and de-duplicate data

even when your PII is obscured.

The anonymized Artifacts are then uploaded to the WorkSpace Step 1 site to generate the Standard Report, Enterprise

Report, Refinement Report, and Preliminary CIDC.

Standard Report

The Standard Report is an Excel workbook that includes a summary of your data completeness, enabling your partner to

identify gaps and machine level details to pinpoint those gaps for further investigation.

Scan Summary: In the Scan Summary worksheet shown here, you can see the coverage percentage and count for both

servers and workstations. In this example, there are 87 total servers (according to Active Directory) but the data

collection by machine was only successful for 78 servers resulting in an 89% success rate, and the workstation count is

only indicating a 67% success rate.

To find out more about failed or incomplete scans, the other worksheets in the Standard Report provide machine level

and user level detail. While this report may not indicate exactly why the scan failed, it does provide enough information

to identify which machines need further investigation.

Inventory: The Inventory worksheet contains machine level data that can be filtered to narrow in on failed or

incomplete scans, as well as pertinent information such as, machines marked as out of scope in columns named

“InScope” and “ScopeReason.” If a workstation has not connected to the network in 90 or more days, it will be marked as

out of scope on the Inventory worksheet and will not show in the Scan Summary. The default value of 90 days can be

changed when your partner creates the Standard Report in the WorkSpace Step 1 site. For example, it can be amended

to 30 or 45 days, or you can override the scope in the Refinement Report marking a machine in or out of scope

regardless of the number of days it has not connected to the network.




Users: The Users worksheet helps identify the user counts necessary for accurately calculating the number and kinds of

Client Access Licenses (CALs) you need. It is also useful for reviewing user activity by domain using the Last Activity Date

or Days Since Last Activity columns to identify any users still connecting to the network that should no longer have

access, further enforcing cybersecurity policies.

Server Worksheets (i.e., Windows Server Worksheet): These various server worksheets show detailed server

information such as processor and core counts, host and guest mapping, clustering, and server product edition and

version.

In addition to using this report for data coverage, your partner can gain valuable insights about how to improve your

overall IT management. For example, in addition to improving cybersecurity by reviewing user activity levels, as

mentioned above, machine activity levels can help you identify ways to optimize workloads. Machines that are

determined to be out-of-use based on having no activity for some time could be decommissioned. For machines with

low activities levels you may be able to determine applications and data that can migrate to cloud backup storage or

even a pay as you go model, rather than continuing to support them on-premises.

Enterprise Report

The Enterprise Report is an Excel workbook that includes a series of 25 reports which provides a global and per product

view of the collected inventory using rich data visualization features.

Scan Report: This tab contains the same information as the Scan Summary tab of the Standard Report. Customers and

partners can have a view of coverage and count for both servers and workstations.




Deployment Summary and Deployment Report: These 2 tabs contain information of deployed quantities for

Microsoft products. The Deployment Summary tab presents an easy to visualize way of deployed data, where

information for servers and workstations are displayed in 3 groups: machines, operating systems and applications. The

Deployment Report contains a view of all inventoried data.

Windows Workstation Summary and Windows Server Summary: These worksheets contain a nice view for

deployed quantities for Windows Workstations and Servers. For both worksheets, information is categorized by physical,

hypervisor hosts, virtual machines and unknown (uncategorized).




Hypervisor Summary and Hypervisor Report: These 2 tabs contain information related to virtual hosts and clusters.

The Hypervisor Summary tab presents an overview of processor and core counts for hypervisor hosts. The Hypervisor

Report is a detailed view of the Hypervisor Summary tab.

Windows Server Detail: This worksheet shows detailed server information such as processor and core counts, host

and guest mapping, clustering, and server product edition and version.




Users: The Users worksheet helps identify the user counts necessary for accurately calculating the number and kinds of

Client Access Licenses (CALs) you need. It is also useful for reviewing user activity by domain using the Last Activity Date

or Days Since Last Activity columns to identify any users still connecting to the network that should no longer have

access, further enforcing cybersecurity policies.

In addition to the presented views, the Enterprise Report contains separated device views for the following products: SQL

Server, SharePoint, Exchange, Lync, System Center, Dynamics CRM, BizTalk and Office.

Refinement Report

The Refinement Report is an Excel workbook that enables you to refine the data collected and fill in some of the

information gaps so that your data coverage is complete and comprehensive. Notes that are added to the Refinement

Report are carried over in later reports such as the CIDC and EDP to provide more information that may be needed

further down the engagement process. Below are some examples of refinements that can be made by updating the

Refinement Report and then uploading it again as an anonymized Artifact.

Summary: This worksheet provides a high-level count of rows within the subsequent worksheets that should be

reviewed and potentially updated along with instructions on what kinds of information can be adjusted. As changes are

made on the other worksheets, the Summary worksheet will update accordingly.




Workstations and Servers: These worksheets can be adjusted by indicating whether specific machines should stay in

or out of scope. For example, it may be appropriate to exclude de-provisioned servers. Any machines believed to be

valid and in-scope should also be refined as Physical or Virtual to ensure later license allocations are accurate, unless an

additional data source will be used to target those machines.

Partial OS and Non Microsoft: These worksheets include machine records for which the operating system record is

incomplete, absent, or known to be from a publisher other than Microsoft.

Virtual Hosts: This worksheet lists virtual machines where the virtual host is currently unknown. The name, number of

physical processors, and number of physical cores for the host can be added so that the virtual machine is properly

recognized and mapped later in the Preliminary CIDC. Completing this worksheet will also update the Standard Report

to eliminate the unknown hosts section on each of the Server worksheets.

SQL and Office Editions: In some cases, product edition detail for SQL and Office instances may not be captured

during the data collection process. In this case, the edition should be added on the SQL Editions and Office Editions

worksheets.




Scope: Lastly, a complete list of machines discovered is available on the Scope worksheet, with their tool-assigned scope

(in or out, based on activity and data collection status). Existing scope of any machine can be overwritten in the orange

cells (moving in scope machines out, and the reverse). Machines already updated in the Workstations or Servers

worksheets do not need to be handled again in the Scope worksheet.

Once the Refinement Report is updated, it is anonymized and uploaded to the WorkSpace Step 1 site to generate

another set of reports for review and a more accurate Preliminary CIDC. As mentioned earlier, your partner should

iterate the process above to identify missing data, collect additional details as needed, and refine that information until

the coverage is as good as can reasonably be achieved. Microsoft SAM Engagements require that data coverage must

reach at least 90% for all devices.

Manually Completing the CIDC

After completing the above steps, the Preliminary CIDC can be downloaded for review and completion. Again, the WCA

must be used to restore your PII. To manually complete the CIDC, your partner will work closely with you to add and

verify information contained within the report.

Completing the CIDC provides the WorkSpace site with guidance on how you are using your software deployments and

other information that cannot be discovered via inventory tools. For example, whether a software deployment should

map to a specific Licensing Model based on how it is being used, such as User versus Device CAL or a Processor versus

Core License. The accuracy and completion of this information is critical to gaining the most value from your

engagement as the final CIDC will be the basis for your EDP and ELP reports later.

How to Complete the CIDC

The first worksheet in the CIDC provides detailed instructions on what fields need to be reviewed and manually

completed (also highlighted in yellow) throughout Worksheets A through G. These instructions include descriptions of

the use of those fields and guidance on how to input the correct information.




Worksheets A through G are broken out by common product groupings such as Hardware and Operating System, Client

and Server Applications, Access Licensing, and User Subscription Licensing. These worksheets should be reviewed for

accuracy and completed by following the specific steps outlined in the Instructions worksheet.

There are several scenarios that may need to be reviewed and considered when making modifications to the CIDC. Here

are just a few.

Example modifications Scenarios

License Quantity Required - A default

value of 1 license per deployment is

included but, in certain scenarios more

licenses may be required.

If a physical server has four processors it requires two processor licenses,

one for each dual-core processor. Therefore, the License Quantity

Required would be updated from 1 to 2.

You may need to add required licenses for physical workstations

accessing any Virtual Desktop Applications (VDAs) that may not have

been discovered via inventory tools.

When assigning licenses to a host, only 1 Datacenter license is required as

it allows unlimited virtualization under that host. However, more than 1

Standard license maybe required depending on how many virtual servers

are hosted. Effective License Quantity may need to be adjusted

depending on your specific scenario.

License Model Assigned - In certain

scenarios, you may need to select between

multiple and different license types.

Depending on how users are accessing a server, here you can determine

whether you need Device or User Access which will help match up the

appropriate CALs later in your ELP.

License Program Group Assigned -

Used to differentiate between licenses that

would typically appear in your MLS versus

other license type such as OEM.

Physical workstations or servers you've acquired should have come with

an OEM license for the operating system. If you are not using your

volume license agreement to upgrade to a newer operating system, then

you would change this field to indicate you are using your original OEM

license for these particular software deployments.

Environment Type - Useful when

determining whether MSDN licensing can

be used.

Depending on how you are using the software deployed, you may

change the "Environment Type" from Production (default) to

Development to leverage MSDN licensing.




Additional Information Needed

At least two additional reports are needed to complete your CIDC; a current Product and Program Definitions

(Workspace_DomainData.xlsx) report and your latest Microsoft Licensing Statement (MLS). Your partner may also ask

you for any other records and documentation that can aid in the completion of the CIDC.

The Product and Program Definitions report is updated weekly and available for download by your partner from the

WorkSpace site. This report is necessary for the completion of the CIDC as it contains details on the taxonomy (i.e.,

naming conventions) used within the WorkSpace site, such as License Product Family Names or License Product Family

Version Names. If this information is entered incorrectly, then the CIDC may fail when uploaded to the WorkSpace site.

In some cases, the upload may pass but the quality of the data loaded will be low or inaccurate resulting in time-

consuming rework.

The MLS, which is provided by your SAM Engagement Manager, provides a detailed account of your Microsoft Volume

License Agreements as well as the product licenses and Software Assurance (SA) benefits acquired under these

agreements. This information is valuable when updating information in your CIDC such as which License Model you wish

to use for specific deployments or whether you have SA benefits as part of one or more license agreements. To ensure

accuracy, your partner should review the MLS with you to check whether all agreements are shown in your statement.

Although you and your SAM Partner may refer to your MLS when completing the CIDC, it is important to review and

add quantities and information into the CIDC based on actual software deployment and usage, not what licenses have

been acquired through agreements. This ensures accurate reporting on how you should be licensing your software

deployments versus how you are currently licensed.

Uploading the Completed CIDC

After the correct values have been entered, the Completed CIDC is encrypted using the WCA. This process ensures that

your PII is not accessible to Microsoft or anyone in transit.3 After encrypting the CIDC, your partner will upload the

Completed CIDC to the main WorkSpace site, and continue on with the next steps of the engagement.

If the CIDC fails to upload, a warning is shown and a CIDC Error Report is provided to help guide you and your partner

through the necessary changes to successfully complete the CIDC report. The Error Report contains inline error reporting

made directly to the CIDC report. When you or your partner open the Error Report, you will notice the spreadsheet looks

identical to the CIDC file that you attempted to upload. The difference is that the Error Report has highlighted all of the

cells that have caused a validation error to occur. The description of errors can be found in the “Error(s) Description”

column added to the far right of the original columns in each of the worksheets where errors have occurred. The data

set within the Error Report is still protected with PII encryption and file level protection, both of which should be removed

prior to making edits to the report.

For more information on all of the SAM Engagement deliverables, consult with your SAM Partner. For more details on

the data collection process, anonymization, and encryption, ask your partner to provide the “WorkSpace Companion

App Overview” and the “Software Asset Management (SAM) Engagement Data Usage and Privacy Information”

documents.

clean inventory data contract overview for customers inventory data contract overview for customers...

Documents