Microsoft News Tracker

One of the Windows Vista concessions that Microsoft promised the European Union antitrust regulators in October was that they would provide kernel level APIs for third party security software vendors to work with the PatchGuard kernel protection code in 64-bit versions of the operating system. The timeline for creating and delivering those APIs kicked up quite a ruckus, but today Microsoft released a draft and reiterated the promised availability by the time Vista Service Pack 1 ships:

Microsoft Corp. today released draft application programming interfaces designed to allow third-party security products to get around a contentious kernel protection technology in the Vista operating system called PatchGuard.

The draft APIs will be available to security vendors for testing and comment through the end of January. A final version of the APIs will then become available when Microsoft releases Service Pack 1 for Vista sometime in mid-2007, according to Ben Fathi, vice president of development for the Windows Core Operating System.

Microsoft today also released a separate criteria evaluation document that details the processes Microsoft used in evaluating vendor requests for APIs to the Vista kernel. As with the draft APIs, Microsoft is seeking third-party security vendor feedback on its criteria evaluation processes.

There are more details by following the link and in a separate Q&A with Fathi. Reactions from the vendors haven’t come in yet:

McAfee officials said they would comment on Microsoft’s move Tuesday afternoon; Symantec won’t talk about the decision until Friday.

but what strikes me is that we now have yet another date for the infinitely mutable Vista SP1 (mentioned previously here).

Update, Nov. 22: McAfee is pleased, no comment yet from Symantec.

It turns out that we shouldn’t have worried that Thursday’s launch of Vista and Office (et. al.) was rather ho hum - there are apparently two more Vista launch events to come and that’s just in the USA. CEO Steve Ballmer says Microsoft will spend hundred of millions of dollars marketing Vista making it Microsoft’s most widely marketed product. Now instead of wondering about the apathy, one is forced to question the overkill. After all, as Carl Howe observes, Microsoft is a toll collector:

So what’s wrong with being a toll collector? Not a thing. It’s just like being a utility — it provides a consistent earning stream that should generate significant dividends. The only problem: Microsoft isn’t valued like a utility; it’s valued as a technology company with a price earnings ratio of 23, whereas utility companies tend to be in the teens. And its dividend yield of 1.3% is a far cry from the 2% to 4% of utility firms. And utility companies don’t devote seven billion a year to research and development either, nor do they launch me-too music players like Zune. They do, however, have an obligation to do maintenance on their properties, and that’s exactly what Vista and Office are: maintenance.

Other surprises from the launch included the revelation that there is no schedule for Vista Service Pack 1. There’s no schedule for the previously presumed dead WinFS file system technology either, but Microsoft now claims to still be working on it. And speaking of schedules, of the major security vendors, only McAfee has product ready for Vista.

But back to the fundamental question of how the new releases impact the transfer of loot to the Microsoft bottom line. As I have observed previously (and to continue the toll collector analogy), Microsoft can only increase the returns by catching those users who have been sneaking through without paying or increasing the amount that the lawful users fork over and now is as good a time as any to examine the state of play.

For the former, Microsoft CEO Sees Less Piracy With Vista and the Vista System Protection Platform “kill switch” certainly makes that likely. The new Genuine Advantage programs for Windows XP and Office also make it less likely that pirates will find any havens there, so Microsoft is making the choice quite clear: pay up or don’t use Windows/Office. Whether this translates into more paying users or a flight to free Open Source alternatives remains to be seen.

As for the return per unit sold to lawful users, Microsoft has laid the ground work for upselling enhanced versions of Vista, but it’s similarly unclear how successful and lucrative that will be. Mary Jo Foley elaborates in Will Vista prices be on a par with XP’s everywhere?

Even though the Windows Vista versions don’t match up exactly, feature for feature, with the comparable XP ones, Microsoft has held retail pricing fairly constant, officials have said. (And ditto for volume-license pricing, according to the Softies.)

Outside the U.S., however, it seems customers are going to be charged quite a bit more for Vista than XP, according to early data from Australia and Germany.

…

Microsoft officials are blaming local retailers for the mark-up.

…

So far, I haven’t seen data on how much PC makers are planning to charge for Vista systems here or abroad. And given that far more customers buy PCs with Windows preloaded on new systems than buy retail copies of Windows, those figures will be more of a true barometer of how expensive Vista will be.

While there is no clear answer on the per unit returns, everyone seems to have an opinion on uptake:

Jay Greene at Business Week:

When Microsoft’s two most important products become available for businesses (the consumer version of Vista will be ready in January), adoption is likely to be modest at best. To some extent, that’s because companies are cautious about adopting new technology. They want to make sure new products work with existing systems. And they don’t want to disrupt employees who are accustomed to using what they have.

But Microsoft faces another challenge. Many corporate buyers don’t believe there’s enough pizzazz in the new software to increase their budgets to deploy new products right away. The Society for Information Management, a trade group of business tech buyers, polled its members in October and found that 58% haven’t decided when they’ll roll out Vista. Another 27% plan to do so in 2008 and beyond.

…

Office 2007 is unlikely to ramp up much faster. That’s because most companies are going to wait to install Vista first, since the new Office takes advantage of many of the new operating system’s features. At an October symposium, research firm Gartner surveyed corporate tech buyers representing about 3 million corporate PCs and found that just 20% would deploy Office 2007 before Vista. Another 38% said they’d roll out both products simultaneously. And 16% said they’d wait and adopt Office 2007 after getting Vista out to employees. That suggests the vast majority of rollouts will come in 2008 and beyond.

As usual, however, ordinary consumers will be the early adopters - Microsoft Windows Vista to Gain More Ground with Consumers than Enterprises in 2007, Says IDC:

During calendar year 2007, Windows Vista Home products are projected to account for 90% of new Windows client operating environments deployed by home users. By comparison, Windows Vista Business and Windows Vista Enterprise will account for 35% of the new Windows client operating environments deployed by business users. During the second full year of availability, Windows Vista Business and Windows Vista Enterprise will grow to account for 80% of new deployments.

The crystal ball then is typically foggy, but it’s clear that not much is going to happen until consumers can get their hands on Vista and that story won’t unfold until February.

Ted Kummert, Microsoft’s Corporate Vice President, Security, Access and Solutions Division:

Today we are announcing key security products across the client, server and network edge, which map to our customer promise to help protect information and control access. First, we are excited to announce the public beta for Microsoft Forefront Client Security, a new product that helps protect business desktops, laptops, and server operating systems from viruses, spyware, and other threats. Second, we are announcing two new server security products, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint, which are currently in public beta, and will be available to volume-licensing customers in December. Finally, today we are unveiling new Application Optimization features for the Intelligent Application Gateway, a product included in Microsoft’s acquisition of Whale Communications this year.

While all are of importance, Microsoft Forefront Client Security is drawing the most buzz since it’s a stake pointed right at the heart of the lucrative corporate security market which has heretofore been dominated by Symantec, McAfee, and other third party ISV’s whose relationship with Microsoft has grown so rancorous lately. More information and the Client Security beta download are here.

It was easy enough for Microsoft to promise the EU that they would provide Vista security APIs to competing security software vendors, but delivering on that promise has turned into a real melee.

Microsoft did deliver some Security Center documentation on Monday, but was stung by complaints from McAfee and Symantec that it was inadequate and had scheduled a conference call yesterday to clarify matters. Unfortunately, the call did not go smoothly:

This meeting was under NDA, so what was actually discussed I can’t say. 

However, the not-secret part of it was that someone at Microsoft accidentally sent out the LiveMeeting presentation invites as “presenter”, which if you’ve ever used LiveMeeting, is an invitation to chaos.  Realizing their error, the meeting was rescheduled for 30 minutes later, and that didn’t all come together, because the meeting had been originally setup to end at 12:30, so we were promptly all kicked off.  Finally at 12:45 EDT the meeting went as planned.  Those who missed this meeting will have the ability to view another later today.

While I have my disagreements with Microsoft on the PatchGuard issue, I must defend them in this instance. It was a case of a few honest mistakes made by well-intentioned people, probably working under a tremendous amount of stress. No big deal people.

OK, but then Microsoft clarified the purpose of the meeting which they felt was “Microsoft’s intention to invite nearly 150 security products vendors to join it in the development of an open security services API for Windows,” and emphasized the fact that:

Such an API would not open up PatchGuard, the kernel protection system the company currently plans for Windows Vista, the spokesperson pointed out emphatically several times during our discussion, nor does Microsoft have any plans to ever open up PatchGuard.

“Microsoft continues to believe the kernel must be protected from unauthorized access,” BetaNews was told. To that end, the company proposes “a process for developing methods for software that works alongside PatchGuard.”

Such a process, if initiated, could take several months, by Microsoft estimates, with the goal being to produce the results of this initiative in time for the release of Vista Service Pack 1. Though the spokesperson used the phrase “the SP1 timeframe” to refer to the release of these services, Microsoft declined to attach a time to that timeframe.

This was all too much for McAfee which blasted Microsoft:

“Despite pledges, press conferences and speeches by Microsoft, the community of independent security companies that consumers rely on for computer protection has seen little indication that Microsoft intends to live up to the promises it made last week,” McAfee attorney Christopher Thomas said in a statement.

“We have been greatly disappointed by the lack of action by the company so far and Microsoft has not lived up, either in detail or in spirit, to the hollow assurances offered by its top management last week.”

and, of course, Microsoft returned the compliment:

It’s unfortunate that McAfee’s lawyers are making these kinds of inaccurate and inflammatory statements,” said Ben Fathi, corporate vice president of Microsoft’s security technology unit.

He said Microsoft was being even-handed in developing the needed software, which would happen “in the months ahead”.

It doesn’t take an international antitrust lawyer to see the problem here, just someone with a recollection of recent events:

In the past, the Commission has expressed concerns about delays by Microsoft in providing information to other companies because during that time, those firms have lost market share and eventually been sidetracked.

Then there’s the whopping supplemental fine that the European Commission slapped on Microsoft for the sluggish delay in delivering interoperability information the last time around. Why does Microsoft persist in playing the same old tune? Do they think the regulatory reaction is going to be any better this time? If they really like waving a red flag at Neelie Kroes, they shouldn’t be surprised when she shows up snorting and pawing the ground.

Update: In fairness to Microsoft, they do contend that they have provided extensive Security Center API info on and since Monday.

Microsoft’s partial delivery of EU placating Vista security APIs is drawing fire from competitors McAfee and Symantec:

A statement from McAfee worldwide corporate communications vice president Siobhan MacDermott said:

We did receive a document from Microsoft yesterday that contained the SDK for Windows Security Centre only. We continue to have questions pertaining to this document and have asked Microsoft for meetings and/or additional clarification about what MS has sent us. To date, we have not had any cooperation from MS and no response on McAfee’s repeated requests to review the information.

Contrary to what it says publicly, Microsoft has not cooperated with the leading security providers. In fact, we have not received anything at all from Microsoft concerning PatchGuard. …

And Symantec:

With regards to Microsoft and their announcement regarding security provisions in the Windows Vista operating system, Symantec has yet to actually see the final detailed information needed to address our concerns regarding Windows Security Centre or PatchGuard. While we are encouraged by their statements and are hopeful their actions will indeed lead to customers being allowed to use whatever security solutions they would like on the Vista operating system, the operative question is exactly when will the final detailed information be made available to security providers?

It is important to note that the Vista operating system is slated to ship to OEM within the next few weeks. Therefore, security providers would need to have the final detailed information to address their concerns about Windows Security Centre and PatchGuard provided to them in a timely manner.

You have to admit that it’s rather a dirty trick on Microsoft’s part to announce on Oct. 13 that they have resolved the issue, deliver part of the promised APIs on Oct. 16, and then expect the security vendors to rework their products in timely fashion when Vista RTM is now generally expected to be on Oct. 25.

Meanwhile, Microsoft CEO Steve Ballmer returned fire:

“I don’t know anything about allegations of McAfee. We have gone ahead with the release of APIs consistent with the directions we have taken to put Windows (Vista) in the marketplace on schedule and we are absolutely executing on all of the plans properly,” he said.

More broadly, Ballmer said of complaints by security companies: “We are through that … We’re prepared to release our product.”

Uh Oh! I think someone just paged European Competition Commissioner Neelie Kroes, but then her appearance is inevitable anyhow.

Update: That was quick:

Microsoft will brief security software companies on-line on Thursday, after firms McAfee and Symantec complained it was delaying promised cooperation about their security concerns.