Microsoft Software Protection Platform


Cert. No.



13/11/2008 until 30/11/2010

Public Report

Microsoft SPP short public report [PDF]


Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399


Data minimization and encryption


i) The computer’s “machine name” proposed during installation can contain the user name and might allow identification of the user when the machine name is transmitted during activation. Users are advised to change the machine name to a non-personal name. Currently, a filter mechanism at Microsoft prevents the storage of transmitted machine names. By January 19th, 2009, an update will be available that stops the transfer of machine names from clients for good.

Addendum: The machine name is not transmitted to Microsoft any more.

ii) The so-called Breach Response Tool is deployed as an important update (KB940510). This mechanism runs once, checks whether client components used for activation have been tampered with, and reports the results to Microsoft. The reporting can only be disabled in Volume Activation scenarios; in OEM and other license scenarios directed to end users, telemetry data are sent even if the system has not been tampered with. Only machine related, non-personal data are transmitted (concerning Microsoft). The transmission can be avoided only by suppressing this update and further versions of the Breach Response Tool.
Currently, the delivered BRT update provides no link to the corresponding privacy statement. Microsoft will add such a link by December 1st, 2008.

Addendum: Microsoft added a link to the corresponding privacy statement.


“Microsoft Software Protection Platform” is the collective name for the services Activation, Volume License Management and Security Breach Response, which are used for Microsoft’s license management binding hardware components to a license.


"Activation" means the binding of a software installation to specific hardware using hardware and software identifiers stored at Microsoft or in local management tools. The main scenarios are various license types (Single License Activation, Activation by Original Equipment Manufacturer (OEM), Volume License Activation with local management server or management tools), interfaces to Windows Genuine Advantage (WGA) and Breach Response Tool (BRT). These unique identifiers (e.g., hardware checksums, product keys) neither contain personal data nor allow Microsoft to identify users. Only major hardware changes require a re-activation. WGA is used to check the activation state and provides a temporary download license when Microsoft is asked to provide specific downloads. BRT is used to check whether system components important for activation have been tampered with.

The genuine test in general as well as the update mechanism are NOT part of the target of evaluation (ToE). Only data transmissions between the Software Protection Platform and WGA are part of the target of evaluation.

    Technical Evaluator

    Stephan Di Nunzio
    TÜV Informationstechnik GmbH
    Langemarckstrasse 20
    45141 Essen

    Legal Evaluator

    Marcus Belke, Attorney at Law
    Oliver Gönner, Attorney at Law
    2B Advice GmbH
    Wilhelmstrasse 40-42
    53111 Bonn

    European Privacy Seal for Microsoft Software Protection Platform


