Vista Virtualization Change Reversed
Jul. 16, 2007

Rules that prohibit use of consumer versions of Vista, advanced security features, and rights management features within virtual machines (VMs) were about to be relaxed in June 2007, but Microsoft reversed course at the last moment, electing to retain the rules as they were. Microsoft did not explain the reason for the reversal, but the sudden change of heart suggests intervention by a senior business executive or other product group that saw some business or legal threat to the company.

Virtualization Restrictions

The Vista End User License Agreements (EULAs) contain the following provisions:

  • Vista Home Basic and Home Premium are not permitted to be used as the guest OS in VMs
  • BitLocker, which encrypts data on a Vista boot volume, may not be used in a VM
  • Digital media or applications protected by any form of Microsoft rights management may not be played or used in a VM.

The company was considering removing these provisions, and briefed analysts and press about their removal as late as June 18, noting that the restrictions were widely criticized by customers, bloggers, partners, and others. But the following day, when the change was scheduled to be announced, the company reversed course, stating that it would not modify the EULA after all, and that the current restrictions represent "an appropriate balance" of security and business benefits.

The reversal was more broadly criticized than the original EULA restrictions and may have less to do with any concern over customer security than with delaying market adoption of competitive virtualization software.

Virtualization Threats

Among the possible threats raised by more liberal virtualization rights are the following:

  • Business customers using less-expensive consumer editions in VMs
  • Greater adoption of the Apple OS as a consumer's primary OS, with a low-cost edition of Vista used in a VM for software that is available only for Windows
  • Possible threats to users with poor security or lax usage standards from certain rootkit threats, such as "Blue Pill" (a VM exploit which, as yet, exists only as a concept and is not known to have been used)
  • Potential use of VMs to distribute copyrighted material that uses hardware-based digital rights management; since every VM created by virtual management software, such as Microsoft's Virtual PC, has the same hardware profile, a VM on which content had been unlocked could be transferred to another computer and accessed by a different user.

Although the EULA prohibits such uses, none of the restrictions are enforced by the OS itself—Microsoft's own Virtual PC software will create and run VMs that use consumer versions of Vista, for example, without warning customers of potential threats. BitLocker and rights-managed files can also be used in VMs with little or no more effort than in physical operating environments.

The restrictions may retard virtualization use in some scenarios, such as for Windows-based virtual appliances, which are VMs preconfigured with an OS and a specialized application, such as a firewall, a content management solution, or corporatewide search. In some cases, the higher cost of a business OS in such a VM—about US$100 more for a business version of Vista—may reduce the market for the appliance.

However, most such appliances today use an open-source OS; because the entire VM has been preconfigured by the virtual appliance vendor, the customer is largely isolated from the underlying OS and does not need to know how to configure Linux in a VM, for example. Indeed, if the restrictions have any impact, the higher cost of using Vista in VMs may encourage customers to look more closely at OS alternatives, such as previous versions of Windows, which have no such restrictions, or open source options.

For a review of virtualization rules for Microsoft OSs and applications, see "Virtualization Licensing Adapts to New Challenges" on page 46 of the June 2007 Update.