I'm not sure how many of them actually audited it and how many of them had to get access to the source code to tick a box.
Government contracts for software often include having the rights for the source code in case the vendor goes out of business.
In other cases they might want to audit only certain parts of the OS, or just to integrate their own code at a level that out of the box Windows interoperability doesn't support.
If you, say, have a hardware encryption & security module which connects directly to the hard drive and includes a smart card reader for access, you will probably need the ability to run custom code at the BIOS, boot loader and OS levels.
Then again if you have the resources of a US, major European power, Russian or Chinese state agency you might have the ability to also audit the full source code.
I had personal access to the Windows "shared source" system, as a third-party. Issued a smart card for remote access. It's not that hard to get and I know other individuals who maintain that access.
It comes in really handy for figuring out specific bugs or implementation details. I'd imagine any large-enough customer would find similar value.
Maybe it's not really about auditing it, as it is about finding their own flaws to exploit. In the US, it's actually worse, because Microsoft also gives NSA the zerodays it finds on a silver platter, way ahead of fixing them (not necessarily suggesting Microsoft will delay fixing them on purpose, but as we know sometimes fixing a major bug can take many months - see the whole Project Zero vs Microsoft scandal - months in which the NSA can put those bugs to "good use").
Oh btw, Apple and Intel do this, too, now (Intel may have been doing it for years, but we know for a fact Apple "volunteered" to do it, too, this year at Obama's Cyber Summit). As far as we know Google has refused to do it, and hopefully it stays that way.
Microsoft releases security advisories to many large customers, especially in regulated sectors, ahead of time, not just to governments.
Large banks, for example, will get information about new "zero-day" vulnerabilities from their TAM, sometimes months before a patch is released, so they can adjust accordingly.
The NSA doesn't get an exploit; they are notified about the vulnerability in good faith. In some cases Microsoft and their partners will release a signature which can enable host- or network-based intrusion detection/prevention systems to mitigate the vulnerability until it's patched.
There are other initiatives by various security vendors; the most prominent would be ZDI by TippingPoint (now HP), which actually buys exploits so they can make signatures for their IPS. They notify their partners but in many cases withhold the vulnerability information for up to 6 months from the vendor of the vulnerable product.