Licensing the Windows Client OS on VDI Today
[July 20, 2015 note: A more recent version of this report, updated to reflect licensing changes, can be found at www.directionsonmicrosoft.com/licensing/secured/2015/07/licensing-windows-virtual-desktops.]
To provide centrally managed Windows desktops, many organizations are turning to a virtual desktop infrastructure (VDI), which hosts the Windows client OS and applications in virtual machines (VMs) on servers in a data center. Users access these virtual desktops from computers that run Windows or from devices such as iPads that don't. Although licensing the Windows client OS for installation and execution on a typical client PC is relatively straightforward, licensing the OS to run within centrally managed virtual desktops is more complicated, involving purchase of additional subscriptions for the devices being used to access the VDI.
A variety of factors entice organizations to embrace VDI, even though the technology can be complex to design and deploy as well as expensive to license. These factors include the following:
- Reducing the cost of computer management by centrally managing a desktop consisting of an OS and applications
- Providing flexible access to desktops from shared devices, remotely located devices, or devices that are not owned or managed by the organization (such as a contractor's laptop or an employee's home computer, tablet, or smartphone)
- Ensuring the organization's data is stored centrally and protected from loss, damage, or improper disclosure.
A large-scale VDI deployment requires several additional layers of technology infrastructure beyond running instances of Microsoft's Windows client OS on a server. A variety of vendors—including Citrix, Microsoft, and VMware—offer such infrastructure, including hypervisor software to host multiple VMs simultaneously on a server, directory services and other software to handle authentication and security, connection brokers and gateways to route users to the VMs, provisioning and software deployment and patching tools to create and maintain the VMs, and monitoring systems and other technologies to diagnose and fix problems before users are negatively impacted.
How the underlying technological infrastructure that makes VDI practical is licensed depends on the VDI vendor and architecture. Regardless of vendor, the right to run the Windows client OS inside VMs on a server and make them accessible to clients must be licensed from Microsoft. This article summarizes the required subscriptions and rules that affect the device accessing the Windows client OS running on a VDI. It does not address either the licensing of the VDI server software or how to license desktop application software, such as Office, running with the Windows client OS.
Licensing the Windows Client OS for VDI
Under traditional Windows client OS computing models, the license that allows the Windows client OS to be installed and execute on a client computer is associated with that client computing device. However, a license that provides the right to install and execute the Windows client OS within VMs on a VDI server is not purchased for and associated with the servers themselves, but rather with the client devices that will be used to remotely access the VMs.
Microsoft offers several different subscriptions for client devices, each providing the right to simultaneously run up to four Windows client OS-based VMs on VDI servers on behalf of the client as well as to access them from the client device. (For an illustration, see "May This Device Access Windows on a VDI?".) For example, a remote client device with a subscription that allows access to a VDI may access up to four instances of the Windows client OS running on four different VMs on a single server or on different servers.
Additionally, the remote client device with a subscription to access VDI and, therefore, the Windows client OS in a VDI, may access a version of the Windows client earlier than the one licensed on the device. For example, a client device licensed to access Windows 7 Professional in a VDI may access two instances of Windows 7 Professional, one instance of Windows Vista Business, and one instance of Windows XP Professional (or any other combination of up to four instances of the Windows client OS entitled by the client device license). These "downgrade" rights can be useful for organizations that need to run applications that are incompatible with the latest Windows client OS version.
Licensing Devices for Windows VDI Access
To correctly access the Windows client OS running on a VDI, the device must be a Windows licensed device with an active Software Assurance (SA) subscription, a device with an Intune Subscription License (SL), or a device with a Virtual Desktop Access (VDA) subscription.
A Windows licensed device with an active SA subscription. A Windows licensed device is a single, physical hardware system or device which has an assigned Windows Professional license. For example, a laptop with a Windows 7 Professional OEM license is a Windows licensed device. SA is a subscription that can be added to a license for an annual fee in return for rights to product version upgrades and other benefits. Among the rights included with SA on a Windows Professional OS is the right to access instances of a Windows client OS running on a VDI.
Organizations purchase SA coverage for Windows licensed devices through a volume licensing program such as an Enterprise Agreement (EA) or Select, generally at an annual cost of 29% of the Windows Professional Upgrade license price in the program. For example, SA on Windows Professional costs US$55 annually in the Open License program, which is generally the highest price a U.S. organization would pay in volume licensing. Organizations may purchase Windows SA only for devices that have an underlying Windows Professional license, which includes traditional desktops, laptops and Windows tablets (that use the AMD or Intel x86 or x64 processors) purchased from OEMs with Windows 7 Professional, and Apple Macs (with a Windows Professional Upgrade). SA coverage is not available for iPads, smartphones, or devices such as graphics terminals that do not come with a Windows Professional license and are not eligible for a Windows Professional Upgrade license in volume licensing. If an SA subscription is not added within 90 days of acquiring OEM hardware, then a Windows Upgrade license and SA have to be added together.
A device with an Intune SL. Windows Intune is a subscription-based offering for computers licensed with the Windows client OS that provides Microsoft-hosted management infrastructure and malware protection. Intune is available as a subscription only, with a renewable term as long as three years. Each device managed by Intune requires a device subscription, and to qualify for an Intune subscription, a device must already be licensed for a qualifying edition of the Windows OS, such as Windows XP Professional, Windows Vista Business or Ultimate, or Windows 7 Professional or Ultimate. Intune subscription licenses cost US$11 per device per month before volume discounts.
A device with a Windows VDA subscription license. Other devices, including Windows licensed devices without either an active SA subscription or an Intune subscription, or devices not licensed for the Windows client OS, such as an Apple iPad, require a VDA subscription license before they may access the Windows client OS running on a VDI. Such devices could include Windows computers such as a user's home computer or contractor's laptop, a Windows Server, an Apple Mac or iPad, and any vendor's smartphone (although screen size may make this impractical). VDA subscription licenses can be bought in several volume licensing programs and cost US$100 annually before volume discounts.
Primary User of a Device Receives Roaming Use Rights
A fourth way that a device may be licensed to access the Windows client OS running on a VDI is through the device's user. Every client device with active Windows SA subscription, an Intune subscription, or VDA subscription, may have a single designated primary user. That user may access an organization's VDI from other devices that do not have their own VDI licenses, under certain conditions. For example, an employee who is the primary user of a computer licensed for Windows 7 Professional with SA is allowed to access her company's VDI from a shared computer at a conference site or from her home computer.
Several important restrictions apply to this "roaming use right," which are laid out in the Microsoft Product Use Rights (PUR) document, but some terms describing the correct usage are not completely defined.
Primary user. First, the meaning of "primary user" is not specifically defined in the PUR. It is likely the person who is assigned to use the licensed device to perform their work, but it is not clear who the primary user should be in some situations; for example, a shared device could have one user who accesses the licensed device on the day shift and a different user who accesses the same device on the night shift.
Qualifying third-party device. Second, the unlicensed device the primary user is going to use to access the Windows client OS on the VDI must be a "qualifying third-party device," which the PUR defines as a device that "is not controlled, directly or indirectly, by you or your affiliates." However, control is not defined in the PUR. A "VDI Licensing Frequently Asked Questions (FAQ)" document from Microsoft attempts to clarify the use of a qualifying third-party device. For example: "The primary user of a Windows VDA device has extended roaming rights, so they can access their VDI desktop while roaming outside of the corporate domain from any non-corporate device, such as a home PC or Internet kiosk." While Microsoft says device ownership by the organization does not constitute control, it is still not clear whether management by technologies such as Active Directory Group Policy or Exchange ActiveSync does.
Off-premises. Finally, the primary user may not be using the qualifying third-party device while on the organization's physical premises. This means that mobile devices brought in to work may not be licensed via roaming use rights; they will need another form of VDI license, such as a VDA subscription.
For example, an employee might be the primary user of a Windows computer with active SA coverage and have an iPad that does not have its own VDA license. The employee is allowed to use her iPad to access an instance of the Windows client OS running on a VDI, if she is at home. However, if she brings her iPad to work (moves on-premises), VDI access is not allowed under roaming use rights. Likewise, if her organization manages her iPad using Exchange ActiveSync, her iPad might no longer be a qualifying third-party device, as explained above, which would prohibit VDI access.
Best Practices for VDI
Organizations considering VDI should budget between US$50 and US$135 per client device per year (not counting volume discounts) for each device that needs to access a VDI in order to comply with the license requirements.
Roaming use rights may help with license compliance in some cases, but the usage restrictions likely mean that they are an unworkable solution for licensing personally owned mobile devices like iPads, which is one of the main reasons many organizations are considering a VDI.
VDI may be one of the strongest reasons to include the Windows client OS on an Enterprise Agreement (EA). Customers who do that get a Windows Professional Upgrade license and SA for every device included on the agreement, which means the devices are covered for VDI access. Moreover, Microsoft has loosened the terms for what devices can be included on an EA, so most of an organization's devices might be covered that way.
Organizations that want centrally managed desktops accessed remotely should seriously evaluate Windows Server Remote Desktop Session Host and related third-party technologies from companies like Citrix as an alternative to VDI. These provide a lot of the capabilities of VDI with less licensing cost and complexity. However, VDI has some technical advantages, such as the ability to run more desktop applications, the ability to offer a wider range of desktop configurations to the user, and better isolation between users.
Microsoft's technology for implementing a VDI is described in "Understanding Windows Virtual Desktop Infrastructure" on page 3 of the Aug. 2010 Update.
Licensing the infrastructure of a Microsoft-based VDI is described in "Licensing a Windows-Based VDI Infrastructure" on page 25 of the Jan. 2010 Update.
Microsoft's VDI Web page is at www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/vdi.aspx.
Microsoft's Desktop Virtualization FAQ is available at download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf.
How Microsoft licenses the Windows client OS for VDI has changed a few times over the past five years and is covered in "Virtual Desktop Licensing Reworked" on page 28 of the Apr. 2010 Update. Included is a discussion of Virtual Enterprise Centralized Desktop (VECD) licenses, which used to be required for VDI but have since been discontinued.
Intune licensing, including the VDI-related use rights Intune includes, is covered in "Windows Intune Licensing and Purchasing Options" on page 25 of the July 2011 Update.