On Feb 24, the US Space shuttle Discovery took off from Kennedy Space Centre for its final mission. At its launch, Discovery will have completed 38 voyages and traveled 230 million kilometers. In 1970 approximately 200,000 miles from Earth in a damaged spacecraft, new protocols were designed and new equipment re-created from spare parts in order to bring astronauts safely back to earth. In 1961 the first man entered space and come 1969, man was walking on the moon.
Given all this ingenuity and accomplishment why is it, in 2011, the mere task of assigning valid licenses to desktop virtualisation should appear an arcane process?
How do different virtualization models impact how you license your desktop services? What are the current licensing models and do they apply in all instances of desktop virtualisation? Do the models impact on provisioning of services be they laptops, thin clients, Bring Your Own Computer (BYOC), or mobile devices?
Is desktop virtualization licensing an intentionally complex process and what other options could there be?
We’ve discussed licensing Microsoft Server in a virtualized environment. We highlighted that the Microsoft server “virtualization rights” do not include desktop operating systems. Let’s consider the desktop deployment models and how licenses can be assigned to them.
5. Pre-Flight Checks: Microsoft License Types, Windows 7 vs Microsoft XP
Microsoft have three types of licenses :-
- OEM: The license comes with the device. Buy a PC that runs Windows and it’ll be running an Original Equipment Manufacturer (OEM) license. That license is for that device. New device, new license. Upgrade? New License. There are no upgrade rights, no transfer rights, no support, no image management options with an OEM license.
- Retail, or Full Packaged Product: Software-in-a-box. Purchased through stores or resellers. You can purchase both full versions and upgrades of software through FPP.
- Volume : Pay for the software license rather than a box & some physical “thing” that the software comes on. Cheaper to produce, so cheaper to buy en-masse. Microsoft tailors its many, many Volume Licensing programs to meet the needs of specific industries. Although ‘volume’ suggests these licenses are geared for medium-to-large organisations, you can take advantage of Volume licensing even if you’re a small business – “volume” starts from five licenses.
Windows XP has a wonderfully laissez faire attitude to its license use in a virtualised desktop environment. Once the license code was entered during installation it was never called for again. Such easy going days are over. Windows 7 has six editions, we’re going to focus on the three geared to business use :-
- Windows 7 (Professional) – (Retail, OEM and Volume Licensing)
- Windows 7 (Enterprise) – (Volume Licensing & OEM through Software Assurance)
- Windows 7 (Ultimate) – (Retail, OEM)
For your desktop strategy it is important to note that Professional Edition does not support
- Audio Recording over Remote Desktop Services
- Multi-monitor display over Terminal Services
4. Software Assurance
When you’ve got your Windows 7 Professional licenses, either through Volume Licensing upgrades or through OEM, you can cover those licenses with Microsoft Software Assurance (SA) to get additional benefits. One of those benefits is the right to use Windows 7 Enterprise. Windows 7 Enterprise offers a number of benefits such as BitLocker Drive Encryption and Multilingual User Interface Language Packs and the Microsoft Desktop Optimization Pack.
In addition, with SA you can run up to four instances of the software in virtual machines. You may create and store an unlimited number of copies (for example, copies in VMs) for use on any licensed device i.e. a device that you have notionally assigned your Windows 7 SA license to.
Bear in mind SA is a renewable yearly license, if your SA expires you are no longer entitled to use the features that SA provides.
3. Desktop Delivery Model License Considerations
In our article “Sorting Out Desktop Virtualization” we highlighted that there are a number of desktop delivery models.
| Client Hosted Virtual Desktops – “Type#1” | As with the previous model, run the hypervisor on the user’s device (e.g. Citrix XenClient, Virtual Computer NxTop) but with the hypervisor as the core operating environment. |
 |
This model does have an impact on the existing desktop OS: as the hypervisor is the lowest layer you will need to reinstall the OS. Not as flexible as Type#2, but arguably more stable and with better security and performance. Given you need to replace the core OS, not so useful for BYOC solutions, but a powerful workspace management solution that allows centralised control without the need for large scale infrastructure. An OEM license could be used here if you were only going to run one OS instance and manage the VM on each and every machine. The complexity here is that each device would have to be assigned a specific image with the OEM licensed applied. While this may work for the enterprise unready XenClient v1.x ,this defeats the ease-of-centralised-management-single-image-deployment method that NxTop. Use a Win7 Professional Upgrade License (Volume) and/or obtain Software Assurance for the OEM license assigned to the device. Why? Because this then allows you to creation a single image for multiple deployments and allows your users to host up to four Windows instances on the same licensed device. |
| Server Hosted Virtual Desktops | Also known as Virtual Desktop Infrastructure (VDI) (e.g., Citrix XenDesktop, Ericom PowerTerm Webconnect,Quest vWorkspace, VMware View) |
 |
2010 saw end of the maligned Microsoft Virtual Enterprise Centralized Desktop (VECD) license. VECDs were replaced with one of the following :- • Virtual desktop access rights become a Windows Client Software Assurance benefit. Customers who intend on using PCs covered under SA are able to access their Virtual Desktop Infrastructure (VDI) desktops at no additional charge. • Customers who want to use non-qualifying SA devices need to license each of those devices with a Windows Virtual Desktop Access (Windows VDA) to be able to access a Windows VDI desktop. VDA Licenses are purchased per device, per year. What is a non-qualifying device? Third party devices such as contractor or employee-owned PCs, thin clients, non-windows PCs such as Macs, iPads and smartphones. What happens if you’ve a Retail/FPP Win 7 License? Can you still use it for VDI? Not really: Microsoft only allow the following uses of FPP for VDI:- 1) The physical server on which the virtual desktop is installed is assigned only to one user, and not shared with other VDI desktops. Yep, this is nuts, don’t do this. 2) In your VDI environment, you assign a 1-1 VM-to-device relationship. That VM cannot move between servers in the data centre. Not entirely flexible; and in all fairness, it could be less expensive to use a Windows VDA license: although a VDA license needs to be purchased annually. So, for example buy a FPP Win 7 License, “assign” it to your iPad, put a VM instance on a server, license it with the same FPP license and you’re good to go. Over three years, it’d have been cheaper license wise. Not very flexible, has no support, difficult to manage but cheaper license wise over the term. |
| Presentation Virtualization |
Multiple sessions hosted on a server instance using Microsoft’s Remote Data Services (RDS), (formerly Terminal Services) (e.g. Citrix XenApp, Ericom PowerTerm Webconnect, Quest vWorkspace). |
 |
Every Microsoft PV user needs a Remote Deployment Services Client Access License (RDS CAL)RDS CALs replaced the Terminal Server CAL (TSCAL). We explained the differences between the two in our bizarrely popular “Hail the Microsoft RDS CAL-more than just a renamed TS CAL” Unlike their VDI cousins RDSCALs can be assigned to devices or users. When a client—either a user or a device—connects to a session, the server determines if an RDS CAL is needed. The PV server then requests an RDS CAL from a Remote Desktop license server on behalf of the client attempting to connect to the RD Session Host server. If an appropriate RDS CAL is available from a license server, the RDS CAL is issued to the client, and the client is able to connect to the RD Session Host server. Although there is a 120 day licensing grace period during which no license server is required, after the grace period ends, clients must have a valid RDS CAL issued by a license server before they can log on to an RD Session Host server. A difficulty for many organisations is that 2003 TS CALS are not readily upgradeable to 2008 R2 RDS CALS. If you’ve a Windows 2003 environment and are considering upgrading to Windows 2008R2, you need to renew all TS CALS as RDS CALS, unless you’ve been keeping your Software Assurance up-to-date. |
2. Desktop Virtualization = Flexibility?
In theory yes, but to remain compliant with Microsoft’s licensing be aware of the impact of accessing a Windows desktop OS from a range of devices, especially non-windows devices or devices your organisation does not own.
Of all the virtualisation models PV is perhaps the most straightforward especially for thin client/non-corporate device access. For thin client VDI implementations you need to purchase a VDA license each year, every year: this is not the case with PV.
So, with flexibility comes responsibility – to have the flexibility to deploy workspaces to users on the most appropriate device (laptop, tablet, thin-client) in the most appropriate way (off-line, locally, remote) it is not the case of one user, one Microsoft OS license – but each each device being assigned a Microsoft license.
1. How could this be better?
Concurrency? There was a bit of a kerfuffle when Citrix announced that their XenDesktop product wouldn’t support the concurrent user licensing model that XenApp does. A concurrent model needs a licensing component in order to operate effectively. Microsoft doesn’t have this for their desktop OSes.
Microsoft have introduced licensing checks for volume products since Vista with their Product Activation services. Multiple Activation Key (MAK) services allow you to activate licenses either to Microsoft directly, or via a proxy service you configure. MAK is intended for small implementations and roaming users. Microsoft’s Key Management Service is a service you need to install and configure on your network and is intended to allow you to undertake activation within your network and without contacting Microsoft. KMS licensed products will regularly check with the KMS server – so perhaps not a good solution if your uses are going to be roaming about.
And that is a fundamental problem to ‘managing Microsoft licenses’ – how do you manage licenses for those who do not have consistent access to your license service so that they can be counted? Easy to do when you’re connecting back to the datacentre – not so easy for off-line use. Perhaps Microsoft could license a solution such as AppSense’s Application Manager so license rules could be defined and assigned to the remote device – while that could work for Windows PCs/laptops, it would be difficult to manage non-Windows device.
What alternatives could there be?
a. VDA tied to user or not device? if I have my own laptop, and my own tablet technically I need two VDA licenses – or I can only use one, or the other every 90 days. Assigning VDA licenses to users rather than devices makes sense for customers, and fits in with other license Microsoft license models (such as those for SQL) – but would have an impact on Microsoft’s revenue from PC manufactures.
b. OEM version of VDA? I thought about this then I considered that “Apple would have to include a VDA license in their iPad”. Unlikely.
c. Not use Microsoft as your OS? There I’ve said it. As unlikely as Point 2 because of the deeply embedded nature of the desktop-user Microsoft-desktop relationship that is in play today. Technology experts, analysts and vendors can wax lyrical about dynamic use of desktops but the fact of the matter is the vast majority of IT users sit down at a device, work on it, walk away from the device: and that device is a PC with a Windows OS with Windows apps. This is unlikely to change in the near future. As we move towards web-based applications perhaps this will alter, but that move is slow and cumbersome.
Blast off! Does Microsoft Intentionally Make Licensing Complex?
Microsoft’s power and influence came from developing products for the “Personal Computer”. While the Personal Computer model has been under siege for some time. there is still an amount of fear, uncertainty and doubt around moving away from the physical desktop model to something else. Microsoft’s desktop licensing policy is still geared towards delivering services to a specific device: the introduction of the VDA license was a step towards more straightforward. However, what Microsoft would also like you to do is take advantage of their SA program: like any other software company because they’d like you to keep paying them, not buy-once-walk-away-and-then-come back-and-ask-why-the-dev-guys-haven’t-fixed-the-bugs-and-security-issues.
Licensing VDI is not Rocket Science. Fundamentally, rocket science is essentially “mathematics”, all be it maths using all the numbers and at least two alphabets. But being “maths” it has well defined and describable rules, open and accessible by all.
Microsoft Licensing is none of these things. While wading through the mass of documentation and guidance and rules you are often left thinking that it would be easier to be 200,000 miles from Earth in a damaged spacecraft designing new protocols.
On your way?
Need some more information? Here’s some links you may find useful:
- Microsoft Volume Licensing
- Comparison of Windows 7 Editions
- Microsoft Software Assurance
- Licensing Windows 7 for Use with Virtual Machine Technologies
- Emma Explains Licensing in Depth
- Windows KMS Activation