Licensing VDI for Microsoft Desktops – is it rocket science?

On Feb 24, the US Space shuttle Discovery took off from Kennedy Space Centre for its final mission. At its launch, Discovery will have completed 38 voyages and traveled 230 million kilometers.  In 1970 approximately 200,000 miles from Earth in a damaged spacecraft, new protocols were  designed and new equipment re-created from spare parts in order to bring astronauts safely back to earth. In 1961 the first man entered space and come 1969, man was walking on the moon.
Given all this ingenuity and accomplishment why is it, in 2011, the mere task of assigning valid licenses to desktop virtualisation should appear an arcane process?
How do different virtualization models impact how you license your desktop services? What are the current licensing models and do they apply in all instances of desktop virtualisation? Do the models impact on provisioning of services be they laptops, thin clients, Bring Your Own Computer (BYOC), or mobile devices?
Is desktop virtualization licensing an intentionally complex process and what other options could there be?
We’ve discussed licensing Microsoft Server in a virtualized environment. We highlighted that the Microsoft server “virtualization rights” do not include desktop operating systems. Let’s consider the desktop deployment models and how licenses can be assigned to them.
5. Pre-Flight Checks: Microsoft License Types, Windows 7 vs Microsoft XP

Microsoft have three types of licenses :-

  • OEM: The license comes with the device. Buy a PC that runs Windows and it’ll be running an Original Equipment Manufacturer (OEM) license. That license is for that device.  New device, new license. Upgrade? New License. There are no upgrade rights, no transfer rights, no support, no image management options with an OEM license.
  • Retail, or Full Packaged Product: Software-in-a-box. Purchased through stores or resellers. You can purchase both full versions and upgrades of software through FPP.
  • Volume : Pay for the software license rather than a box & some physical “thing” that the software comes on. Cheaper to produce, so cheaper to buy en-masse. Microsoft tailors its many, many Volume Licensing programs to meet the needs of specific industries. Although ‘volume’ suggests these licenses are geared for medium-to-large organisations, you can take advantage of Volume licensing even if you’re a small business – “volume” starts from five licenses.

Windows XP has a wonderfully laissez faire attitude to its license use in a virtualised desktop environment. Once the license code was entered during installation it was never called for again. Such easy going days are over. Windows 7 has six editions, we’re going to focus on the three geared to business use :-

  • Windows 7 (Professional) – (Retail, OEM and Volume Licensing)
  • Windows 7 (Enterprise) – (Volume Licensing & OEM through Software Assurance)
  • Windows 7 (Ultimate) – (Retail, OEM)

For your desktop strategy it is important to note that Professional Edition does not support

  • Audio Recording over Remote Desktop Services
  • Multi-monitor display over Terminal Services

4. Software Assurance
When you’ve got your Windows 7 Professional licenses, either through Volume Licensing upgrades or through OEM, you can cover those licenses with Microsoft Software Assurance (SA) to get additional benefits. One of those benefits is the right to use Windows 7 Enterprise. Windows 7 Enterprise offers a number of benefits such as BitLocker Drive Encryption and Multilingual User Interface Language Packs and the Microsoft Desktop Optimization Pack.
In addition, with SA you can run up to four instances of the software in virtual machines. You may create and store an unlimited number of copies (for example, copies in VMs) for use on any licensed device i.e. a device that you have notionally assigned your Windows 7 SA license to.
Bear in mind SA is a renewable yearly license, if your SA expires you are no longer entitled to use the features that SA provides.
3. Desktop Delivery Model License Considerations
In our article “Sorting Out Desktop Virtualization” we highlighted that there are a number of desktop delivery models.

Physical Desktops I.e. PC’s, Laptops, with Windows XP, Windows 7 and installed applications

Physical Desktop
The most straightforward desktop delivery model – and likely the most prevalent today. Each device has a license assigned to it – the “licensed device”. 
If you’re considering managing traditional desktops with the likes of Citrix Provisioning services, or Vision Solution’s Double-Take Flex, bear in mind you will have to upgrade your OEM licenses with a Volume License and/or with Software Assurance to have the facility to deploy images to multiple machines. This is not the case with the management solutions that don’t deploy the core OS. For example, Wanova’s Mirage distributed desktop management solution can be utilised to allow management and data centralisation without the need for complex infrastructure, or changing your end device license.
Client Hosted Virtual Desktops – “Type#2”
Rather than run a virtual desktop on a server hypervisor, run a hypervisor on the user’s device but as a program hosted on an existing OS. e.g. MokaFive, RingCube vDesk, VMware ACE , Parallels Workstation
Client Hypervisor
This model allows the deployment of new workspaces to existing devices, with minimal impact on the existing desktop OS. The local desktop OS may not belong to your organisation – e.g. this model is useful for BYOC solutions, or for allowing third parties access to your desktop resources from their own devices. 
If your company owns the device and it has an OEM license assigned, it would appear you’d need to assign a Win7 Professional License and/or obtain Software Assurance for the OEM license assigned to the device. Why? Because this allows you to use the core OS as Windows 7 (or Windows XP) and a virtual machine running Windows 7 and/or Windows XP. What happens if  you’ve just got Windows XP? Then you need to have additional Windows XP licenses for each virtual instance: which you can’t buy… so instead you’ll need to upgrade to Windows 7 Professional. If your company doesn’t own the device, or the device is a non-windows device (e.g. a Mac) you’d still need to have a Windows 7 license to assign to this non-corporate device – and be aware you can’t use an “upgrade” license. Why? you don’t own the device, so can’t upgrade the OEM license if it has one.
However, I can see no reason why you can’t simply purchase a Windows Virtual Desktop Access (VDA) license and assign this to the remote device. A VDA license allows you to:

  • Install Windows 7/Vista/XP virtual machines (VMs) on any combination of hardware and storage
  • Single Windows VDA license allows concurrent access for up to four VMs
  • Reassignment rights to another device after 90 days, or in the case of end point failure
  • Dynamic desktop licensing enabled through Key Management Services (KMS) / Multiple Activation Keys (MAK) activation
  • Unlimited backups of both running and stored virtual machines
Client Hosted Virtual Desktops – “Type#1” As with the previous model, run the hypervisor on the user’s device (e.g. Citrix XenClient, Virtual Computer NxTop)  but with the hypervisor as the core operating environment.
Bare Metal Client Side Hypervisor This model does have an impact on the existing desktop OS: as the hypervisor is the lowest layer you will need to reinstall the OS. Not as flexible as Type#2, but arguably more stable and with better security and performance. Given you need to replace the core OS, not so useful for BYOC solutions, but a powerful workspace management solution that allows centralised control without the need for large scale infrastructure. 
An OEM license could be used here if you were only going to run one OS instance and manage the VM on each and every machine. The complexity here is that each device would have to be assigned a specific image with the OEM licensed applied. While this may work for the enterprise unready XenClient v1.x ,this defeats the ease-of-centralised-management-single-image-deployment method that NxTop.
Use a Win7 Professional Upgrade License (Volume) and/or obtain Software Assurance for the OEM license assigned to the device. Why? Because this then allows you to creation a single image for multiple deployments and allows your users to host up to four Windows instances on the same licensed device.
Server Hosted Virtual Desktops Also known as  Virtual Desktop Infrastructure (VDI)  (e.g., Citrix XenDesktop, Ericom PowerTerm Webconnect,Quest vWorkspace, VMware View)
Server Hosted Virtual Desktop 2010 saw end of the maligned Microsoft Virtual Enterprise Centralized Desktop (VECD) license. VECDs were replaced with one of the following :- 
• Virtual desktop access rights become a Windows Client Software Assurance benefit. Customers who intend on using PCs covered under SA are able to access their Virtual Desktop Infrastructure (VDI) desktops at no additional charge.
• Customers who want to use non-qualifying SA devices need to license each of those devices with a Windows Virtual Desktop Access (Windows VDA) to be able to access a Windows VDI desktop. VDA Licenses are purchased per device, per year. What is a non-qualifying device?  Third party devices  such as contractor or employee-owned PCs, thin clients, non-windows PCs such as Macs, iPads and smartphones.
What happens if you’ve a Retail/FPP Win 7 License? Can you still use it for VDI? Not really: Microsoft only allow the following uses of FPP for VDI:-
1) The physical server on which the virtual desktop is installed is assigned only to one user, and not shared with other VDI desktops. Yep, this is nuts, don’t do this.
2) In your VDI environment, you assign a 1-1 VM-to-device relationship. That VM cannot move between servers in the data centre. Not entirely flexible; and in all fairness, it could be less expensive to use a Windows VDA license: although a VDA license needs to be purchased annually.
So, for example buy a FPP Win 7 License, “assign” it to your iPad, put a VM instance on a server, license it with the same FPP license and you’re good to go. Over three years, it’d have been cheaper license wise. Not very flexible, has no support, difficult to manage but cheaper license wise over the term.
Presentation Virtualization
Multiple sessions hosted on a server instance using Microsoft’s  Remote Data Services (RDS), (formerly Terminal Services) (e.g. Citrix XenApp, Ericom PowerTerm Webconnect, Quest vWorkspace).

PVServer
Every Microsoft PV user needs a Remote Deployment Services Client Access License (RDS CAL)RDS CALs replaced the Terminal Server CAL (TSCAL). We explained the differences between the two in our bizarrely popular “Hail the Microsoft RDS CAL-more than just a renamed TS CAL” 
Unlike their VDI cousins RDSCALs can be assigned to devices or users.
When a client—either a user or a device—connects to a session, the server determines if an RDS CAL is needed. The PV server then requests an RDS CAL from a Remote Desktop license server on behalf of the client attempting to connect to the RD Session Host server. If an appropriate RDS CAL is available from a license server, the RDS CAL is issued to the client, and the client is able to connect to the RD Session Host server. Although there is a 120 day  licensing grace period during which no license server is required, after the grace period ends, clients must have a valid RDS CAL issued by a license server before they can log on to an RD Session Host server.
A difficulty for many organisations is that 2003 TS CALS are not readily upgradeable to 2008 R2 RDS CALS. If you’ve a Windows 2003 environment and are considering upgrading to Windows 2008R2, you need to renew all TS CALS  as RDS CALS, unless you’ve been keeping your Software Assurance up-to-date.

2. Desktop Virtualization = Flexibility?
In theory yes, but to remain compliant with Microsoft’s licensing be aware of the impact of accessing a Windows desktop OS from a range of devices, especially non-windows devices or devices your organisation does not own.
Of all the virtualisation models PV is perhaps the most straightforward especially for thin client/non-corporate device access. For thin client VDI implementations you need to purchase a VDA license each year, every year: this is not the case with PV.
So, with flexibility comes responsibility – to have the flexibility to deploy workspaces to users on the most appropriate device (laptop, tablet, thin-client) in the most appropriate way (off-line, locally, remote) it is not the case of one user, one Microsoft OS license – but each each device being assigned a Microsoft license.
1. How could this be better?
Concurrency? There was a bit of a kerfuffle when Citrix announced that their XenDesktop product wouldn’t support the concurrent user licensing model that XenApp does. A concurrent model needs a licensing component in order to operate effectively. Microsoft doesn’t have this for their desktop OSes.
Microsoft have introduced licensing checks for volume products since Vista with their Product Activation services. Multiple Activation Key (MAK) services allow you to activate licenses either to Microsoft directly, or via a proxy service you configure. MAK is intended for small implementations and roaming users.  Microsoft’s Key Management Service is a service you need to install and configure on your network and is intended to allow you to undertake activation within your network and without contacting  Microsoft. KMS licensed products will regularly check with the KMS server – so perhaps not a good solution if your uses are going to be roaming about.
And that is a fundamental problem to ‘managing Microsoft licenses’ – how do you manage licenses for those who do not have consistent access to your license service so that they can be counted? Easy to do when you’re connecting back to the datacentre – not so easy for off-line use. Perhaps Microsoft could license a solution such as AppSense’s Application Manager so license rules could be defined and assigned to the remote device – while that could work for Windows PCs/laptops, it would be difficult to manage non-Windows device.
What alternatives could there be?

a.  VDA tied to user or not device? if I have my own laptop, and my own tablet technically I need two VDA licenses – or I can only use one, or the other every 90 days. Assigning VDA licenses to users rather than devices makes sense for customers, and fits in with other license Microsoft license models (such as those for SQL) – but would have an impact on Microsoft’s revenue from PC manufactures.
b.  OEM version of VDA? I thought about this then I considered that “Apple would have to include a VDA license in their iPad”. Unlikely.
c.  Not use Microsoft as your OS? There I’ve said it. As unlikely as Point 2 because of the deeply embedded nature of the desktop-user Microsoft-desktop relationship that is in play today. Technology experts, analysts and vendors can wax lyrical about dynamic use of desktops but the fact of the matter is the vast majority of IT users sit down at a device, work on it, walk away from the device: and that device is a PC with a Windows OS with Windows apps. This is unlikely to change in the near future. As we move towards web-based applications perhaps this will alter, but that move is slow and cumbersome.

Blast off! Does Microsoft Intentionally Make Licensing Complex?
Microsoft’s power and influence came from developing products for the “Personal Computer”. While the Personal Computer model has been under siege for some time. there is still an amount of fear, uncertainty and doubt around moving away from the physical desktop model to something else. Microsoft’s desktop licensing policy is still geared towards delivering services to a specific device: the introduction of the VDA license was a step towards more straightforward. However, what Microsoft would also like you to do is take advantage of their SA program: like any other software company because they’d like you to keep paying them, not buy-once-walk-away-and-then-come back-and-ask-why-the-dev-guys-haven’t-fixed-the-bugs-and-security-issues.
Licensing VDI is not Rocket Science. Fundamentally, rocket science is essentially “mathematics”, all be it maths using all the numbers and at least two alphabets. But being “maths” it has well defined and describable rules, open and accessible by all.
Microsoft Licensing is none of these things. While wading through the mass of documentation and guidance and rules you are often left thinking that it would be easier to be 200,000 miles from Earth in a damaged spacecraft designing new protocols.
On your way?

Need some more information? Here’s some links you may find useful: