Applications and OS Licensing: Remote Access and Roaming Use

Organisations are increasingly looking at centralizing the Desktop. This guide looks at the way Desktop Virtualization can be approached in an organisation to keep the licensing in check for Windows and Office.

I have included a guide on the alternative deployment methods for Microsoft Operating Systems and Applications and the relevant sections of the Product Use Rights

There are several sections of The Product Use Rights that are relevant to this article. In particular, the General License Terms and the section on Remote Access that will be important for access to host PCs over brokers like GoToMyPC

In addition, there are also important terms within the Software Assurance Annex regarding access to Applications and Operating Systems on organisation servers from 3rd Party Devices.

This article will also extend specifically to slate devices like iPads.

— Indented content with references is from the Product Use Rights, March 2011. All other content and diagrams are for information purposes only.


Methods of Deployment

OS Virtualization
OS virtualization separates the operating system workloads from the underlying hardware. OS virtualization can be divided into two broad categories

Client Hosted Desktop allows virtual windows desktops on the physical device to support legacy apps that run only on Windows XP. Microsoft Enterprise Desktop Virtualization (MED-V)

Server Hosted Desktop
•Microsoft Virtual Desktop Infrastructure (VDI) technology enables users to access their personal Windows desktops
that are hosted on the organisation servers. VDI is another deployment model for Windows desktops, and is a popular and emergent technology that is suitable and cost-effective for corporations with specific use scenarios, such as organizations that would like to give remote users access to their corporate desktops without investing in expensive laptops to leverage VDI technology.

OS Streaming
Centralized copies of an operating system can be streamed to devices for local execution.

Virtual Desktop Infrastructure (VDI)

Virtual Desktop Infrastructure (VDI) is an alternative to the traditional desktop deployment model for Windows desktops. Each user can get access to a personal desktop in the datacenter from any connected device. The access device could include a normal desktop environment with Windows or a Thin Client (TC).

App Virtualization
IT departments will need to reduce application management costs and improve application deployment speed. Secondly, end users want to have their business critical apps available on any authorised PC. To achieve this, Microsoft Application Virtualization (App-V) decouples applications from the OS and helps to eliminate app-to-app incompatibility, because applications are no longer installed on the local client device. IT departments can also benefit from streaming Apps by speeding up deployments rather than local Installs.

Remote App programs enable software to be accessed remotely through Remote Desktop Services (RDS) and appear as if running on the end user’s local PC. These are hosted apps, and can be accessed through a web browser.

Remote Access to Desktop with technologies like GoToMyPC by Citrix use a broker to tunnel into the always-on and internet connected host PC in the office.


Applications

 

Remote Access

This refers specifically to access of the primary host computer from a 3rd party device. An example might be access of Office Professional Plus on a work PC remotely over the internet using Citrix GoToMyPC as a broker. This access method will have the work PC running back in the office and the end user uses a 3rd party service to ‘tunnel in’ from a 3rd party device.

a) Remote Access. You may access and use the software remotely from another device as described below.

· Primary user. The single primary user of the device hosting the remote desktop session may access and use the software remotely from any other device. No other person may use the software under the same license at the same time except to provide support services.

· Non-primary users. Any user may access and use the software remotely from a separately licensed device.

[Ref: Product User Rights, March 2011, Page 17 of 125]

Summary

Remote access to applications on a host PC by the Primary User of that device are covered by the volume licenses for Office assigned to the Primary Work device.

This option is where the work PC is running back in the office and the end user is “tunnelling in” from another PC.

The later introduced roaming rights allows access to virtualized Office, which is run from a server, versus running on the licensed PC that existed prior to roaming use rights (see below).

 

Secondary User (shift worker)

Normally uses common pc at work on shift pattern or shares PC with others (nurses in hospital), occasional access from home PC to access host PC over GoToMyPC:

Remote access to the Host PC  from a non-primary user of that device will need to have a license for Office Professional Plus for the home PC.


Applications

 

Portable Device

In the General License Terms section of the Product Use Rights, a desktop application can be accessed from a portable device.

a) Portable Device. You may install a copy on a portable device for use by the single primary user of the licensed device. [Product Use Rights, March 2011, Page 17 of 125]

To clarify, the Product Use Rights grants “Portable Use Rights” and not secondary, this is just a bit of nomenclature that keeps it focused on the type of device. Portable Use rights are granted in all the Volume License programs that do not have the concept of “qualified desktop” in the agreement.

Accordingly, for all but Open Value-Company Wide, Open Value Subscription and Enterprise Agreement (EA) & Enterprise Agreement Subscription (EAS) this is a applicable clause of the PUR. In the programs where we count “qualified desktops” the agreement language dictates that ALL qualified desktops (portable or not) must be included in the desktop count.

— This should assist you in determining the qualified desktop count when looking at an Enterprise Agreement.


Applications on the Server

Microsoft allow a Desktop Application to be installed on a Network Device and used as follows:

A. Your Use Rights. If you comply with your volume license agreement, including these product use rights and the Product List, you may use the software and online services only as expressly permitted in these product use rights. [Product Use Rights, March 2011, Page 11 of 125] […]

Licensed Device. Before you use the software under a license, you must assign that license to one device (physical hardware system). That device is the ”licensed device.”

[Product Use Rights, March 2011, Page 17 of 125]

a) Network Device. You may also install additional copies on a network device. You may only use those copies as described in the Remote Access section below. [Product Use Rights, March 2011, Page 17 of 125] […]

a) Remote Access. You may access and use the software remotely from another device as described below.

  • · Primary user. The single primary user of the device hosting the remote desktop session may access and use the software remotely from any other device. No other person may use the software under the same license at the same time except to provide support services.
  • · Non-primary users. Any user may access and use the software remotely from a separately licensed device.

[Product Use Rights, March 2011, Page 17 of 125]

Summary

Microsoft has licensed Office by end-point device. End-point devices that access Office on the Terminal Server will need a relevant Office license assigned to them.

If 50 information workers access Office on a terminal server from 50 organization owned devices, then 50 Office licenses are required. However,  if 50 information workers access Office on a terminal server from 100 organization-owned devices, then 100 Office licenses are required.

If that access to Office is remotely accessed from HVD – Office licensing is the same as running Office from a Terminal Server.

If access is from a 3rd party device. Please see the remote access section below.

 

Web Apps

A user with Office Professional Plus 2010 licensed to a device of which he or she is the primary user has a right to access Office Web Apps from other devices. This can be applied to Thick Clients and Thin Clients with a supported web browser.


 

Roaming Use

  • Microsoft has allocated Roaming Use Rights from 3rd party Devices on the basis of active Software Assurance with Desktop Apps like Office, Project and Visio.
  • Microsoft states that this right is extended for only work-related purposes and not to be used for personal use.
  • The Roaming Use Rights section of the Product Use Rights are only applicable to access to the HVD and Terminal Server off-premise.
  • When the primary user is on your or your affiliates premises, Roaming Use Rights are not applicable.
  • The Roaming Use Right does not apply to running the software in a physical OSE on the 3rd party device.

 

Examples for iPad

  • The iPad is the users Primary Device — This would only apply in specific user scenarios. However,  this would need a license for Office Professional Plus assigned to the iPad as the end-point device.
  • The iPad is a Secondary end-point device — The iPad is owned by the User and he or she is the Primary User of the Primary PC with a license for Office with Active SA. Then they can access Office on their iPad.
    This would require a Remote Desktop Services CAL and Windows Server CAL.
  • The iPad is a Secondary end-point device — The iPad is owned by the User and he or she is the Primary User of the Primary PC with a license for Office only. Your organization will need to procure Software Assurance for Office. This might need re-purchasing the License with Software Assurance If the Office license was procured > 90 days ago. This would require a Remote Desktop Services CAL and Windows Server CAL.
  • If the iPad is owned by the organization then it will need a Office license assigned.

 

Included below for reference, are the relevant sections of the PUR: 

When the primary user is on your or your affiliates’ premises, Roaming Use Rights are not applicable

[Product Use Rights, March 2011, Page 116 of 125]

· Except as provided below, the single primary user of the licensed device may:

o remotely access the software running on your servers (e.g., in your datacenter) from a qualifying third party device1, and

o run the software in a virtual OSE on a qualifying third party device1 .

1A “qualifying third party device” is a device that is not controlled, directly or indirectly, by you or your affiliates (e.g., a third party’s public kiosk).

When the primary user is on your or your affiliates’ premises, Roaming Use Rights are not applicable.

· You may not run the software in the physical OSE on the qualifying third party device under the Roaming Use Rights.

[Product Use Rights, March 2011, Page 122 of 125]

 

image


 

Operating Systems

 

Roaming Use Rights for Windows

Microsoft have moved the right to access Windows in the datacenter, virtual desktop access, into Software Assurance.

  • The single primary user of the end-point device, with a license for Windows and Active Software Assurance, may access their virtual desktop (HVD) from a 3rd party device that is not owned or affiliated with the organization.

This would involve no other action. The other device is covered by “Roaming Rights”

  • If  the single primary user of the end-point device, without active software assurance assigned to the device license, would like to connect to the HVD from a 3rd party device that is not owned of affiliated with the organization:

Virtual Desktop Access (VDA) subscription for either the PC or 3rd Party Device.

  • If the end-point device is accessed by a non-primary user, (such as a shared workstation terminal), roaming use rights will not apply.

This will need a separate Virtual Desktop Access (VDA) subscription.

Summary

  1. Customers that use PCs already covered with Windows Client SA to access a virtual desktop do not need any additional licensing.
  2. For customers intending to use devices that do not qualify for Windows client SA. Microsoft has introduced Virtual Desktop Access (VDA).
  3. Access Windows in the datacenter (HVD) and access in a virtual OS, on a 3rd party device, requires Active Software Assurance.
  4. This can be either as Windows SA or U&SA (Upgrade & SA) under Volume Licensing for Thick Client PCs
  5. Thin Clients will need to be licensed with Virtual Desktop Access (VDA) Subscription that allows access and use of Windows from a Thin Client device.

image

Examples for iPad

  • The iPad is the users Primary Device — This would only apply in specific user scenarios. However, whether this is owned by the organization or the User, the organization is responsible for procuring Virtual Desktop Access subscription for the iPad.
  • The iPad is a Secondary end-point device — The iPad is owned by the User and he or she is the Primary User of the Primary PC with a license for Windows and Active SA  then roaming use rights will apply.
  • The iPad is a Secondary end-point device — The iPad is owned by the User and he or she is the Primary User of the Primary PC with a license for Windows and VDA Subscription then roaming use rights will apply.
  • The iPad is a Secondary end-point device — The iPad is owned by the User and he or she is the Primary User of the Primary PC with a license for Windows only then the organization must procure Virtual Desktop Access Subscription or SA for the PC, or, acquire Virtual Desktop Access Subscription for the iPad.
    • If the PC with OEM Windows was acquired < 90 days SA can be attached.
    • If > 90 days then Windows Professional Upgrade on Volume Licensing would need to be purchased again with SA. This will make Windows VDA Subscription more compelling on price-point. 
  • The iPad is a Secondary end-point device — The iPad is owned by the Organization – this will require Virtual Desktop Access subscription for the iPad.

Corporate Scenarios

Corporate Owned Computers
An organization has 100 devices that need access to the VDI environment. However, only 80 users and only 50 VMs are used at any one time. Since 100 different devices will be accessing the VDI environment the following would be required:
• Devices are PCs covered with SA: No additional licensing
• Devices are thin clients not covered with SA: 100 Windows VDA licenses

Corporate PCs with Shift Workers
An organization has 100 devices that need access to the VDI environment. However, they have 300 shift based users and up to 150 VMs are used at any one time. Since 100 different devices will be accessing the VDI environment the following would  be required:
• Devices are PCs covered with SA: No additional licensing
• Devices are thin clients not covered with SA: 100 Windows VDA licenses

Mixed Desktop Hardware
An organization has 100 PCs with SA and 100 thin-clients that need access to the VDI environment. However, they have only 100 users and accessing 100 VMs are at any one time. Since 200 different devices will be accessing the VDI environment the following
combinations of licenses is required:
The PCs with SA do not require additional licensing. The 100 thin clients need 100 Windows VDA licenses.

Occasional Home User
An organization with 100 employees who are the primary users of 100 thin clients covered under Windows VDA at work. These employees occasionally work from home and access the corporate VMs via VDI from their home machine (employee-owned).
• If the employees are a primary user of a VDA licensed device at work, no additional VDA licenses are required.
• If the employees are not a primary user of a VDA licensed devices at work, 100 Windows VDA licenses are required.

100% Home users

An organization has 100 employees who work from home and will access corporate VMs via VDI from their employee owned device at home. Since 100 different devices will be accessing the VDI environment the following would be required:
• 100 Windows VDA licenses

Roaming User
An organization has 300 thin clients that need access to the VDI environment. However, only 100 users and only 50 VMs are used at any one time. Since 300 different devices will be accessing the VDI environment the following would be required:
• 300 Windows VDA licenses

Contractor owned PCs
An organization has 100 contractors that are working for 6 months, and then are replaced by 100 different contractors for the next 6 months. Each contractor will have one contractor-owned computer to access the organizations corporate virtual machine via VDI.
• 100 Windows VDA licenses are required


Windows on a ‘Session’

The following extract is taken from the March 2011 Product Use Rights.

· Remote Desktop. The single primary user of the licensed device may access a session from any other device using Remote Desktop or similar technologies. A “session” means the experience of interacting with the software, directly or indirectly, through any combination of input, output and display peripherals. Other users may access a session from any device, using these technologies, if:

(1) the remote device is separately licensed to run the software; or

(2) the user or remote device has the appropriate Remote Desktop License (RDL).

[Ref: Product Use Rights, March 2011, Page 22 of 125]


image

image

If you are asking why your thin clients can’t leverage your Windows U&SA or SA from your Volume Licensing agreement – the rationale is that all VL Windows licenses are upgrades and do not include the base OEM license

image

A common misconception is that Windows on Volume Licensing is a full license. This is not the case, above I have collated details of valid base licenses for Windows 7 Pro. In addition, below I have provided a common overview of how to obtain a full license.

image
 

Windows Remote Desktop Services (RDS) CAL

In addition to this requirement, Microsoft has included a Client Access License (CAL) for access to Windows in the Datacenter. This is additive, not a replacement to the normal Windows Server CAL.

· Windows Server 2008 R2 Remote Desktop Services Access. You must acquire a Windows Server 2008 Remote Desktop Services CAL or Windows Server 2008 Terminal Services CAL for each user or device that directly or indirectly accesses the Remote Desktop Services Functionality. You also need one of these CALs for each user or device that directly or indirectly accesses the server software to host a graphical user interface (using the Windows Server 2008 R2 Remote Desktop Services functionality or other technology).

This might be access to Remote Desktop Protocol or Citrix Metaframe.

The technical difference between running applications from an HVD (holographic versatile disk) versus an RDS is that with
HVD, users can access a copy of Windows OS running on a virtual machine (VM) dedicated for their use, and not on a shared server instance. This technology allows certain applications to run that may fail on a shared terminal server.

image

 

Digg This

Advertisements

3 thoughts on “Applications and OS Licensing: Remote Access and Roaming Use

  1. Good post, thanks.

    A common scenario for which I can’t find an answer is the business that owns old XP desktops and want to use them to access Win7 in a VDI environment.

    They can buy Windows 7 volume licenses with SA and qualify to access the Win7 VDI. But what happens when those PCs die? Do they have to buy a new physical PC with Windows? Or does a thin client with a Windows OS, like Win 2009 Embedded, qualify to let them access their existing Win 7 VDI?

    Is there any way to use thin clients without purchasing a VDA subscription?

    • Hi Matt,

      Get what you’re saying here. The answer you’re probably not wanting is below I am afraid:

      The Thick Client will have a OEM license for Windows as a qualifying base for the volume license upgrade. The VL license is Upgrade & SA.
      When you refresh the PC, Microsoft is expecting there to be a OEM license (CoA – Certificate of Authenticity sticker will be on the case)
      Windows Embedded and Home Edition is not a qualifying base. (In fact, I think I have an article on this blog that covers this in more detail)

      If you go the Thin Client route – then It’s the VDA Subscription. This will be slightly more expensive as It is effectively accounting for there not being an OEM license on the Thin Client device.

      You can use Thin Clients by streaming the Apps direct from a Citrix or Remote Desktop Services – this won’t need a Windows license.
      It will depend on the specifics of your estate and volume agreements.

      Worth running by your Microsoft Reseller, or If you’re a managed account your Microsoft Business Manager.

  2. Congratulations on an excellent article that highlights a number of issues that many users will not be aware of when remotely accessing Win7 environments that are hosted on physical or virtual machines.

    By way of example, we are setting up a “remote learning classroom” where we want to allow students to remotely access either physical or virtual Win7 Pro desktops via RDP. The most obvious licensing solution is to just buy Win7 Pro FPP and install it on the physical PCs or in the VMs. But unfortunately that’s not the case because (1) there will be many different students (say 100-200) that will require remote access in any given year (2) the PCs/laptops that they are using to access the remote classroom are typically only licensed for WinXP Pro and (3) some of the classrooom’s Win7 Pro desktops could be hosted within VMs.

    These situations create the following Microsoft licensing issues : (a) Because there are many different students the “Single Primary User” clause that would potentially allow a WinXP Pro device to access a Win7 desktop hosted on a physical PC does not appear to apply. i.e. the student/user could change on a day by day basis, so as to whether each new student becomes the new single primary user is not 100% clear (b) if each student is not the single primary user then they become a “Non Primary User” and cannot access the Win7 Pro desktop from a WinXP Pro device because it is not “separately licensed” with Win7 Pro. They would need to upgrade their license to Win7 Pro so that it matched the license of the remote desktop that they wanted to access (c) if the Win7 Pro desktops in the classroom are hosted in VMs, then all the rules change to Microsoft’s virtual access licensing policy. In the case of the classroom it would be possible to purchase multiple VDA licenses and reassign them every 90 days to different students. But audit records would need to be kept of which student and which device the VDA license was aplied to during any 90 day period. Using the 90 day re-assignment right would help to reduce the total number of VDA licenses required. i.e. you could potentially share one VDA license between up to 4 different students per year. But the downside is the ongoing cost of the VDA license subscriptions and the need to maintain audit records.

    Anyway, it’s an interesting scenario that we’re still working through. If there are any thoughts on how to best address the use of physical PCs (which is the preference) in this type of remote access classroom, then that would be very helpful !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s