Are single user Terminal Server VMs running on Windows Datacenter a loophole for VDI without SA?

One of the worst things about desktop virtualization is that Microsoft's licensing rules around it are complex and draconian. (Behold the power of a monopoly!) Even if you have a fully licensed copy of Windows 7, you need to have an additional license called "VDA" (formerly called "VECD") in order to connect to that copy of Windows via VDI and to be allowed to run it from a shared image or to migrate it to different servers.

Some people (and Microsoft) claim that VDA is not a problem anymore, because if you have a Windows desktop covered under Software Assurance (SA), then VDA is included for free. While this is true, having SA means that you pay for the right to use Windows on a yearly subscription basis--you never "own" the Windows license outright, and if you stop paying, you have to stop using Windows. Microsoft says this is great because it takes the guesswork out of budgeting, but in reality you only get the real value out of this if you always upgrade to the latest version of Windows. (I mean imagine if you had been paying for SA since Windows XP came out ten years ago and you, like many people, skipped Vista and are just now getting to Windows 7? If this is you, then congratulations, because you just paid $1,000 for each copy of Windows XP over all those years!) [UPDATE 12:23p: Gabe wrote that SA is only 29% renewal for two years, meaning that you could keep a desktop OS for ten years for only about $500, not $1,000 like I wrote.]

So this is why there are plenty of scenarios where it's better to just pay once and own forever. (And of course Microsoft knows this which is why they keep sweetening the SA program with bonuses like MDOP and VDA. If SA was really that good, would they have to bribe people to use it?)

The bottom line is that if you want to use VDI, you must have VDA. And in order to have VDA you must have SA. And in order to have SA, you must pay Microsoft about $100 per desktop, per year, forever. (Microsoft's own FAQs defend their decision to offer VDA only via the SA subscription by saying that since VDI allows organizations to deliver their desktops as a service, this allows licensing to be paid for more like a service too. Ok fine! But why not make that an option instead of a requirement? Oh yeah.. because they're a monopoly!)

The Datacenter Server loophole?

In order to avoid buying SA and paying Microsoft money year after year regardless of whether you actually upgrade or not, some people have pointed out that VDA only applies to the desktop version of Windows (e.g. Windows 7). But if you use the server version of Windows, there is no VDA.

Now I'm not talking about using Windows Server with terminal server / remote desktop with RDS CALs. I'm talking about a scenario where you've decided that you need VDI instead of terminal server. So what if you made your VDI with Windows Server VMs instead of Windows desktop VMs? In fact if you buy a copy of Windows Server 2008 R2 Datacenter Edition, that will cost about $6,000 for a dual processor license, but (1) you will "own" that license outright and can run it as long as you want, and (2) the Datacenter Edition of Windows Server lets you run as many server VMs as you want.

So now you can have VDI without VDA. The only "catch" is that your users are running Windows Server VMs instead of desktop VMs. (To be clear, this is not terminal server per se. In this case we're using these servers 1-to-1 for users. Users could install their own software, have admin rights, reboot, live migrate, etc. Each user would "own" his or her own VM, just like VDI.)

Plenty has been written on the internet to make Windows Server 2008 R2 look and feel like Windows 7. You can enable the Windows 7 theme, the search index, the sidebar, etc. In fact Citrix has released a whole toolkit (which is awesome) geared for server providers who want to use Terminal Server to deliver "real" desktops. (Even though this toolkit is made for multi-user terminal servers, the techniques are the same for converting a single-user server into a "desktop".)

And if you still think this is a bad idea, the fact that Microsoft doesn't like it is more fodder for me on why I do like it! :) From Microsoft's VECD FAQ:

Q: Do I need to pay for Windows VECD if I use Windows Server as a client operating system in my virtual machine? OR
Q: I’ve heard that I can avoid paying for Windows VECD by using Windows Server as my VDI desktop OS. Is this true?

Running a Windows Server® OS as the desktop in the datacenter does not require Windows VECD, but there are many reasons why a Server OS should not be used as a desktop, especially in the datacenter:

  • The user experience with servers as the desktop is very different from using a Windows client.
  • Many applications for end users were written for a client OS and not a server OS. Each of your applications would need to be retested to ensure compatibility with a Server OS. Additionally, most vendors do not offer support for client applications running on servers.
  • Clients and servers are on different patch cycles, adding to management complexity.
  • Most of the VDI ecosystem will support Windows client in the datacenter, not the Server OS.

However, if you do decide to run a Server OS as the desktop, please note that you will need to pay an RDS-CAL to correctly license that scenario.

Wait, you need RDS CALs for this?!?

So far I was really on board with this whole "just use Server instead of Windows 7 to avoid VDA" thing. I mean $6k per physical server, one shot, done! What's not to love! But that last line from the FAQ about needing to buy an RDS CAL for that scenario… what's that about?

The way I remember it, Windows Server OSes allow two built-in remote desktop connections which do not require terminal server and licensing servers and all that crap. Sure, the restriction is that users who login with one of the two built-in connections must be administrators, but that's fine, because that's the whole reason I'm using VDI in the first place. (And in this scenario, I'm just doing VDI with single-user servers.)

So I can't understand why this requires an RDS CAL?

According to the Windows Server 2008 R2 licensing and pricing guide: (p24)

In addition to the Windows Server 2008 CAL, a Terminal Services 2008 CAL (TS CAL) or Windows Server 2008 Remote Desktop Services CAL (RDS CAL) will be required to access any application or graphical user interface remotely hosted by Windows Server 2008 R2. This includes, but is not limited to, the use of Remote Desktop Services


As in Windows Server 2003, the Remote Desktop Services feature in Windows Server is intended for remote administration (This is referring to the built-in two free connections.)

So I'm not sure if this is a change from the past or what? But basically Microsoft is saying that if a user is using an application in a graphical way from a Windows Server, then you need an RDS CAL. (This means that all those newer cool ways of accessing Windows apps remotely that don't use Remote Desktop will still need RDS CALs.)

So this means that the Windows Server OS doesn't even allow one single user to use it for tasks other than administration, regardless of how they're connecting? (I guess this means if you run Windows Server OS on your laptop locally, you also need an RDS CAL?)

Did this just kill this whole concept? Or is paying $6k one time plus $110 per RDS CAL one time better than SA for VDA? (At least RDS CALs are available in per-user or per-device licensing modes.)

What do you think? (Besides hating monopolies?)

UPDATE: 7:24am, I changed the phrasing of VECD to update it to VDA, which is Microsoft's new term for it. Thanks @shawnbass for pointing that out. I had no idea.

Join the conversation



Well now the issue I see is the definition of 'administration'. As part of daily duties for managing a server/environment someone may need to write scripts using Word, monitor emails (using Outlook) and maybe even use Excel and SAP. :-)

Jokes aside, they will have to clearly define what 'Remote Administration' means, which opens a whole can of worms, as anyone can claim anything regarding how they manage/administer their environments.

Locally I assume you need nothing, as they clearly state 'remotely hosted by Windows Server', which is definitely not the case when you are using your laptop/desktop with a server OS.

Regardless, another major PITA with Microsoft Licensing. Well, this was expected and it is typical coming from them...


First I agree with the comments that Claudio Rodrigues made.  

I do not agree fully with the statement “Clients and servers are on different patch cycles, adding to management complexity”.

To understand where I am going with this you would need to read an old blog I wrote:

Windows 7 is binary identical to Windows 2008 R2, just as Win7 SP1 is binary identical to Windows 2008 R2 SP1 hence the reason why there is a single download for the service pack and a single download for the symbols.

So in reference to “Clients and servers are on different patch cycles, adding to management complexity”.

Keep in mind there are 3 different types of operating system binaries: RTM, QFE, and GDR. Although these terms have changed fairly recently, the concepts remain almost identical to what I am about to describe. RTM is the released code you would find in stores or in the original .iso file. QFE binaries are built from one of many hotfix code trees, and GDR is for a binary that contains a smaller set of QFE fixes, but it allows you to place fewer code changes on your system, thus resulting in fewer code changes being applied before they are tested. Up until development locks down the code base, mostly all QFE changes roll up into the RTM or service pack code; this gets very tricky and a little off topic for this post.

Microsoft performs rigorous tests on patches.  Let’s suppose there is a bug in IIS, Microsoft will release a patch to both the client and server because they can both contain IIS.  Let’s suppose Microsoft releases a patch for the certificate authority, there is no need to release that patch on the client because the client OS does not include the CA role as an option.  To sum it up you should not find that clients and servers are on different patch cycles, I suspect someone at Microsoft in Marketing who does not truly understand the internals of the OS’s wrote that.

In short I agree with what Brian is saying here and suspect this blog will create a firestorm of discussion.

In terms of the server operating systems and client operating systems being different this is true that they act different.  So any given action could take several patches because at runtime there is logic in the binaries to detect the version of the OS.  This information is obtainable from the OSVERSIONINFOEX structure which is called by the GetVersionEx() and VerifyVersionInfo() API calls. Reference .

This is very techy I know but bottom line is that Windows 2008 R2 and Windows 7 SP1 are the same product from a development standpoint and when Windows 2008 R2 is configured to look and act like Windows 7 things will generally work the way you would expect them to.

It is very true that applications or even the OS may not do the right thing. In these rare cases where you hit poorly written code the application can be fixed by the developer or you can use an application shim to effectively lie to the OS and “fix up” the GetVersionEx() or VerifyVersionInfo() calls at runtime.  This comment should cover most cases and keep in mind that I am talking about extreme edge cases here most of the time you should expect the results that Brian suggests in the blog.  Great post Brian!

Greg Lirette –


Sorry typo the comment should have stated "So any given action could take several paths because at runtime there is logic in the binaries to detect the version of the OS."


One additional impact.  With Win7/SA you need to purchase MDOP add-on to get App-V (and those other things that few people actually use).

The 2008 R2 RDS CAL and the 2008 TS CAL (deemed to be "functionally equivalent" by Microsoft) both include a license to use the App-V client on the server.  I discussed this in this White Paper:


Hmmm.... when will Microsoft wake up and realize the gem they have with TS/RDS and how much revenue could actually be made from this goldmine versus VDI... a solution for less than 1 - 2% of business case scenarios at best?...Microsoft Corp -- big disconnect from what their sales people need for solution sets versus what Microsoft Corp is pushing out to the market.....  


Just to clarify, you DO own the underlying product license when you purchase Software Assurance (SA). SA is designed to give you additional benefits on top of the product license, such as upgrade rights, training vouchers, packaged services benefits, etc. SA is normally purchased and annualized over a 3 year term. At the end of your term you can choose to purchase another 3 year term of SA, or not. But either way, it's important to understand that the LICENSE and the SA on the license are 2 different things. Once you buy the license, it's yours to keep forever. If you bought Windows 7 w/ SA on a 3 year term, you can let SA expire when the term is up and you still own that Windows 7 license forever.


Claudio is, as ever, right. RDS is for remote administration, not running a remote desktop for that you need RDS.

Greg is right as well, not that it matters. Microsoft provided the real reason why this idea isn't going to fly

"Additionally, most vendors do not offer support for client applications running on servers."

If your app vendor won't support running their app on a server OS, and why should they, then you are going to have a hard time selling this idea to your internal customers.  This doesn't rule the idea out completely, I can think of a couple of organizations that would consider this type of idea if it would deliver any major benefit, but honestly what do you get from it beyond saving a few $? If you want to save money with VDI there are far easier ways than this.


Many applications for end users were written for a client OS and not a server OS. Each of your applications would need to be retested to ensure compatibility with a Server OS. Additionally, most vendors do not offer support for client applications running on servers.

Is this what they tell their Terminal Services customers as well?

I can't see any medium or large enterprise seriously adopting this. The support headache and overheads associated with this would be a nightmare and surely outweigh the cost saving.


Don't forget that SA allows you to have 1+4 desktop instances (1 physical and 4 virtual).

What that means is since VDA is included in SA, you can deploy client thin pc (Windows ThinPC) and remote VDI desktop using only one license.

Roaming rights are also interesting here (but I would still prefer per-user licenses :)).

What can be also interesting for many small customers (and most people are not aware of this) is that it's not only VDA\SA that allows you to connect to client desktop, but also Intune licenses (VDA\SA\Intune are equal).



Nice article, Brian. You describe the approach that we've taken at Leostream Mobile Desktops ( to provide public-cloud hosted Windows desktop. By leveraging the Microsoft Windows Server 2008 licensing agreement that Amazon has with Microsoft, we provide folks with inexpensive Windows Servers that can be used as desktops. Instead of needing an entire OS license, the customer needs only the appropriate, and less expensive, RDS CAL.


OK it was a late night, what I should have said was

Claudio is, as ever, right. RDS is for remote administration, not running a remote desktop, for that you need VDA or SA.


Ancient thread, but my SPLA contact at HP confirms that WS2008 R2 VDI guests are permissible...just not Win 7.