VDI Licensing Complex in Windows 8 Enterprise
Licensing experts believe licensing for Windows 8 Enterprise virtual desktops may end up costing you more and/or bring new restrictions.
Microsoft indicated it will be "enhancing" its SA benefits when the Windows 8 Enterprise edition is released to market, according to a Microsoft blog
. That release is expected to happen sometime this year. A new "release preview" of Windows 8 will be available in early June, according to a comment by Steven Sinofsky, Windows head, as reported by All Things D
. However, many expect the actual product release will happen sometime in the fall of this year.
These enhanced SA benefits, in some cases, will entail an extra cost, or possibly could even be a new restriction on existing benefits concerning software use cases. Microsoft's blog doesn't offer enough details to clarify the many questions about this new SA policy to come.
For instance, Microsoft will offer an "optional add-on" for Windows 8 client SA-covered PCs called the "Companion Device License" (CDL). By "add-on," Microsoft means it's an extra cost on top of SA, although the cost hasn't been disclosed.
Here's the definition of the new CDL from Microsoft's blog:
"For users of Windows Software Assurance licensed PCs this optional add-on will provide rights to access a corporate desktop either through VDI or Windows To Go on up to four personally owned devices."
Paul DeGroot, head of independent consultancy Pica Communications and an expert in Microsoft's licensing, offers perhaps the best explanation about what Microsoft may mean by new SA changes. For instance, I asked him if Android or iPad tablets would be covered by the CDL to remotely access a virtual desktop.
"My reading of this is that the CDL doesn't license remote access to virtual desktops, only physical desktops, and only from personal devices," DeGroot said via e-mail, although he noted that Microsoft has not yet released any contract information and it's difficult to draw conclusions. "If they want access to virtual desktops from a non-Windows RT device, without the personal ownership restriction, they will need a VDA subscription for their iPad or Android tablet, and probably for their Windows 8 device as well, since a home device isn't covered by SA and doesn't have VDI access rights."
A VDA is a per-device Microsoft "Virtual Desktop Access" license for PCs. Customers purchasing SA for PCs also get VDA licensing at no extra cost. Microsoft also sells VDA licenses separately for devices not covered under SA or for devices that fall outside Microsoft's VDI licensing concept, such as thin clients.
In the case of Windows RT devices, they will have VDA rights automatically assigned in some cases, according to Microsoft's blog.
"When used as a companion of a Windows Software Assurance licensed PC, Windows RT will automatically receive extended VDA rights," the blog states. "These rights will provide access to a full VDI image running in the datacenter which will make Windows RT a great complementary tablet option for business customers."
DeGroot pointed out in our e-mail correspondence that the CDL is described as being licensed for the "corporate desktop," whereas VDA-licensed devices have access to the "datacenter." It's possible that the CDL is a per-user type of subscription, he speculated, although it's not clear from Microsoft's description. The language in the blog about "extended VDA rights" is different from past Microsoft licensing language, he noted, so it's not clear what Microsoft means.
"So, to sum this up," DeGroot said about the VDA rights associated with Windows RT devices, "it says that if you have a PC licensed for Windows 8, with SA added to that, you can access VDI from Windows RT devices without requiring a VDA license, which is normally required for devices with embedded OSes."
Windows RT devices, under Microsoft's new SA policy, "appear to have better access to VDI than Windows 8 Pro devices," DeGroot noted. That's an oddity that hasn't been explained by Microsoft as yet.
For more insights on the new SA changes and VDI licensing, see DeGroot's analysis in this BetaNews article. For instance, he speculates that Microsoft may be removing the "primary user" privilege of Windows users to access their desktops from another device.
"Crazy" VDI Licensing
Brian Madden, a former Microsoft MVP (most valuable professional), was one of the first to highlight the new CDL and VDA changes. He noted in a blog post that Windows RT devices can connect to a company's network via VDI for free whereas doing that through an Apple or Android device requires the purchase of a CDL.
"How is this policy even legal from an antitrust standpoint?" he wondered in the blog post.
Madden, who quit the honorary MVP title in protest over Microsoft's VDI licensing policies, also noted that Windows RT devices can't be domain joined and can't run legacy apps, so it was expected that x86/x64 Windows 8 devices would the optimal choice for organizations wanting remote device access, not Windows RT devices.
According to Madden, under current SA extended roaming rights, employees with their own devices can access VDI desktops without restriction, but they can't access VDI desktops with those devices are located within the workplace. He explained that "the CDL "solves a licensing problem that a lot of people don't even know exists." The CDL gets rid of that "crazy problem," he added.
Enterprise Edition Features
On top of the SA changes, Microsoft's blog described some Windows 8 Enterprise edition features to come. Organizations that have used the Enterprise edition of Windows 7 will find a lot of familiar territory here.
Windows 8 Enterprise edition will offer the DirectAccess feature, which facilitates remote device access to a corporate network without all of the typical virtual private network handshaking. The Enterprise edition comes with BranchCache, which is designed to help with bandwidth issues on a wide area network when serving files to local branch offices. AppLocker also is a returning feature in the Windows 8 Enterprise edition. It allows IT pros to lock down the kind of apps that users can install on devices.
A new feature in the Windows 8 Enterprise edition is Windows To Go, which is a sort of portable corporate-managed desktop stored on a memory stick. By plugging the memory stick into a USB port on a remote machine or home machine, users get access to the corporate desktop. Since it's a managed instance of Windows 8 Enterprise edition, IT pros can maintain their security policies on Windows To Go.
A second new feature pertains to loading apps on "domain joined PCs and tablets running Windows 8 Enterprise" -- in other words, it applies to x86/x64-based devices and not to Windows RT devices. Microsoft's blog says it will be possible for IT organizations to "side-load internal, Windows 8 Metro style apps" when the OS is released. "Side loading" is Microsoft's term for packaging a Metro-style application for distribution to users, which requires that the device be domain joined and the application be "cryptographically signed" with a certificate, and all of this happens outside the Windows Store repository, which imposes its own security restrictions on applications. The side loading process is described in this Microsoft blog. All Windows RT applications, in contrast, must come from the Windows Store or through a self-service portal, which is described here.
Benefits of Software Assurance
Microsoft touted other benefits of Software Assurance, which DeGroot said can cost "up to $55 [per user] a year."
Software Assurance is an annuity-based subscription that gives organizations the right to upgrade to the next version of a particular piece of Microsoft software within their coverage period. It also adds a few educational help perks. Organizations subscribing to SA get the option to pay extra for access to the Microsoft Desktop Optimization Pack (MDOP), which is a set of six tools for virtualization, management and PC-restore capabilities. However, MDOP costs an extra $10 per device per year.
A final perk of SA is virtual desktop access rights, which are included if an organization's PCs or laptops are covered by SA. Otherwise, the devices would need a VDA license to connect to a virtualized Windows desktop. A VDA license costs $100 per year per device, according to Microsoft FAQ on desktop virtualization licensing (link to PDF), which was revised this month. The FAQ is well worth spending the time to read.
While the VDA licensing includes roaming rights, DeGroot has explained that those rights only apply to roaming from a home network or an untrusted public network, not roaming on a corporate network. Microsoft's desktop virtualization licensing FAQ explains that a home user would have to have a PC at work covered by a VDA license in order to use these roaming rights and access the corporate desktop from a home device.