2021.10.20 14:26 sharkbite0141 GUIDE: A Microsoft Windows Server OS Licensing Primer for Physical and Virtual Environments

Hi All! I've seen a number of posts over time asking for advice on how to license their environments with Windows Server. I thought it might be helpful to write up a "primer" on Windows Server licensing for those who are newer to Microsoft Licensing in the sysadmin world. All of this information is available directly from Microsoft in their Licensing Briefs, which are an excellent resource, but I know they can be confusing for those not previously experienced with Microsoft Licensing and its nuances.
What follows is based on my experience over the past 16 years: working for a non-profit; an MSP that sold OEM, Retail, and Volume Licenses and eventually even became SPLA licensed to provide hosted services; an enterprise environment that underwent an official KPMG-run Microsoft Licensing Audit and held both multiple types of Volume Licenses (Open Value vs Open Business) and even an Enterprise Agreement (EA); and my current position in an organization that holds an EA for all Microsoft licensing.
Now, I'm not an official Microsoft Licensing representative, so if you believe my information is incorrect, please let me know and I'll do my best to fix the post or clarify a point. Also, this isn't meant to suffice as a be-all-end-all for Microsoft OS licensing, more of a general beginner sysadmin's guide.
I'll break it down into 2 main sections:

  1. Windows Server OS
  2. Windows Server OS Virtualization
I didn't include Windows Desktop OS licensing in this guide because it gets complicated with a lot of the newer options out there like Microsoft 365 E3/E5, but I will add this very important note: Don't think you can just buy a Windows 10/Windows 11 license and run it in a VM. The base Desktop OS retail or volume license mostly does not include virtualization rights. There's very specific licensing that must be used for virtualizing the Desktop OS. See the Licensing Windows Desktop OS for Virtual Machines Brief for those details.
I'm also writing this with the assumption that you are licensing as an end-user organization and are not providing hosted/cloud services to individuals or businesses outside of your own organization. If you are providing such services, then you should be under a Service Provider License Agreement (SPLA), which has its own set of complexities.
I'll start with a quick glossary as well as there are some common terms used throughout Microsoft's licensing:
Glossary
OSE = Operating System Environment (The installed OS software whether physical or virtual)
CAL = Client Access License (License required by the client user or device accessing the server)
SA = Software Assurance (Entitles you to version upgrades, and some other items; usually lasts a period of 2 years, then you have to renew to maintain it)
Windows Server Core = GUI-less version of Windows Server for reduced security and disk footprint
Windows Server Desktop Experience = Windows Server with a full GUI experience

1. Windows Server Licensing
At the most basic level, properly licensing Windows Server requires 2 things:
  1. Physical-Core-Count License of the OS software
  2. User and/or Device CALs for users and/or devices accessing services on a Windows Server OS
As for those requirements, there are no ifs, ands, or buts about them. I'll start at the basic level as if we're licensing a single physical server (with no virtualization):
Windows Server Editions
Windows Server comes in 3 editions: Essentials, Standard, and Datacenter.
Let's look at the different editions and how they're licensed.
Windows Server Essentials
Windows Server Essentials is a specialized edition that is extremely limited and designed for very small environments. It has a hard limit of 25 user accounts and 50 devices, is licensed per physical CPU socket, with a maximum of 2 sockets, regardless of CPU core count, is limited to 64GB of RAM, and doesn't require User or Device CALs. It's generally meant for small mom-and-pop type operations that won't grow beyond that size and only need something like simple Active Directory and a file server for, say, QuickBooks sharing. On the note of Active Directory: if the Essentials edition is your Domain Controller, it and only it can be a domain controller. Basically it's meant for a very small environment with a single physical server with no requirements for virtualization. General recommendation amongst those of us experienced with it: RUN AWAY. DO NOT USE IT. But it has its use cases, and if it fits yours or your client's, then it's a perfectly fine option.

Windows Server Standard & Windows Server Datacenter
These are the editions of Windows most sysadmins experience. They're the more "fully featured" editions with effectively all Windows Server features available. These versions of Windows Server, since the 2016 version, are now under a Core-Based licensing program. This means that the Server OS software license is based upon the physical core count of all CPUs in an individual physical server. There are a handful of specialized features that are only fully unlimited in the Datacenter version, but both Standard and Datacenter are licensed the same way in the Core-Based licensing program.

Downgrade Rights
Now here's another thing to know about Windows Server licensing. When you purchase a Windows Server license, you receive what are called Downgrade rights. What this allows you to do is run an older version of the Windows Server OS than what you have purchased, or a lower edition of the OS than what you purchased. The downgrade rights are technically limited to the 2 previous versions of the OS.
Where this comes in handy is third-party applications. A lot of applications take their sweet time upgrading to support newer versions of the operating system. So sometimes a company will purchase a license of a piece of software, but the latest version of operating system they support is actually older than what is commercially available. (Say they support Server 2016, but not Server 2019).
Let's take a look at what these downgrade rights get you in terms of what you can run, based on which version and edition you have purchased. Top row is the purchased version and edition of Server OS. The left column is the version you're allowed to run with the table entries showing the editions you're allowed based on your "up-level" license.
| Version to run | Server 2022 Datacenter | Server 2022 Standard | Server 2019 Datacenter | Server 2019 Standard | Server 2016 Datacenter | Server 2016 Standard |
|---|---|---|---|---|---|---|
| Windows Server 2022 | Datacenter / Standard | Standard | - | - | - | - |
| Windows Server 2019 | Datacenter / Standard | Standard | Datacenter / Standard | Standard | - | - |
| Windows Server 2016 | Datacenter / Standard | Standard | Datacenter / Standard | Standard | Datacenter / Standard | Standard |
| Windows Server 2012 R2 | - | - | Datacenter / Standard | Standard | Datacenter / Standard | Standard |
| Windows Server 2012 | - | - | - | - | Datacenter / Standard | Standard |
So you'll see that if you purchase the Datacenter edition of the Server OS, you can run either Datacenter or Standard on your installation. And you'll see for each version (2022/2019/2016/2012 R2), you can run the previous 2 versions of the operating system based on that license. (If it comes time for an audit, YMMV with this, but most auditors will consider all older versions of the OS licensed if said server has been "assigned" a newer license with the same or better level edition, provided that you also carry Software Assurance on said new OS license. So if you just had to run a 2008 R2 Standard server, the auditor would likely make you purchase a 2022 Standard or Datacenter license plus Software Assurance, and then they'd consider it "licensed". Again, not a Microsoft employee, nor am I an auditor, so don't take this as official advice; it's just what I've experienced personally from a KPMG-run audit).
Now, on to the meat:
Core-Based Licensing: When calculating your requirements for Core-Based licensing, the core count of your license must match or exceed the number of physical CPU cores you have in each individual server. Count only physical cores; functionality like Intel's Hyperthreading creates additional threads that Windows sees as "logical cores", but those additional threads are not counted in licensing requirements.
Core-based Server OS licenses are sold in 2-core "packs", with a minimum purchase of 16 cores per one physical server, working out to 8 "2-core packs". This requirement is the same for both the Standard and Datacenter editions of Windows Server.
User/Device CAL Licensing: User and Device CAL licensing is the same as it's always been. How you account for and decide on which licenses to use varies based on your environments and use-cases.
On a general basis, it's usually safe to count the number of users who connect to your network and use any piece of software on any server running Windows Server (Microsoft software or third-party doesn't matter, if it runs on Windows Server, a CAL is required for access), and then purchase that many User CALs.
One very important factor: you must purchase the same version of CAL as the OS you are licensing, or greater. Let's look at some examples:
| OS Version | CAL Version Required |
|---|---|
| Windows Server 2022 | Windows Server 2022 User/Device CAL |
| Windows Server 2019 | Windows Server 2019 or 2022 User/Device CAL |
| Windows Server 2016 | Windows Server 2016, 2019, or 2022 User/Device CAL |
| Windows Server 2012 R2 | Windows Server 2012 R2, 2016, or 2019 User/Device CAL |
Also, you don't have to re-purchase CALs for every individual server you license. You only have to purchase them once for each version of the Server OS you are using.
So say you already have a server running Windows Server 2012 R2 in your environment and have 50 Server 2012 R2 User/Device CALs. Now let's say you want to add a second server running Windows Server 2019. You will need to buy 50 new Server 2019 User/Device CALs to match the new server version. Six months later, you decide you need a third server running Windows Server 2019. You already purchased 50 Server 2019 User/Device CALs with the first Server 2019 OS purchase, so you're covered. You don't need to purchase any additional CALs unless you have increased your number of users or devices accessing the 3 servers.
Now, deciding on whether to choose a User or a Device CAL can be complicated. Here are some scenarios:
Scenario 1: Your company has 50 employees, 10 of which are executive/management. The company has 50 desktops in a one-desktop-per-user configuration, and 10 laptops for your executive and management staff (so execs/management have 2 PCs each).
Scenario 2: Your company has 100 employees, 40 of which are admin/management/executive staff, and 60 of which are employees of your 24x7x365 call center. You have a total of 70 PCs: 40 desktops for your admin/management/executive employees who all have mobile phones, 10 laptops for execs/management, and 20 desktops for your call center. Your call center is staffed in a 3-shift rotation, where only 20 people are working in the call center at a time, and each single workstation is shared between 3 people across the shifts.
Scenario 3: The same as Scenario 2, but we're adding 3 Multi-Function Printers into the mix. Two of them are only used by admin/management/executive staff, but one of them is used by the call center staff. Your MFPs get their IP addresses from your Microsoft Windows DHCP server, and they use the DNS services on your Domain Controller because they're configured to be able to scan a document to a folder on your file share.
Scenario 4: Your company runs an insurance plan. The user and PC count for your staff is similar to Scenario 2. You also run a web portal in-house using IIS (or Apache/Tomcat/Nginx/etc.) on one of your Windows servers (not in the Cloud or provided by a hosting company) tied into your back-end systems where people can manage their insurance policies. You have 5000 customers with accounts on this portal.
Okay, now let's think about what licensing we want to choose for each of these scenarios:
In Scenario 1, you're best served by purchasing 50 User CALs. A User CAL covers accessing any Windows Server device by the assigned user from an unlimited number of clients (PCs, tablets, mobile phones, etc.).
In Scenario 2, you're likely going to want to purchase 40 User CALs for your admin/management/executive staff, and 20 Device CALs for your call center PCs. Because there are only 20 PCs for use by call center staff and you're hot-desking your 60 call center employees between the 3 shifts, you can license those workstations by Device instead of user, since your call center staff will never have more than one PC assigned to them and will never access your system with more than one PC. This allows you to purchase a total of only 60 CALs instead of 100, thus offering cost savings.
In Scenario 3, you've now run into one of the biggest, and most frustrating, in my opinion, "gotchas" with Microsoft CAL licensing: Microsoft deems that any user or device that uses any service running on a Windows Server OS must be licensed with a CAL. Because your MFPs are getting their IP from Microsoft DHCP and using Microsoft DNS, those devices must be licensed. Because 2 of them are only ever used by the admin/management/executive staff, the User CALs assigned to those users cover licensing of those 2 MFPs. BUT, because you have 1 MFP that is used by your call center staff, and you opted to use Device CALs to license their PCs, that MFP will require a Device CAL.
In Scenario 4, things get interesting. Just like in Scenario 3, any user or device that uses any service running on a Windows Server OS must be licensed with a CAL. Because of this, in addition to your 100 employees, those 5000 customers with portal access need to be licensed with a CAL. Now, before you get worried and think, "OMG, do I really have to buy 5000 user CALs to cover all my customers?", the answer is no. "But, you said they must be licensed." That's because there's an additional license type that can be purchased called the External Connector License. This license is purchased per physical server for when you have External Users accessing your systems. What is an External User? Microsoft's Product Terms document the definition as "External Users means users that are not either Customer’s or its Affiliates’ employees, or its affiliates’ onsite contractors or onsite agents." So effectively customers, and customers only. Contractors are considered employees for the purpose of the EC license. The External Connector license CANNOT be used to license your internal users, affiliates, or contractors.
Now the EC license is decently cheap, in the overall scheme of things, but may have some sticker shock if you're not used to seeing it. If memory serves, it's usually about $1,500 USD per server. But considering User CALs are around $80/each in Scenario 4, $80/CAL x 5000 Users = $400,000. The $1,500 option is quite obviously a much better choice for you here. If you're in this kind of scenario, you should really speak to a Microsoft Licensing specialist with your preferred VAR to make sure your bases are covered.
As a helpful note on the "every user and/or device must be licensed" front: It's highly, highly, highly recommended that you do not use any service running Windows Server for your guest networks (like for DHCP or DNS). Because each and every person and/or device that connects to said guest network would then require a CAL of some type. Technically you could purchase an External Connector License to cover those users, but that's likely a waste of money when you can likely provide the same functionality through DHCP and DNS services using your switches, routers, and external DNS providers.
Okay, are you thoroughly confused yet? Because now we're going to dive into Virtualization Licensing.
2. Windows Server Licensing in Virtual Environments (VMs)
At a base level, Windows Server licensing for VMs works just like above, with some additional considerations and caveats, and it all depends on which edition of Windows Server you're licensing, and is not affected by which Hypervisor OS you are running. Meaning these considerations are all the same whether you use Hyper-V, VMware (ESXi/Workstation/Fusion), Nutanix, Proxmox, KVM, RHV, Citrix Hypervisor, VirtualBox, Parallels, etc. The "advantage" of running Hyper-V is that it's a pretty full-featured hypervisor included with the Windows Server OS and doesn't cost extra to use, and has full native-VM backup functionality included, so you can use backup applications like Veeam or Commvault (unlike with VMware where the free edition of ESXi doesn't include the backup APIs, so you can't actually perform native VM backups and instead would have to use some sort of agent-based backup inside the VM OS).
Windows Server comes in 3 editions: Essentials, Standard, and Datacenter.
Now, there are some additional specialized editions like Nano Server and Embedded server versions, but those are outside the scope of this discussion. If you're using those, you likely already understand the licensing implications.
Windows Server Essentials: Windows Server Essentials is heavily-limited and designed for very small environments. It has a hard-limit of 25 user accounts, and doesn't require CALs. It's generally meant for small mom-and-pop type operations that won't grow beyond that size and only need something like simple Active Directory and a file server for, say, QuickBooks sharing. It does not allow for virtualization, and most everyone will tell you to stay away from it unless you have a very specific circumstance that you know you will never need anything other than one single, solitary physical server.
Windows Server Standard / Datacenter: Now Windows Server Standard and Datacenter both allow for virtualization, and each license allows the following per each physical server:
| OS Edition | Number of VMs (OSEs) Per Physical Server License |
|---|---|
| Windows Server Standard | 2* |
| Windows Server Datacenter | Unlimited |
*For each physical server you license with Windows Server Standard, you are licensed to run two (2) OSEs/VMs on that physical server. There's also a special use-case with Standard: You are allowed to use that single physical server license to also run the Windows Server Standard operating system as the hypervisor OS on the physical hardware, if and only if that installation is used to manage the Hyper-V role (and VMs) on that server. So, that technically means you get 3 OSEs, but it is very specific in that you cannot run any other applications in the OSE running on the physical hardware than what is used to manage Hyper-V (this doesn't mean you can't run things like AV. It just means that the OS is only licensed for the purpose of managing VMs running on that piece of hardware).
Now, say you need to run more than 2 VMs on a physical box, but you don't need unlimited VMs. In order to become licensed for additional VMs, you must purchase additional core packs of the Server OS license. For each additional fully-licensed set of cores, you receive 2 additional VMs.
So, say you want to run 4 VMs on a 20-core server, and you want to use Windows Server Standard. You need to purchase 40 cores worth of Server OS licenses. So mathematically, it works out to
( (Number of VMs) / 2 ) * Number of Cores
Want 8 VMs on that 20-core server? (8/2)*20 = 80 cores
The breakeven point on this is generally somewhere around 14 VMs. If you're getting to a point where you're starting to run more than 14 VMs on a single physical server, you should switch to Windows Server Datacenter licensing, instead.
Appendix 1: Remote Desktop Server Licensing
Remote Desktop Services, formerly known as Terminal Services, and usually referred to as RDS, is a Windows Server Role that allows for multiple simultaneous (or concurrent) users to be able to remotely login to a single server and work in that environment. Many are familiar with this through services such as Citrix (aka XenApp or Workspace Virtual Apps and Desktops), or VMware Horizon.
While Remote Desktop Services is included in the Windows Server operating system, it is separately licensed on a per User or Device basis on top of the Server Core and Server CAL licensing, similar to Microsoft Exchange or Microsoft SQL Server.
Many people get confused with licensing for Remote Desktop Servers. A lot of people believe that if you purchase an RDS CAL, then you don't need to purchase a Server CAL. This is incorrect. Every user or device you purchase an RDS CAL for must have an accompanying Server CAL. RDS licenses are considered "additive", as in additional to the baseline Server CAL.
Another mistake people make is "well, I'm using Citrix/VMware Horizon, I don't need to purchase an RDS CAL because I'm not using Microsoft's RDS." That's also incorrect. Citrix Workspace Virtual Apps and Desktop, and VMware Horizon actually use Microsoft RDS at an underlying OS API level and even require the RDS Role to be installed on the Server. So, as a result, they require Microsoft RDS CALs to go along with their own individual licensing.
RDS CAL licensing follows the same pattern as OS CAL licensing. You must purchase the version of CAL associated with the version of OS you are intending to use. Downgrade rights also apply:
| OS Version | RDS CAL Version Required |
|---|---|
| Windows Server 2022 | RDS 2022 CAL |
| Windows Server 2019 | RDS 2019 or 2022 CAL |
| Windows Server 2016 | RDS 2016, 2019, or 2022 CAL |
| Windows Server 2012 R2 | RDS 2012, 2016, 2019, or 2022 CAL |
| Windows Server 2012 | RDS 2012, 2016, 2019, or 2022 CAL |
| Windows Server 2008 R2 | RDS 2008 R2, 2012, 2016, 2019, or 2022 CAL |
Appendix 2: Software Assurance
If your company likes being on the latest-and-greatest versions, and is able to keep your systems frequently updated, Software Assurance may be a good option for you. Or, if you want to maintain newer licensing to avoid larger long-term costs because you keep a frequent upgrade cadence on your systems, it's a very cost-effective option.
Software Assurance is Microsoft's name for "upgrade protection" or "software maintenance", and is available only through a Volume Licensing program. When you purchase it and keep your SA Agreement current/active, you are entitled to/licensed for the latest version of the software for which you've purchased SA.
It's generally offered as a 2-year agreement with your license, so 2 years after the initial purchase, you must renew it in order to maintain all the rights and entitlements granted by SA.
Price wise, it's generally 50% of the initial purchase price of the license, and it must be purchased with the initial license purchase. So say your Windows Server Standard 2022 license is going to cost $1069. If you want Software Assurance, it'll add roughly $535 to the purchase price of that license, for a total of $1,604 up-front. In 2 years, to maintain SA, you'd renew at that 50% license price of $535.
Over time, if you are one to keep your environment updated with newer versions of the OS to keep up with modern technology and security, it can make much more financial sense to pay for Software Assurance than to continually re-purchase full licensing.

Summary
So that's Windows Server licensing. For greater detail on Windows Server Virtualization licensing, I'd recommend checking out the Licensing Microsoft server products for use in virtual environments brief and the Licensing Windows Server for use with virtualization technologies brief.
All of Microsoft's Licensing briefs, including those two, are available here.
submitted by sharkbite0141 to sysadmin

