Microsoft Windows Software Assurance isn’t the same as VDA

On the cusp of my last blog post, one of my colleagues pointed out another Microsoft document that shed some more light on the virtual desktop subject.  According to the  Licensing Windows 7 for Use with Virtual Machines licensing brief, which actually spells out how Windows can or can’t be licensed for use in a virtual desktop, it also highlights a couple things that you can and can’t do with VDA.

One thing in particular that caught my attention, was that if you plan on using a Client Hypervisor, like Citrix XenClient or the one built into Windows 8, you cannot use VDA.  You pretty much have to buy a device with OEM Windows and then upgrade to SA to run a VM (or 4).  You also can’t dual boot with Windows, or run Windows locally with up to 4 virtual Windows VMs, but I don’t see too many folks looking to do this with VDA anyways.

So for right now, it looks like licensing your endpoint with OEM Windows and upgrading to SA may yield the most amount of benefits if your use case calls for it.



Please Read This before you deploy Virtual Desktops

Ok, i’ll keep this one simple and straightforward. There is only one licensing model to access a virtualized/hosted Windows 7 desktop, and that’s called Microsoft Virtual Desktop Access (VDA).  VDA has been around for a few years now (previously VECD), and here’s how it works.

  1. VDA is only available as a subscription model, and is about $100/device/year depending on your licensing tier.
  2. VDA is also available at no additional cost if your device has active Software Assurance.
  3. VDA also has Extended Roaming Rights (ERR) for the operating system, which allows the primary end point’s user to use a personally-owned device, such as a home computer or an iPad etc. to access that virtual desktop, as long as that device isn’t running on the organization’s or an affiliate’s network.   Just so you didn’t miss that one, which is critical for compliance reasons; ERR does not allow you to bring in a personal device and use your virtual desktop in the office, its only allowed when you are not on company property.

The clarification of how this works is done best by using an example.  Bob works in the Finance department at a large company.  He has a company-issued Windows 7 desktop computer with Office 2010, as well as an older notebook which runs Windows XP and Office 2003.  He has also been given a new iPad which was customized by the IT department.  IT has recently deployed a VMware View desktop solution, which enables Bob to get to a new virtual desktop and all his applications, from any device. The goal of this VMware View system is to unify Bob’s technology experience across his desktop, notebook and iPad, so he always has a common Windows 7 virtual desktop with all his data and apps.

The IT department has active Software Assurance (SA) on all its devices, including Office.  Since Bob’s desktop and notebook both have active SA, they are licensed properly to access his new virtual desktop, including all his Office Applications.  However, since the iPad doesn’t have an OEM Windows operating system or SA, the IT department will need to purchase additional VDA licensing for that device.  In fact, they will also need to purchase an additional Office 2010 license for that iPad if Bob plans to open and edit Excel spreadsheets while connecting with VMware View.  The key point here is that the device is actually a corporate asset, so it needs to be licensed like any other device that needs to access Windows 7 and Office.  Now, since Bob’s desktop is his primary device that has SA on it, he is also entitled to go home and use his personal iPad or PC to access his virtual desktop, provided that he is not bringing these devices physically onto the corporate network or an affiliate’s office.

Believe it or not, the above example is actually pretty simple.  But what if Bob’s IT department didn’t have SA on anything?  If that were the case, in order for Bob to access his new virtual desktop using his desktop, notebook or iPad, IT would need to purchase three VDA licenses as well as three Office licenses.  And if he needed to access his virtual desktop from a personal computer or tablet while at home, SA would be needed on one of those Office licenses.

Are we having fun yet? And you wonder why Client Virtualization adoption is stalling?  There’s one of the reason’s why.  In the interest of being simple and realistic, here is some advice:

  1. Don’t try and beat the system.  Avoid buying OEM licenses in bulk or doing Data Center Edition desktops with a Windows 7 skin.  If you need full Windows 7, VDA is the only way to go.
  2. Talk to your reseller’s Microsoft Licensing team.  These rules change all the time and they are always current on the latest and greatest compliance rules.
  3. If you find yourself struggling with the TCO and ROI aspect of deploying a Virtual Desktop solution, there is nothing wrong with deploying a regular desktop/notebook solution.  Windows 7/8 on a pc/notebook isn’t going away anytime soon and if designed and managed correctly, can be a rock solid solution for your organization.
  4. After you figure it all out, run your licensing scenario by another licensing specialist.  It never hurts to double-check your work.

Diving into Mobility & BYOD

Mobility seems to be the talk of the town these days; and it should be.  Smartphones are now the norm, and with millions of tablets floating around, the lines are starting to blur between the traditional ways we once viewed mobility.

In the past, when someone said mobility, I would assume they were talking about a BlackBerry, Palm Treo or Windows Mobile device.  However today, not only do we have new contenders like Apple’s iPhone and Google’s Android (who dominate the smart phone market), but we have a new class of devices – tablets, slates, ultrabooks and more to come.

Another term we can’t seem to stay away from these days is BYOD (Bring Your Own Device), and this is definitely a force that’s driving mobility solutions.  We first started seeing people carrying around their own netbooks (remember those?) and it seems that after the iPad and the MacBook Air, this started becoming increasingly prevalent.  Sure, there are many companies that provide these devices to their employees, but you would be surprised how many of these devices are actually owned by each individual employee.

So getting back to defining Mobility; what exactly is it?  Let’s take a look at all the possible options:

  1. Devices – Clearly, smartphones and tablets are in this category.  But what about the staple computing device – the notebook?  Isn’t the notebook the real catalyst that started mobility?  Of course it is, and notebooks and now ultrabooks are definitely in the mix when you talk about mobility.  In a nutshell, we’re talking about any device that can connect back into your data center applications, or even cloud-hosted ones.
  2. Carrier-enabled Broadband –  Every device has WiFi today, and almost everything in this category has a carrier broadband option.  For smart phones, it’s a given, they can all consume data plans, and in some cases, you can’t activate service without a data plan.  For tablets, this is a model-based option, like the new iPad with various LTE and 3G carrier options.  Another quite popular option is buying a mobile hotspot, like the Sprint Overdrive Pro, that can allow up to 5 WiFi users to access its 3G/4G network thereby consolidating data plans and sharing connectivity between devices.  From a mobility perspective, being able to activate these devices, managing them and watching data overages is key for organizations that provide these carrier services to their workforce.
  3. Security – This is on top of everyone’s list.  With initial smartphones that were limited in functionality, we could tie down these devices, encrypt their email/calendar data and remotely wipe it if necessary.  With today’s smartphones and tablets, you can pretty much extend their functionality to that of a computer, and controlling how your data is stored, either locally or in the cloud is a nightmare.  Thankfully there is a slew of  Mobile Device Management (MDM) players that can enforce security policies on each device, so that data leakage can be prevented (even though it’s not full-proof at the time of this writing).  Something else to consider here, is a more advanced Network Access Control (NAC) technology such as Cisco’s Identity Service Engine (ISE) technology.  This will enable your end users to only access systems they are authorized to access, even if they are on the local network.  Essentially, rather than relying on each application’s software to control who can ‘get’ to what system on your network, this controls and reports access attempts from the network layer, thereby isolating users and devices before they even become a threat.
  4. Policy – Having a strong, governed IT Acceptable Use Policy is key, but even more important is setting the right enforcement and ramifications if employees fail to adhere to such policies.  This is a huge issue today, with many organizations that don’t even have any policies in place, or have policies that aren’t being followed/governed.  The bottom line is that every organization should have a current, well-defined policy, and every coworker should be held accountable for adhering to that policy.  While policy inspection isn’t completely automated today, it will be in the future as more granular controls and reporting tools emerge in the marketplace.  Think about a mix of Cisco ISE, Splunk , Mobile Iron and Microsoft System Center; it’s all coming together eventually.
  5. Apps – It’s all about the apps these days.  And while we may all agree that a local app running on your device gives you the best mobile experience, there are still a lot of apps that are only available in a browser.  For everything else that can’t be ‘applified’, we resort to using Client Virtualization technologies, such as those made by Citrix, Microsoft and VMware.   However, embarking on a Client Virtualization journey is not for the faint hearted; this takes a lot of time, planning, testing, training etc. before it can be rolled out to the masses.  Thus mobility includes the management, monitoring and updating of not just local apps, but also client virtualization technologies, which include both virtualized apps and desktops.

This may all seem very overwhelming.  However, in many cases, it may be a necessity to move your organization forward.  In some cases, you could just stay the current course and wait for the next big wave of technologies.  The bottom line is; start with a well justified business plan.  Many go down the Client Virtualization or BYOD path because the assumption is that ‘everyone needs iPad or remote access.’  While that may be true, you have to look at mobility as an end-to-end solution, and understanding all the intricacies, including a phased adoption approach that will be key in making it a successful addition to your organization’s technology strategy.

Notice that I didn’t mention TCO or ROI in this blog entry.  There is a reason for that, because unless you look at mobility collectively, you can’t get an accurate reading on this.  Start with TCO today versus TCO post implementation, and many times, you will be surprised by the results.