Microsoft Licensing on AWS – More Insights on Changes to Remote Hosting and Your Options

By Dan Brewster

Director of Client Services – Microsoft, NPI

March 22, 2021
IT Microsoft

Interested in learning more about NPI’s services?

Contact Us

Back in the day I used to tell clients that Microsoft didn’t really care who owned the hardware – as long as the product was being used for the exclusive benefit of the licensed customer. With the advent of virtual desktops being hosted at Amazon, Microsoft has changed its tune somewhat. In October of 2019, Microsoft quietly changed some of its use rights that affect Microsoft licensing on AWS in an effort to further nudge its customers towards Azure.

It is important to understand the two most likely scenarios that have been impacted by Microsoft’s use rights changes: (1) Remote hosting of the Windows Operating System, and (2) Remote hosting of its application products. Both scenarios were impacted by the October 2019 changes. We recently published a bulletin on how remote hosting and access will cost more for some customers. In this blog post, we dig further into these changes and explain your options if you’re an AWS customer.

Remote Hosting of the Windows Operating System

Let’s begin with the Windows Operating System – we’re talking about the personal operating system – Windows 10.  Microsoft first introduced a product called the Windows Virtual Desktop Access (VDA) a number of years ago to help organizations license devices that do not qualify for Windows Software Assurance while providing access to a virtual desktop hosted in their VDI environment.  These devices would typically be thin clients or contractor-owned PCs – or, in other words, devices that an enterprise was not managing.

The VDA license was designed to recoup Microsoft’s loss of revenue for the underlying OEM license. A quick primer on the OEM license is that virtually all personal computers sold to enterprises come with a full version of the Windows operating system from the Original Equipment Manufacturer (OEM). The licenses that are purchased under the volume licensing programs are upgrade licenses, requiring an original OEM license. Microsoft felt, rightly or wrongly, that the virtual desktop was receiving the benefit of the graphic user interface and it couldn’t be sure that it had received the OEM revenue. Hence the VDA license. When clients were simply hosting their VDI environment on their own internal infrastructure, you simply needed to ensure that the client was covered with Software Assurance for the Windows OS. You could purchase SA for the Windows OS for your internal devices, you could purchase an M365 E5 or E5 subscription, or you could purchase a VDA license for those thin-clients or contractor owned PCs.

This worked fine for well over two decades until customers started looking at DaaS options that were hosted by third parties. Before October of 2019, you licensed a remote-hosted VDI infrastructure the same way that you licensed internally-hosted VDI infrastructure. Perhaps someone at Microsoft realized that many of its customers were taking advantage of Amazon Workspaces. It’s logical to fear that if a customer was moving to Amazon hosted desktops, they might also be moving their server infrastructure to Amazon as well. Creating friction to prevent that “lost revenue” from going to Amazon is likely one factor that precipitated changes to Microsoft licensing on AWS.

While Microsoft’s Product Terms documents have never really been suitable bedside reading, it almost seems intentionally confusing when Microsoft articulates these new licensing changes. If you read through the Product Terms document, you’ll find 28 instances of the following phrase: “Dedicated Servers that are under the management or control of an entity other than Customer or one of its Affiliates are subject to the Outsourcing Software Management clause.

Let’s go down the rabbit hole a bit. So, what is the Outsourcing Software Management Clause? You’ll find the following definition under the Universal License Terms in the Product Terms document:

Customer may install and use licensed copies of the software on Servers and other devices that are under the day-to-day management and control of Authorized Outsourcers, provided all such Servers and other devices are and remain fully dedicated to Customer’s use. Customer is responsible for all of the obligations under its volume licensing agreement regardless of the physical location of the hardware upon which the software is used. Except as expressly permitted here or elsewhere in these Product Terms, Customer is not permitted to install or use licensed copies of the software on Servers and other devices that are under the management or control of a third party.

We learn two things from the Outsourcing Software Management Clause. First, the hardware must be dedicated to the licensed customer – in other words, no shared servers.  Second, we see that we must use an Authorized Outsourcer to install and use licensed copies of the software.  What’s an Authorized Outsourcer?

Authorized Outsourcer means any third party service provider that is not a Listed Provider and is not using Listed Provider as a Data Center Provider as part of the outsourcing service.

An “Authorized Outsourcer” means any third-party service product that is NOT a Listed Provider, which currently includes Alibaba, Amazon, Google, and – interestingly – Microsoft. It sure would have been a lot easier for Microsoft to say “You can’t remotely host at Alibaba, Amazon, or Google.” Of course, Microsoft offers remote hosting of the Windows operating system through Windows Virtual Desktop (WVD) in Azure.

Believe it or not, there’s an exception to this change governing Microsoft licensing on AWS. If you are a VDA E3 or E5 user, you may remotely access a Windows operating system VDI on any Listed Provider (Alibaba, Amazon, Google, etc.):

4.2.2 Remote Virtualization
Any user of a Licensed Device, or any device used by a Licensed User, may remotely access up to four Virtual OSEs or one Physical OSE of Windows software acquired through a volume licensing agreement on (a) device(s) dedicated to Customer’s use. Dedicated Servers that are under the management or control of an entity other than Customer or one of its Affiliates are subject to the Outsourcing Software Management clause. Notwithstanding anything to the contrary in the Outsourcing Software Management clause, Customer’s VDA E3 and E5 Licensed Users may remotely access Windows software under these Remote Virtualization rights on any Listed Provider’s Servers dedicated to Customer’s use.

The exception is valid for the VDA license only. It’s not valid for the M365 E3 or E5 users, which includes the Windows operating system. Said another way, you could easily find yourself in a situation where you’ve licensed M365 E3 or E5 (Microsoft’s marquee desktop bundle) and still need to purchase a VDA per user license in order to take advantage of DaaS at Amazon. The cost of the VDA license? Approximately $10 per user per month.  While most customers won’t like the additional expense, there is a way to use Microsoft’s competitors for DaaS.

Remote Hosting of Microsoft’s Application Products

Microsoft has largely moved its enterprise clients to the 365 Apps, which are included in O365 and M365.  The Microsoft 365 Apps allow Licensed Users to access Office experiences on PCs, Macs and mobile devices. The Licensed User may activate the software for local or remote use on up to five concurrent operating system environments (OSEs).

Unlike the Windows operating system, customers may choose to deploy the Microsoft 365 Apps on remotely-hosted servers that are dedicated to the customer, or even in shared server environments:

  • Dedicated server scenarios include deploying on the customer’s own servers or using a third party to host a dedicated server. If the customer chooses to use a third party, this is often referred to as “Outsourcing Software Management” and requires the third party to be an Authorized Outsourcer. The hosted environment must be on servers dedicated to the customer. An Authorized Outsourcer is any outsourcer that is not a Listed Provider and not using a Listed Provider as a datacenter provider.

Shared server scenarios include using Microsoft Azure or a third-party service provider that is a Qualified Multitenant Hosting Partner (QMTH). A list of QMTH Partners and additional deployment requirements are available at If the customer chooses to use a QMTH, the QMTH may not be a Listed Provider or be using a Listed Provider as a data center provider.

Sound familiar? Remote hosting with a Listed Provider is not permitted under any scenario. While true that O365 can be used as SaaS with a shared server, it can only be used by a Qualified Multitenant Hosting Partner and not a Listed Provider. Microsoft does offer a 50+ page document of Qualified Multitenant Hosting Partners, yet you won’t find Amazon or Google on that list.

Changes to Microsoft Licensing on AWS Could Have Material Impact on Customer Spend

Microsoft seems determined to move its large enterprise customers to Azure. What happens if you were previously using the Windows OS at Amazon Workspace? Microsoft will tell you that you have the right to continue to do so if you signed your Enterprise Agreement before October 19, 2019.  You’ll need to purchase a VDA Per User license for those users when you renew your agreement, however. If you have 10,000 users, it will cost you an additional $1,092,000 per year for an EA Level C customer. There is no alternative for O365 E3 or M365 E3 users today – other than using a Qualified Multitenant Hosting Partner.

It’s important to be aware of these issues when negotiating your renewal agreements as these changes could have a material impact on spend. Understanding your options (when available) as well as ways you can offset financial impacts across your Microsoft estate through licensing and cost optimization will be instrumental in keeping costs in check and avoiding multi-million-dollar surprises at audit time. If you want a licensing expert on your side of the table as you analyze your  organization’s Microsoft spend, reach out.