Do’s and Don’ts of RDS Licensing

Under-licensing RDS can lead to costly audits. We discuss real cases you don't want to find yourself in, and tools to automate accurate RDS tracking and reporting.

Remote Desktop Services (RDS) Licensing: The Do's and Don'ts

Remote Desktop Services (RDS) is a potential Achilles' heel for service providers. While the basic principles of RDS licensing aren’t exceedingly complex, the details can be tricky—and mistakes are surprisingly common. Besides Windows Server and SQL Server, RDS is one of the most frequently misreported products among service providers and their end customers. This isn’t just an academic concern: licensing missteps can result in substantial legal and financial exposure.

To illustrate the risks, I’ll share a real-world example of a service provider who accidentally under-licensed their RDS environment, explain what went wrong, and lay out the critical do’s and don’ts you need to follow to avoid a similar fate. Whether you’re new to RDS or consider yourself a seasoned licensing pro, these lessons are for you.

An Eye-Opening Example: The Under-Licensed Hosting Company

Let’s consider a scenario I encountered with a small but growing hosting company. This provider offers a “desktops as a service” solution, leveraging Windows Server and RDS hosted in their own data center. With about 300 users logging in each month, everything seemed to be running smoothly—until it wasn’t. Here’s how their process worked (and where it went wrong):

  • Client Reporting: The provider asked each customer to declare the number of users they had each month. The provider would then bill and, crucially, license based on the customer-reported headcount.
  • License Assignment: The billing and licensing were performed using monthly user tallies, rather than actual system access or Active Directory user lists.
  • Tracking: There was no mechanism in place to track all users with access rights. Instead, licensing was determined retroactively based on billing statements.
  • Ongoing Practice: This pattern continued for several years, with no audits or checks disrupting their chosen process.

The cracks began to appear only when the provider received a Microsoft audit notification. When the auditors arrived, they insisted that the company run a script to enumerate every Active Directory user and every system in use across their RDS farm. The audit revealed a major problem: the provider was dramatically underreporting actual users with access to RDS.

What did the audit find?

  • License counts had been based on customer invoices, not on the number of users technically able to access RDS.
  • Many users remained in Active Directory, or were otherwise able to access RDS, even if they hadn’t logged in that month.
  • There were no policies in place to automatically disable or remove inactive users, or to restrict access to only those actively using the service.

The Fallout:

The immediate audit uncovered more than 50 additional users per month who should have been counted—and licensed—but weren’t. This wasn’t just a recent oversight. Microsoft auditors look back over a period of 3 to 5 years. In this specific case:

  • Fifty extra users per month
  • Multiplied by thirty-six months (three years)
  • Resulted in a huge number of unpaid RDS licenses.

Not only did this expose the provider to significant penalties and back-payment obligations to Microsoft, it also created a tangled mess with their own clients. Imagine having to go back to your customers and explain that, thanks to a licensing error, they owe for dozens of extra licenses each and every month for the past several years. It’s not a conversation anyone wants to have.

Key Takeaways: What Should They Have Done?

Learning from the mistakes of others can prevent a lot of headaches down the road. Here are the essential steps the hosting company should have followed. Keep these do’s and don’ts top of mind for your own RDS environment:

1. Don’t License Based on What You Invoice

Licensing isn’t about what you bill your customers or what they report to you; it’s about actual access. Under Microsoft’s licensing terms, you must license each and every user who has the potential to access RDS—even if they rarely use it or didn’t use it in a given month.

2. Do License Every Potential User (Not Just Active Users)

If a user account exists in Active Directory or any system that can authenticate to your RDS environment, that user needs to be licensed. Simply put, if someone can access the system, they must have a license—actual usage isn’t the deciding factor.

3. Don’t Leave Access Unrestricted

When you allow users to remain enabled in your environment or fail to regularly review and disable obsolete accounts, you create both compliance risks and security exposures. Always have solid user access management policies in place.

4. Do Implement Security Policies and Proactive Access Controls

Your IT team should have well-documented procedures for promptly disabling accounts when a user leaves or no longer needs access. Make it part of your regular operations to audit which accounts have RDS access and verify that this matches up with who should have it.

5. Do Leverage Technology for Monitoring and Reporting

Manual license tracking is a recipe for mistakes. Use automated tools such as Octopus to monitor your environment. These tools can help generate accurate monthly reports and ensure no user goes uncounted. Here’s a quick video on Octopus reporting to help you get started.

6. Establish a Software Asset Management (SAM) Practice

Having a mature SAM practice is essential. This means:

  • Keeping a central inventory of all licensed software across your environment
  • Tracking license assignments and entitlements
  • Performing regular self-audits
  • Staying up-to-date with Microsoft’s licensing changes or announcements

With SAM, you make compliance not just an annual event, but an ongoing process.

Why RDS Licensing is Unique—and Frequently Misunderstood

A fundamental reason RDS licensing catches so many providers off guard is that it’s both straightforward and surprisingly stringent:

  • Per-User or Per-Device Licensing: Microsoft allows licensing either by user (User CAL) or by device (Device CAL), but you can’t mix and match for a single deployment.
  • Counting “Potential” Users: Unlike some other products, RDS licensing is based on the possibility of access, not simply usage.
  • No Proration or Partial Months: There’s no allowance for someone who uses the system “just once” or “for half the month.” If the account can access RDS at any time during the month, it needs a license for the full month.
  • Audit Risk: Microsoft increasingly performs both random and targeted licensing audits. Non-compliance is expensive, and fixing mistakes after an audit is far more painful than maintaining compliance up front.
  • Customer Relations: Under-licensing not only exposes you to Microsoft penalties but also means you may be undercharging your customers, skewing your revenue, and costing you money.

A Roadmap for RDS Compliance

Here’s a step-by-step guide to putting effective RDS licensing management in place:

  1. Inventory All Users Regularly
    Schedule a monthly or quarterly review of all user accounts with RDS access rights. Remove or disable unused accounts aggressively.
  2. Enforce Strong Account Management Policies
    Set policies to automatically disable accounts when users no longer need RDS access. Link this process to employee onboarding and offboarding routines.
  3. Automate License Counting and Reporting
    Deploy tools (like Octopus or similar) that can objectively measure and report on actual RDS access and entitlement.
  4. Educate Your Team and Your Customers
    Make sure everyone involved—salespeople, billing staff, IT administrators, and customers—understands the licensing requirements. Transparency avoids misunderstandings and errors.
  5. Budget for True Licensing Needs
    Recognize that fully licensing for actual access levels may cost more, but it avoids the much uglier scenario of retroactive penalties.
  6. Review Microsoft Licensing Guides Frequently
    Microsoft updates its service provider licensing agreements regularly. Stay informed and adapt your processes so you’re always in step with the latest rules.
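The inventory and reconciliation steps above can be sketched as a small script. This is an added example, not part of the original post or of any tool it mentions. It assumes a CSV export of directory accounts with hypothetical columns (`account`, `customer`, `enabled`, `rds_access`, `last_logon`), a 90-day staleness threshold, and that an account counts as able to access RDS when it is enabled and holds RDS logon rights.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export (not real data). Column names are assumptions.
EXPORT = """account,customer,enabled,rds_access,last_logon
alice,acme,true,true,2024-05-28
bob,acme,true,true,2024-01-10
carol,acme,true,true,
dave,acme,false,true,2023-11-02
erin,globex,true,true,2024-05-30
frank,globex,true,false,2024-05-29
"""

# Constructed customer-declared headcounts, as used for billing.
REPORTED = {"acme": 1, "globex": 1}


def reconcile(export_text, reported, as_of, stale_days=90):
    """Compare accounts able to reach RDS with customer-reported headcount."""
    cutoff = as_of - timedelta(days=stale_days)
    result = defaultdict(lambda: {"licensable": 0, "stale": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        # Count every account that CAN log on, whether or not it did.
        if row["enabled"] != "true" or row["rds_access"] != "true":
            continue
        entry = result[row["customer"]]
        entry["licensable"] += 1
        last = row["last_logon"]
        # Never logged on, or not since the cutoff: still counted,
        # and a candidate for disabling under the access policy.
        if not last or date.fromisoformat(last) < cutoff:
            entry["stale"].append(row["account"])
    report = {}
    for customer, entry in result.items():
        declared = reported.get(customer, 0)
        report[customer] = {
            "licensable": entry["licensable"],
            "reported": declared,
            "shortfall": max(entry["licensable"] - declared, 0),
            "stale": sorted(entry["stale"]),
        }
    return report


if __name__ == "__main__":
    for customer, line in sorted(reconcile(EXPORT, REPORTED, date(2024, 6, 1)).items()):
        print(customer, line)
```

In the constructed data, two accounts that never or rarely log on are still counted for the first customer, so the count exceeds the declared headcount; the same two accounts are the ones an access review would disable.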

Conclusion: Don’t Be “That Guy”

While RDS licensing isn’t rocket science, it’s a classic example of how little oversights can snowball into big compliance failures if left unchecked. The example I shared isn’t unique; there are dozens of similar stories out there. The takeaway is simple: always license for potential access, not just active users. Make user tracking and regular compliance checks a non-negotiable part of your operations.

If you cut corners, you’ll eventually get caught—and you’ll likely pay more in penalties, lost reputation, and angry customer conversations than you ever saved in the first place. Audit-proof your RDS environment, charge your customers fairly, and put good processes in place now.

Don’t be the guy who gets dragged into a multi-year audit disaster. Take your licensing seriously, and you’ll sleep better at night.

Thanks for reading,

SPLA Man
