Ask any IT asset manager to show you the Windows Server licensing inventory, and they will produce a list of core licences assigned to physical servers. Ask them to show you the Client Access Licence inventory, and you will get a pause, a spreadsheet that has not been updated since the last EA renewal, and a number that bears only a passing resemblance to the actual user or device count. Client Access Licences are the forgotten half of Windows Server licensing. They generate fewer headlines than core licensing or virtualisation compliance, but they generate audit findings with the same financial consequences. Every user who authenticates against Active Directory, accesses a file share, connects to a print server, queries a DNS server, or receives a Group Policy update requires a Windows Server CAL — and that is before considering the separate RDS CALs for Remote Desktop Services, the separate SQL Server CALs for database access, or the External Connector licences for customer-facing applications. This guide explains every dimension of Windows Server CAL licensing: the types, the versioning rules, the multiplexing trap, the cost modelling framework for choosing between User and Device CALs, and the audit scenarios that catch enterprises year after year.
A Windows Server Client Access Licence is a legal entitlement — not a piece of software, not a key, not a token, and not something that is installed or enforced technically. It is a licence that grants a specific user or device the legal right to access services provided by a Windows Server operating system. Without a CAL, the access is unlicensed, regardless of whether it works technically.
This distinction matters enormously. Windows Server does not check for CALs before allowing a connection. Active Directory does not verify CAL assignments before authenticating a user. File shares do not refuse access to unlicensed devices. DNS does not check CAL entitlements before resolving a query. Everything works perfectly without CALs — right up until the moment Microsoft audits and asks for proof that every user or device accessing Windows Server services has a corresponding CAL entitlement.
What a CAL grants: The right for a user or device to access any number of Windows Server instances within the organisation. A single User CAL allows that user to access every Windows Server in the enterprise — the domain controller, the file server, the print server, the application server, every server running Windows Server. A single Device CAL does the same for a specific device. The CAL is not per-server; it is per-user or per-device across the entire Windows Server estate.
What a CAL does NOT grant: The right to run Windows Server on hardware (that requires core licences). The right to access Remote Desktop Services (that requires separate RDS CALs). The right to access SQL Server databases (that requires separate SQL Server CALs or core licences). The right to access Exchange Server, SharePoint Server, or other Microsoft server applications (each requires its own application-specific CALs). Windows Server CALs cover only the Windows Server operating system services.
A Windows Server User CAL is assigned to a specific named person and allows that person to access Windows Server services from any number of devices. The employee can connect from a desktop in the office, a laptop at home, a tablet on the train, and a phone in a coffee shop — one User CAL covers all of them.
User CALs are optimal when users access Windows Server from multiple devices, which is the default reality in most modern enterprises. An employee with a desktop, a laptop, a phone, and a tablet would require four Device CALs but only one User CAL. In any environment where the number of users is less than the total number of devices accessing Windows Server, User CALs are cheaper.
Typical User CAL scenarios: Knowledge workers with multiple corporate devices. Remote and hybrid workers connecting from home devices and office devices. Executives and managers who access corporate resources from laptops, phones, and tablets. Sales teams using CRM applications from multiple devices in the field. Any workforce where the average employee accesses Windows Server from more than 1.5 devices.
User CALs must be assigned to specific named users, even though there is no technical enforcement mechanism. The practical approach: maintain a User CAL registry that maps CALs to Active Directory user accounts. The total number of User CALs purchased must be equal to or greater than the total number of unique users who access Windows Server services. In most enterprises, this means every employee with an Active Directory account needs a User CAL — because virtually every authenticated user interacts with Windows Server through authentication, Group Policy, file shares, DNS, or other infrastructure services.
A Windows Server Device CAL is assigned to a specific device (a desktop, laptop, kiosk, thin client, or other endpoint) and allows any number of users to access Windows Server services from that device. Ten shift workers sharing a single factory-floor terminal need one Device CAL for the terminal, not ten User CALs for the workers.
Device CALs are optimal when multiple users share a single device, which is common in specific industries and work environments. In any scenario where the number of shared devices is less than the number of people who use them, Device CALs are cheaper.
Typical Device CAL scenarios: Call centres where three shifts of agents share the same workstations (30 desktops used by 90 agents = 30 Device CALs vs 90 User CALs). Hospital nursing stations where multiple nurses share a terminal during rounds. Retail point-of-sale terminals used by rotating staff. Factory floor kiosks accessed by production workers across shifts. Library or training room computers used by different people throughout the day. Hotel business centre computers accessed by guests.
Device CALs must be assigned to specific devices. The practical approach: maintain a Device CAL registry that maps CALs to hardware asset IDs or device names. The total number of Device CALs purchased must equal or exceed the total number of unique devices that access Windows Server services. This is typically easier to count than users because devices are physical, inventoried objects — but it requires that the asset management system accurately tracks every device that connects to the network and accesses server services.
The User CAL vs Device CAL decision is a mathematical optimisation, not a policy preference. The right answer depends on the ratio of users to devices in your specific environment.
Windows Server User CALs and Device CALs are priced identically at list price (approximately $44 per CAL at 2026 list pricing, though EA pricing is significantly lower). The cost difference comes entirely from the quantity needed:
Scenario A — User CALs win: An enterprise has 5,000 employees who each use 2 devices (a laptop and a phone). User CALs: 5,000 needed. Device CALs: 10,000 needed. User CALs save 50%.
Scenario B — Device CALs win: A call centre has 200 workstations shared by 600 agents across 3 shifts. Device CALs: 200 needed. User CALs: 600 needed. Device CALs save 67%.
Scenario C — Mixed model wins: An enterprise has 4,000 knowledge workers (each with 2 devices) and 500 shared workstations used by 1,500 shift workers. Pure User CALs: 5,500 needed (4,000 + 1,500). Pure Device CALs: 8,500 needed (8,000 + 500). Mixed model: 4,000 User CALs for knowledge workers + 500 Device CALs for shared workstations = 4,500 total licences. The mixed model saves 18% vs User CALs alone and 47% vs Device CALs alone.
Microsoft permits mixing User CALs and Device CALs within the same organisation. This is the optimal approach for most enterprises because the workforce is not homogeneous: some employees have multiple devices (User CALs are cheaper), and some devices are shared by multiple people (Device CALs are cheaper). The calculation should be performed segment by segment:
Step 1: Identify every user who accesses Windows Server services from more than one device. These users are User CAL candidates. Count them.
Step 2: Identify every shared device (used by more than one person). These devices are Device CAL candidates. Count them.
Step 3: For each segment, calculate the cost under User CALs and Device CALs. Choose the cheaper option for each segment.
Step 4: Verify that no user or device falls through the gap. A user counted under User CALs does not need Device CALs for their devices. A device counted under Device CALs covers all users of that device, so those users do not need User CALs for access from that specific device — but if those users also access Windows Server from personal devices or other non-CAL’d devices, they need User CALs for those access paths.
This mixed-model optimisation typically saves 15–25% compared to a single-type approach. It requires more administrative effort to track two CAL types, but the cost savings justify the governance investment for any enterprise with more than 500 users.
Windows Server CALs are version-specific, and the CAL version must be equal to or greater than the Windows Server version being accessed. A Windows Server 2022 CAL grants access to Windows Server 2022 and all earlier versions. A Windows Server 2019 CAL grants access to Windows Server 2019 and earlier — but does NOT grant access to Windows Server 2022.
The upgrade trap: When an enterprise upgrades Windows Server from 2019 to 2022 (or from 2022 to 2025), every CAL must also be upgraded to the corresponding version. If the enterprise has Software Assurance on its CALs, the version upgrade is automatic and included. If the enterprise does not have SA on its CALs, new CALs at the current version must be purchased.
The mixed-version environment: Most enterprises run multiple Windows Server versions simultaneously (some servers on 2019, others on 2022, newer deployments on 2025). Users who access servers running different versions need a CAL that matches the highest version they access. If a user accesses both a Windows Server 2019 file share and a Windows Server 2022 domain controller, they need a 2022 CAL (or newer). In practice, this means the CAL version should match the newest Windows Server version deployed anywhere in the environment, because virtually every user interacts with the domain controller, which is typically one of the first servers upgraded to the latest version.
SA on CALs: Software Assurance on Windows Server CALs provides automatic version upgrade rights. When the enterprise deploys a newer Windows Server version, SA-covered CALs automatically become valid for the new version. Given that CAL version upgrades are required whenever server versions are upgraded, SA on CALs is usually a sound investment for organisations that upgrade Windows Server regularly (every 3–5 years). The SA cost (~25% of CAL price per year) is typically less than purchasing new CALs at each upgrade. See Software Assurance benefits for server licensing.
Standard User and Device CALs work for internal users — employees, contractors, and named individuals whose access can be counted and tracked. But what about external users: customers visiting a web portal, partners accessing an extranet, members of the public using an internet-facing application? These users also access Windows Server services, and they also require licensing.
Microsoft offers two options for external access:
Option 1 — Individual CALs: Purchase a User CAL or Device CAL for every external user or device. This is practical when the external user count is small and known (a partner portal with 50 regular partner users), but impractical when the count is large or unknown (a customer-facing web application with thousands or millions of visitors).
Option 2 — External Connector licence: Purchase one External Connector licence per Windows Server instance that external users access. The External Connector provides unlimited external access to that specific server. If external users access three Windows Server instances (a web server, an application server, and a database server), three External Connector licences are needed.
Pricing: The External Connector licence is priced at a significant premium over individual CALs — approximately the same as the core licence set for the server. For a 16-core Standard server, the External Connector costs roughly the same as the Standard licence itself. This is still dramatically cheaper than purchasing individual CALs for thousands of external users.
The compliance gap: External Connector licences are among the most frequently overlooked licensing requirements in enterprise environments. Any customer-facing application hosted on Windows Server — a web portal, a customer service platform, an API endpoint, a partner extranet — requires either individual CALs for every external user or External Connector licences for every Windows Server instance in the application architecture. Enterprises that deploy customer-facing workloads on Windows Server without External Connectors have an audit exposure that is trivially easy for Microsoft to identify and quantify.
If users access Windows Server through Remote Desktop Services (formerly Terminal Services), they need RDS CALs in addition to Windows Server CALs. An RDS CAL is a separate per-user or per-device licence that grants the right to establish a remote desktop session or access a RemoteApp published through the RDS Session Host role.
Any time a user establishes an interactive session on a Windows Server via the Remote Desktop Protocol (RDP) to an RDS Session Host. This includes direct RDP connections to terminal servers, Citrix Virtual Apps environments that use RDS session hosts as the underlying delivery mechanism (the vast majority of Citrix deployments), VMware Horizon session-based desktops on Windows Server, and RemoteApp published applications delivered through RDS.
When RDS CALs are NOT required: Remote administration of servers using RDP to the server’s console session (Windows Server includes 2 administrative RDP connections that do not require RDS CALs). Azure Virtual Desktop sessions (AVD does not require RDS CALs — this is a deliberate Microsoft incentive for AVD adoption). Access to Windows Server services over the network without an interactive desktop session (file shares, print services, Active Directory, DNS, web services — these require only Windows Server CALs, not RDS CALs). For the complete AVD licensing analysis, see the remote and hybrid work licensing guide.
RDS CALs follow the same User CAL vs Device CAL model and the same versioning rules as Windows Server CALs. RDS User CALs are assigned to specific users. RDS Device CALs are assigned to specific devices. The RDS CAL version must match or exceed the Windows Server version running the RDS role. SA on RDS CALs provides automatic version upgrades.
The same cost modelling framework applies: calculate the cost under User and Device models and choose the optimal type per user segment. Remote workers who connect from multiple personal devices should have RDS User CALs. Shared terminals in a call centre that multiple agents use for RDS sessions should have RDS Device CALs.
When the RDS role is installed without a licence server configured, Windows Server grants a 120-day grace period during which RDS connections are allowed without CAL enforcement. After 120 days, the server begins denying connections — but only if the licence server is present and reports insufficient CALs. If no licence server is configured at all, some environments continue to allow connections indefinitely (depending on the configuration), logging warnings that administrators rarely monitor.
This grace period creates a false sense of compliance. The enterprise deploys RDS, users connect, everything works, and the assumption is that licensing is handled. Months or years later, a Microsoft audit compares RDS connection logs against RDS CAL purchases and identifies the gap. The remediation is RDS CALs at list price for the peak concurrent or total unique user/device count during the audit period. See common Microsoft audit findings.
Multiplexing is the use of hardware or software that pools connections, reroutes information, or reduces the number of users or devices that directly access Windows Server. Common multiplexing technologies include web servers, load balancers, connection pooling middleware, and application servers that sit between end users and Windows Server back-end systems.
Microsoft’s position: Multiplexing does not reduce the number of CALs required. Every end user or device that ultimately accesses Windows Server services — whether directly or through a multiplexing layer — requires a CAL. If 10,000 web users access a website that runs on IIS (Windows Server), and IIS uses connection pooling to connect to a Windows Server-based SQL Server back end through 50 pooled connections, the enterprise needs licences for the 10,000 end users, not the 50 pooled connections.
Why this matters: Many enterprise architectures place middleware between users and servers specifically to reduce the connection count. From a licensing perspective, Microsoft looks through the middleware layer to the actual user or device count. A web application with 50,000 monthly active users running on a Windows Server + SQL Server back end requires CAL coverage (or External Connector licences) for those 50,000 users, regardless of how the application architecture pools or manages the connections.
The practical impact: For internal users, the multiplexing rule means the CAL count should reflect the total user population that accesses server services, not the concurrent connection count. For external users, it means External Connector licences are almost always the right choice for customer-facing applications, because counting the actual external user population is both impractical and invariably leads to a higher CAL cost than the fixed External Connector price.
The shift to cloud and hybrid architectures creates new CAL licensing questions.
Windows Server VMs running in Azure under a pay-as-you-go or Reserved Instance model include the Windows Server licence in the Azure VM price. Users accessing those Azure-hosted Windows Server instances do not need separate Windows Server CALs — the CAL requirement is satisfied by the Azure consumption model. However, if the enterprise uses Azure Hybrid Benefit (bringing existing on-premise licences to Azure), the CAL situation depends on the access pattern. Internal users accessing Azure-hosted servers may still need CALs if the access is to on-premise-style services (Active Directory, file shares) replicated or extended to Azure, though Microsoft’s guidance on this is evolving and should be verified for your specific architecture.
RDS CALs for Azure-hosted RDS deployments follow different rules depending on the delivery method. Azure Virtual Desktop does not require RDS CALs. Traditional RDS running on a Windows Server VM in Azure does require RDS CALs. This distinction is one of the primary licensing incentives for migrating from traditional RDS to AVD. See the CIO playbook for remote work and VDI.
Enterprises running Windows Server both on-premise and in Azure need to map CAL requirements for each environment separately. On-premise Windows Server instances require CALs for all users and devices that access them. Azure-hosted instances under standard Azure pricing include the CAL coverage in the VM cost. The hybrid complexity arises when users access both environments: the same user authenticating against an on-premise domain controller and accessing an Azure-hosted application needs a Windows Server CAL for the on-premise access (the Azure access is covered by the Azure pricing model).
Windows Server workloads hosted by third-party providers (AWS, GCP, co-location facilities) have specific CAL implications. If the enterprise is providing its own Windows Server licences (BYOL on dedicated hosts), CALs follow the same rules as on-premise: every user and device accessing the hosted servers needs CALs. If the hosting provider is supplying Windows Server licences under SPLA (Services Provider License Agreement), the CAL responsibility typically falls on the hosting provider and is included in their service pricing — but this should be verified in the hosting contract. See Windows Server hybrid cloud licensing.
CAL compliance is a standard component of every Microsoft licence audit. The audit team compares the enterprise’s purchased CAL count against the actual user or device population that accesses Windows Server.
Active Directory user count: The simplest audit methodology. Microsoft counts the number of enabled user accounts in Active Directory and compares against the number of User CALs purchased. Every enabled account that has authenticated in the audit period requires a CAL. Dormant accounts, service accounts, and test accounts that have not authenticated may be excluded, but the enterprise must demonstrate that these accounts are genuinely inactive.
Device inventory: For Device CALs, the audit compares the number of devices that have connected to Windows Server services against the Device CAL count. Configuration Manager (SCCM/MECM), Intune, and network access logs provide the device inventory.
Version compliance: The audit verifies that the CAL version matches or exceeds the Windows Server version. An enterprise with Windows Server 2022 deployments and Windows Server 2019 CALs (without SA) has a version compliance gap that requires either purchasing new 2022 CALs or applying SA retroactively.
RDS CAL gap: The audit identifies servers running the RDS Session Host role and compares RDS connection data against RDS CAL purchases. This is the most common CAL audit finding because RDS connections work without CAL enforcement, creating a gap that is invisible to IT but immediately visible to auditors.
External access without External Connectors: The audit identifies customer-facing or partner-facing Windows Server instances that lack External Connector licences. Web server logs, load balancer data, and application architecture documentation reveal the external access patterns.
Pull your Active Directory user count and your device inventory (from Intune, SCCM, or asset management tools). Calculate the ratio. If the average user accesses from more than 1 device, User CALs are cheaper for that segment. If devices are shared by more than 1 user, Device CALs are cheaper for those devices. Model both scenarios for each segment and choose the optimal CAL type. Expect 15–25% savings from a mixed-model approach compared to a single-type default.
Disabled accounts, orphaned accounts, service accounts that do not require interactive access, and accounts for terminated employees inflate the user count and therefore the User CAL requirement. Run an AD cleanup before each true-up and before each audit response. Every account removed from the “active users” count is one fewer User CAL needed. In enterprises with more than 5,000 users, the AD cleanup typically identifies 5–15% more accounts than the actual employee population.
Identify every Windows Server instance that serves external users: web servers, application servers, API gateways, partner portals, customer-facing databases. For each, determine whether External Connector licences are in place. If not, calculate the cost: External Connector licences for identified servers vs individual CALs for the estimated external user count. External Connectors are almost always cheaper for applications with more than 100 external users.
If your environment includes RDS session hosts, Citrix environments using RDS, or VMware Horizon session desktops on Windows Server, count the users or devices that connect via RDS. Compare against purchased RDS CALs. If there is a gap, remediate before the next audit by purchasing the required RDS CALs. If you are considering migrating from traditional RDS to Azure Virtual Desktop, factor in the RDS CAL savings (AVD eliminates the RDS CAL requirement) as part of the migration business case.
Evaluate whether SA on CALs is more cost-effective than purchasing new CALs at each Windows Server version upgrade. If the enterprise upgrades Windows Server every 3–5 years, the cumulative SA cost is typically less than the cost of purchasing new CALs at each upgrade cycle. If the enterprise runs a single Windows Server version for 7–10 years with no plans to upgrade, SA may not be justified.
CALs purchased through the Enterprise Agreement or Server and Cloud Enrollment benefit from volume pricing that is significantly better than list price. For enterprises with large CAL counts (5,000+), the EA discount on CALs alone can represent substantial savings. Ensure that CAL requirements are included in the EA negotiation scope alongside core licences, M365 subscriptions, and Azure commitments. See EA negotiation strategies.
Microsoft 365 E3 and E5 include Windows Server CAL rights as part of the subscription. An enterprise where every employee already has M365 E3 may not need to purchase separate Windows Server User CALs for those employees. Verify this with your Microsoft licensing documentation, as the specific CAL entitlements included in M365 plans can change between product terms. This is particularly relevant for organisations considering the transition from standalone on-premise CALs to an M365-based model. See M365 E3 vs E5 vs F3 and Microsoft Licensing for Beginners.
“CALs are the licensing requirement that generates the most eye-rolls and the most audit findings. They are not glamorous. They are not technically complex. They are simple: every user or device that touches Windows Server needs a licence. The enterprises that manage CALs well automate the count, reconcile it quarterly, choose the right CAL type per segment, and include CALs in the EA negotiation. The enterprises that manage CALs badly buy a round number of CALs at EA inception, never update the count, and discover the gap at audit when Microsoft compares Active Directory against the purchase order. The remediation is always more expensive than the prevention.” — Fredrik Filipsson, Co-Founder, Redress Compliance
Yes. Windows Server core licences grant the right to run the operating system on hardware. Client Access Licences grant the right for users or devices to access the services provided by that server. Both are required. A server with core licences but no CALs for its users is not fully licensed, and the CAL gap is a standard audit finding.
Yes. Microsoft permits mixing User and Device CALs within the same environment. This is the optimal approach for most enterprises: User CALs for knowledge workers who access from multiple devices, Device CALs for shared workstations used by multiple people. The mixed model typically saves 15–25% compared to using a single CAL type for the entire organisation.
An External Connector licence provides unlimited access to a specific Windows Server instance for external users (customers, partners, members of the public). One External Connector licence is required per Windows Server instance accessed by external users. It replaces the need to purchase individual CALs for each external user, which is impractical when the external user count is large or unknown. It is required for any customer-facing application hosted on Windows Server.
No. Azure Virtual Desktop does not require RDS CALs. The Windows access rights for AVD are included in qualifying Microsoft 365 licences (E3, E5, F3, Business Premium) or Windows Enterprise E3/E5 per-user subscriptions. This is a deliberate Microsoft incentive to drive AVD adoption over traditional RDS deployments, which do require RDS CALs.
No. CALs are version-specific and must match or exceed the Windows Server version being accessed. Windows Server 2019 CALs do not grant access to Windows Server 2022. You need either Windows Server 2022 CALs or Windows Server 2019 CALs with active Software Assurance (which provides automatic version upgrade rights). If you are upgrading any server in your environment to a newer version, verify that your CAL version covers it.
Microsoft 365 E3 and E5 include Windows Server CAL entitlements as part of the subscription. This means employees with M365 E3 or E5 licences may not need separate Windows Server User CALs. However, this entitlement should be verified against the current Microsoft Product Terms, as the specific inclusions can change between product terms updates. This does not cover RDS CALs, which remain a separate requirement.
Redress Compliance provides independent Windows Server licence assessments covering core licences, CAL type optimisation, RDS CAL compliance, External Connector gap analysis, and audit readiness. We help enterprises right-size their CAL portfolio, prevent audit exposure, and negotiate optimal CAL pricing within the EA.