Every authenticated user or device accessing a Windows Server needs a Client Access License. The per unit cost is small. The audit landing is meaningful because the unit count is large, the reconciliation is mechanical, and the under licensing is consistent. CALs are the line where Microsoft auditors find the most reliable settlement dollars in a Windows Server audit because the math is straightforward and the gaps are nearly universal. Reconciling the CAL position is the single highest reward audit defense activity on the Windows Server line.
A Windows Server CAL licenses a user or a device for access to the server. Two flavors exist. Per User CAL follows the named user across any device. Per Device CAL follows the named device across any user. The right answer depends on the access pattern of the population.
Per User CALs follow the named user. One license covers all devices the user accesses servers from. Right answer for knowledge worker populations where the user works from multiple devices. Laptop, phone, tablet, home machine.
Per Device CALs follow the named device. One license covers any user accessing servers from that device. Right answer for shared device populations such as call centers, manufacturing floors, healthcare clinical workstations, and retail stores.
Microsoft sells CALs individually and as bundled CAL Suites. The Suites stack Windows Server CAL with the access licenses for Exchange, SharePoint, Skype for Business or Teams Server, and Configuration Manager. The Suite economics work where the buyer holds entitlements to all components and not where the buyer only needs the Windows Server CAL.
The single Windows Server CAL covers the user or device for Windows Server access only. Right answer where the buyer does not need Exchange, SharePoint, or Configuration Manager access in the same population.
The Core CAL Suite bundles Windows Server CAL with Exchange Standard CAL, SharePoint Standard CAL, Skype for Business Server Standard CAL, and Configuration Manager CAL. Economics work for on prem Microsoft server estates.
The Enterprise CAL Suite extends the Core CAL Suite with the Enterprise CAL components. Higher tier Exchange CAL, SharePoint Enterprise CAL, Skype for Business Enterprise CAL, Defender for Identity, and several add ons.
CAL audit findings cluster around a few patterns. Contractors not counted. Machine identities accessing servers without coverage. RDS CALs missed entirely. Per Device CALs over counted because idle equipment was included. The fix is procedural rather than commercial.
The most reliable CAL audit finding. Active Directory user counts exceed the CAL footprint because contractor populations, service accounts, machine identities, and external partner accounts were not counted in the original CAL purchase. The audit reconciliation surfaces the gap.
The fix is procedural. Onboarding workflows should trigger CAL acquisition for net new authenticating identities. The reconciliation at audit defense time aggregates the missing population and acquires the CAL position before Microsoft does. The audit landing is preventable.
Remote Desktop Services access requires an RDS CAL on top of the base Windows Server CAL. Citrix, VMware Horizon, and any thin client estate accessing Windows session hosts need RDS CALs for the underlying RDS protocol. Most enterprises license the Citrix or Horizon estate and miss the underlying RDS CAL entirely.
The audit landing on missed RDS CALs is consistently meaningful. Per user RDS CALs across a thin client population compound quickly. The defense is to surface the gap in pre audit reconciliation and acquire the position before Microsoft does or before the audit lands.
The CAL line is rarely the headline negotiation but it is consistently the cleanest recovery on a Windows Server engagement. The renewal moment is the right time to right size the CAL footprint, choose between per user and per device intentionally, and reconcile the Suite stack against what the estate actually consumes.
Renewal is the moment to reconcile the CAL footprint to actual user and device counts. Active Directory data, Intune device inventory, and the access logs provide a defensible baseline. The buyer who shows up with this baseline produces a meaningfully cleaner CAL line and a meaningfully smaller audit exposure together.
The CAL line is part of the broader EA renewal envelope. The right size moves the renewal number without changing capability.
Estates that migrated workloads to M365 may still hold Core CAL Suite or Enterprise CAL Suite for capability they no longer use. The Suite components covering Exchange, SharePoint, and Configuration Manager get displaced by M365 attach over time. The renewal moment is the right time to step out of the Suite into single CALs where the components are no longer needed.
Contract drafting protects the CAL position. Capped uplift on CAL pricing. Pre approved population expansion at contracted rates. The right to step out of Suites mid contract where component capability is displaced. The buyer keeps optionality and the CAL line tracks the actual estate rather than the historical estate.
The CAL engagement is a population reconciliation, a per user versus per device decision per population, a Suite stack review, and an RDS CAL inventory. The output is a CAL footprint that defends the audit and prices to consumption.
We pull Active Directory user counts, contractor identity counts, service account inventory, and authenticating machine identity counts. The output is an honest user and device population that the CAL footprint should cover. The reconciliation surfaces the gap, the over count, and the populations the buyer was not aware needed CAL coverage.
The same reconciliation produces the population recommendation. Per User CALs for the knowledge worker and roaming populations. Per Device CALs for the shift work and shared device populations. External Connector where it makes economic sense. The mix produces a meaningfully cheaper position than uniform per user CAL allocation.
We inventory the RDS access pattern across the estate. Session host populations, thin client deployments, Citrix and VMware Horizon estates needing RDS CALs underneath. The output is a defensible RDS CAL footprint that closes the audit gap most enterprises carry.
The Suite stack review identifies CAL Suites that should be stepped out of where M365 has displaced the bundled components. The renewal lands with the CAL position right sized, the Suite stack rationalized, and a contract that protects the resulting position through the term. The audit baseline is clean.
The CAL diagnostic surfaces contractor and machine identity drift, missed RDS CAL coverage, over counted Per Device CAL footprints, and CAL Suites that should be stepped out of. The result is a clean audit baseline and a meaningfully smaller CAL line into the next renewal.