Windows Server Client Access Licences are mandatory and frequently mismanaged. Every user or device that accesses Windows Server functionality — directly or through an application — requires a CAL in addition to the server licence. This is not optional, not waivable, and not satisfied by the server licence alone. Despite being a straightforward licensing requirement in principle, CAL management is the third most common source of Windows Server audit findings after virtualisation coverage gaps and edition misapplication.
The two primary sources of CAL waste are: defaulting to User CALs for all workforce segments without calculating the Device CAL alternative (a 35–55% overspend error in device-centric industries), and purchasing CALs based on total headcount rather than actual server access population (systematically over-licensing in organisations where only a subset of employees access Windows Server services). This guide covers the User CAL vs Device CAL decision framework, the External Connector economics, the indirect access obligation, and the CAL governance approach that prevents both overspend and audit exposure.
For the complete Windows Server licensing overview, see the Windows Server Licensing Complete Guide. For Remote Desktop Services CAL requirements, see the RDS Licensing Guide.
CAL Fundamentals
A Windows Server Client Access Licence authorises a single user or a single device to access Windows Server services. The CAL must be assigned before access occurs — it is not a concurrent access licence (where you only need as many licences as simultaneous users) or a named-user model where licences are revoked and re-issued. It is an assignment-based licence: the user or device must hold an assigned CAL, and that assignment consumes the licence for the duration of the assignment period.
Windows Server CALs are version-specific in one direction: a Windows Server 2022 CAL covers access to Windows Server 2022 and all previous versions. A Windows Server 2019 CAL does not cover access to Windows Server 2022. This means organisations running a mixed Windows Server estate must base their CAL version on the highest version deployed, not the version most commonly accessed. Organisations that continued purchasing 2019 CALs after deploying 2022 servers are under-licensed for their 2022 instances.
User CAL: Definition and Application
A User CAL authorises a single named user to access Windows Server services from any number of devices. The user can access from their work desktop, laptop, home computer, mobile device, and any other device simultaneously or sequentially — all covered by one User CAL. User CALs are assigned to specific individuals (named users) and cannot be transferred between users except under documented departure and replacement scenarios.
User CALs are the correct choice when:
- Users access Windows Server services from multiple devices (office desktop, laptop, mobile)
- Device count is low relative to user count (fewer devices than users)
- The organisation operates in office-centric work patterns with individual device ownership
- Remote access via VPN or Remote Desktop is common (each remote access counts as a user, not a device)
Device CAL: Definition and Application
A Device CAL authorises a single device to access Windows Server services by any number of users. Multiple users sharing a single licensed device are all covered by the one Device CAL assigned to that device. Device CALs are assigned to specific hardware and are appropriate wherever multiple users share workstations.
Device CALs are the correct choice when:
- Multiple users share a single device (shift workers at a shared workstation, nurses at a shared terminal, retail staff at a shared till system)
- Device count is significantly lower than the user population that accesses Windows Server
- The access pattern is shift-based (3 shifts × 3 users per device = 9 users covered by 1 Device CAL)
- Kiosk devices with multiple anonymous users accessing defined services
User CAL vs Device CAL Break-Even
The break-even calculation is straightforward: if the number of devices accessing Windows Server is lower than the number of users who access it, Device CALs are cheaper. The ratio threshold depends on your access patterns — specifically, how many users share each device.
| Scenario | Users | Devices | User CAL Cost (est.) | Device CAL Cost (est.) | Cheaper Option |
|---|---|---|---|---|---|
| Office workers, 1 device each | 500 | 500 | £29,000 | £29,000 | Equal |
| Office workers, avg 1.5 devices each | 500 | 750 | £29,000 | £43,500 | User CAL |
| Manufacturing, 3 shifts × shared devices | 900 | 300 | £52,200 | £17,400 | Device CAL (70% saving) |
| Healthcare, shared nursing stations | 4,200 | 800 | £243,600 | £46,400 | Device CAL (81% saving) |
| Retail, shared POS terminals | 1,600 | 200 | £92,800 | £11,600 | Device CAL (87% saving) |
| Mixed office + factory floor | 1,200 (600 office + 600 factory) | 800 (600 + 200) | £69,600 | £46,400 | Device CAL (33% saving) |
Note: CAL pricing used above is approximate at £58 per User CAL and £58 per Device CAL (pricing is typically equal per unit). The saving comes entirely from counting devices vs counting users — not from a price difference between the two types.
The mixed scenario in the final row illustrates the most common enterprise pattern: office workers who use multiple devices push toward User CALs, but factory floor or healthcare staff sharing devices push strongly toward Device CALs. The optimal strategy is a mixed CAL position — User CALs for office workers with multiple devices, Device CALs for shared-device workers — which requires more careful governance but consistently produces lower total CAL spend than a single-type approach.
External Connector Licensing
The External Connector licence provides an alternative to per-user or per-device CALs for external users — individuals outside your organisation who access Windows Server services. A single External Connector licence assigned to a specific server covers unlimited external user access to that server, from any device, by any number of people not employed by or contracted to your organisation.
External Connector licences are typically priced in the range of £3,500–£5,500 per server depending on Windows Server version, EA discount band, and whether SA is included. At £58 per User CAL, the break-even is approximately 60–95 external users per server. For any server that more than 100 external users access, the External Connector is almost certainly cheaper than per-user CALs.
| External Users per Server | User CAL Cost (est. at £58) | External Connector Cost (est.) | Cheaper Option |
|---|---|---|---|
| 50 | £2,900 | £4,500 | User CALs |
| 100 | £5,800 | £4,500 | External Connector |
| 500 | £29,000 | £4,500 | External Connector (84% saving) |
| 2,000 | £116,000 | £4,500 | External Connector (96% saving) |
| Unlimited | Unlimited | £4,500 (fixed) | External Connector |
The External Connector is most valuable for customer-facing portals, partner integration platforms, and supplier access systems where the external user count is large and variable. Organisations with seasonal or fluctuating external access — e-commerce peaks, temporary contractor pools, event registration systems — benefit disproportionately from the External Connector's fixed cost, which does not scale with access volume.
The Indirect Access Obligation
One of the most contested CAL areas is indirect access: the obligation to licence users who access Windows Server functionality through a middle-tier application or service, even if they never directly connect to the Windows Server itself.
If a user accesses a web application that retrieves data from a Windows Server backend, that user may require a Windows Server CAL depending on whether the application interacts with Windows Server-specific services (Active Directory authentication, file services, print services) or uses general web protocols that happen to run on a Windows Server host. The distinction is not always clear, and Microsoft's own documentation on indirect access has evolved over successive licensing versions.
The practical guidance from our advisory practice: if the middle-tier application authenticates users against Active Directory, reads from Windows file shares, or calls Windows-specific services, the users accessing through that application require CALs. If the application functions as a completely abstracted web service where the underlying server OS is incidental, the indirect access obligation is more defensible as not applicable. When in doubt, document your position with legal review before an audit — the indirect access obligation is the most frequently disputed CAL finding in formal Microsoft audits.
CAL Governance Framework
Effective CAL governance prevents both overspend (purchasing CALs for non-accessing users) and audit exposure (failing to licence actual accessing users). The minimum governance framework:
- Build an access map. For each Windows Server instance, document who (or which devices) accesses it, how frequently, and through what mechanism (direct connection, application, Remote Desktop). This access map is the foundation of both the CAL type decision and the CAL count calculation.
- Segment the access population by device pattern. Separate users who access from multiple personal devices (User CAL candidates) from users who share organisational devices (Device CAL candidates). The mixed CAL approach delivers the lowest total CAL cost for most large organisations.
- Identify external user populations. For each server with external access, count the active external user population over a 12-month period. Compare External Connector cost against User CAL cost at that population. Apply External Connector where it is cheaper.
- Audit the CAL count quarterly against actual user changes. Joiners require CAL assignment within 90 days. Leavers can have CALs reclaimed after departure (User CALs can be reassigned after a defined reassignment period — typically 90 days). Device CALs can be reassigned when a device is retired or repurposed.
- Document the indirect access position. For any application that accesses Windows Server services on behalf of users, document whether indirect access CAL obligations apply and the basis for that conclusion. This documentation is your first defence in any CAL dispute.
CAL over-purchasing — buying User CALs for entire headcount without considering the Device CAL alternative — is the most common CAL waste pattern we identify in enterprise licensing reviews. It is also the easiest to fix: Device CAL substitution requires no infrastructure change, no system modification, and no Microsoft approval. It requires only a change to the EA order form at renewal or an amendment during the term.
RDS CALs: A Separate Requirement
Remote Desktop Services (RDS) has its own CAL requirement that operates in addition to, not instead of, the Windows Server CAL. If users access Windows Server through RDS — Remote Desktop Protocol, RemoteApp, Remote Desktop Session Host — they require both a Windows Server CAL and an RDS CAL. Organisations that have Windows Server CALs but not RDS CALs for users accessing via Remote Desktop are under-licensed for the RDS component. The RDS Licensing Guide covers the RDS CAL requirements, Device vs User RDS CAL economics, and the RDS Per Device vs Per User mode interaction with the Windows Server CAL.