Proper license for cloud sandbox service

Marcin Dąbski 1 Reputation point


I have been asked to gain some knowledge about proper licensing for sandbox and use of virtualization - I am not sure if there is a CLEAR way to understand what should I buy. I plant to do something very similar, so I must know this and that.

Given there are cloud sandboxing services such as and and they use virtual machines (VM) to "analyze" files, how is that possible that it is legal in terms of licensing.
From what I have understood, if I were to create 5 VMs with Windows10 Professional, I would need to buy 5x Windows10 Professional Retail licenses. As stated in EULA, one license per one VM. But elsewhere here on this forum I have read that one should buy Windows VDA or Software Assurance or CALs per user etc.
But I think it isn't covered in the license anywhere, for sandboxing like above, there is no users connecting to those VMs. They are just turned on, malware is run and gets shut down. No user connected, no RDP/VNC/remote connection was made. All results of analysis were sent from VM to hypervisor host via API.

If noone is connecting remotely to the VM, and it is only used to execute a file and check the result, can I stick to Windows Retail license? All informations I've found so far is "you need VDA or CALs because someone is connecting remotely" but here noone is accessing the VM itself. I would like some clarifications here, as I know one of above cloud services uses "Retail" licenses and they seem to be OK.

EDIT: For some more clarifications, VMs are completely isolated from any other devices (even from other VMs). All they see is HTTP server running on hypervisor (RedHat KVM) so it's impossible to connect to them via RDP or similar remote access technology. VMs and RedHat as host sit on the same physical machine.


Azure Virtual Desktop
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,247 questions
A Windows technology providing a hypervisor-based virtualization solution enabling customers to consolidate workloads onto a single server.
2,369 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Dale Kudusi 3,246 Reputation points

    The following docs might help:

    Licensing Windows desktop operating system for use with virtual machines

    Licensing the Windows Desktop for VDI Environments

    Best regards.

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Marcin Dąbski 1 Reputation point


    But this doesn't really sum up for me.

    Given the following:
    How do you calculate the number of Windows VDA licenses required?
    Since Windows VDA is based on the number of access devices, the total number of Windows VDA licenses required equals the total number of thin clients and other non-SA devices that will access the VDI environment

    The problem is, there is no "thin clients" or "non-SA devices" because no user will ever use the desktop interface. There is no "remote device" to connect to the desktop, as VMs will be isolated. RDP will NOT be used. Also most of the time, virtual machines will be turned off if they are not analyzing the files.

    One more question: if I am about to install some hypervisor like VMWare ESXi on bare metal server, and want to use Win10 Pro as guest VM which will be only used to perform some computations (noone will connect there with GUI), what license should the Win10 get?

    0 comments No comments

  3. prmanhas-MSFT 17,796 Reputation points Microsoft Employee

    @Marcin Dąbski Apologies for delay in response and all the inconvenience caused because of the issue.

    From a licensing perspective, the use rights for installation and use of the Windows Operating System (OS) if governed by the language within the terms that apply to the software. So in the context of Windows Desktop OS (Retail), you follow the language in the End User License Agreement that is presented during the installation. That can be found here. In terms of Windows Desktop OS acquired through a Volume License Agreement, you follow the language from the Commercial Licensing Terms here (based on agreement type).

    That said, if you want to use a Windows Desktop OS to analyze files without any user interaction, the customer would look to license with the M365 E3 Unattended License (SL). This was specifically created for situations where automated process will require the use of the Windows Desktop OS where no user interaction is present. The license assignment and use rights are documented in the Commercial Licensing Terms which I placed below for your convenience and highlighted the specifics. You will also find the following Licensing Brief helpful: Microsoft 365 Unattended License Overview.

    Commercial Licensing Terms (

    Microsoft 365 - Unattended License
    “Robotic Process Automation”, otherwise known as “RPA” or “bots” means an application, or any set of applications used to capture data and manipulate applications to perform repetitive tasks. Bots operate upon any UI element of Windows 10 within an OSE and/or operates upon any Office application in any OSE.
    “Unattended Bot” – Any bot that does not strictly conform to the definition of “Attended Bot” shall be considered an “Unattended Bot.”
    “Attended Bot” - An Attended Bot assists a person to execute automation on the person’s local and/or remote workstations. It operates concurrently with the person on the same workstation/s to accomplish repetitive tasks and is triggered by explicit actions of that person.
    Assignment and Use Rights
    • Customer may assign a Microsoft 365 A3/E3 - Unattended License to an Unattended bot running on either of the following:
    o Hardware dedicated to Customer’s use (subject to the Outsourcing Software Management Clause).
    o A virtual machine on Azure (including Windows Virtual Desktop on Azure).
    • There is no Qualifying OS requirement for the Microsoft 365 A3/E3 suite.
    • Each Microsoft 365 A3/E3 - Unattended License allows the use of the M365 A3/E3 suite in only a single unique physical or virtual OSE for Robotic Process Automation.

    • Each Microsoft 365 A3/E3 – Unattended License is allowed a single unique instance of Microsoft 365 Apps for enterprise.
    • License reassignment for bots follow the same rules for users and devices as if the bot is a user. (See License Assignment and Reassignment)
    Use Limitation
    • Unattended Bots may not create or replicate activities or workflows on behalf of an unlicensed user or device. (See Multiplexing)
    • Microsoft reserves the right to restrict or disable Microsoft API calls with reasonable notice, due to unreasonable amount of bandwidth, adversely impacting the stability of Microsoft API’s, or adversely affecting the behavior of other apps.

    If you have any further questions on your inquiry, please don’t hesitate to reply to this response and let me know.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

    0 comments No comments