VMware Horizon and EUC Audit Considerations Under Broadcom

Introduction – Why Horizon and Other VMware Products Matter in Audits

Broadcom’s acquisition of VMware has raised the stakes for software license compliance. VMware Horizon (the End-User Computing platform for virtual desktops/apps) and other VMware products like NSX and vSAN are now under heightened scrutiny. Broadcom is known for strict audits and maximizing license revenue.

This means enterprises using Horizon and related VMware technologies must be prepared for more frequent and rigorous compliance checks.

Shortfalls that might have been overlooked before could now trigger costly true-ups or penalties. Read our complete guide to Preparing for VMware License Audits Under Broadcom: Risks, Traps & Defense.

Even though VMware’s Horizon portfolio was spun off to a new company after the acquisition, many organizations still bundle it into their VMware environment and fear audits similar to those conducted by Broadcom.

EUC administrators, CIOs, and IT procurement teams should take proactive steps to defend against audits and ensure compliance.

This guide provides a strategic and practical overview of VMware Horizon audit readiness and overall VMware EUC license compliance in the Broadcom era.

We’ll cover licensing basics, common compliance traps, and concrete steps to stay audit-ready.

Horizon Licensing Explained (Named User vs. Concurrent User)

VMware Horizon licensing is available in two primary flavors: Named User and Concurrent User. Understanding the difference is crucial for compliance:

Named User (Per User) vs. Concurrent User (Per Concurrent Connection):

  • Definition
    Named User: One license per unique named user. Each specific person (AD user account) consuming a Horizon desktop or app requires their own license.
    Concurrent User: One license per simultaneous active connection. Any user can connect, up to the maximum number of concurrent sessions purchased.
  • Use Case
    Named User: Predictable user base where each employee has their own virtual desktop (e.g. steady workforce). Ideal when the same users connect daily.
    Concurrent User: Large or variable user pool (e.g. shift workers, students) where not everyone is on at once. Good for maximizing utilization when users have staggered or infrequent access.
  • Compliance Focus
    Named User: All individuals with access must be licensed. If 500 users are entitled in Active Directory, you need 500 licenses – even if only 300 actively use Horizon. Reassign licenses when people leave. Remove or disable “ghost” accounts to avoid paying for unused users.
    Concurrent User: Monitor peak usage. Ensure the highest number of simultaneous sessions never exceeds your purchased licenses. Keep logs of peak concurrent usage. The software may not hard-stop at the limit, so it’s on you to track and prevent overage.

Key point: In named user models, entitlements drive license needs – not just actual usage. In concurrent models, the peak number of simultaneous sessions drives needs. Select the model that best suits your organization’s work patterns and diligently track usage against it.

If you have 300 named-user licenses but accidentally leave 350 users enabled for Horizon in AD, you’re technically out of compliance.

Likewise, if you bought 200 concurrent licenses and hit 210 active sessions during a surge, you’ve exceeded your entitlement at that moment.

Ensure Active Directory alignment: Horizon ties into AD for user access.

Maintain an AD group or list for Horizon users that aligns with your license count. If using named licenses, keep the group’s membership at or below the number of licenses.

For concurrent use, still limit access if possible, or at least closely monitor usage. A clean mapping of AD users to entitlements will simplify compliance.

For Aria audits, read Navigating a VMware (vRealize/Aria) Suite Audit.

Common Audit Requests & Risks for Horizon

When a VMware (now Broadcom) audit focuses on Horizon, be ready for detailed data requests. Auditors will typically request records that demonstrate the number of users utilizing the system and the frequency of their usage.

Common Horizon audit requests and associated risks include:

  • Active Directory User Listings: Auditors may request a list of all users authorized for Horizon. This could be an AD group export or Horizon’s own user entitlement report. Risk: If you haven’t pruned old accounts, this list may include ex-employees or inactive users (“ghost users”), which can inflate your apparent license needs. Broadcom’s auditors might count every name on the list as requiring a license.
  • Horizon Login/Usage Reports: They often seek Horizon Connection Server logs or administrative reports showing user login activity and peak concurrent connections. Risk: These logs could reveal more unique users or higher concurrent session counts than you’re licensed for. For example, a spike in usage during a work-from-home event might show 110 concurrent users when you only own 100 concurrent licenses.
  • Horizon Manager License Reports: Horizon’s admin console provides license usage information (e.g., the number of named users who have logged in, or peak concurrent usage). Auditors love official reports because they come from the product itself. Risk: If your Horizon environment’s own records show overuse at any point, it’s hard to dispute without a valid explanation.
  • Growth Patterns: Broadcom knows that VDI deployments tend to grow over time. They might analyze how your Horizon usage today compares to your last purchase. If you bought 200 licenses two years ago but added many new staff or students since, they suspect overuse. Audit trigger: A significant increase in virtual desktop count or a sudden surge in Horizon client devices may trigger an audit request.
  • Inactive vs. Disabled Users: Auditors might request both a current user list and a recent login list. If there’s a disparity (e.g., 500 users in an AD group but only 300 logged in last quarter), they will ask why. Risk: They may initially count all 500 as non-compliant usage. It’s on you to prove 200 were inactive or should not count (see best practices on disabling accounts).

Why these requests matter:

Broadcom’s audit partners are looking for any evidence of a license shortfall. In Horizon, this typically occurs due to either over-provisioning users (too many named users being given access) or usage spikes exceeding concurrent limits.

Being prepared to answer these requests with clean data is critical.

For how to resolve the audit, see Engaging with Broadcom on VMware Audit Resolution.

Compliance Best Practices for Horizon

Staying compliant with Horizon in the Broadcom era means adopting disciplined practices.

Here are concrete steps to keep your Horizon licensing in check:

  • Reconcile AD Users vs. Licenses Regularly: Compare the number of users in your Horizon entitlement group to your purchased named-user licenses. Do this monthly. For concurrent licensing, review the maximum concurrent users from Horizon reports. Proactively address any overage before an audit does.
  • Disable or Remove Unused Accounts Promptly: As soon as a Horizon user leaves the organization or no longer requires access, disable their AD account or remove them from the Horizon users group. This prevents “ghost users” from lingering. A policy of immediate deactivation upon employee departure is crucial. It not only keeps you compliant but also signals good governance to auditors.
  • Run and Archive Horizon License Usage Reports: Use Horizon’s admin console (Settings > Product Licensing & Usage) to generate reports on license consumption. For named users, get a report of all users who have logged in (and when). For concurrent connections, record the peak number per day or month. Archive these reports offline (e.g., save PDFs or exports) and date them. If an audit happens, you have a paper trail to demonstrate historical compliance or to explain anomalies.
  • Monitor Peak Periods Against Entitlements: Identify when your Horizon usage peaks (e.g., end of quarter crunch, morning logon rush). Make sure your concurrent license count comfortably covers those peaks. If you see usage regularly hitting, say, 95% of your concurrent limit, it’s time to consider purchasing more licenses or load-balancing usage. Don’t wait until you’ve exceeded the limit — auditors will pounce on even brief overage as non-compliance.
  • Limit Default Entitlements: Don’t broadly entitle everyone to Horizon by default. Use specific groups for those who truly need virtual desktops. The smaller the entitled population, the lower your named license requirement (and the easier to track concurrent usage). Many compliance issues arise when Horizon is opened up to too many users “just in case.” Be judicious and document why each user has access.

Implementing these best practices creates an audit-ready Horizon environment. You’ll catch and correct issues internally, instead of letting Broadcom catch them for you. It’s far cheaper and easier to reconcile licenses on your own terms than under audit pressure.
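As an added example (not code from the article or from VMware), the following Python applies the two counting rules from the licensing section to the monthly reconciliation described above: enabled entitled accounts drive named-user need regardless of logins, and the peak number of simultaneous sessions drives concurrent need. The export field names, the sample users, the session records and the 90-day stale threshold are all constructed assumptions.

```python
"""Reconcile a Horizon entitlement export and a session log against purchased licenses.

Added example with constructed inputs; the field names below are assumptions,
not the layout of any real Horizon or AD export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of the Horizon entitlement group (not real data).
# LastLogon is blank for accounts that have never logged in.
ENTITLEMENT_EXPORT = """\
sAMAccountName,Enabled,LastLogon
alice,True,2025-03-28
bob,True,2025-03-27
carol,False,2024-11-02
dave,True,
erin,True,2025-03-01
frank,False,
"""

# Constructed sample of Connection Server session records (not real data).
SESSION_LOG = """\
user,start,end
alice,2025-03-28T08:00:00,2025-03-28T12:00:00
bob,2025-03-28T08:30:00,2025-03-28T09:30:00
erin,2025-03-28T09:00:00,2025-03-28T17:00:00
dave,2025-03-28T09:15:00,2025-03-28T09:20:00
alice,2025-03-28T13:00:00,2025-03-28T17:00:00
"""


def parse_entitlements(text):
    """Return {'user', 'enabled', 'last_logon'} dicts from the CSV entitlement export."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["LastLogon"].strip()
        rows.append({
            "user": row["sAMAccountName"],
            "enabled": row["Enabled"].strip().lower() == "true",
            "last_logon": datetime.fromisoformat(last) if last else None,
        })
    return rows


def parse_sessions(text):
    """Return (user, start, end) tuples from the CSV session log."""
    return [
        (row["user"], datetime.fromisoformat(row["start"]), datetime.fromisoformat(row["end"]))
        for row in csv.DictReader(io.StringIO(text))
    ]


def named_user_position(entitlements, licenses, as_of_iso, stale_days=90):
    """Named-user rule: every enabled entitled account needs a license.

    Disabled accounts are reported as ghosts to remove from the group. Enabled
    accounts with no logon within stale_days are flagged for review, but they
    still count toward the requirement until they are actually removed.
    """
    as_of = datetime.fromisoformat(as_of_iso)
    cutoff = as_of - timedelta(days=stale_days)
    enabled = [e for e in entitlements if e["enabled"]]
    ghosts = sorted(e["user"] for e in entitlements if not e["enabled"])
    stale = sorted(e["user"] for e in enabled
                   if e["last_logon"] is None or e["last_logon"] < cutoff)
    return {
        "entitled_total": len(entitlements),
        "licensable": len(enabled),
        "licenses": licenses,
        "overage": max(0, len(enabled) - licenses),
        "ghost_accounts": ghosts,
        "stale_enabled": stale,
    }


def peak_concurrency(sessions):
    """Sweep-line count of simultaneous sessions; returns (peak, time_reached).

    A session ending at the instant another starts does not overlap it, so end
    events (-1) sort before start events (+1) at equal timestamps.
    """
    events = []
    for _, start, end in sessions:
        events.append((start, +1))
        events.append((end, -1))
    events.sort()
    active = peak = 0
    peak_at = None
    for when, delta in events:
        active += delta
        if active > peak:
            peak, peak_at = active, when
    return peak, peak_at


def concurrent_position(sessions, licenses):
    """Concurrent-user rule: peak simultaneous sessions must not exceed licenses."""
    peak, when = peak_concurrency(sessions)
    return {"peak": peak, "peak_at": when, "licenses": licenses,
            "overage": max(0, peak - licenses)}


if __name__ == "__main__":
    print(named_user_position(parse_entitlements(ENTITLEMENT_EXPORT), 3, "2025-03-31"))
    print(concurrent_position(parse_sessions(SESSION_LOG), 3))
```

With three licenses of each kind, the sample shows one named-user overage (four enabled accounts, two disabled ghosts to prune) and a concurrent peak of four sessions at 09:15.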

NSX & vSAN Audit Considerations

Horizon may be the focus for EUC teams, but other VMware products, such as NSX and vSAN, also fall under audit scrutiny. Broadcom’s auditors will examine these for compliance gaps:

VMware NSX (Network Virtualization): NSX licensing has historically been per-CPU (socket) or per-core, and now, under Broadcom, it’s usually tied to the same core-based subscription model as vSphere or bundled with VMware Cloud Foundation.

Key audit considerations for NSX:

  • License All Hosts Running NSX: If NSX is enabled on a vSphere cluster, every host in that cluster must be licensed for NSX. A common trap is enabling NSX on a few hosts but not buying enough licenses for the entire cluster. Auditors will likely request a list of all clusters where NSX is installed and verify that you have licenses for every host (or every CPU/core, depending on the terms). There’s no “half-license” cluster – partial deployment still counts as full deployment in their eyes.
  • Uniform Edition Usage: Ensure you’re not mixing NSX editions in a way that violates terms. For example, you cannot legally use advanced NSX features on a host with only a Standard NSX license. In practice, if any advanced feature (like micro-segmentation or firewalling) is used, auditors may assert you need the highest edition across the board. All NSX usage might be bumped to the highest edition in use for compliance purposes. Review what NSX features you’ve enabled and make sure your license edition (Standard, Advanced, Enterprise) matches those features.
  • Track Cluster Changes: Expanding an NSX-enabled cluster with new hosts? Add licenses immediately. Broadcom auditors will catch if you added hosts (increasing core counts) without a corresponding license increase. Even an unintentional delay can appear to be non-compliance. Maintain a log of NSX deployments: which clusters have it and how many hosts/cores are licensed versus in use.
  • Audit Data for NSX: Be prepared to provide vCenter or NSX Manager exports that show which hosts NSX components are installed on, and the license keys or counts applied. Auditors may also review the NSX Manager’s dashboard for the active license status. Keep this data handy and up to date.

VMware vSAN (Software-Defined Storage): vSAN is typically licensed per host (per CPU or core, analogous to vSphere). Under Broadcom, vSAN is often included as part of bundles or offered as an add-on by capacity.

For audit defense:

  • Match vSAN Licenses to Clusters: Every host contributing storage in a vSAN cluster requires a vSAN license. Auditors will verify that your vSAN-enabled clusters match your license inventory. If you have 20 hosts in vSAN clusters, you should have 20 vSAN licenses (or the correct subscription covering those cores). Ensure you didn’t enable vSAN on a test cluster or new hosts without also procuring licenses.
  • Edition and Capacity Alignment: vSAN has editions (Standard, Advanced, Enterprise) that unlock features such as deduplication and encryption. If you’re using any advanced vSAN feature, verify you own the proper edition. Using encryption with only Standard licenses, for example, is a compliance gap. Also, if vSAN is licensed by capacity under a subscription, ensure that your stored data stays within the purchased capacity or that you’ve subscribed to the required tier.
  • Co-Terminous Licensing: vSAN and vSphere are closely tied. Often, an audit will examine vSphere and vSAN counts together. If you have more vSAN licenses than vSphere or vice versa, that’s a red flag (e.g., 10 vSphere hosts but 12 hosts worth of vSAN usage). Align these and document any scenarios where they might differ (such as vSAN for Desktop licenses that cover specific VDI hosts – be prepared to explain this to auditors).

Other VMware Products (vCenter, vRealize/Aria, etc.): Broadcom will not ignore the “smaller” components:

  • vCenter Server: Ensure you’re within the allowed number of vCenter instances. Nowadays, vCenter may be included in bundles, but if you deploy multiple vCenters, ensure that this is permitted by your license. Auditors could ask for the number of vCenter deployments.
  • vRealize/Aria Suite: If you use Aria Operations, Log Insight, Automation, etc., verify you have the proper bundle or add-on licenses. For example, Aria Operations was historically licensed per OSI or per CPU. Confirm that the number of monitored nodes or CPUs is within your entitlement. Using more endpoints than licensed (e.g., pointing Log Insight at 100 servers when you have 50 OSI licenses) is a classic compliance issue. Keep an eye on any “free” or trial deployments of these tools that may have inadvertently entered production.
  • NSX/vSAN and vSphere Bundling: Under Broadcom’s simplified bundles, if you have purchased Cloud Foundation or vSphere + vSAN, some entitlements are combined. But an audit will still break them out to check compliance. Ensure you understand how the components of your bundle are licensed. If you opted not to use a component (say, NSX), document that, to counter any assumption that it is deployed and in use. Conversely, if you activate a component not included in your purchase, that constitutes non-compliance.

In summary, treat NSX, vSAN, and related products with the same diligence as Horizon or vSphere. Broadcom’s audit teams will. Know your deployments inside out and keep license counts in lockstep with any expansion.

Common Compliance Traps to Avoid

After working with many VMware customers, we’ve identified some common compliance traps that can catch you off guard.

Avoid these pitfalls to stay on safe ground:

  • “Ghost” Horizon Users: Former employees or test accounts that remain active in AD or Horizon entitlement groups. These users inflate your named user count. Trap: Auditors count them even if they haven’t logged in recently. Avoidance: Regularly purge or disable accounts that shouldn’t have access. Don’t wait until audit time; make it routine to remove departed users from all license-counted groups.
  • NSX Mixed Licensing in a Cluster: Using different NSX license levels or incomplete coverage in one environment. For example, applying NSX licenses only to some hosts, or mixing Standard and Enterprise features. Trap: VMware licensing requires homogeneous coverage; an auditor will consider the whole cluster at the highest feature level in use. Avoidance: Standardize on one NSX edition per environment. If you need Enterprise features on even one host, budget as if all hosts require Enterprise licenses (or isolate that host in its own fully licensed cluster).
  • vSAN Overextension: Enabling vSAN on clusters without enough licenses to cover every node, or expanding storage capacity beyond licensed limits. Trap: You might enable vSAN for a new project but forget to buy additional licenses, especially if capacity-based licensing isn’t closely monitored. Avoidance: Implement approval checks when enabling vSAN to ensure license count and capacity headroom are verified. Tie any cluster expansion process to a licensing review so you don’t accidentally run unlicensed vSAN nodes.
  • Trial or NFR Keys in Production: Running VMware software with “trial” licenses or partner NFR (Not-For-Resale) keys outside of lab environments. Trap: Trials typically last 60 days, but admins sometimes leave them running “just a bit longer” in production pilots. Auditors can easily spot trial keys or expired license warnings in logs and will treat continued use as unlicensed deployment. Avoidance: Strictly segregate trial environments. If a trial is moved to production, purchase the proper licenses before the trial expires. Keep an inventory of all license keys in use and ensure none are evaluation versions. (This is a quick win: it’s straightforward to scan for “Evaluation” or “Expiration” statuses in vCenter and Horizon admin panels.)
  • Ignoring ELA/Contract Constraints: If you were on a VMware ELA (Enterprise License Agreement) or subscription contract, misunderstanding its terms can be a trap. For example, using licenses beyond a contractual cap, or assuming you had unrestricted use when you didn’t. Avoidance: Read your VMware contracts carefully after the acquisition. Broadcom may enforce clauses strictly. Know exactly what rights you have (e.g., a Horizon Enterprise bundle might not allow some standalone use cases you assumed). Clarify any ambiguities in writing.

Each of these traps is avoidable with a bit of forethought and governance.

Conduct internal training for your virtualization and EUC admins so they’re aware of these gotchas. A well-intentioned IT staffer might spin up a new VDI pool with a trial license, unaware of the compliance implications—that’s why process and awareness are crucial.

Self-Audit Checklist for VMware EUC and Beyond

The best defense against a surprise audit is to conduct an internal audit first. Establish a regular self-audit program for your VMware Horizon and other VMware products.

Below is a practical checklist to follow:

  • 🌐 Horizon User & Usage Audit (Monthly): Export your list of Horizon-entitled users (from AD or Horizon console) and compare it to your license count. Note any discrepancies (i.e., more users than licenses) and take immediate action (remove or purchase additional licenses). Also, pull a usage report for the past month: check peak concurrent sessions vs. your entitlements. Archive these reports as proof of ongoing compliance monitoring.
  • 🔒 NSX Deployment Audit (Quarterly): Review all vCenter clusters to identify where NSX is installed. For each NSX-enabled cluster, list the total hosts/cores and ensure you have matching NSX licenses. Document any changes (e.g., “Added two hosts to Cluster A in Q1, purchased additional NSX licenses for two hosts in Q1 true-up”). Verifying this every quarter helps catch instances where an admin might have extended NSX without proper licensing.
  • 💽 vSAN License Audit (Quarterly): In vCenter’s licensing or vSAN menu, check that each vSAN cluster shows a valid license covering all its hosts. Confirm the edition and capacity usage against what you purchased. If you see an “evaluation” status or an over-capacity warning, address it immediately. Maintain a spreadsheet or log of vSAN clusters, including the number of hosts and assigned license keys.
  • 📊 Cross-Verify vSphere vs Add-ons: Cross-check the number of vSphere licenses, NSX licenses, vSAN licenses, etc., in use. They should align logically (e.g., you shouldn’t have more NSX licenses than vSphere hosts – a sign something’s off in records). Any misalignment is a signal to investigate before an auditor does.
  • 🗂 License Documentation Archive (Continuous): Maintain an archive of all VMware licensing documents. This includes license keys, purchase orders, ELA or contract documents, and records of any communications about licensing with VMware/Broadcom. Keep screenshots or exports of license assignments from vCenter, Horizon, NSX Manager, etc., as of each quarter’s end. In the event of an audit, you can quickly retrieve proof of what was deployed and licensed at any given point in time.
  • 📈 Internal Compliance Dashboard: Consider creating a simple dashboard or report (even an Excel sheet or an ITAM tool) that tracks key metrics, such as the number of Horizon users versus licenses, peak Horizon concurrency, the number of NSX hosts versus licenses, and the number of vSAN hosts versus licenses. Update it regularly. This visual aid can be shared with IT management to show compliance status. It also serves as an early warning system if any metric begins to approach the license limit.
  • 🔁 Simulate an Audit Annually: Do an annual “mock audit.” Have your team produce the type of data an auditor would typically request (user lists, logs, license keys). Review the results as if you were Broadcom. This exercise often reveals anomalies, such as forgotten test deployments or accounts that should have been removed. Better you find them than an auditor does.

By running through this checklist, you create a habit of compliance. It transforms audits from a fire drill into a routine health check. Importantly, document the outcomes and any remediation steps taken.

If Broadcom ever comes knocking, you can demonstrate a solid track record of internal compliance management, which can sometimes persuade them to be more lenient with any findings.

Responding to Audit Notices: Horizon & Beyond

Despite your best efforts, you might still receive an audit notice. It’s critical to manage the response carefully and strategically.

Here’s how to handle an audit request for Horizon or other VMware products under Broadcom:

  • Stay Calm and Organize: An audit notice is not an accusation of wrongdoing; it’s a request to verify compliance. Assemble a small internal team (IT asset manager, EUC admin, virtualization lead, procurement/legal rep). Review exactly what the notice is asking for and by when.
  • Limit the Scope of Data Provided: Provide only what is explicitly requested, without including any additional information. If Broadcom’s auditors ask for “a list of all users with Horizon access,” you should furnish precisely that (and only that). Do not hand over entire AD dumps or extraneous data that wasn’t requested – extra information can accidentally expose compliance gaps unrelated to the request. Similarly, if they ask for “reports of concurrent usage for the last 3 months,” you don’t need to send a full year of logs. Scope discipline prevents the audit from mushrooming.
  • Review Data Before Sending: Never send raw data without first reviewing it internally. Double-check the user lists or logs for anomalies. For instance, if your Horizon user export includes disabled accounts, consider removing those entries or clearly annotating them as disabled. If a vSAN report shows an evaluation license (oops!), address it internally first if possible. You want to present data that is accurate and, if possible, already cleaned of obvious compliance issues (or accompanied by an explanation of any known issues you’re addressing).
  • Be Factual and Concise: When submitting data or answers, stick to facts. Avoid volunteering theories or excuses unless asked. If something needs clarification, provide a short written explanation alongside the data. For example: “Note: 50 of the 550 accounts in the Horizon user list are disabled accounts pending removal; they have been inactive and should not count toward license usage.” This preemptively frames the data in your favor.
  • Use Official Tools for Data: Wherever possible, use VMware’s own tools to generate the evidence. Auditors trust vCenter’s license reports, Horizon’s usage reports, NSX Manager outputs, etc., over custom scripts or manual counts. It also shows you’re not hiding anything – you’re giving them the figures straight from the source. That said, double-check these reports for completeness.
  • Protect Confidential Information: Ensure any data you provide doesn’t expose sensitive info beyond licensing. User lists, for example, may contain personal data. Coordinate with your legal or HR team if necessary to anonymize or limit personal details (e.g., use usernames instead of full names/email addresses if acceptable). Always mark documents as “Confidential” and route communications through the proper legal channel as required by your contract.
  • Engage in Dialogue if Needed: If any request is unclear or seems overly broad, don’t be afraid to ask for clarification or negotiate the format. For instance, if they say “provide all vSphere logs,” you might go back and ask, “Could you specify which logs or data points you need to verify licensing? We can provide a vCenter license report for vSphere/NSX/vSAN usage.” Often, auditors will agree to a simpler data set that still satisfies their needs. This can drastically reduce the workload and the risk of handing over irrelevant info.

Audit Response Example: If asked for Horizon usage data, you might respond with a cover note: “Please find attached a report of Horizon concurrent connections per day for Q1 2025, as generated by the Horizon Administrator console. Notably, our peak usage was 85 concurrent sessions, well within our licensed limit of 100. Additionally, the named user report lists 480 total users, of which 30 were disabled accounts (marked in the report) that had no activity. We have excluded those from the active count.” – This kind of response provides the requested info and also pre-emptively explains data points in a favorable way.

In essence, control the narrative of the audit. You can’t avoid providing data, but you can ensure it’s accurate, contextualized, and limited to what’s asked. This professional, measured approach builds trust with the auditors and can prevent misinterpretation.

Negotiation Playbook for Overuse Findings

Audits often end with some findings – maybe the auditors believe you’re over on Horizon licenses or that you enabled NSX on a host without a license. Don’t panic.

Treat the findings as the start of a negotiation. Broadcom ultimately wants revenue, not a fight.

Here’s how to negotiate if they claim you’re non-compliant:

  • Validate and Push Back (Politely): First, verify the findings against your own records. If they say you’re 50 users over on Horizon, double-check if those include inactive accounts or if a data error occurred. It’s possible the auditor counted users incorrectly (it happens). Respond with clarifications: “We believe 15 of those users were inactive and should be excluded. Here is evidence of their termination dates.” Always be factual and back it with documentation.
  • Don’t Admit Guilt Too Quickly: Frame any overuse as unintentional and tied to business growth or technical oversight, not willful neglect. For example, “Our VDI usage grew faster than anticipated in the past year, and it appears we exceeded our Horizon named user count by 30 due to that growth.” This sets a tone that you’re a loyal customer who simply needs more capacity, rather than someone trying to skirt rules.
  • Offer to True Up via Purchase, Not Penalty: Broadcom’s preferred outcome is selling you more licenses. Use that. Instead of paying a one-time penalty fee for overuse, propose purchasing additional licenses or subscriptions to cover the gap in the future. Ideally, fold this into your renewal or an expansion deal. “We’re prepared to immediately purchase the additional 30 licenses to become compliant, and we’d like to align this with our upcoming renewal to benefit from our standard discounting,” is a reasonable stance. You’re showing willingness to pay for what you used, but on terms that make commercial sense for you.
  • Negotiate Discounts or Bundles: Take advantage of the opportunity to secure a better deal. If you must purchase licenses due to the audit, you have leverage to request better pricing or to bundle other needs. For example, if you were considering expanding NSX or vSAN in the next year, bring it up: “Since we need 30 more Horizon licenses, we are also open to discussing an upgrade of our NSX edition for security needs. Can we negotiate a bundle that addresses both, at a more favorable rate?” Vendors often respond well to this approach because you’re turning a compliance issue into a sales opportunity for them – and you get a concession in return.
  • Waive Back-Maintenance if Possible: Auditors might calculate back-dated support or maintenance fees for the period you were “overused.” Consider having those waived if you agree to a forward-looking purchase. “We’d like any retroactive maintenance fees forgiven as a goodwill gesture, given that we’re promptly correcting the licensing and continuing as a VMware customer.” Broadcom has been known to waive penalties if a customer commits to a new deal – but you often have to ask.
  • Document the Resolution: Once you reach an agreement (e.g., you purchase X licenses, Broadcom closes the audit), obtain written confirmation that the purchase resolves the compliance issue. Ensure the audit is formally closed in the letter or email. This protects you from surprise later. Also, clarify if the new licenses are prorated to align with your existing contract or are a separate term – you want to manage renewals coherently.

Negotiation Example: Imagine an audit finds 10 unlicensed vSAN cores and 20 extra Horizon users. You might say: “We acknowledge the compliance gap. We propose purchasing the licenses for those 10 vSAN cores and 20 Horizon users effective immediately. Since our enterprise agreement is up for renewal in 6 months, we’d like to co-term these additions with that renewal. In exchange for resolving this promptly, we are seeking an incentive – perhaps applying our renewal discount to these purchases or receiving equivalent credit toward an NSX upgrade we’re planning.” – This signals you’re addressing the issue while asserting reasonable requests. Broadcom may come back with a counter-offer, but you’ve set the stage to negotiate rather than passively pay their first bill.

  • Dispute if Counts Are Inflated: If you genuinely believe the audit findings are wrong (for instance, counting employees who left a year ago), don’t hesitate to provide a detailed counter-analysis. So long as you’re professional and backed by data, it’s valid to push back. Broadcom’s audit team can make mistakes or interpret data in a way that favors them. Your job is to ensure the final number is fair. We’ve seen cases where a compliance gap was significantly reduced after the customer demonstrated that many “overused” licenses were tied to deactivated users.

Remember, everything is negotiable in the realm of software audits.

Broadcom may have a reputation for toughness, but they also want to maintain strong customer relationships and avoid driving you to a competitor.

By being cooperative yet firm, you can turn a painful audit result into a manageable business transaction.

Preventative Governance Practices

The ultimate goal is not just to survive audits, but to bake compliance into your IT governance so audits become non-events.

Here are key governance practices to implement in your organization for VMware Horizon and other products:

  • Quarterly License Compliance Reviews: Make license compliance an agenda item every quarter. The virtualization/EUC team should report the current license counts and usage to IT leadership. Identify any projected growth that might require more licenses and plan the budget accordingly. Regular reviews keep everyone aware and accountable. It’s much easier to get a budget for licenses preemptively than to beg for it after an audit surprise.
  • Integrate with HR Processes: Tie your HR offboarding process to license management. Whenever an employee leaves or a contractor’s term ends, ensure their accounts are promptly removed from all systems, including Horizon, and any other user-based licenses. This could be a simple checkbox in the HR termination checklist: “Remove from VMware Horizon access.” For concurrent licensing, although user removal is less directly tied to the license count, it still enhances security and reduces potential misuse.
  • Centralize License Ownership: Designate a license owner or compliance officer for VMware products. This person or team keeps the official record of entitlements vs. deployments. They should be looped in on any project that involves deploying VMware technology. For instance, if the EUC team wants to roll out a new Horizon pool, the license owner should verify entitlements first. Central ownership prevents siloed teams from accidentally overusing licenses.
  • Maintain an Audit-Ready Archive: We touched on archiving reports and documents – make this a formal practice. Every time you purchase additional VMware licenses or renew a contract, store the paperwork in a designated repository. Likewise, at set intervals (e.g., end of each quarter), save snapshots of usage (user counts, host counts, etc.). Over time, you build a goldmine of documentation. In an audit, you can quickly pull up “as of X date, we had Y licenses and Z usage” for any point in question. It can shut down debates fast.
  • Enforce “No Trial in Prod” Policy: As governance, establish a firm policy that no trial, evaluation, or NFR software is to be used in production environments, no exceptions. Communicate this to all IT staff. If there’s a legitimate need to test a VMware product in production, fast-track the purchase of proper licenses (or engage VMware for a formal extended evaluation that’s documented). Make sure everyone knows that even small breaches (like spinning up an extra NSX edge node with a trial key) can have big consequences.
  • Monitor Vendor Communications: Broadcom will continue adjusting VMware’s licensing programs. Stay updated on any announcements or changes. Subscribe to VMware/Broadcom advisories or have your vendor reseller keep you informed. For example, if Broadcom introduces a new licensing model or decides to audit a specific product line more aggressively, you want to be aware of this early. Adapt your compliance approach accordingly. Governance is not static – it evolves with the vendor landscape.
  • Regular Training and Refreshers: Provide training for your administrators on license compliance. New features in NSX or Horizon might tempt them to try things outside your entitlement. Educate them on the proper procedures. Similarly, if Broadcom changes license metrics (say, moves Horizon to subscription-only or alters terms), brief your team so they don’t mistakenly violate those terms.

By embedding these practices, you create a culture of compliance and accountability. It’s far better to catch an issue in a quarterly review or via an internal policy check than to have an external auditor catch it.

Governance might sound boring, but it’s the armor that lets you go into any audit with confidence.

FAQs

Q: How are Horizon concurrent licenses tracked during an audit?
A: Typically, auditors will review Horizon’s own usage data for concurrent sessions. Horizon 8 (and newer) provides a Usage page in the admin console showing active concurrent connections over time. During an audit, you might be asked to export these logs or reports for a given period. The audit team will identify the peak number of simultaneous users and compare it to your licensed concurrent count. It’s important that you already know your peak usage. Ideally, you present a report (e.g., the maximum concurrency reached was 85 of 100 licensed) demonstrating compliance. If there were any spikes above your entitlement, be prepared to explain them (perhaps an anomaly or a brief test) or expect to address them via extra licensing. The key is that concurrency is measured at the highest point of overlap, so even a one-time peak over the limit can be flagged.
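The “highest point of overlap” measurement above is easy to reproduce yourself before an auditor does it for you. The script below is an added example, not code from the article and not a VMware or Omnissa tool; it assumes you can export a session list with one row per session (user, connect time, disconnect time, the last empty for sessions still open at export time), with column names that are my assumption. The sample rows are constructed. It computes the peak with a sweep over connect/disconnect events and also lists every interval during which the count exceeded the licensed total, which is exactly what you will need to explain.

```python
"""Peak concurrent Horizon sessions from an exported session log.

Added example; not from the original article and not VMware/Omnissa code.
Assumes a CSV export with one row per session: user, connected_at,
disconnected_at (empty if the session was still open at export time).
"""
from __future__ import annotations

import csv
import io
from datetime import datetime
from typing import NamedTuple

# Constructed sample export (not real audit data). ISO 8601 timestamps.
SAMPLE_EXPORT = """\
user,connected_at,disconnected_at
alice,2024-03-04T08:00:00,2024-03-04T12:00:00
bob,2024-03-04T08:30:00,2024-03-04T09:30:00
carol,2024-03-04T09:00:00,2024-03-04T10:00:00
dave,2024-03-04T09:30:00,2024-03-04T11:00:00
erin,2024-03-04T09:45:00,2024-03-04T09:50:00
frank,2024-03-04T13:00:00,
"""

# End of the reporting window (assumed); open sessions are closed here.
EXPORT_END = datetime(2024, 3, 4, 14, 0, 0)


class Session(NamedTuple):
    user: str
    start: datetime
    end: datetime


def parse_export(text: str, window_end: datetime) -> list[Session]:
    """Parse the CSV export. A still-open session is treated as running
    until the end of the window, because an auditor would count it."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["connected_at"])
        raw_end = row["disconnected_at"]
        end = datetime.fromisoformat(raw_end) if raw_end else window_end
        if end < start:
            raise ValueError(f"session for {row['user']} ends before it starts")
        sessions.append(Session(row["user"], start, end))
    return sessions


class PeakResult(NamedTuple):
    peak: int                      # highest number of simultaneous sessions
    at: datetime                   # when that peak was first reached
    over_limit: list[tuple[datetime, datetime, int]]  # (from, to, max) above entitlement


def peak_concurrency(sessions: list[Session], licensed: int) -> PeakResult:
    """Sweep-line over connect (+1) and disconnect (-1) events.

    At an identical timestamp the disconnect is processed before the
    connect, so a session starting exactly when another ends is not
    counted as overlapping it."""
    events = []
    for s in sessions:
        events.append((s.start, 1))
        events.append((s.end, -1))
    events.sort(key=lambda e: (e[0], e[1]))  # -1 sorts before +1 on ties

    active = peak = over_max = 0
    peak_at = None
    over_since = None
    over_limit = []
    for ts, delta in events:
        active += delta
        if active > peak:
            peak, peak_at = active, ts
        if active > licensed:
            if over_since is None:
                over_since, over_max = ts, active   # excursion above the limit begins
            else:
                over_max = max(over_max, active)
        elif over_since is not None:
            over_limit.append((over_since, ts, over_max))  # excursion ends
            over_since = None
    return PeakResult(peak, peak_at, over_limit)


def sample_result(licensed: int = 3) -> PeakResult:
    """Run the constructed sample against a given concurrent entitlement."""
    return peak_concurrency(parse_export(SAMPLE_EXPORT, EXPORT_END), licensed)


if __name__ == "__main__":
    result = sample_result(licensed=3)
    print(f"peak {result.peak} concurrent sessions at {result.at.isoformat()}")
    for start, end, high in result.over_limit:
        print(f"  over entitlement from {start.time()} to {end.time()} (max {high})")
```

Run it against a real export at month end and keep the output with your quarterly usage snapshot; a short excursion like the one the sample produces is far easier to explain when you found it first and can show when it happened and for how long.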

Q: Does Broadcom count inactive Horizon users in a license audit?
A: Broadcom’s auditors will initially count every named user they see with access to Horizon. Inactive users can be counted if they are still enabled. However, users who are truly disabled or deleted (removed from AD or Horizon entitlements) should not be counted. It’s up to you to clearly distinguish between inactive and active accounts. In an audit response, you should clearly indicate which accounts were deactivated and the corresponding date. If you show that certain users hadn’t logged in for the past year and were terminated employees, you have a strong case to exclude them from the “active named user” count. Broadcom is generally focused on ensuring you have licenses for actual usage, not punishing you for keeping records of old accounts. But if those accounts were left enabled, they may argue they could have been used, thus requiring a license. This is why we emphasize the importance of disabling accounts promptly. In summary: auditors may count inactive-but-enabled accounts, so you must proactively remove them or defend their exclusion with evidence.
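To show auditors which entitled accounts are active, which are disabled (and since when) and which no longer exist, you need to reconcile the Horizon entitlement list against your directory. The script below is an added example, not code from the article and not a VMware tool; it assumes two exports you produce yourself (the users entitled to any Horizon pool, and a directory export with an enabled flag, last logon date and the date the account was disabled), with column names and the 90-day staleness threshold being my assumptions. The sample rows are constructed. It separates the count an auditor is likely to arrive at (every enabled entitled account) from the count you can defend after disabling stale accounts, and lists the accounts to disable.

```python
"""Reconcile Horizon named-user entitlements against directory status.

Added example; not from the original article and not VMware code.
Assumed inputs: a CSV of users entitled to any Horizon pool, and a
directory export with user, enabled, last_logon and disabled_on columns.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Constructed sample data (not real accounts).
HORIZON_ENTITLED = """\
user
alice
bob
carol
dave
erin
"""

# erin is entitled in Horizon but absent here: the account was deleted.
AD_EXPORT = """\
user,enabled,last_logon,disabled_on
alice,true,2024-02-28,
bob,true,2023-01-15,
carol,false,2023-06-30,2023-07-01
dave,false,2022-11-02,2024-01-10
"""

AS_OF = date(2024, 3, 4)           # date of the reconciliation (assumed)
STALE_AFTER = timedelta(days=90)   # "no logon for 90 days" threshold (assumed)


def classify(entitled_csv: str, ad_csv: str, as_of: date, stale_after: timedelta) -> dict:
    """Sort every entitled account into one of four buckets:
    active, stale_enabled, disabled (with date), deleted."""
    directory = {r["user"]: r for r in csv.DictReader(io.StringIO(ad_csv))}
    buckets = {"active": [], "stale_enabled": [], "disabled": [], "deleted": []}
    for row in csv.DictReader(io.StringIO(entitled_csv)):
        user = row["user"]
        rec = directory.get(user)
        if rec is None:
            buckets["deleted"].append(user)            # gone from the directory
            continue
        if rec["enabled"].strip().lower() != "true":
            buckets["disabled"].append((user, rec["disabled_on"]))  # keep the date as evidence
            continue
        last = date.fromisoformat(rec["last_logon"]) if rec["last_logon"] else None
        if last is None or as_of - last > stale_after:
            buckets["stale_enabled"].append((user, rec["last_logon"]))  # enabled but unused
        else:
            buckets["active"].append(user)
    return buckets


def named_user_position(buckets: dict, licensed: int) -> dict:
    """Auditor's likely count is every enabled entitled account; the count
    you can defend after remediation is active accounts only."""
    auditor_count = len(buckets["active"]) + len(buckets["stale_enabled"])
    return {
        "licensed": licensed,
        "auditor_count": auditor_count,
        "remediated_count": len(buckets["active"]),
        "shortfall_if_unremediated": max(0, auditor_count - licensed),
        "accounts_to_disable": [u for u, _ in buckets["stale_enabled"]],
        "excluded_with_evidence": buckets["disabled"] + [(u, "deleted") for u in buckets["deleted"]],
    }


def sample_position(licensed: int = 1) -> dict:
    """Run the constructed sample against a given named-user entitlement."""
    return named_user_position(classify(HORIZON_ENTITLED, AD_EXPORT, AS_OF, STALE_AFTER), licensed)


if __name__ == "__main__":
    for key, value in sample_position(licensed=1).items():
        print(f"{key}: {value}")
```

The "excluded_with_evidence" list is the part to hand over in an audit response: each disabled account carries the date it was disabled, which is the evidence the answer above says you need. The "accounts_to_disable" list is what to act on before any audit letter arrives.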

Q: Are NSX and vSAN audited separately, or as part of a vSphere audit?
A: In most cases, Broadcom will conduct a holistic VMware audit covering all products you own. Therefore, if you have vSphere, NSX, and vSAN, the audit will encompass all three. The auditors will conduct separate checks for each (because the licensing metrics differ), but these generally occur under one coordinated audit engagement. For example, they might request vCenter reports to verify vSphere core licensing, and in the same breath, request NSX Manager data for NSX usage and vSAN configuration information for vSAN licensing. They won’t ignore NSX and vSAN just because they’re add-ons – in fact, those are prime targets since some customers overlook them. However, if you only license certain products (for example, if you don’t use NSX at all), the audit would focus on what’s relevant. Also note: sometimes audit letters explicitly list which products are in scope. If NSX/vSAN are mentioned, be prepared to provide evidence for each. In any case, treat it as a full environment audit.

Q: Can using trial or NFR licenses trigger non-compliance penalties?
A: Yes. Using trial (evaluation) or NFR licenses in production is essentially using the software without a valid license. If an audit uncovers that, they will treat it the same as unlicensed usage. The outcome is usually that you’ll be required to purchase proper licenses for that usage (often retroactively to when the trial should have ended). There typically isn’t a separate “penalty fee” beyond that, unless they argue you derived value without paying for an extended period (then they might add back-dated support costs). But either way, it’s going to cost you. Importantly, trial licenses are easily identified – they have distinctive keys or expirations. VMware systems often log when they’re in evaluation mode. Auditors know to look for those indicators. NFR licenses (provided to partners or for lab use) are usually not allowed in production, as per the license agreement, so they also count as unlicensed. The best practice is to never let trial/NFR deployments touch live workloads or persist beyond testing. If you have accidentally done so, rectify the issue before an audit by purchasing the necessary licenses or removing the deployment. During an audit, if you’ve already addressed it (e.g., “Yes, we had one host on trial for 30 days, but we have since licensed it fully”), you’re in a better position. If it’s still in trial, expect a compliance finding.

Q: How can I tell if I’m compliant before an official audit?
A: Performing the self-audit steps we outlined is the best way. You can also engage third-party license consultants to do a compliance assessment (essentially a mock audit) if you want extra assurance. Additionally, VMware’s own tools can help: vCenter’s Licensing section displays usage versus licenses for vSphere, vSAN, and other products, and the Horizon console shows license usage. Keep an eye on any alerts or warnings in these tools (for example, vCenter might show “license usage exceeds license count” if you’ve under-provisioned licenses for hosts). Another tip: review your VMware support contracts – if you’re paying support on 100 licenses but you know you have 120 hosts in use, that’s a discrepancy (support contracts often mirror license count). Finally, stay informed in the VMware community. Many administrators share their audit experiences on forums; if Broadcom’s auditors have a new tactic, word gets around. Knowing what’s coming can help you double-check the same things in your environment.


Staying compliant with VMware Horizon and related products under Broadcom’s regime may feel like walking through a minefield, but with the right practices, it becomes business as usual.

Be proactive, detail-oriented, and unafraid to push back when things don’t add up. In this new era of strict VMware audits, an ounce of prevention (and preparation) is truly worth a pound of cure.

By following the guidance in this audit-defense guide, you can keep your organization out of trouble, even as Broadcom turns up the heat on compliance. Happy (and compliant) virtualizing!

Read about our Broadcom Audit Defense Service.


Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.
