An independent analysis of two virtual desktop architecture alternatives for BCCA Construction Accounting — prepared by Vicinity Group LLC.
BCCA Construction Accounting operates with approximately 45 users across Hawaii and the Philippines, relying on QuickBooks Desktop, QuickBooks Enterprise in multi-user mode, and Sunburst payroll software to serve its construction accounting clients. These are thick-client, Windows-native applications with specific requirements for persistent desktop environments and local database connectivity.
The current Azure Virtual Desktop environment, deployed by MC3, uses a pooled desktop model that has presented challenges with application compatibility, user experience, and latency. Users in both Hawaii and the Philippines connect to virtual desktops hosted in Microsoft's West US 2 region (Oregon), introducing measurable latency that impacts the responsiveness of database-driven applications.
This assessment evaluates two architectural paths forward. Option A converts the existing Azure environment from pooled to dedicated persistent desktops and adds Microsoft Intune for endpoint management. Option B deploys physical servers in a Honolulu colocation facility running Microsoft Remote Desktop Services, paired with a FortiGate next-generation firewall. Both options resolve the application compatibility issues. They differ in their approach to latency, cost structure, and infrastructure management.
This document presents factual analysis with cost frameworks for each option. Vicinity manages both cloud and on-premises architectures and has no financial preference between the two. The data is presented so that BCCA can make an informed decision based on priorities, budget, and risk tolerance.
Three interconnected issues are driving the need for an architectural change.
QuickBooks Desktop, QuickBooks Enterprise, and Sunburst payroll were designed for persistent Windows environments. Pooled virtual desktops reset to a gold image after each session, which conflicts with how these applications store licensing, database connections, and user configuration.
Licensing activation: QuickBooks Desktop validates its license against hardware identifiers and registry entries on each launch. In a pooled VDI environment where desktops revert to a base image, these activation markers are lost between sessions, triggering repeated re-activation prompts or outright license failures.
Database file locking: QuickBooks Enterprise multi-user mode relies on a database server manager process that maintains file locks on company files. Non-persistent sessions can interrupt these locks unpredictably, leading to data corruption risks and "company file in use" errors.
Registry and configuration persistence: Both QuickBooks and Sunburst store critical configuration in the Windows registry and local AppData directories. Pooled desktops discard these changes at logoff, requiring users to reconfigure preferences, printer mappings, and application settings at every login.
Sunburst payroll: Sunburst Software Solutions is a Windows-based payroll application that requires persistent access to local databases and application files. Like QuickBooks, it expects a stable Windows desktop environment where configuration persists across sessions.
Azure West US 2 is located in Oregon. Users in Hawaii experience 60–80ms round-trip latency; users in the Philippines experience 150–180ms. For database-driven applications like QuickBooks in multi-user mode, this latency compounds with every database call.
| Route | Approx. RTT |
|---|---|
| Azure West US 2 (Oregon) → Honolulu, HI | 60–80 ms |
| Azure West US 2 (Oregon) → Manila, PH | 150–180 ms |
| Honolulu Data Center → Honolulu (local) | <5 ms |
| Honolulu Data Center → Manila, PH | 100–130 ms |
QuickBooks Enterprise in multi-user mode generates hundreds of small database queries per operation. Each query incurs a round-trip to the database server. At 60–80ms per round trip, an operation requiring 50 sequential queries adds 3–4 seconds of pure network latency. At 150–180ms (Philippines), that same operation takes 7.5–9 seconds. This is a physics constraint — the speed of light through fiber across the Pacific Ocean — and cannot be resolved by adding bandwidth or upgrading VM sizes.
When VDI performance is insufficient, users find workarounds. Some team members have reverted to running applications on personal, unmanaged desktops. This creates an endpoint security gap — the opposite of the original goal of centralized desktop management.
Unmanaged endpoints operating outside of centralized IT control present several risks: no enforced disk encryption, no centralized patching, no visibility into installed software, and no ability to remotely wipe a device if it is lost or compromised.
For an accounting firm handling sensitive client financial data, including payroll records and tax information, this represents a compliance and liability concern. Both options in this assessment address the endpoint management gap, though through different mechanisms.
This option converts the existing Azure Virtual Desktop environment from pooled desktops to dedicated persistent desktops. Rather than assigning one desktop per individual user, each dedicated desktop is organized around a client organization — one persistent VM per QuickBooks company file. Multiple BCCA employees who work on a given client share that client's dedicated desktop. Applications, licensing activation, registry settings, and database connections all persist across sessions.
The infrastructure remains hosted in Azure West US 2 (Oregon) using E4s_v5 virtual machines (4 vCPU / 32 GB RAM) for client desktops, with a D4_v5 server (4 vCPU / 16 GB RAM) hosting Active Directory and shared file storage. Azure Backup provides data protection with zone-redundant storage.
All users receive Microsoft 365 Business Premium ($23.10/user/month), which includes Office applications, Exchange Online, OneDrive, and critically, Microsoft Intune for Mobile Device Management (MDM). Intune is deployed across all user devices, including the personal devices currently in use, restoring centralized visibility and policy enforcement without requiring hardware replacement.
In the current pooled desktop environment, multiple users share a pool of virtual machines built from a common gold image. When a user logs off, their session is discarded and the VM reverts to its base state. This is efficient for simple, stateless workloads (web browsing, email) but problematic for applications that depend on persistent local state.
A dedicated persistent desktop is a specific VM that retains its state across sessions, just like a physical PC. In BCCA's case, each dedicated desktop is organized around a client organization — one VM per QuickBooks company file, shared by the BCCA employees who service that client. Applications are installed, configured, and licensed once per desktop. QuickBooks connects to its company file, Sunburst is configured for that client's payroll, and all settings persist indefinitely.
This model reduces the total number of dedicated VMs needed (one per client, not one per employee) while still solving the persistence problem. The trade-off is cost: dedicated desktops consume compute and storage resources continuously, while pooled desktops can scale down during off-hours. With 3-year reserved instances, the per-VM cost is reduced significantly.
With dedicated persistent desktops, QuickBooks Desktop and Enterprise install and activate once per VM, just as they would on a physical workstation. Each dedicated desktop corresponds to a specific client organization and its QuickBooks company file. The license validation persists across sessions because the VM's hardware profile and registry remain stable.
Multiple BCCA employees who service a given client connect to that client's dedicated desktop via Azure Virtual Desktop. QuickBooks Enterprise multi-user mode enables concurrent access within the same company file. The D4_v5 infrastructure server (4 vCPU / 16 GB RAM) hosts Active Directory and shared file storage. Since all VMs reside within the same Azure virtual network, inter-VM latency is sub-millisecond — database operations perform well within the Azure environment.
Sunburst payroll runs as a standard Windows desktop application on each dedicated VM, with its configuration and data connections maintained across sessions.
Microsoft 365 Business Premium ($23.10/user/month) provides the full Microsoft productivity suite alongside Microsoft Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM). This applies to all user endpoints — including the personal devices that team members are currently using. Key capabilities include:
Intune, included with Microsoft 365 Business Premium, addresses the shadow IT gap by bringing personal devices under management without requiring hardware replacement. Users enroll their existing devices, and compliance policies are enforced automatically. The M365 Business Premium license is required for both Option A and Option B.
This option does not resolve the latency issue. The virtual desktops remain hosted in Azure West US 2 (Oregon). Users in Hawaii will continue to experience approximately 60–80ms round-trip time, and users in the Philippines will continue to experience approximately 150–180ms.
The user experience will improve because dedicated desktops eliminate the session reset issues, application reinstallation, and re-licensing problems. But the fundamental responsiveness of the remote session — mouse movement, screen updates, and especially the cumulative latency of database-heavy QuickBooks operations — will remain constrained by the Oregon-to-Hawaii/Philippines network path.
This is a physics constraint inherent to the geographic distance between Azure West US 2 and BCCA's user locations. It cannot be mitigated by VM sizing, bandwidth upgrades, or protocol optimization.
| Line Item | Monthly | Annual |
|---|---|---|
| Azure Compute (VMs): Personal + pooled desktops, 3-yr RI | $1950 | $23400 |
| Azure Storage & Networking: OS disks, data disks, FSLogix profiles, NAT Gateway | $280 | $3360 |
| Azure Backup: ZRS, 30-day retention | $120 | $1440 |
| Microsoft 365 Business Premium: $23.10/user/mo — includes Intune, Office apps, Exchange, OneDrive | $1040 | $12480 |
| Vicinity Managed Services: 16x M1DEVICEA ($108/mo ea) + 1x M1SERVERA ($190/mo) — VDI infrastructure only; does not include management of on-premise computers or laptops | $1918 | $23016 |
| Total (45 users) | $5308 | $63696 |
Pricing based on 3-year Reserved Instances in West US 2. Estimates subject to change based on actual Azure consumption and licensing negotiations.
This option deploys a single physical server in the DRFortress colocation facility in Honolulu, HI, running Microsoft Hyper-V with Windows Server and Remote Desktop Services (RDS). Users connect via standard RDP — the same protocol family used by Azure Virtual Desktop, and the same technology BCCA used successfully before the AVD migration.
The rack loadout in a quarter cabinet (10 RU) at DRFortress consists of four components: a FortiGate 120G next-generation firewall with full Unified Threat Protection, a FortiSwitch 124G managed switch, a Thinkmate RAX RXS5-2212-G1 server (2x Xeon Gold 6544Y 16-core, 256 GB DDR5, 7x 1.92TB SSD RAID 6, 10GbE, 5-yr warranty), and a Datto S6-24 backup appliance (12 TB).
The Datto appliance provides 1-year retention with both local and cloud-based recovery options. Internet connectivity is via DRFortress's DRFConnect service at 1 Gbps ($699/mo), a multi-homed, redundant bandwidth service.
As with Option A, all users receive Microsoft 365 Business Premium ($23.10/user/month), which includes Microsoft Intune for endpoint management across all user devices. This ensures consistent endpoint security and compliance policy enforcement regardless of which infrastructure option is selected.
The Thinkmate RAX RXS5-2212-G1 server includes:
The colocation deployment fits within a single quarter cabinet at DRFortress:
This is a single-hypervisor deployment with no on-site server redundancy. Hardware availability is addressed by the 5-year onsite warranty with advanced parts replacement, and the Datto appliance provides instant virtualization capability — if the server fails, VMs can be temporarily run directly on the Datto until the server is repaired.
The server specification is driven directly by the virtual machine workloads it must host. Below is the mapping from VM requirements to physical hardware.
| VM Role | Qty | vCPU | RAM | Storage |
|---|---|---|---|---|
| Virtual Desktop | 16 | 2 cores each | 16 GB each | 256 GB SSD each |
| File Server | 1 | 4 cores | 16 GB | 256 GB OS + 2,048 GB data + 512 GB profiles |
| Hypervisor overhead | — | ~2 cores | ~8 GB | ~100 GB |
| Total Required | — | 38 vCPU | 280 GB | ~7.0 TB |
The 16 virtual desktops require 32 vCPU, plus 4 for the file server and ~2 for the hypervisor — 38 vCPU total. The dual Xeon Gold 6544Y processors provide 32 physical cores with 64 hyper-threads. At a 1.19:1 vCPU-to-core ratio, this is well within the industry best practice of 3:1–5:1 for VDI workloads, leaving substantial headroom for burst activity.
If every VM ran at maximum allocation simultaneously, the total would reach 280 GB. In practice, Hyper-V Dynamic Memory ensures VMs only consume what they actively use. Typical VDI desktop sessions average 6–8 GB, bringing real-world utilization to approximately 96–128 GB for desktops + 16 GB for the file server + 8 GB for the hypervisor — roughly 120–152 GB under normal load, well within the 256 GB installed. Peak headroom remains available for heavy workloads like large spreadsheets or month-end reporting.
The 16 desktop VMs require 4 TB, the file server requires 2.8 TB across its three disks, and the hypervisor uses ~100 GB — approximately 7 TB total. The 7-drive RAID 6 array provides 9.6 TB raw capacity, but after NTFS formatting and filesystem overhead (~20% loss), the usable formatted capacity is approximately 7.68 TB — leaving roughly 680 GB of free space for growth, snapshots, and temporary files.
Remote Desktop Services (RDS) provides multi-session Windows Server desktops where multiple users share a server's resources while maintaining isolated sessions. This is a proven, mature technology that BCCA used successfully before the Azure migration.
QuickBooks compatibility: QuickBooks Desktop and Enterprise install directly on the RDS server or connect to a file server within the same local network. Database operations occur over the local network (sub-millisecond latency), not across the internet. Multi-user mode operates reliably because the Database Server Manager and company files are hosted on the same physical infrastructure.
Sunburst payroll: Runs as a standard Windows application within each user's RDS session, with persistent configuration and local database access.
RDS licensing: Windows Server 2025 Remote Desktop Services uses Per-User CALs at $7.5/user/year — a straightforward, predictable licensing model.
Hosting in Honolulu fundamentally changes the latency equation for BCCA's Hawaii-based users:
The internet connection is provided by DRFConnect at 1 Gbps ($699/mo), DRFortress's multi-homed, redundant bandwidth service aggregated from multiple carriers.
The FortiGate 120G is a next-generation firewall providing comprehensive network security for the colocation environment:
The firewall, switch, and all subscriptions are managed by Vicinity as part of the monthly managed services agreement. The Unified Threat Protection subscription ($2100/year) includes ongoing signature updates, threat intelligence feeds, and firmware updates.
The Datto S6-24 provides both local and cloud-based backup and disaster recovery:
The 3-year commitment at $1900/month represents a significant line item, but provides enterprise-grade business continuity that addresses the single-site risk inherent in a colocation deployment.
| Line Item | Cost |
|---|---|
| Thinkmate RAX RXS5-2212-G1 × 1 | $35226 |
| FortiGate 120G | $3000 |
| FortiSwitch 124G | $1432 |
| DRFortress Setup Fees (NRC) | $1350 |
| One-Time Total | $41008 |
| Line Item | Monthly | Annual |
|---|---|---|
| DRFortress Colocation: Cabinet, power (primary + redundant), DRFConnect 1 Gbps | $1699 | $20388 |
| Fortinet Licensing & Warranty: UTP, FortiCare, cloud mgmt, FortiClient VPN, switch support | — | $4991 |
| Microsoft Licensing: Windows Server 2025 Datacenter + RDS CALs (45 users) | — | $976 |
| Microsoft 365 Business Premium: $23.1/user/mo × 45 users | $1040 | $12474 |
| Datto S6-24 Backup | $1900 | $22800 |
| Vicinity Managed Services | $2108 | $25296 |
| Annual Recurring Total | — | $86925 |
Hardware pricing quoted February 2026. Colo pricing per DRFortress rate card. All prices subject to change.
A factual comparison across key dimensions. Neither option is universally superior — they represent different trade-offs.
| Dimension | Option A: Azure Dedicated | Option B: Honolulu Colo |
|---|---|---|
| Application Compatibility | Resolved — persistent desktops retain state | Resolved — RDS sessions with local server hosting |
| User Latency (Hawaii) | 60-80ms RTT to Oregon | <5ms to local data center |
| User Latency (Philippines) | 150-180ms RTT to Oregon | 100-130ms RTT to Honolulu |
| Endpoint Security | Intune MDM + Conditional Access | Intune MDM + FortiGate NGFW + FortiClient VPN |
| Cost Model | 100% OpEx (monthly recurring) | CapEx Year 1, then steady OpEx |
| Scalability | Elastic — add/remove VMs on demand | Fixed — capacity bound to hardware |
| Hardware Ownership | None — Microsoft-managed cloud | Full ownership, single server, 5-year warranty |
| Backup & DR | Azure Backup (ZRS, 30-day retention) | Datto S6-24 (12 TB, 1-year retention) |
| Internet Dependency | Critical — all compute is cloud-hosted | Moderate — local compute, internet for remote access |
| 5-Year TCO Estimate | $257,000 | $403,000 |
A 5-year cost comparison framework. Option A is pure operating expense. Option B front-loads capital expenditure for a single-server deployment, with lower recurring compute costs but higher recurring costs for colocation and backup infrastructure.
100% operating expense — no capital outlay
| Period | Cost |
|---|---|
| Year 1 | $63696 |
| Year 2 | $63696 |
| Year 3 | $63696 |
| Year 4 | $63696 |
| Year 5 | $63696 |
| 5-Year Total | $318480 |
Capital expenditure Year 1, then recurring OpEx
| Period | Cost |
|---|---|
| Year 1 (CapEx + OpEx) | $127933 |
| Year 2 | $86925 |
| Year 3 | $86925 |
| Year 4 | $86925 |
| Year 5 | $86925 |
| 5-Year Total | $475633 |
Estimates based on current pricing as of February 2026. Actual costs may vary based on Azure consumption, vendor negotiations, and user count changes. These figures assume 45 users for the full 5-year period.