AWS MAP for Windows Workloads: Migration Strategies and Licensing

Reviewed by Opsio Engineering Team
Johan Carlsson

Country Manager, Sweden

AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia

Windows workloads account for roughly 57% of enterprise server operating systems worldwide, according to IDC's 2024 Server OS Market report. Migrating these workloads to AWS under the Migration Acceleration Program requires careful planning around licensing models, Active Directory integration, and the choice between EC2 instances and managed services. MAP credits help offset both the migration effort and the licensing complexity that makes Windows-on-AWS projects uniquely challenging.

Key Takeaways

  • AWS offers two Windows licensing models: License Included (bundled into EC2 pricing) and Bring Your Own License (BYOL) on Dedicated Hosts for existing Software Assurance customers.
  • MAP funding covers migration tooling, professional services, and AWS consumption costs for Windows workload transitions.
  • Active Directory integration through AWS Managed Microsoft AD or AD Connector enables seamless Windows authentication on AWS.
  • Managed services like Amazon RDS for SQL Server and Amazon FSx for Windows File Server reduce operational overhead compared to self-managed EC2 instances.
  • Windows Server 2012 and 2012 R2 end-of-support makes MAP-funded migration particularly urgent for organizations still running these versions.

Why Is Windows Migration Under MAP Different?

Windows workloads carry licensing obligations that Linux workloads do not. Every Windows Server instance requires a valid license. Every SQL Server instance running on Windows adds another licensing layer. Microsoft's licensing rules for cloud environments are complex and have changed multiple times in recent years.

MAP addresses this complexity by including licensing advisory as part of the assessment phase. AWS partners with Microsoft licensing specialists on staff help organizations model the cost of different licensing approaches on AWS. This analysis often reveals that organizations are over-licensed on-premises and can reduce costs by right-sizing on AWS.

The migration tooling also differs. AWS Application Migration Service (MGN) handles Windows server replication, but Windows-specific considerations around domain membership, Group Policy, and service accounts require additional planning that MAP's mobilization phase covers. A comprehensive AWS migration strategy should treat Windows workloads as a distinct migration wave.

How Does Windows Licensing Work on AWS?

AWS offers two primary licensing models for Windows Server on EC2. Understanding both is essential for cost optimization under MAP.

License Included is the simpler option. AWS bundles the Windows Server license into the EC2 instance hourly rate. You pay a premium over equivalent Linux instances—typically 30–50% more per hour—but you avoid managing licenses entirely. This model works on shared tenancy instances and requires no relationship with Microsoft beyond what AWS handles.

Bring Your Own License (BYOL) uses your existing Windows Server licenses on AWS Dedicated Hosts. You allocate physical servers through EC2 Dedicated Hosts, then apply your Volume Licensing or Enterprise Agreement licenses. This approach requires active Software Assurance or subscription licenses with License Mobility rights. BYOL can save 20–40% compared to License Included pricing for organizations with eligible agreements.

Microsoft updated its licensing terms in October 2022, adding a surcharge for running certain workloads on "Listed Providers" including AWS. This change affected new license purchases and renewals. Organizations with existing Software Assurance agreements before the change may be grandfathered under previous terms. MAP partners help you determine which rules apply to your specific licensing position.

What AWS Services Replace Self-Managed Windows Infrastructure?

Moving Windows workloads to AWS is not just about rehosting VMs. AWS offers managed services that replace common Windows infrastructure components, reducing the operational burden your team carries.

Amazon FSx for Windows File Server provides fully managed Windows-native file shares. It supports SMB protocol, NTFS permissions, and DFS namespaces. Organizations migrating file servers to FSx eliminate Windows Server patching, storage management, and backup configuration for file services. FSx integrates directly with your Active Directory for seamless permission management.

Amazon RDS for SQL Server replaces self-managed SQL Server installations. RDS handles patching, backups, high availability with Multi-AZ deployments, and storage scaling. You choose the SQL Server edition (Express, Web, Standard, Enterprise) and licensing model. For deeper guidance on database moves, our article on database migration under MAP covers DMS and SCT in detail.

Amazon WorkSpaces replaces on-premises VDI deployments running Windows desktops. WorkSpaces provides persistent Windows 10 or 11 desktops with License Included pricing. Organizations migrating Citrix or VMware Horizon environments to WorkSpaces simplify their desktop management stack significantly.

AWS Systems Manager replaces SCCM for patch management and configuration across your Windows fleet. It provides automated patching, inventory collection, and run command capabilities without deploying additional infrastructure.

How Do You Integrate Active Directory with AWS?

Active Directory is the backbone of Windows authentication and authorization. Every Windows migration must plan for AD integration early. AWS provides three options, each suited to different scenarios.

AWS Managed Microsoft AD deploys a fully managed Active Directory in your VPC. AWS handles domain controller provisioning, patching, and replication. You get a standard AD forest that trusts your on-premises AD through a forest or external trust. This option works best for organizations establishing a permanent AD presence on AWS.

AD Connector provides a proxy that redirects authentication requests to your on-premises AD. No directory data replicates to AWS. This option suits organizations that want to keep AD on-premises while enabling AWS services (WorkSpaces, RDS, FSx) to authenticate against existing domains. It requires reliable network connectivity between AWS and your data center.

Self-managed AD on EC2 gives you full control. You deploy Windows Server domain controllers on EC2 instances and manage them like on-premises servers. This approach provides maximum flexibility but carries the highest operational burden. It makes sense for complex AD topologies or when managed services cannot meet specific schema extension or replication requirements.

Whichever approach you choose, plan the AD integration during the MAP mobilization phase. Domain trust establishment, DNS configuration, and Group Policy replication need to be working before migrated Windows servers join the domain on AWS.

What Migration Tools Work Best for Windows Workloads?

AWS Application Migration Service (MGN) is the primary tool for rehosting Windows servers. MGN installs a lightweight agent on each source server. The agent continuously replicates disk blocks to a staging area in your AWS account. When you are ready to cut over, MGN launches EC2 instances from the replicated disks.

MGN handles Windows-specific tasks like driver injection and network interface mapping. It supports Windows Server 2012 R2 through 2022. For older versions like Windows Server 2008 R2, you may need to upgrade in place before migration or use CloudEndure Migration as an alternative.

For MAP funding purposes, MGN migration events are tracked and reported. The number of servers migrated through MGN directly influences credit calculations. Each successfully migrated server counts toward your MAP commitment, unlocking additional funding tiers.

PowerShell-based automation accelerates Windows migration at scale. Scripts that pre-configure networking, join domains, install monitoring agents, and validate application health reduce the per-server migration time from hours to minutes. MAP partners typically bring these automation frameworks from previous engagements.

How Do You Handle Windows Server End-of-Support Versions?

Windows Server 2012 and 2012 R2 reached end of support in October 2023. Organizations still running these versions face security risks from unpatched vulnerabilities and compliance violations from running unsupported software. MAP provides a structured path to modernize these workloads.

Option one is in-place upgrade before migration. Upgrade from 2012 R2 to 2019 or 2022 on-premises, then migrate to AWS. This approach carries risk because in-place Windows upgrades sometimes fail, but it keeps the migration tooling straightforward.

Option two is migrate and upgrade. Rehost the 2012 R2 server on AWS using MGN, then upgrade the EC2 instance to Windows Server 2019 or 2022. This approach separates the platform change from the OS upgrade, reducing the variables in each step.

Option three is migrate and modernize. Replace the Windows Server application with a managed service or container. A .NET application on Windows Server 2012 R2 might containerize into a Windows container on Amazon ECS. This requires more development effort but eliminates the Windows Server management overhead entirely.

AWS Extended Support for Windows Server provides security patches for end-of-support versions on EC2 at an additional cost. This buys time but is not a long-term solution. MAP credits can fund the upgrade effort that Extended Support is bridging.

What Licensing Pitfalls Should You Avoid?

Microsoft licensing audits on cloud infrastructure are increasingly common. Several pitfalls catch organizations unprepared during or after migration.

Running BYOL licenses on shared tenancy EC2 instances violates Microsoft's licensing terms. BYOL requires Dedicated Hosts or Dedicated Instances with specific configurations. If your migration lands BYOL workloads on shared instances, you are technically unlicensed. MAP partners configure landing zones that enforce the correct tenancy from the start.

SQL Server licensing per vCPU on AWS differs from per-core licensing on-premises. SQL Server Enterprise requires a minimum of four core licenses per physical core. On EC2, licensing applies per vCPU. Hyper-threading ratios and instance type selection directly impact licensing costs. A poorly chosen instance type can double your SQL Server licensing expense.

License Mobility through Software Assurance has specific product eligibility lists. Not all Microsoft products qualify. Windows Server itself does not have License Mobility—it requires BYOL on Dedicated Hosts. SQL Server, SharePoint, and Exchange have License Mobility, but the terms differ by product. Verify eligibility for each product before assuming your existing licenses transfer to AWS.
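
The BYOL tenancy pitfall above and the end-of-support risk from the previous section can both be checked after each migration wave. The following is an added example, not code from Opsio or AWS: it assumes records shaped like EC2 DescribeInstances output (PlatformDetails, Placement.Tenancy) and SSM DescribeInstanceInformation output (PlatformType, PlatformVersion); the function name audit_windows_fleet and all sample records are constructed for illustration.

```python
EOS_VERSION_PREFIXES = {  # NT version prefix -> end-of-support release in the article
    "6.2.": "Windows Server 2012",
    "6.3.": "Windows Server 2012 R2",
}
SHARED_TENANCY = "default"  # EC2 Placement.Tenancy is default, dedicated, or host


def audit_windows_fleet(reservations, ssm_info):
    """Return {instance_id: [finding, ...]} for Windows instances with findings."""
    os_version = {i["InstanceId"]: i.get("PlatformVersion", "")
                  for i in ssm_info if i.get("PlatformType") == "Windows"}
    findings = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            details = inst.get("PlatformDetails", "")
            if not details.startswith("Windows"):
                continue  # Linux and other platforms are out of scope
            iid = inst["InstanceId"]
            tenancy = inst.get("Placement", {}).get("Tenancy", SHARED_TENANCY)
            issues = []
            # Licensing pitfall: BYOL must not land on shared tenancy.
            if "BYOL" in details and tenancy == SHARED_TENANCY:
                issues.append("BYOL on shared tenancy")
            version = os_version.get(iid)
            if version is None:  # unmanaged instance: OS version cannot be verified
                issues.append("no Systems Manager record; OS version unknown")
            for prefix, release in EOS_VERSION_PREFIXES.items():
                if version and version.startswith(prefix):
                    issues.append(f"end-of-support OS: {release}")
            if issues:
                findings[iid] = issues
    return findings


# Constructed sample data (not real instances).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "PlatformDetails": "Windows BYOL", "Placement": {"Tenancy": "default"}},
    {"InstanceId": "i-0bbb", "PlatformDetails": "Windows BYOL", "Placement": {"Tenancy": "host"}},
    {"InstanceId": "i-0ccc", "PlatformDetails": "Windows", "Placement": {"Tenancy": "default"}},
    {"InstanceId": "i-0ddd", "PlatformDetails": "Linux/UNIX", "Placement": {"Tenancy": "default"}},
]}]
SAMPLE_SSM = [
    {"InstanceId": "i-0aaa", "PlatformType": "Windows", "PlatformVersion": "10.0.20348"},
    {"InstanceId": "i-0bbb", "PlatformType": "Windows", "PlatformVersion": "6.3.9600"},
]

if __name__ == "__main__":
    for iid, issues in audit_windows_fleet(SAMPLE_RESERVATIONS, SAMPLE_SSM).items():
        print(iid, "; ".join(issues))
```

Instances missing from Systems Manager are reported separately because an unmanaged Windows server can be neither patched through the fleet tooling nor confirmed to be on a supported release.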

Conclusion

Windows workload migration under AWS MAP requires more licensing awareness than any other workload type. The choice between License Included and BYOL affects your total cost for years. Active Directory integration determines your authentication architecture. Managed services like FSx, RDS, and WorkSpaces can replace self-managed Windows infrastructure and reduce operational effort. MAP credits and partner expertise make these transitions financially practical, even for organizations with complex Microsoft licensing agreements. Start with a licensing assessment, plan your AD integration, and migrate in waves that validate each component before scaling.

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.