Amazon EVS now offers Windows Server Licensing: A step-by-step guide

Flexibility, control, and choice have always been core pillars of the Amazon Elastic VMware Service (Amazon EVS). Amazon EVS gives you the ability to maintain existing investments in VMware technologies while embracing the benefits of the cloud. With Amazon EVS, you can run VMware Cloud Foundation (VCF) directly within your Amazon VPC on EC2 bare-metal instances, allowing you to migrate workloads quickly and eliminate aging infrastructure while maintaining your existing tooling and operational processes.

We’re excited to share that Amazon EVS now offers Microsoft Windows Server licensing, enabling you to migrate or create Virtual Machines (VMs) running Microsoft Windows Server operating system directly in your EVS environment. In this post, we’ll share what it means for your migration journey, walk through how it works, and show you how to get started.

More flexibility: Your Windows Server licensing options on Amazon EVS

You now have two options for running your Windows-based VMs on Amazon EVS, depending on your situation:

Bring Your Own License (BYOL): If you hold eligible Windows Server licenses with portability rights (for example, Windows Server 2016 or 2019 licenses purchased before October 1, 2019), you can bring those licenses to your EVS environment. This lets you continue using licenses you’ve already invested in.

Microsoft Windows License Entitlements for Amazon EVS: For VMs without portability rights, such as those running Windows Server 2022 or 2025, you can now entitle those VMs directly through Amazon EVS. You pay on a per-vCPU-hour basis, and you can add or remove entitlements at any time, giving you flexibility to manage costs as your needs change.

Key concepts before you get started

Before configuring your licensing, there are two core concepts to understand: EVS connectors and Windows Server license entitlements.

EVS connectors: With this launch, we’re introducing EVS connectors. Connectors enable the Amazon EVS service to communicate with the VCF management appliances (such as vCenter Server) in your EVS environment. Each connector maps to a single management appliance and uses the fully qualified domain name (FQDN) along with credentials stored in AWS Secrets Manager for authentication. Windows Server licensing requires a vCenter connector in your Amazon EVS environment. This enables Amazon EVS to track your Windows Server license usage and monitor VM lifecycle events,

Windows Server license entitlements: You’ll need to create an entitlement for each Windows Server VM that uses an AWS-provided license. Once created, Amazon EVS monitors the VM’s power status and vCPU configuration, so billing aligns with actual usage, and you can scale consumption depending on workload demands.

How billing works: While monitoring starts at entitlement creation, you’re only charged based on the VM’s actual resource usage while running. Windows licensing on Amazon EVS is billed per vCPU-hour for the VMs you entitle. You’re only charged for the VMs you choose to license through AWS. The VMs covered by Windows Server license portability rights carry no additional licensing cost from AWS. For a pricing example, visit the Amazon EVS pricing page.

Step-by-step guide

The following steps guide you through configuring your licensing within your EVS environment.

Steps:

1. Set up a user account within your VMware vCenter server with the ReadOnly role attached and store credential within AWS Secrets Manager.
2. Create a vCenter connector within EVS.
3. Add a Windows Server license entitlement within EVS using the VMware VM IDs.
4. Create Activation VPC endpoint and configure Windows Server VMs to use the AWS Key Management Server (KMS).

Step 1: Set up a user account in the VMware vCenter server running within your EVS environment with the ReadOnly role attached and store credential within AWS Secrets Manager

The EVS connector requires credentials to authenticate with the vCenter Server appliance in your EVS environment. Before creating the connector, create a dedicated user account with the ReadOnly role for the connector to use.

1. Log into the vCenter Server in your Amazon EVS environment with an account that has the administrative privileges necessary to create new users and assign roles.
2. Set up a local Single-Sign On user and assign that user to the ReadOnly group.

Figure 1: Set username, password, and description (recommended) for a new user

Figure 2: Add a newly created user to ReadOnlyUsers group

Next, for the EVS connector to work with your vCenter appliance, it needs the credentials you just created. To store and share these credentials securely with Amazon EVS, use AWS Secrets Manager with a specific tag that allows the EVS to retrieve the credential.

1. From the AWS Console, access the AWS Secrets Manager landing page.
2. Select Store a new secret.
3. Select Other type of secret.
4. In the Key/value pairs section, add the full username as the Key and the password as the value. After adding these details, select Next.
   1. Username must be username@vsphere.local
   2. In our example, the username is evs-connector@vsphere.local
5. In the Secret name and description section, add a name for the secret. You can add a description as an option.
6. In the Tags – optional section select Add.
7. Add a key containing EvsAccess with the value of true.

Note:The Key and Value are case sensitive.

Figure 3: Tag secret with EvsAccess=true

8. The Configure rotation section can be left as default. Select Next.
9.  Review the details and select Store.

Step 2: Create a vCenter connector within EVS

Now we will create an Amazon EVS connector to enable communication to your vCenter Server.

1. From the AWS Console, access Amazon EVS.
2. Select the EVS environment that you want to add the connector to.
3. Select the Connector tab and then Create connector.

Figure 4: Create a new connector

4. Enter the FQDN of your Amazon EVS vCenter appliance.
5. Select the AWS Secrets Manager secret from the list that you previously created.
6. Select the checkbox to confirm you have configured the necessary vCenter user access and permissions, then select Create connector.

Figure 5: Submit a form to create a new connector with access to EVS vCenter

The connector may take up to 10 minutes for the connection to be validated. You can check the state of the connector via the connectors tab in the Amazon EVS environment.

You must wait for the State to be Active and Status to be Passed before continuing to the next step.

Step 3: Add a Windows Server license entitlement within EVS using VMware VM IDs

After setting up your user accounts and connectors, you’re now ready to entitle your VMs for Windows Server licenses.

1. 1. From the AWS Console, access Amazon EVS.
   2. Select the EVS environment where you need to add the connector.
   3. Select the Entitlements tab and then Add entitlements.

Figure 6: Add entitlements

4. You can either upload a .csv file or add the VM IDs manually. For this walkthrough, we are adding the IDs manually.

Note: In vCenter you can use PowerCLI or other tooling to get the VM Managed Object ID.

Note: Each entitlement may only contain 100 VMs. You can request entitlements for the VMs in batches of 100 VMs.

5. Provide the VM IDs in the text box, with each ID separated by a comma.
6. Select Add entitlements.

Figure 7: Submit VM IDs to a new entitlement

7. To verify completion, check that the entitlement status has changed to Active.

Step 4: Create Activation VPC endpoint and configure Windows Server VMs to use the AWS Key Management Server (KMS)

Amazon EVS provides a Key Management Services (KMS) server endpoint to use within entitled VMs for activation. After creating entitlements you can create a VPC endpoint to enable connectivity to the Amazon EVS provided KMS server.

You can only create this endpoint if you have a running Amazon EVS environment where you are using AWS-offered windows server licensing.

1. From the AWS Console, access Amazon VPC.
2. From the navigation pane on the left, select Endpoints from the PrivateLink and Lattice section.
3. Select Create endpoint.
4. Input a name for the endpoint.
5. Under Type select AWS services.

Figure 8: Create Activation VPC endpoint

6. Select the service with the name: “com.amazonaws.<region>.evs-windows-server-activation“.
7.  Under network settings, select the Amazon EVS VPC in the drop down menu.

Figure 9: Setup activation service for a new endpoint

8. Next, select the service access subnet from within the Subnets section.

Figure 10: Associate a Service Access Subnet for the new endpoint

9. Select a security group to attach to the endpoint. The security group must permit inbound TCP 1688 from any Windows Server VM that will connect to the AWS KMS server.
10. Once the endpoint status is Available, select the endpoint name and scroll down and find the Private DNS name, this will be required in the next task.

Figure 11: Obtain endpoint’s private DNS name

Next, you will need to configure the entitled VMs to use the Amazon EVS provided KMS server endpoint for windows activation. This can be done manually on each VM, or you can use PowerShell or group policies to automate the process. For the purposes of this blog, we’ll be showing the manual option using PowerShell.

1. Log into your Windows Server VM and open a PowerShell window.
2. Configure the VM to use the AWS KMS server with the following command, using the Private DNS name you copied:

slmgr /skms <VPC Endpoint Private DNS Name>:1688


For our example, the command would be:

slmgr /skms evs-windows-server-activation.us-east-2.amazonaws.com:1688

3. Note the dialog window that notifies you that the Key Management Service machine has been set to the AWS KMS server:

Figure 12: Successfully set Windows Server VM to use AWS KMS server

4. Next, run the following command to activate your Windows Server VM:

slmgr /ato

If successful you will receive a dialog window notifying you that the product was activated successfully:

Figure 13: Successful activation of Windows Server VM1

5. To confirm a Windows Server VM has been configured correctly, you may use the following command:

slmgr /dli

You will see the message below if successful:

Figure 14: License activation confirmation

If you’re interested in using Command Line Interface (CLI), you can read through the user guide for guidance.

Getting started

Start your journey to AWS today. Whether you’re planning a strategic data center exit, looking to reduce operational costs, or ready to unlock cloud innovation, Amazon EVS provides a simplified path forward for your VCF-based workloads.

Get started: Access the Amazon EVS console today

Deep dive: Review our technical documentation to learn about Amazon EVS and licensing

Explore migration and modernization options: Visit the AWS for VMware page to discover all of your options to migrate and modernize VMware workloads to AWS

Start planning: Connect with us and start with no-cost assessment.

About the authors