Manage Remote Desktop Services licenses for Amazon WorkSpaces Core with AWS License Manager
Insights from my journey to license RDS for Citrix DaaS on Amazon WorkSpaces Core with AWS License Manager.
Justin Grego
Amazon Employee
Published Apr 29, 2025
With Amazon WorkSpaces Core, Windows Server bundle options do not include Microsoft Remote Desktop Services (RDS) Subscriber Access Licenses (SAL). Customers need to bring their own RDS CAL or SAL licenses for user or device access to WorkSpaces Core Windows Server bundles.
Customers often ask if there is a way to acquire those licenses either directly from the WorkSpaces Core service or via the AWS marketplace. Previously, customers had to procure the licenses through various Microsoft licensing agreements and utilize them using a Bring-Your-Own-License (BYOL) model. BYOL requires maintaining active Software Assurance on Remote Desktop User Client Access Licenses (CALs) or alternatively by claiming Microsoft RDS SALs on your Services Provider Licensing Agreement (SPLA). However, this is complicated by the fact that as of September 30, 2025, Microsoft will no longer allow SPLA licenses to be brought to Listed Providers (including AWS). AWS recently announced the general availability of AWS provided Subscriber Access Licenses for RDS via AWS License Manager.
There is an excellent article, How to configure Microsoft Remote Desktop Services using user-based subscription licenses with AWS License Manager, available on the AWS Blogs site which covers how to setup the new service, but only mentions use cases running on Amazon Elastic Compute Cloud (EC2).
I set off to confirm if you could utilize this new feature with Amazon WorkSpaces Core server based instances as well. In particular, I tested this against a Citrix DaaS on WorkSpaces Core environment. So can you utilize AWS License Manager to license RDS for your WorkSpaces Core users? Yes you can! I followed the blog linked above for initial setup, and was ultimately successful in proving out the solution. I also captured some key learnings along the way, which I discuss below.
- User can be subscribed to a license via the License Manager console, or auto-subscribed by launching a session on a WorkSpaces Core instance configured to obtain licenses from the License Manager endpoint address.
- AWS LM RDS CAL tokens have a 60 day lifespan, and users are not automatically unsubscribed due to inactivity. While most customers will likely utilize the auto-subscription route for simplicity, ensure you are reviewing or managing your user subscriptions when users no longer require access to your WorkSpaces Core server based instances.
- I recommend using automation via AWS Lambda or other mechanisms to ensure you are optimizing your license costs. One way would be to monitor the AD Group membership that grants access to your WorkSpaces Core desktop and applications. As users are removed from those group(s), the automation could then unsubscribe the user from the RDS license. This ensures you are removing users who no longer have access to the remote desktops and once their token expires you are no longer paying for the RDS license.
- Connectivity and routing to AWS Systems Manager (SSM) from the Virtual Private Cloud (VPC) you have deployed License Manager into is vital. Ensure that VPC either has internet connectivity or that you have provisioned VPC endpoints (VPCe) for Systems Manager.
- In order for the LM servers to discover your domain during deployment, ensure your DHCP option set is configured correctly. In my lab, I configured my DHCP option set to direct the VPC DNS to my Domain Controllers for DNS, NTP, and NetBIOS. I then had forwarders on my AD DNS servers that pointed to the VPC DNS server (the X.X.X.2 address of the VPC CIDR block) for DNS lookup and resolution of AWS resources. This setup ensured that the LM servers could find and join my Active Directory, as well as resolve the IP addresses for the SSM VPCe. This is by no means the only way to configure DNS, and many customers opt to utilize Route53 DNS and it's forwards to enable resolution of both AWS and internal domain resources.
- While deploying LM into your account, the initial elastic network interface (ENI) created in your account uses the default VPC Security Group (SG). If this SG has never been modified, it should contain sufficient rules to allow the required traffic to flow. However, if your organization has modified this security group, you may run into connectivity issues during deployment. This ENI is used for discovery and initial setup. Once past this step and the service deploys the actual RDS license servers, a new security group is automatically created and attached to their ENIs with the required firewall rules. This security group name starts with LicenseServerConnectivity-.
Screenshot of License Server security group - If your internal domain name is also an externally valid and resolvable one like mine, you may run into sporadic issues while deploying the solution. I found that simply retrying the deployment of the License Server would eventually result in success. The service team is working to ensure the service is more resilient under this scenario.
- Use Group Policy to configure your WorkSpaces Core instances to retrieve their RDS licenses from the AWS License Manager server. You can enter the RDS License Server endpoint or Server IPs, or both. Find these addresses in the License Manager console under User-based subscriptions, Products, then Microsoft Remote Desktop Services (RDS).
Ultimately, you can utilize AWS License Manager to obtain user licenses for your Amazon WorkSpaces Core environment. By doing so, you can simplify license procurement, streamline user access management, and ensure compliance without relying on complex BYOL models. While there are some key considerations around connectivity, security group configurations, and DNS settings, these can be effectively managed with proper planning and automation. Leveraging AWS License Manager for RDS licenses not only reduces administrative overhead but also helps optimize license costs over time. This new capability provides customers with a more scalable, efficient, and AWS-native solution for licensing Windows Server-based WorkSpaces Core environments.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.