

# Use License Manager user-based subscriptions for supported software products
<a name="user-based-subscriptions"></a>

With user-based subscriptions in AWS License Manager, you can purchase fully compliant licensed software subscriptions. Licenses are provided by Amazon and have a per-user subscription fee. Amazon EC2 provides pre-configured Amazon Machine Images (AMIs) with the supported software, along with license-included Windows Server licenses. These licenses can be used without long-term licensing commitments.

To use user-based subscriptions, you associate users from [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) (AWS Managed Microsoft AD), or from your self-managed (on-premises) domain, with EC2 instances providing the software. To make your licensed software available, you must create user-based subscriptions and associate them with instances launched from pre-configured AMIs. [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) will configure and harden the license-included instances you launch. Users must connect with Remote Desktop software to access the instances providing the software.

Each associated user and each [vCPU](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) for the license-included instances incurs charges. Amazon EC2 Reserved Instances and Savings Plan pricing models can help optimize your Amazon EC2 costs. For more information, see [Reserved Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-reserved-instances.html) in the *Amazon Elastic Compute Cloud User Guide*. User-based subscriptions are billed from the first half of the month to the end of the month.

**Topics**
+ [Considerations for using user-based subscriptions in License Manager](#usubs-considerations)
+ [Subscription charges in License Manager](#usubs-subscription-charges)
+ [Prerequisites to create user-based subscriptions in License Manager](#usubs-prerequisites)
+ [Supported software products for user-based subscriptions in License Manager](#usubs-software)
+ [Active Directory](#ad-support)
+ [Additional software](#usubs-software-additional)
+ [Get started with user-based subscriptions in License Manager](user-based-subscriptions-getting-started.md)
+ [Configure Active Directory GPO for more active remote user sessions](usubs-configure-gpo.md)
+ [Get Started with Cross-Account AWS License Manager using Shared AWS Managed Microsoft AD](license-cross-account.md)
+ [Launch an instance from a license included AMI](usubs-launch-instance.md)
+ [Connect to a user-based subscription instance with RDP](user-based-subscriptions-connect.md)
+ [Modify firewall settings for your Microsoft Office subscription](usubs-modify-firewall.md)
+ [Manage subscription users for License Manager user-based subscriptions](usubs-manage-users.md)
+ [Deregister an Active Directory from License Manager settings](usubs-deregister-ad.md)
+ [Troubleshoot user-based subscriptions in License Manager](user-based-subscriptions-troubleshoot.md)

## Considerations for using user-based subscriptions in License Manager
<a name="usubs-considerations"></a>

The following considerations apply when using user-based subscriptions with License Manager:
+ The AWS Marketplace subscription for license-included Microsoft Remote Desktop Services (`Win Remote Desktop Services SAL`) has a per user per month fee, with no proration.
+ Instances that provide user-based subscriptions support up to two active user sessions at a time by default. To enable more than two active user sessions, you can configure an Active Directory Group Policy Object (GPO), and set the Microsoft RDS licensing mode to `Per User`. For more information, see the prerequisites for [Configure Active Directory GPO for more active remote user sessions](usubs-configure-gpo.md).
+ When you create local users with administrator privileges on instances that provide user-based subscriptions, the instance health status might change to unhealthy. License Manager can terminate instances that are unhealthy for non-compliance. For more information, see [Troubleshooting instance compliance](user-based-subscriptions-troubleshoot.md#user-based-subscriptions-troubleshoot-instance-compliance).
+ When you configure your Active Directory with Microsoft Office products, your VPC must have [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) provisioned in at least one subnet. If you want to remove all VPC endpoint resources created by License Manager, you must remove any Active Directory that's configured from the License Manager settings. For more information, see [Deregister an Active Directory from License Manager settings](usubs-deregister-ad.md).
+ The tag key of `AWSLicenseManager` with the value of `UserSubscriptions` assigned by License Manager to your instances must not be altered or deleted.
+ For the service to function as expected, the two network interfaces created for License Manager must not be altered or deleted.
+ The objects that License Manager creates in the AWS Managed Microsoft AD directory's **AWS Reserved** organizational unit (OU) must not be altered or deleted.
+ The instances deployed for user-based subscriptions must be managed nodes with AWS Systems Manager and joined to the same domain. For information on keeping your instances managed by Systems Manager, see the [Troubleshoot user-based subscriptions in License Manager](user-based-subscriptions-troubleshoot.md#user-based-subscriptions-troubleshoot-systems-manager-connectivity) section of this guide.
+ To stop incurring Microsoft Office or Visual Studio subscription charges for a user, you must disassociate the user from all instances they are associated with. For more information, see [Disassociate users from an instance that provides License Manager user-based subscriptions](usubs-disassociate-users.md).

## Subscription charges in License Manager
<a name="usubs-subscription-charges"></a>

Subscription and billing in License Manager varies based on the subscription product that's used.

**Microsoft Office and Visual Studio subscriptions**  
For Microsoft Office and Visual Studio subscriptions, billing stops as soon as you have disassociated the user from all instances that provide the subscription product, and unsubscribed them from the product.

**Microsoft Remote Desktop Services (RDS) subscriptions**  
Microsoft RDS is billed on a per user, per month basis based on a combination of the user subscription and the client access license (CAL) token that's issued from the license server when the user connects to an instance that provides the subscription product.

### Microsoft RDS billing in License Manager
<a name="usubs-billing-rds"></a>

Microsoft RDS billing begins when the Active Directory user is subscribed through License Manager, and ends after the client access license (CAL) token expires, 60 days from the date it's issued, with no proration for partial months. Billing continues until the token expires, even if you unsubscribe the user.

If an unsubscribed user continues to log in after the license token expires, they are automatically re-subscribed, and billing continues until they are again unsubscribed and their token expires.

Similarly, if a user who has never subscribed logs into an instance that is associated with the license server, License Manager automatically subscribes them and begins RDS billing. Billing continues until they are unsubscribed and their token expires.

To stop billing for a user at the end of the current month, you must remove that user from the Active Directory that's configured for the license server before unsubscribing.

**Warning**  
If you remove an Active Directory user who still has an active Microsoft Office or Visual Studio subscription, that user will no longer be able to access instances that they are associated with.

The following example scenarios demonstrate how RDS billing works.

#### Scenario 1: Standard subscription and billing
<a name="rds-billing-scenario-01"></a>

The following scenario shows a standard set of actions that affect billing for an Active Directory (AD) user who is subscribed on 12/15/2024, but never accesses a subscription instance.

*Action:* If the user never unsubscribes, billing continues indefinitely.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 12/15/2024 | 12/15/2024 | -- | N/A | -- | -- | -- | 

*Action:* The user is unsubscribed on 1/15/2025.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 12/15/2024 | 12/15/2024 | -- | N/A |  `1/15/2025`  |  `No`  |  `1/31/2025`  | 

#### Scenario 2: How the license token affects user subscription and billing
<a name="rds-billing-scenario-02"></a>

The following scenario shows how the license token expiration affects the user subscription for an Active Directory (AD) user who is subscribed on 9/15/2024 and logs into a domain-joined subscription product instance the same day.

*Action:* Initial subscription and login for AD user.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 9/15/2024 | 9/15/2024 | 9/15/2024 | 11/15/2024 | -- | -- | -- | 

*Action:* The same AD user is unsubscribed on 10/19/2024. However, since the user wasn't removed from the directory, billing continues until the end of the month during which the license token expires.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 9/15/2024 | 9/15/2024 | 9/15/2024 | 11/15/2024 |  `10/19/2024`  | -- |  `11/30/2024`  | 

*Alternative action:* The AD administrator removes the user from the directory on 10/20/2024, and then unsubscribes the user on the following day. In this case, billing stops at the end of the month during which the user is removed from the directory.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 9/15/2024 | 9/15/2024 | 9/15/2024 | 11/15/2024 | 10/21/2024 |  `10/20/2024`  |  `10/31/2024`  | 

#### Scenario 3: Unsubscribed user is resubscribed
<a name="rds-billing-scenario-03"></a>

The following scenario shows how an unsubscribed Active Directory (AD) user whose license token has expired is automatically resubscribed when they access a domain-joined subscription product instance.

*Action:* Initial subscription and login for AD user.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 9/15/2024 | 9/15/2024 | 9/15/2024 | 11/15/2024 | -- | -- | -- | 

*Action:* The same AD user is unsubscribed on 10/19/2024. However, since the user wasn't removed from the directory, billing continues until the end of the month during which the license token expires.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 9/15/2024 | 9/15/2024 | 9/15/2024 | 11/15/2024 |  `10/19/2024`  | -- |  `11/30/2024`  | 

*Action:* The same AD user accesses a domain-joined subscription product instance after their previous license token expires but before billing ends. Billing continues until the user is unsubscribed again and their new token expires.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
|  `11/20/2024 (re-subscribed)`  |  `billing continues`  |  `11/20/2024`  |  `1/20/2025`  | -- | -- | -- | 

#### Scenario 4: Automatic subscription on instance access
<a name="rds-billing-scenario-04"></a>

The following scenario shows how an Active Directory (AD) user who was never subscribed to RDS SAL is automatically subscribed when they log into a domain-joined subscription product instance.

*Action:* An AD user who was never subscribed to RDS SAL logs into a domain-joined subscription product instance on 9/15/2024, and is auto-subscribed. Billing begins, and continues until the user is unsubscribed and their new token expires.


| AD user subscribed | Billing starts | CAL issued | CAL expires | User unsubscribed | User removed from AD | Billing ends | 
| --- | --- | --- | --- | --- | --- | --- | 
| 9/15/2024 (auto-subscribed) | 9/15/2024 | 9/15/2024 | 11/15/2024 | -- | -- | -- | 

For more information about how Microsoft RDS per user CALs work, see the **Per User CALs** section in the [License your Remote Desktop deployment](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license) article on the *Microsoft Learn* website.

## Prerequisites to create user-based subscriptions in License Manager
<a name="usubs-prerequisites"></a>

The following prerequisites must be implemented in your environment before you can create user-based subscriptions.

**Contents**
+ [IAM roles and permissions](#usubs-prereq-iam)
  + [AWS KMS Key policy for License Server credentials](#usubs-prereq-iam-rdslic)
+ [Active Directory](#usubs-prereq-ad)
+ [Security groups](#usubs-prereq-sg)
+ [Network configuration](#usubs-prereq-network)
+ [Instances that provide user-based subscription products](#usubs-prereq-instance)
+ [Microsoft Remote Desktop Services](#usubs-prereq-rds)
  + [Administrative credentials secret](#usubs-prereq-rds-secret)

### IAM roles and permissions
<a name="usubs-prereq-iam"></a>

You must allow License Manager to create a service-linked role in order to onboard your AWS account for user-based subscriptions. In the License Manager console, a prompt appears in **User-based subscriptions** if the role hasn't been created yet. After you respond to the prompt and agree to allow License Manager to create the role, choose **Create** to continue. For more information, see [Using service-linked roles for License Manager](using-service-linked-roles.md).

To create user-based subscriptions, your user or role must have the following permissions:
+ **Amazon EC2** – Work with network interfaces and subnets.
  + `ec2:CreateNetworkInterface`
  + `ec2:DeleteNetworkInterface`
  + `ec2:DescribeNetworkInterfaces`
  + `ec2:CreateNetworkInterfacePermission`
  + `ec2:DescribeSubnets`
+ **Directory Service** – Administer Active Directories.
  + `ds:DescribeDirectories`
  + `ds:AuthorizeApplication`
  + `ds:UnauthorizeApplication`
  + `ds:GetAuthorizedApplicationDetails`
  + `ds:DescribeDomainControllers`
+ **Route 53** – Configure routing.
  + `route53:DeleteHealthCheck`
  + `route53:ChangeResourceRecordSets`
  + `route53:GetHostedZone`
  + `route53:ListHostedZonesByName`
  + `route53:ListHostedZones`
  + `route53:ListHostedZonesByVPC`
  + `route53:CreateHostedZone`
  + `route53:DeleteHostedZone`
  + `route53:ListResourceRecordSets`
  + `route53:GetHealthCheckCount`
  + `route53:AssociateVPCWithHostedZone`

To create user-based subscriptions for Microsoft Office products, your user or role must also have these additional permissions:
+ `ec2:CreateVpcEndpoint`
+ `ec2:DeleteVpcEndpoints`
+ `ec2:DescribeVpcEndpoints`
+ `ec2:ModifyVpcEndpoint`
+ `ec2:DescribeSecurityGroups`

#### AWS KMS Key policy for License Server credentials
<a name="usubs-prereq-iam-rdslic"></a>

To use your own KMS key to encrypt and decrypt the administrative credentials secret for Microsoft RDS License Server, you must attach a policy to the role that you use for accessing License Manager operations. The following example shows a policy that grants permission for Secrets Manager to access the KMS key to encrypt and decrypt the Microsoft RDS License Server credential secret.

```json
{
    "Version": "2012-10-17",
    "Id": "key-policy",
    "Statement": [
        {
            "Sid": "AllowCallerRoleDecryptViaSecretsManager",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/RoleName"
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "secretsmanager.*.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowLicenseManagerServiceRoleDecryptViaSecretsManager",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/aws-service-role/license-manager-user-subscriptions.amazonaws.com/AWSServiceRoleForAWSLicenseManagerUserSubscriptionsService"
            },
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "secretsmanager.*.amazonaws.com"
                }
            }
        }
    ]
}
```

### Active Directory
<a name="usubs-prereq-ad"></a>

To use License Manager user-based subscriptions, you must create an Active Directory (AD) that contains user information for the subscription product users. Depending on your configuration, you can use an AWS Managed Microsoft AD, or a self-managed AD.

If you use both AWS managed and self-managed Active Directories, you must establish a two-way forest trust between the directories. For more information, see [Tutorial: Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html) in the *AWS Directory Service Administration Guide*.

**Note**  
Subnets that are configured for your directory must all be from the same VPC for your AWS account. Shared subnets are not supported.

AWS managed Active Directories have the following restrictions.
+ A directory that is shared with you is supported only if it is onboarded in the primary account first. After that, you can onboard it in a shared account.
+ Multi-factor authentication is not supported.

**Prerequisite for tag-based filters**  
If you will use tag-based filters for your Active Directory, you must first onboard to the AWS Resource Explorer service, as follows:

1. Open the Resource Explorer console at [https://resource-explorer.console.aws.amazon.com/resource-explorer](https://resource-explorer.console.aws.amazon.com/resource-explorer).

1. Choose **Turn on Resource Explorer**.

1. In the **Set up Resource Explorer** page, choose a setup option, as follows.  
   **Quick setup**  
   Select this option for basic configuration.  
   **Advanced setup**  
   Select this option for custom configuration. Ensure that you create an index for at least the Region where your Active Directory resides.

1. Select a Region for the **Aggregator index Region**.

1. Choose **Turn on Resource Explorer** to save your settings.

1. In the navigation pane, select **Views**, then choose **Create view**.  
   **Note**  
   To show the navigation pane if it's hidden, choose the menu icon (three horizontal bars).

1. In the **Create view** page, configure the view as follows:

   1. For **Name**, enter **license-manager-user-subscriptions-view**.

   1. Verify that the **Resources filter** is set to **Include all resources**.

   1. In the **Additional resource attributes** section, verify that the **Tags** checkbox is selected.

1. Choose **Create view** to finish.

For more information about creating an AWS Managed Microsoft AD directory, see [AWS Managed Microsoft AD prerequisites](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_prereqs.html) and [Create your AWS Managed Microsoft AD directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_create_directory.html) in the *AWS Directory Service User Guide*.

To associate users with AWS Managed Microsoft AD, you must provision users in your AWS Managed Microsoft AD directory. For more information, see [Manage users and groups in AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_users_groups.html) in the *AWS Directory Service Administration Guide*.

### Security groups
<a name="usubs-prereq-sg"></a>

Security groups control the network traffic that's allowed into and out of the resources on your network. To ensure that resources in your user-based subscription environment can communicate, your security groups must meet the following criteria.

**Security group for VPC endpoints**  
Identify or create a security group that permits **inbound** TCP port `1688` connectivity. When you configure your VPC settings, you'll specify this security group. For more information, see [Work with security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#working-with-security-groups).

License Manager associates this security group to the VPC endpoints it creates on your behalf while configuring the VPC. For more information about VPC endpoints, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *AWS PrivateLink Guide*.

**Security group for Active Directory domain controllers**  
Ensure that the security group that you use for your AD domain controllers allows outbound traffic to each domain controller's network interface IP address. In addition, the domain controller security group should allow communication on all Active Directory related ports including TCP 9389. Port 9389 is required for Active Directory Web Services (ADWS), which is used by the Active Directory PowerShell module and other management tools to communicate with domain controllers.

**Security group requirements for "Register your Active Directory" step**  
When you onboard your Active Directory to License Manager, License Manager creates a network interface in the subnets that you supply and associates it with the default security group of the VPC. Make sure that this security group is allowed access to your Active Directory domain controllers. After onboarding is complete, you can replace it with a security group of your choice, but that group still requires network access to the domain controllers.

**Security group requirements for "Configure RDS license server" step**  
During license server configuration, License Manager creates two network interfaces in the subnets you provide. These network interfaces are automatically associated with a newly created security group that includes all required port configurations. Ensure that your Active Directory domain controller security groups allow traffic to and from the subnet CIDRs on all Active Directory related ports, including TCP port 9389. Port 9389 is required for Active Directory Web Services (ADWS), which is used by the Active Directory PowerShell module and other management tools to communicate with domain controllers.

**Security group for user-based subscription instances**  
Identify or create a security group that permits the following access to and from your instance. For more information, see [Work with security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#working-with-security-groups).
+ **Inbound** TCP port `3389` connectivity from your approved connection sources.
+ **Outbound** TCP port `1688` connectivity to reach the VPC endpoints, and to communicate with AWS Systems Manager.
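
The instance and VPC endpoint rules above can be checked before launch. The following is an added example, not part of the AWS documentation: it audits dictionaries shaped like entries in the EC2 `DescribeSecurityGroups` response, and the function names, sample groups and approved CIDR ranges are constructed for illustration.

```python
import ipaddress

RDP_PORT = 3389         # inbound to subscription instances (from the page)
ACTIVATION_PORT = 1688  # instance -> VPC endpoints (from the page)


def _covers(perm, port):
    """True if one IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidrs(perm):
    """All IPv4 and IPv6 CIDR ranges named by one entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _is_approved(cidr, approved):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in approved)


def audit_instance_sg(sg, approved_sources):
    """Check the security group of a user-based subscription instance.

    Rules whose source is another security group (UserIdGroupPairs) are
    not evaluated here; review those separately.
    """
    approved = [ipaddress.ip_network(c) for c in approved_sources]
    findings = []
    rdp_rules = [p for p in sg.get("IpPermissions", []) if _covers(p, RDP_PORT)]
    if not rdp_rules:
        findings.append("no inbound rule allows TCP 3389")
    for perm in rdp_rules:
        for cidr in _cidrs(perm):
            if not _is_approved(cidr, approved):
                findings.append(f"TCP 3389 open to unapproved source {cidr}")
    egress = sg.get("IpPermissionsEgress", [])
    if not any(_covers(p, ACTIVATION_PORT) for p in egress):
        findings.append("no outbound rule allows TCP 1688")
    return findings


def audit_endpoint_sg(sg):
    """Check the security group that is specified for the VPC endpoints."""
    if any(_covers(p, ACTIVATION_PORT) for p in sg.get("IpPermissions", [])):
        return []
    return ["no inbound rule allows TCP 1688"]


# Constructed sample groups (not real resources).
OPEN_INSTANCE_SG = {
    "GroupId": "sg-EXAMPLE-open",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.1.0/24"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
SCOPED_INSTANCE_SG = {
    "GroupId": "sg-EXAMPLE-scoped",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.16/28"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
ENDPOINT_SG = {
    "GroupId": "sg-EXAMPLE-endpoint",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1688, "ToPort": 1688,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
APPROVED_SOURCES = ["10.0.0.0/16", "203.0.113.0/24"]  # constructed allow-list

if __name__ == "__main__":
    for group in (OPEN_INSTANCE_SG, SCOPED_INSTANCE_SG):
        print(group["GroupId"], audit_instance_sg(group, APPROVED_SOURCES))
    print(ENDPOINT_SG["GroupId"], audit_endpoint_sg(ENDPOINT_SG))
```
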

### Network configuration
<a name="usubs-prereq-network"></a>

License Manager creates two network interfaces which use the default security group of the VPC where your AWS Managed Microsoft AD is provisioned. These interfaces are used for the service to interact with your directory. For more information, see [Step 2: Register your Active Directory in License Manager](user-based-subscriptions-getting-started.md#user-based-subscriptions-configure-ad) and [What gets created](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.html) in the *AWS Directory Service Administration Guide*.

After the provisioning process is complete, you can associate a different security group to the interfaces created by License Manager.

**DNS resolution**  
The Active Directory that you've registered for user-based subscriptions must be accessible from any VPCs and subnets that you've configured in License Manager settings. To ensure that Active Directory nodes are accessible, configure DNS resolution as follows:
+ Configure DNS forwarding between the VPCs and Active Directories that are configured in your License Manager settings for user-based subscriptions. You can use Amazon Route 53 or another DNS service for DNS forwarding. For more information, see the blog post [Integrating your Directory Service’s DNS resolution with Amazon Route 53 Resolvers](https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/).
+ Enable **DNS hostnames** and **DNS resolution** for your VPC. For more information, see [View and update DNS attributes for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating).

### Instances that provide user-based subscription products
<a name="usubs-prereq-instance"></a>

For your user-based subscription instances to function as expected, you must meet the following prerequisites:
+ Set up a security group for your instances as described in [Security groups](#usubs-prereq-sg).
+ Ensure that the instances launched to provide user-based subscriptions with Microsoft Office have a route to the subnet where the VPC endpoints are provisioned.
+ Instances that provide user-based subscriptions must be managed by AWS Systems Manager in order to have a healthy status. Additionally, your instances must be able to activate their user-based subscription licensing to remain in compliance after license activation.  
  **Note**  
  License Manager will attempt to recover unhealthy instances, but instances that can't be returned to a healthy status will be terminated. For troubleshooting information on keeping your instances managed by Systems Manager, and instance compliance, see the [Troubleshoot user-based subscriptions in License Manager](user-based-subscriptions-troubleshoot.md) section of this guide.
+ You must have an instance profile role attached to instances providing the user-based subscription products that allows for the resource to be managed by AWS Systems Manager. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*.
+ You must [Disassociate users from an instance](usubs-disassociate-users.md) prior to terminating the instance.

### Microsoft Remote Desktop Services
<a name="usubs-prereq-rds"></a>

The Microsoft Remote Desktop Services license server requires an administrative user that's defined in the associated Active Directory. That user must be able to perform the following tasks:
+ Create an OU under the Active Directory domain
+ Domain join instances (create Computer) inside of the OU that is created
+ Add a computer object to a Terminal servers group within the Active Directory domain
+ Have delegated control for user objects in the Active Directory domain to read and write Terminal Server license server, in order to generate license server reports.

To learn more about delegation, see [Delegation of Control in Active Directory Domain Services](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/delegation-control-wizard).

#### Administrative credentials secret
<a name="usubs-prereq-rds-secret"></a>

License Manager uses AWS Secrets Manager to manage the credentials needed for user administration tasks on the Microsoft Remote Desktop Services license server. Before you can set up the license server, you must create a secret in Secrets Manager that contains the credentials for the user who performs user administration tasks on the license server. When you configure the license server settings, you must provide the ID of the secret that you created.

**Note**  
This must be the same user that you've defined for RDS license server report generation.

To create a secret, follow detailed instructions on the [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) page in the *Secrets Manager User Guide*, with the following settings that are specific to License Manager.

**Important**  
To use the secret, License Manager depends on the exact key names, the username value, and the encryption key that are specified in the following list. The secret name must begin with the following prefix: `license-manager-user-`.

On the **Choose secret type** page:
+ **Secret type** – Choose **Other type of secret**.
+ **Key/value pairs** – Specify the following key pairs to store in the secret.  
  Username  
  + Key: `username`
  + Value: `Administrator`

  Password  
  + Key: `password`
  + Value: *The password*
+ **Encryption key** – To specify a KMS key other than the `aws/secretsmanager` key, you must attach a policy to the role that you use for accessing License Manager operations. For more information, see [IAM roles and permissions](#usubs-prereq-iam).

On the **Configure secret** page:
+ **Secret name** – Specify a name for your secret that begins with the prefix that License Manager uses to identify license server credential secrets. For example:

  ```
  license-manager-user-admin-credentials
  ```

These instructions assume that you are using the AWS Management Console to create your secret. The Secrets Manager User Guide also includes detailed instructions for other methods. For more information about Secrets Manager, see [What Is Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/). For information specifically related to costs, see [Pricing for AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html#asm_pricing) in the *Secrets Manager User Guide*.
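
The secret settings above and the key policy shown under [AWS KMS Key policy for License Server credentials](#usubs-prereq-iam-rdslic) can be checked together before you configure the license server. The following is an added example, not part of the AWS documentation: the function names and sample values are constructed, the role and key ARNs reuse the placeholders from the policy example, and matching `kms:Decrypt` by exact action name is a simplifying assumption.

```python
import json

SECRET_PREFIX = "license-manager-user-"  # required name prefix (from the page)
REQUIRED_USERNAME = "Administrator"      # required username value (from the page)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_secret(name, secret_string):
    """Validate the secret name and the key/value pairs stored in it."""
    findings = []
    if not name.startswith(SECRET_PREFIX):
        findings.append(f"secret name must begin with '{SECRET_PREFIX}'")
    try:
        data = json.loads(secret_string)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return findings + ["secret value is not a JSON object of key/value pairs"]
    if data.get("username") != REQUIRED_USERNAME:
        findings.append("key 'username' must have the value 'Administrator'")
    if not data.get("password"):
        findings.append("key 'password' is missing or empty")
    return findings


def _principals(stmt):
    principal = stmt.get("Principal")
    return _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)


def _via_secrets_manager(stmt):
    """True if every kms:ViaService value restricts use to Secrets Manager."""
    cond = stmt.get("Condition", {})
    values = []
    for operator in ("StringLike", "StringEquals"):
        values += _as_list(cond.get(operator, {}).get("kms:ViaService"))
    return bool(values) and all(
        v.startswith("secretsmanager.") and v.endswith(".amazonaws.com")
        for v in values)


def check_key_policy(policy, role_arns):
    """Each role needs kms:Decrypt, and only through Secrets Manager."""
    findings = []
    statements = _as_list(policy.get("Statement"))
    for arn in role_arns:
        granted = [s for s in statements
                   if s.get("Effect") == "Allow"
                   and arn in _principals(s)
                   and "kms:Decrypt" in _as_list(s.get("Action"))]
        if not granted:
            findings.append(f"no Allow statement grants kms:Decrypt to {arn}")
        elif not all(_via_secrets_manager(s) for s in granted):
            findings.append(
                f"kms:Decrypt for {arn} is not limited to Secrets Manager by kms:ViaService")
    return findings


# Placeholder ARNs as used in the policy example on this page.
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CALLER_ROLE = "arn:aws:iam::111122223333:role/RoleName"
SERVICE_ROLE = ("arn:aws:iam::111122223333:role/aws-service-role/"
                "license-manager-user-subscriptions.amazonaws.com/"
                "AWSServiceRoleForAWSLicenseManagerUserSubscriptionsService")


def _statement(sid, principal, scoped=True):
    """Build a constructed key policy statement for the samples below."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal},
            "Action": "kms:Decrypt", "Resource": KEY_ARN}
    if scoped:
        stmt["Condition"] = {
            "StringLike": {"kms:ViaService": "secretsmanager.*.amazonaws.com"}}
    return stmt


# Constructed sample policies: one scoped like the page's example, one weak.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    _statement("CallerRole", CALLER_ROLE),
    _statement("ServiceRole", SERVICE_ROLE)]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    _statement("CallerRole", CALLER_ROLE, scoped=False)]}

if __name__ == "__main__":
    print(check_secret("license-manager-user-admin-credentials",
                       '{"username": "Administrator", "password": "constructed"}'))
    print(check_key_policy(WEAK_POLICY, [CALLER_ROLE, SERVICE_ROLE]))
```
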

## Supported software products for user-based subscriptions in License Manager
<a name="usubs-software"></a>

AWS License Manager supports user-based subscriptions for Microsoft Visual Studio and Microsoft Office. Supported software utilization is tracked by License Manager. A single subscription to Windows Server Remote Desktop Services Subscriber Access License (RDS SAL) is required for each user to access a license-included instance that provides a user-based subscription product. For more information, see [Get started with user-based subscriptions in License Manager](user-based-subscriptions-getting-started.md).

**Supported Windows operating system (OS) platforms**  
You can find Windows AMIs that include products covered by the RDS SAL license for the following Windows OS platforms:
+ Windows Server 2025
+ Windows Server 2022
+ Windows Server 2019

### Supported software for user-based subscriptions
<a name="usubs-software-supported"></a>

**Contents**
+ [Microsoft Visual Studio](#user-subs-visual-studio)
+ [Microsoft Office](#user-subs-ms-office)

#### Microsoft Visual Studio
<a name="user-subs-visual-studio"></a>

Microsoft Visual Studio is an integrated development environment (IDE) that enables developers to create, edit, debug, and publish applications. The provided Microsoft Visual Studio AMIs include the [AWS Toolkit for .NET Refactoring](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html) and the [AWS Toolkit for Visual Studio](https://aws.amazon.com/visualstudio/).

**Supported editions**
+ Visual Studio Professional 2022
+ Visual Studio Enterprise 2022

The following table details the software subscription names and their associated product value used for License Manager user-based subscription API operations.


| Software subscription name | Product value | 
| --- | --- | 
|  Visual Studio Enterprise 2022  |  `VISUAL_STUDIO_ENTERPRISE`  | 
|  Visual Studio Professional 2022  |  `VISUAL_STUDIO_PROFESSIONAL`  | 

#### Microsoft Office
<a name="user-subs-ms-office"></a>

Microsoft Office is a collection of software developed by Microsoft for various productivity use cases including working with documents, spreadsheets, and slide show presentations.

**Supported editions**
+ Office LTSC Professional Plus 2021
+ Office LTSC Professional Plus 2024
+ Office LTSC Professional Plus 2021 32-bit (x86)
+ Office LTSC Professional Plus 2024 32-bit (x86)
+ Office LTSC Standard 2021
+ Office LTSC Standard 2024
+ Office LTSC Standard 2021 32-bit (x86)
+ Office LTSC Standard 2024 32-bit (x86)

The following table details the software subscription names and their associated product value used for License Manager user-based subscription API operations.


| Software subscription name | Product value | 
| --- | --- | 
|  Office LTSC Professional Plus 2021  |  `OFFICE_PROFESSIONAL_PLUS`  | 
|  Office LTSC Professional Plus 2024  |  `OFFICE_PROFESSIONAL_PLUS`  | 
|  Office LTSC Standard 2021  |  `OFFICE_STANDARD`  | 
|  Office LTSC Standard 2024  |  `OFFICE_STANDARD`  | 

## Active Directory
<a name="ad-support"></a>

License Manager supports user-based subscriptions for Microsoft Visual Studio, Microsoft Office, and Remote Desktop Services Subscriber Access License (RDS SAL). Products may support either AWS Managed Microsoft AD or a self-managed Active Directory that is either deployed within your AWS environment or has network connectivity to a VPC in your AWS environment.

This table indicates which types of Active Directory are supported by each software product when used with user-based subscriptions:


| Software product | AWS Managed Microsoft AD | Self-managed AD | 
| --- | --- | --- | 
| Microsoft Visual Studio  | Supported | Not supported | 
| Microsoft Office | Supported | Not supported | 
| RDS SAL Product | Supported | Supported | 

## Additional software
<a name="usubs-software-additional"></a>

You can install additional software on your instances that isn't available as a user-based subscription. Additional software installations aren't tracked by License Manager. These installations must be performed using the administrative account for your Active Directory. If you use an AWS Managed Microsoft AD, the administrative account (Admin) is created by default in your directory. For more information, see [Admin account](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.html) in the *Directory Service Administration Guide*.

To install additional software with the Active Directory administrative account, you must:
+ Subscribe the administrative account to the product provided by the instance.
+ Associate the administrative account to the instance.
+ Connect to the instance using the administrative account to perform the installation.

For more information, see [Get started with user-based subscriptions in License Manager](user-based-subscriptions-getting-started.md).

# Get started with user-based subscriptions in License Manager
<a name="user-based-subscriptions-getting-started"></a>

The following steps detail how you can get started with using user-based subscriptions. These steps assume you have already implemented the required prerequisites. For more information, see the [Prerequisites to create user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-prerequisites).

**Contents**
+ [Step 1: Subscribe to a product](#user-based-subscriptions-subscribe-products)
+ [Step 2: Register your Active Directory in License Manager](#user-based-subscriptions-configure-ad)
+ [Step 3: Configure RDS license server](#usubs-configure-rds)
+ [Step 4: Launch an instance to provide user-based subscriptions](#user-based-subscriptions-launch-instance)
+ [Step 5: Associate users to a user-based subscription instance](#user-based-subscriptions-associate-users)

## Step 1: Subscribe to a product
<a name="user-based-subscriptions-subscribe-products"></a>

Microsoft products like Office or Visual Studio require an active subscription before you can associate Active Directory users to an instance that includes those products. Subscription products that display a **Subscribe in AWS Marketplace** button in the **Marketplace Subscription Status** column are not subscribed yet.

When you subscribe to a Microsoft user-based subscription product from the AWS Marketplace, License Manager automatically adds a subscription to Microsoft Remote Desktop Services (RDS) for your account, if you don't already have one. RDS is required in order to remotely access the graphical desktops and subscription-based Windows applications on EC2 instances launched from license-included AMIs.

You can subscribe to your products directly on the AWS Marketplace using the following links:
+ [Visual Studio Professional](https://aws.amazon.com/marketplace/pp/prodview-zo3zltrbpgr5i)
+ [Visual Studio Enterprise](https://aws.amazon.com/marketplace/pp/prodview-dzstlnjdl3izg)
+ [Office LTSC Professional Plus](https://aws.amazon.com/marketplace/pp/prodview-bh46d5p2hapns)
+ [Office LTSC Standard](https://aws.amazon.com/marketplace/pp/prodview-4riznyn4eqlbw)
+ [Win Remote Desktop Services SAL](https://aws.amazon.com/marketplace/pp/prodview-buamtl3v3xaes)

**Discover and subscribe to products from the License Manager console**

You can also discover the required products to subscribe to from the License Manager console.

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. In the left navigation pane, under **User-based subscriptions**, choose **Products**.

1. Choose a product’s name or choose the **Subscribe in AWS Marketplace** button to display subscription details.

1. For each of the listed Marketplace products, select **View subscription options**. Review the terms and choose **Subscribe** to proceed. 

If you accept the terms, the product subscription will need to be processed. The subscription will have an in progress message until it completes. You can repeat these steps for any other configured products you require. Once all of the required products have an active subscription, you can proceed with registering your Active Directory with the product.

**Note**  
Your estimated bill for charges on the number of users and related costs takes 48 hours to appear for billing periods that haven't closed (marked as **Pending** billing status) in AWS Billing. For more information, see [Viewing your monthly charges](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/invoice.html) in the *AWS Billing User Guide*.

## Step 2: Register your Active Directory in License Manager
<a name="user-based-subscriptions-configure-ad"></a>

License Manager requires that subscription users are defined in Active Directory in order to associate the users with user-based subscriptions. This can be either an AWS Managed Microsoft AD or a self-managed Active Directory, depending on your subscriptions.
+ If you subscribe only to stand-alone Microsoft Office or Visual Studio products, you must configure an AWS Managed Microsoft AD.
+ If you subscribe to [Win Remote Desktop Services SAL](https://aws.amazon.com/marketplace/pp/prodview-buamtl3v3xaes), then you can use either an AWS Managed Microsoft AD or a self-managed Active Directory.

To use Microsoft Office with user-based subscriptions, you must grant License Manager permission to update your VPC configuration. When you configure your VPC, License Manager creates [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) on your behalf. These endpoints are required for your resources to connect to activation servers and remain in compliance.

You must configure DNS forwarding for any additional VPCs that you register for user-based subscriptions. If you have user-based subscriptions in multiple AWS Regions, each Region must have its own Active Directory with DNS forwarding configured.

**Important**  
You must allow License Manager to create the required [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) before you can proceed. For more information, see the [Prerequisites to create user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-prerequisites).

Registration steps differ in the console, depending on which products you've subscribed to. If you've subscribed to `Win Remote Desktop Services SAL`, select the **Microsoft RDS SAL** tab. If you subscribe to Microsoft Office or Visual Studio and do NOT subscribe to RDS SAL, select the **Stand-alone MSO subscriptions** tab.

**Important**  
If you have already registered one Microsoft Office product type (either Office LTSC Professional Plus or Office LTSC Standard) with an Active Directory in a VPC, and you are registering the other Microsoft Office product type with the same Active Directory in the same VPC, you must use the same subnets and security group as the existing identity provider configuration.

------
#### [ Microsoft RDS SAL ]

**Register AWS Managed Microsoft AD**  
To register AWS Managed Microsoft AD as your Active Directory for user-based subscriptions, follow these steps:

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. Navigate to **User-based subscriptions** under **Settings** in the left navigation pane.

1. In the **Remote Desktop Services (RDS)** tab on the **User based subscriptions** page, choose **Register Active Directory**.

1. Select the **AWS Managed Active Directory** option to enter details.

1. Select your managed directory from the **AWS Active Directory** list, or create a new managed directory and then come back and select it.

1. Choose **Register** to register your AWS Managed Active Directory.

**Register self-managed Active Directory**  
To register a self-managed Active Directory for user-based subscriptions, follow these steps:

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. Navigate to **User-based subscriptions** under **Settings** in the left navigation pane.

1. In the **Remote Desktop Services (RDS)** tab on the **User based subscriptions** page, choose **Register Active Directory**.

1. Select the **Self-managed Active Directory** option to enter details.

1. Enter the **Active Directory domain**.

1. Select the version for your **Active Directory IP Addresses**, then enter the primary and secondary IP addresses for your directory.

1. In the **Networking** section, select the **VPC** and two **Subnets** where your Active Directory resides.

1. Select the administrative credentials **Secret** that you created as part of the prerequisites for your Microsoft RDS subscription.

------
#### [ Stand-alone MSO subscriptions ]

**Register AWS Managed Microsoft AD**  
To register AWS Managed Microsoft AD as your Active Directory for user-based Microsoft Office and Visual Studio subscriptions, follow these steps:

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. Navigate to **User-based subscriptions** under **Settings** in the left navigation pane.

1. On the **User based subscriptions** page, select the tab for the Microsoft Office or Visual Studio subscription product that you want to register, and then choose **Register Active Directory**.

1. Select your managed directory from the **AWS Active Directory** list, or create a new managed directory and then come back and select it.

1. Choose **Register** to register your AWS Managed Active Directory.

When you register your Active Directory, License Manager creates two network interfaces so that the service can communicate with your directory. The network interface will have a description similar to *AWS created network interface for LicenseManager <directory\_id>*.

------

**Active Directory registration from the AWS CLI**  
You can register your Active Directory as the identity provider for user-based subscriptions with the [RegisterIdentityProvider](https://docs.aws.amazon.com/license-manager-user-subscriptions/latest/APIReference/API_RegisterIdentityProvider.html) operation.

```
aws license-manager-user-subscriptions register-identity-provider --product "<product-name>" --identity-provider "ActiveDirectoryIdentityProvider={DirectoryId=<directory_id>}"
```

**Configure Active Directory and your VPC for user-based subscriptions (AWS CLI)**  
You can register your Active Directory as the identity provider and configure your VPC for user-based subscriptions with the [RegisterIdentityProvider](https://docs.aws.amazon.com/license-manager-user-subscriptions/latest/APIReference/API_RegisterIdentityProvider.html) operation.

```
aws license-manager-user-subscriptions register-identity-provider --product "<product_name>" --identity-provider "ActiveDirectoryIdentityProvider={DirectoryId=<directory_id>}" --settings "Subnets=[subnet-1234567890abcdef0,subnet-021345abcdef6789],SecurityGroupId=sg-1234567890abcdef0"
```

For more information about the available software products, see [Supported software products for user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-software).

**Note**  
Registering the same Active Directory for the same product more than once in the same region may result in duplicate user subscription charges.
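The two registration constraints above (no repeat registration of a directory for the same product, and matching subnets and security group across the two Office product types) can be checked before running `register-identity-provider`. The following is an added example, not AWS-provided code: the function names are hypothetical, the sample records are constructed and assumed to mirror the `IdentityProviderSummaries` entries returned by `list-identity-providers`, and the Office comparison assumes both registrations are in the same VPC.

```python
import json
from collections import Counter

# Product values from the Microsoft Office table on this page.
OFFICE_PRODUCTS = {"OFFICE_PROFESSIONAL_PLUS", "OFFICE_STANDARD"}

# Constructed sample (placeholder IDs). Assumed shape: one entry per registration,
# as in the IdentityProviderSummaries list of `list-identity-providers` output.
SAMPLE_SUMMARIES = json.loads("""
[
  {"Product": "OFFICE_PROFESSIONAL_PLUS",
   "IdentityProvider": {"ActiveDirectoryIdentityProvider": {"DirectoryId": "d-1111111111"}},
   "Settings": {"Subnets": ["subnet-aaaa1111", "subnet-bbbb2222"],
                "SecurityGroupId": "sg-aaaa1111"}},
  {"Product": "VISUAL_STUDIO_ENTERPRISE",
   "IdentityProvider": {"ActiveDirectoryIdentityProvider": {"DirectoryId": "d-1111111111"}},
   "Settings": {"Subnets": ["subnet-aaaa1111", "subnet-bbbb2222"],
                "SecurityGroupId": "sg-aaaa1111"}},
  {"Product": "VISUAL_STUDIO_ENTERPRISE",
   "IdentityProvider": {"ActiveDirectoryIdentityProvider": {"DirectoryId": "d-1111111111"}},
   "Settings": {"Subnets": ["subnet-aaaa1111", "subnet-bbbb2222"],
                "SecurityGroupId": "sg-aaaa1111"}}
]
""")


def _directory_id(summary):
    return summary["IdentityProvider"]["ActiveDirectoryIdentityProvider"]["DirectoryId"]


def _settings_key(settings):
    # Subnet order does not matter when comparing two configurations.
    return (frozenset(settings.get("Subnets", [])), settings.get("SecurityGroupId"))


def existing_duplicates(summaries):
    """Return (directory, product) pairs that are already registered more than once."""
    counts = Counter((_directory_id(s), s["Product"]) for s in summaries)
    return sorted(pair for pair, n in counts.items() if n > 1)


def preflight(summaries, directory_id, product, settings=None):
    """Return a list of (code, message) findings; an empty list means no conflict."""
    same_dir = [s for s in summaries if _directory_id(s) == directory_id]
    findings = []
    if any(s["Product"] == product for s in same_dir):
        findings.append(("DUPLICATE_REGISTRATION",
                         f"{directory_id} is already registered for {product}; "
                         "registering again may cause duplicate user subscription charges"))
    if product in OFFICE_PRODUCTS:
        for s in same_dir:
            other = s["Product"]
            if other in OFFICE_PRODUCTS and other != product:
                if _settings_key(settings or {}) != _settings_key(s.get("Settings") or {}):
                    findings.append(("OFFICE_SETTINGS_MISMATCH",
                                     f"{other} is registered with different subnets or "
                                     "security group; reuse the existing configuration"))
                    break
    return findings


def build_register_command(summaries, directory_id, product, settings=None):
    """Return the CLI argument list for the registration, or raise if preflight fails."""
    findings = preflight(summaries, directory_id, product, settings)
    if findings:
        raise ValueError("; ".join(message for _, message in findings))
    argv = ["aws", "license-manager-user-subscriptions", "register-identity-provider",
            "--product", product,
            "--identity-provider",
            f"ActiveDirectoryIdentityProvider={{DirectoryId={directory_id}}}"]
    if settings:
        subnets = ",".join(settings["Subnets"])
        argv += ["--settings",
                 f"Subnets=[{subnets}],SecurityGroupId={settings['SecurityGroupId']}"]
    return argv


if __name__ == "__main__":
    print("Already duplicated:", existing_duplicates(SAMPLE_SUMMARIES))
    proposed = {"Subnets": ["subnet-aaaa1111", "subnet-bbbb2222"],
                "SecurityGroupId": "sg-cccc3333"}
    for code, message in preflight(SAMPLE_SUMMARIES, "d-1111111111",
                                   "OFFICE_STANDARD", proposed):
        print(code, "-", message)
```

To run the check against a real account, replace `SAMPLE_SUMMARIES` with the list parsed from your own `list-identity-providers` output.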

## Step 3: Configure RDS license server
<a name="usubs-configure-rds"></a>

The Microsoft Remote Desktop Services (RDS) license server issues Subscriber Access Licenses (SALs) to Active Directory users when they access EC2 instances that provide user-based subscription Microsoft products. After you've completed steps 1 and 2, you can configure your license server, as follows.

Ensure that you've completed the [User-based subscription prerequisites](user-based-subscriptions.md#usubs-prerequisites) for RDS before you begin. This process assumes that you have already set up your Active Directory.

**Configure RDS license server for user-based subscriptions (Console)**

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. Navigate to the **User-based subscriptions** page, under **Settings** in the left navigation pane.

1. On the **Remote Desktop Services (RDS)** tab, you should see one or more Active Directories in the list. There may be a prompt displayed to let you know that you need to configure RDS for your Active Directory.

1. From the prompt or from the **Actions** menu, choose **Configure RDS License Server**.

1. In the **Configure RDS License Server** dialog, you can configure the following settings:  
**Active Directory**  
This section has key details for the directory that's connected to the RDS license server that you configure.  
**Secret**  
You must choose an existing secret or create a new one for the credentials that are used for user administration tasks on the license server. The first part of the secret name must follow the pattern that's described in the Administrative credentials secret section of the [User-based subscription prerequisites](user-based-subscriptions.md#usubs-prerequisites).  
**Tags**  
You can optionally enter tags for your license server resource.

1. Choose **Configure** to save your settings.

## Step 4: Launch an instance to provide user-based subscriptions
<a name="user-based-subscriptions-launch-instance"></a>

After you have subscribed to a product, you must launch instances for your users to connect to from the AWS Marketplace AMI that includes the product. After you launch an instance, AWS Systems Manager attempts to join the instance to the Active Directory domain and perform additional configuration and hardening on the resource. The configurations to make the instance ready to use can take around 20 minutes to complete. You can confirm the resource is ready to use from the **User association** page of the License Manager console by checking for a **Health status** of **Active** for the instance.

To launch an instance with user-based subscriptions, see [Launch an instance from a license included AMI](usubs-launch-instance.md).

## Step 5: Associate users to a user-based subscription instance
<a name="user-based-subscriptions-associate-users"></a>

Once you have subscribed to the required product’s AWS Marketplace AMI, you can subscribe users to a product and associate them to an instance that provides the product. You can subscribe users to products and associate them with an instance in a single step, or separately. When you subscribe a user, the directory is checked to ensure that the user identity is present. One subscription is created for each user you subscribe to the product.

Each user must have a subscription to both Windows Server Remote Desktop Services Subscriber Access License (RDS SAL) and the product they will use.

When your account has subscribed to RDS SAL as detailed in [Step 1: Subscribe to a product](#user-based-subscriptions-subscribe-products), License Manager automatically subscribes the users in your Active Directory to RDS SAL when they subscribe to a user-based subscription product.

**Note**  
If a user who has never subscribed logs into an instance that is associated with RDS SAL, License Manager automatically subscribes them and begins Microsoft RDS billing. Billing continues until they are unsubscribed and their license token that was issued by the RDS SAL license server expires.  
Similarly, if a previously subscribed user unsubscribes, but continues to log in after their RDS SAL license token expires, they are automatically re-subscribed, and billing continues until they are again unsubscribed and their token expires.

For more information about subscription charges and billing, see [Subscription charges in License Manager](user-based-subscriptions.md#usubs-subscription-charges).

The **Products** page in License Manager displays active subscriptions by listing their **Marketplace subscription status** as **Active**. In the product details page, License Manager displays active user subscriptions with a **Status** of **Subscribed**.

**Important**  
If your Active Directory is not configured with the product, a notification bar appears at the top of the console advising you to adjust the directory settings. On the notification bar, choose **Open settings** to access the **Settings** page in License Manager and edit your directory.  
Each user must have a subscription to both RDS SAL and the product they will use. Subscribing users to a product in which the **Marketplace subscription status** is **Inactive** will fail.

### Subscribe users to a product and associate them to an instance
<a name="associate-subscribe-users-to-instance"></a>

When you select an instance to associate users to, you can optionally subscribe them to the products that the instance provides if they're not already subscribed. Use one of the following methods to subscribe and associate users.

------
#### [ Console ]

To associate users to an instance, follow these steps:

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. In the left navigation pane, under **User-based subscriptions**, choose **User association**.

1. Select the instance that you want to associate users with, then choose one of the following options:  
**Associate users**  
Specify up to 5 user names that exist in your directory, including the **Domain name** if they exist in a trusted domain, and choose **Associate**. *If you use this method, users must already be subscribed to the products that the instance provides.*  
**Subscribe & Associate users**  
Specify up to 5 user names that exist in your directory, including the **Domain name** if they exist in a trusted domain, and choose **Subscribe & Associate**.

**(Optional) Review user associations**  
On the **User association** page, the users you selected are displayed under **Users** with an **Association Status** of **Associated**.

**(Optional) Review subscribed users**  
On the **Products** page, choose the **Product name**. Subscribed users are displayed under **Users** with a **Status** of **Subscribed**.

------
#### [ AWS CLI ]

You can associate users with an instance launched to provide the user-based subscription with the [AssociateUser](https://docs.aws.amazon.com/license-manager-user-subscriptions/latest/APIReference/API_AssociateUser.html) operation.

```
aws license-manager-user-subscriptions associate-user --username <user_name> --instance-id <instance_id> --identity-provider "ActiveDirectoryIdentityProvider={DirectoryId=<directory_id>}"
```

**To associate self-managed Active Directory users to an instance (AWS CLI)**  
You can associate users from your self-managed Active Directory with an instance launched to provide the user-based subscription with the [AssociateUser](https://docs.aws.amazon.com/license-manager-user-subscriptions/latest/APIReference/API_AssociateUser.html) operation.

```
aws license-manager-user-subscriptions associate-user --username <user_name> --instance-id <instance_id> --identity-provider "ActiveDirectoryIdentityProvider={DirectoryId=<directory_id>}" --domain <self-managed-domain-name>
```

------

For more information about the available software products, see [Supported software products for user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-software).

### Subscribe users to a product
<a name="subscribe-users-to-product"></a>

You can subscribe users to a product using one of the following methods.

------
#### [ Console ]

**Subscribe users to a product (Console)**

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. In the left navigation pane, under **User-based subscriptions**, choose **Products**.

1. Select a product to subscribe users to in which the **Marketplace subscription status** is **Active**.

1. If the product is Microsoft RDS, select the registered Active Directory that contains the users to subscribe.

1. Choose **Subscribe user** to continue.

1. Specify up to 20 user names that exist in your directory, including the **Domain name** if they exist in a trusted domain, and choose **Subscribe**.

   Users that have a subscription are displayed under **Users** with a **Status** of **Subscribed**.

------
#### [ AWS CLI ]

**Subscribe users to a product (AWS CLI)**  
You can subscribe users to a product that is registered with your identity provider using the [StartProductSubscription](https://docs.aws.amazon.com/license-manager-user-subscriptions/latest/APIReference/API_StartProductSubscription.html) operation.

```
aws license-manager-user-subscriptions start-product-subscription --username <user_name> --product <product_name> --identity-provider "ActiveDirectoryIdentityProvider={DirectoryId=<directory_id>}"
```

**Subscribe users to a product with a self-managed Active Directory (AWS CLI)**  
You can subscribe users from your self-managed Active Directory to a product that is registered with your AWS Managed Microsoft AD directory using the [StartProductSubscription](https://docs.aws.amazon.com/license-manager-user-subscriptions/latest/APIReference/API_StartProductSubscription.html) operation.

```
aws license-manager-user-subscriptions start-product-subscription --username <user_name> --product <product_name> --identity-provider "ActiveDirectoryIdentityProvider={DirectoryId=<directory_id>}" --domain <self-managed-domain-name>
```

------

For more information about the available software products, see [Supported software products for user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-software).

Users that have a subscription will be displayed under **Users** with a **Status** of **Subscribed**.

# Configure Active Directory GPO for more active remote user sessions
<a name="usubs-configure-gpo"></a>

By default, Microsoft RDS allows a maximum of two user sessions at the same time on an EC2 Windows instance that provides user-based subscription products. After you've configured your RDS License Server endpoints, you can configure Microsoft RDS to allow more than two user sessions at the same time with an Active Directory Group Policy Object (GPO), as follows.

**Prerequisite**  
You must have created a license server in your environment. To create a license server, see [Step 3: Configure RDS license server](user-based-subscriptions-getting-started.md#usubs-configure-rds).

1. The tool that you use to configure your GPO depends on where you run it from, as follows:  
Central configuration from your domain controller  
Log into your Active Directory domain controller as an administrator, and open the Windows Group Policy Management Console.  
Configure group policy on the session host  
Log into your License Server as an administrator, and open the Local Group Policy Editor.

1. From the management console or policy editor, edit the group policy to specify the session hosts that connect through Microsoft RDS. You can find the endpoint for your RDS License Server in the License Manager product details page, or with the [list-license-server-endpoints](https://docs.aws.amazon.com/cli/latest/reference/license-manager-user-subscriptions/list-license-server-endpoints.html) command in the AWS CLI.

1. Set the licensing mode for the Remote Desktop Session Host to `Per User`, and save.

For more information about configuring your RDS License Server for License Manager, see [Step 3: Configure RDS license server](user-based-subscriptions-getting-started.md#usubs-configure-rds) in the Get started topic. For more information about configuration for Microsoft RDS session hosts, see [License Remote Desktop session hosts](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-license-session-hosts).

# Get Started with Cross-Account AWS License Manager using Shared AWS Managed Microsoft AD
<a name="license-cross-account"></a>

AWS License Manager supports cross-account functionality using a shared AWS Managed Microsoft AD, enabling organizations to centrally manage user subscriptions from a directory owner account while deploying instances across multiple accounts.

## Terminology
<a name="cross-account-terminology"></a>
+ **Directory owner account** - the license admin account where the managed AD exists and that is also responsible for managing subscriptions.
+ **Directory consumer account** - AWS accounts where you want to launch user subscription instances using the shared AD.

## Prerequisites
<a name="cross-account-prerequisites"></a>

Before you begin, ensure you have:
+ An AWS Managed Microsoft AD in the directory owner account - set up in the directory owner account/license admin account from which you want to control subscriptions.
+ Network connectivity between your directory owner account and all of your directory consumer accounts.
+ Required IAM permissions - see [User-based subscription IAM roles](https://docs.aws.amazon.com/license-manager/latest/userguide/user-based-subscription-role.html).
+ Subscriptions to the required License Manager products in AWS Marketplace in the directory owner account:
  + [Visual Studio Professional 2022](https://aws.amazon.com/Marketplace/pp/prodview-zo3zltrbpgr5i)
  + [Visual Studio Enterprise 2022](https://aws.amazon.com/Marketplace/pp/prodview-dzstlnjdl3izg)
  + [Office LTSC Professional Plus](https://aws.amazon.com/Marketplace/pp/prodview-bh46d5p2hapns)
  + [Office LTSC Standard](https://aws.amazon.com/Marketplace/pp/prodview-4riznyn4eqlbw)

## Limitations
<a name="cross-account-limitations"></a>
+ User subscriptions management is restricted to the directory owner account.
+ Cross-region sharing is not supported.
+ Consolidated billing through directory owner account - all subscription costs are billed to the directory owner account, though subscriptions can exist in multiple accounts.
+ Network connectivity is required between accounts.

## Network Architecture
<a name="cross-account-architecture"></a>

![Cross-account network architecture diagram](http://docs.aws.amazon.com/license-manager/latest/userguide/images/cross-account.png)


## How to set up cross-account License Manager functionality
<a name="cross-account-process-overview"></a>

To set up cross-account License Manager functionality:

1. Set up the directory owner account/license admin account.

1. Configure directory consumer accounts.

1. Establish network connectivity.

1. Deploy instances and manage user associations.

### Step 1: Set up the Directory Owner/license admin account
<a name="cross-account-owner-setup"></a>

#### Create and share AWS Managed Microsoft AD
<a name="create-share-ad"></a>

1. Create an AWS Managed Microsoft AD in your VPC if it doesn't exist.

1. Share the directory with directory consumer accounts, as described in [Sharing your directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html).

1. Ensure that the directory is properly configured with the required users and groups.

#### Subscribe to products
<a name="subscribe-products"></a>

1. Navigate to AWS Marketplace.

1. Locate and subscribe to the products you need: Visual Studio or Office, and RDS SAL.

1. Share the Visual Studio or Office subscription with the directory consumer accounts using License Manager **Create Grants**. Alternatively, you can subscribe to AWS Marketplace products in these accounts as this does not impact billing. See [Granted licenses](https://docs.aws.amazon.com/license-manager/latest/userguide/granted-licenses.html).

1. Verify that the subscription status is active.

#### Register with License Manager
<a name="register-license-manager-owner"></a>

1. Open the License Manager console.

1. Navigate to **User-based subscriptions settings**.

1. Select **Register Identity Provider**.

1. Choose your AWS Managed Microsoft AD.

1. Complete the registration process.

### Step 2: Configure directory consumer accounts - accounts with shared AD
<a name="cross-account-child-config"></a>

#### Accept shared directory
<a name="accept-shared-directory"></a>

1. Open the AWS Directory Service console.

1. Navigate to **Shared directories**.

1. Locate and accept the shared directory invitation.

1. Note the new directory ID assigned in your account.

#### Accept MP subscription
<a name="accept-mp-subscription"></a>

In License Manager **Grants**, accept the grant for AWS Marketplace products. Alternatively, subscribe to the AWS Marketplace products. Learn more in [CreateGrant API](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_CreateGrant.html).

#### Register with License Manager
<a name="register-license-manager-child"></a>

1. Open the License Manager console.

1. Navigate to **User-based subscriptions** and choose the product.

1. Register using the shared directory ID and product.

1. Verify the registration status.

### Step 3: Establish networking connectivity between VPCs
<a name="cross-account-network-connectivity"></a>

To domain-join your Amazon EC2 instances to your directory, you need to establish networking connectivity between the VPCs. There are several options for establishing networking connectivity between two VPCs. This section shows you how to use Amazon VPC peering.

#### Set up VPC peering
<a name="vpc-peering-setup"></a>

1. [Create one VPC peering connection](https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html#create-vpc-peering-connection-remote) between the directory owner VPC-0 and directory consumer VPC-1, then create another connection between the directory owner VPC-0 and directory consumer VPC-2.

1. Enable [traffic routing between the peered VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html#route-tables-vpc-peering) by adding a route to your VPC route table that points to the VPC peering connection to route traffic to the other VPC in the peering connection.

1. Configure each of the directory consumer VPC route tables by adding the peering connection with the directory owner VPC-0. If you want, you can also create and attach an Internet Gateway to your directory consumer VPCs. This enables the instances in the directory consumer VPCs to communicate with the Amazon EC2 Systems Manager agent that performs the domain join.

#### Configure security groups
<a name="security-groups-config"></a>

Configure the [security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) of each directory consumer VPC to enable outbound traffic by adding the [AWS Managed Microsoft AD protocols and ports](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_prereqs.html) to the outbound rules table. Also, configure the security group of the VPC that hosts the directory domain controllers to enable inbound traffic from the directory consumer accounts by adding the AWS Managed Microsoft AD protocols and ports to the inbound rules table.

##### Security group requirements
<a name="security-group-requirements"></a>

**Consumer Account VPCs:**
+ Enable outbound traffic to directory owner VPC
+ Allow communication on required AD ports

**Directory Owner VPC:**
+ Configure inbound traffic from consumer VPCs
+ Add necessary AWS Managed Microsoft AD protocols and ports including:
  + TCP 53 (DNS)
  + UDP 53 (DNS)
  + TCP 88 (Kerberos)
  + UDP 88 (Kerberos)
  + TCP 135 (RPC)
  + TCP 389 (LDAP)
  + UDP 389 (LDAP)
  + TCP 445 (SMB)
  + TCP 464 (Kerberos Password)
  + UDP 464 (Kerberos Password)
  + TCP 636 (LDAPS)
  + TCP 9389 (Active Directory Web Services)
  + TCP 3268-3269 (Global Catalog)
  + TCP 1024-65535 (Dynamic RPC)

Port 9389 is required for Active Directory Web Services (ADWS), which is used by the Active Directory PowerShell module and other management tools to communicate with domain controllers.
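One way to check the directory owner security group against the port list above, as an added example that is not AWS code. It assumes inbound rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the sample rules and the consumer CIDRs `10.1.0.0/16` (VPC-1) and `10.2.0.0/16` (VPC-2) are constructed, and only CIDR sources are evaluated, not security group references.

```python
import ipaddress

# Inbound ports required on the directory owner VPC, from the list above.
REQUIRED_AD_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),        # DNS
    ("tcp", 88, 88), ("udp", 88, 88),        # Kerberos
    ("tcp", 135, 135),                       # RPC
    ("tcp", 389, 389), ("udp", 389, 389),    # LDAP
    ("tcp", 445, 445),                       # SMB
    ("tcp", 464, 464), ("udp", 464, 464),    # Kerberos Password
    ("tcp", 636, 636),                       # LDAPS
    ("tcp", 9389, 9389),                     # Active Directory Web Services
    ("tcp", 3268, 3269),                     # Global Catalog
    ("tcp", 1024, 65535),                    # Dynamic RPC
]


def rule(protocol, from_port, to_port, *cidrs):
    """Build one inbound rule in the IpPermissions shape (helper for the sample)."""
    return {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs]}


def _covering_intervals(ip_permissions, protocol, source):
    """Port intervals that the rules open for `protocol` to the whole `source` network."""
    intervals = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        if proto not in (protocol, "-1"):      # "-1" means all protocols and ports
            continue
        cidrs = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        if not any(source.subnet_of(c) for c in cidrs):
            continue
        if proto == "-1":
            intervals.append((0, 65535))
        else:
            intervals.append((perm["FromPort"], perm["ToPort"]))
    return sorted(intervals)


def _is_covered(lo, hi, intervals):
    """True if the sorted intervals jointly cover every port from lo to hi."""
    next_needed = lo
    for start, end in intervals:
        if start > next_needed:                # gap before the next open range
            break
        next_needed = max(next_needed, end + 1)
        if next_needed > hi:
            return True
    return False


def missing_ad_ports(ip_permissions, consumer_cidr):
    """Required (protocol, from, to) entries not fully open to consumer_cidr."""
    source = ipaddress.ip_network(consumer_cidr)
    return [
        (proto, lo, hi)
        for proto, lo, hi in REQUIRED_AD_PORTS
        if not _is_covered(lo, hi, _covering_intervals(ip_permissions, proto, source))
    ]


def wider_than_consumers(ip_permissions, consumer_cidrs):
    """Rule sources that are not contained in any directory consumer VPC CIDR."""
    allowed = [ipaddress.ip_network(c) for c in consumer_cidrs]
    wide = set()
    for perm in ip_permissions:
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if not any(net.subnet_of(a) for a in allowed):
                wide.add(r["CidrIp"])
    return sorted(wide)


# Constructed sample: inbound rules on the directory owner VPC-0 security group.
CONSUMERS = ("10.1.0.0/16", "10.2.0.0/16")   # hypothetical VPC-1 and VPC-2 CIDRs
SAMPLE_RULES = [
    rule("tcp", 53, 53, *CONSUMERS), rule("udp", 53, 53, *CONSUMERS),
    rule("tcp", 88, 88, *CONSUMERS), rule("udp", 88, 88, *CONSUMERS),
    rule("tcp", 135, 135, *CONSUMERS),
    rule("tcp", 389, 389, *CONSUMERS),
    rule("udp", 389, 389, "10.1.0.0/16"),    # VPC-2 was left out of this rule
    rule("tcp", 445, 445, "0.0.0.0/0"),      # works, but open far beyond the consumers
    rule("tcp", 464, 464, *CONSUMERS), rule("udp", 464, 464, *CONSUMERS),
    rule("tcp", 636, 636, *CONSUMERS),
    # Two rules that together cover dynamic RPC, ADWS and Global Catalog.
    rule("tcp", 1024, 49151, *CONSUMERS),
    rule("tcp", 49152, 65535, *CONSUMERS),
]

if __name__ == "__main__":
    for cidr in CONSUMERS:
        print(cidr, "missing:", missing_ad_ports(SAMPLE_RULES, cidr))
    print("sources wider than consumer VPCs:",
          wider_than_consumers(SAMPLE_RULES, CONSUMERS))
```

A missing entry for one consumer CIDR is a likely cause of a domain join failure from that VPC, while a source reported as wider than the consumer VPCs is a rule to narrow.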

### Step 4: Deploy instances and manage user associations
<a name="cross-account-deploy-manage"></a>

#### Subscribe users (directory owner account only)
<a name="subscribe-users"></a>

1. Open the License Manager console.

1. Navigate to **User-based subscriptions**.

1. Select **Subscribe Users**.

1. Enter the AWS Managed Microsoft AD user identifiers.

1. Choose the product and confirm subscription.

#### Launch instances
<a name="launch-instances"></a>

Perform this step in any account.

1. Navigate to the Amazon EC2 console.

1. Choose **Launch Instance**.

1. Select the appropriate License Manager AMI.

1. Configure networking settings.

1. Review and launch.

#### Associate users with instances
<a name="associate-users-instances"></a>

Perform this step in any account where the instance exists.

1. Open the License Manager console.

1. Navigate to **User Associations**.

1. Select the target instance.

1. Choose **Associate Users**.

1. Enter AWS Managed Microsoft AD usernames.

1. Confirm association.

## Troubleshooting
<a name="cross-account-troubleshooting"></a>

Common issues and solutions:

### Domain join failures
<a name="domain-join-failures"></a>

1. Verify network connectivity between accounts.

1. Check security group configurations.

1. Confirm DNS resolution is working.

1. Validate route table entries.

### User subscription issues
<a name="user-subscription-issues"></a>

1. Confirm user exists in AWS Managed Microsoft AD.

1. Verify subscription status in directory owner account.

1. Check network connectivity.

1. Review error logs.

### Network connectivity issues
<a name="network-connectivity-issues"></a>

1. Test VPC peering connection status.

1. Verify route table configurations.

1. Check security group rules.

1. Confirm DNS resolution.

### DNS resolution problems
<a name="dns-resolution-problems"></a>

1. Verify DHCP option sets.

1. Check DNS server configurations.

1. Test name resolution from consumer instances.

## Additional resources
<a name="cross-account-additional-resources"></a>
+ [AWS License Manager User Guide](https://docs.aws.amazon.com/license-manager/latest/userguide/user-based-subscriptions.html)
+ [AWS Directory Service Documentation](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html)
+ [Sharing your directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html)
+ [How to domain join Amazon EC2 instances to AWS Managed Microsoft AD directory across multiple accounts and VPCs](https://aws.amazon.com/blogs/security/how-to-domain-join-amazon-ec2-instances-aws-managed-microsoft-ad-directory-multiple-accounts-vpcs/)
+ [Granted licenses](https://docs.aws.amazon.com/license-manager/latest/userguide/granted-licenses.html)

# Launch an instance from a license included AMI
<a name="usubs-launch-instance"></a>

After you have subscribed to a product, you must launch instances for your users to connect to from the AWS Marketplace AMI that includes the product. After you launch an instance, AWS Systems Manager attempts to join the instance to the Active Directory domain and perform additional configuration and hardening on the resource. The configurations to make the instance ready to use can take around 20 minutes to complete. You can confirm the resource is ready to use from the **User association** page of the License Manager console by checking for a **Health status** of **Active** for the instance.

**Important**  
The instances you launch must meet the required prerequisites to be in compliance. Resources that are unable to complete the initial configuration are terminated. For more information, see the [Prerequisites to create user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-prerequisites) and [Troubleshoot user-based subscriptions in License Manager](user-based-subscriptions-troubleshoot.md).

**Launch an instance with user-based subscriptions**

1. Access the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. Under **Images**, choose **AMI Catalog**.

1. Choose **AWS Marketplace AMIs**.

1. Enter the product name into the search box and press enter. For example, you might search for **Visual Studio**.

1. Under **Publisher**, select **Amazon Web Services**. 

1. Choose **Select** for the product that you want the launched instance to provide through user-based subscriptions.

1. Choose **Continue** to proceed.

1. Choose **Launch Instance with AMI**.

1. Complete the wizard while ensuring that you:

   1. Choose a Nitro based instance type that is not Graviton based.

   1. Choose a VPC and subnet from which your instance can connect to your AWS Managed Microsoft AD directory.

   1. Choose a security group that permits connectivity from your instance to your Active Directory.

   1. Expand **Advanced details** and choose an IAM role that allows Systems Manager functionality for your instance.

1. Choose **Launch instance**.

When you have running instances from the AWS Marketplace AMI, you must subscribe users to the product and associate them with the instances that provide the product so that they can use it.

## Launch an instance from a specific operating system version AMI
<a name="usubs-launch-specific-os-vsn"></a>

When you launch an instance from an AMI that supports Office LTSC Professional Plus, Office LTSC Standard, or Microsoft Visual Studio, the launch defaults to the latest Windows operating system version of the AMI (for example Windows Server 2025). To launch with a specific operating system version AMI, follow these steps.

1. Open the AWS Marketplace console at [https://console.aws.amazon.com/marketplace](https://console.aws.amazon.com/marketplace).

1. Choose **Manage subscriptions** from the navigation pane.

1. To streamline subscription results, you can search for all or part of the subscription name. For example, `Office LTSC Professional Plus`, `Office LTSC Standard`, or `Visual Studio Enterprise`.

1. Select **Launch new instance** from the subscription panel. This opens a launch configuration page.

1. To launch an instance from an AMI that's based on an earlier version of the Windows OS platform, select the **full AWS Marketplace website** link, located under the **Software version**. This takes you to a configuration page where you can select from a list of versions.

1. The list shows the latest AMI versions for the supported Windows OS platforms. Select the Windows OS version that you want to launch from.

# Connect to a user-based subscription instance with RDP
<a name="user-based-subscriptions-connect"></a>

Once you have associated users with the instance providing the product, they can connect to the instance if the **Health status** of the instance is **Active**. The users will need to connect with their user credentials for the domain to use the product with their associated identity.

**Important**  
The process of creating the EC2 instance and preparing it for users can take around 20 minutes. The **Association status** of the instance must be **Active** in order to access it and use the product.

**To connect to instances with a user-based subscription**

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. In the left navigation pane, under **User-based subscriptions**, choose **User association**.

1. On the **User association** page, confirm the instance’s **Health status** is **Active**.

1. Make note of the instance ID as you will need it to gather connection details.

1. Follow the steps listed in [Connect to your Windows instance using RDP](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html#connect-rdp), making sure to specify the fully qualified user name of the associated user.

# Modify firewall settings for your Microsoft Office subscription
<a name="usubs-modify-firewall"></a>

A firewall protects your network resources from unauthorized inbound or outbound traffic. The rules that you define for your security group act as the firewall for the VPC resources that work together to provide user-based subscriptions for Microsoft Office on EC2 Windows instances.

You can use the following steps to edit the subnets and security group. License Manager uses your settings to provision endpoints for Microsoft Office with AWS PrivateLink. For more information about VPC endpoints, see [What is AWS PrivateLink?](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) in the *Amazon Virtual Private Cloud* documentation.

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. Navigate to the **User-based subscriptions** page, under **Settings** in the left navigation pane.

1. To edit firewall settings, select the Microsoft Office subscription product tab, and then choose **Edit** from the top of the **Firewall** section. This opens the **Edit Firewall** dialog.

1. After you change your settings, choose **Save** to update, or **Cancel** to keep your current settings.

It might take a few minutes for License Manager to complete changes for these settings.

# Manage subscription users for License Manager user-based subscriptions
<a name="usubs-manage-users"></a>

To ensure the accuracy of billing and reporting for Microsoft Office and Visual Studio product subscriptions in License Manager, and to prevent unauthorized access to subscription resources, you can manage user access as follows.

[Disassociate users from an instance](usubs-disassociate-users.md)  
Disassociate a user from an instance that hosts a License Manager user-based Microsoft Office or Visual Studio product subscription to remove access to the resource.

[Unsubscribe users](usubs-unsubscribe-users.md)  
Unsubscribe users from user-based Microsoft Office or Visual Studio product subscriptions in AWS License Manager to stop incurring subscription charges for those individuals.

**Note**  
Deleting a user from Active Directory will not alter user associations or subscriptions for Microsoft Office and Visual Studio products. You must disassociate the user in License Manager from the subscription product details page to remove their association with an instance. Then you must unsubscribe the user.  
This topic does not cover Active Directory administration.

**Topics**
+ [Disassociate users from an instance](usubs-disassociate-users.md)
+ [Unsubscribe users](usubs-unsubscribe-users.md)

# Disassociate users from an instance that provides License Manager user-based subscriptions
<a name="usubs-disassociate-users"></a>

To remove user access to an instance that provides License Manager user-based subscriptions, you can disassociate the subscribed user from that instance. This change does not affect the user's subscription status. To unsubscribe a user and stop subscription charges for that individual, see [Unsubscribe users from user-based product subscriptions in License Manager](usubs-unsubscribe-users.md).

**Disassociate subscription users from an instance**

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. In the left navigation pane, under **User-based subscriptions**, choose **User association**.

1. Select the instance that you want to disassociate users from.

1. Select the user names to disassociate, then choose **Disassociate users**.

# Unsubscribe users from user-based product subscriptions in License Manager
<a name="usubs-unsubscribe-users"></a>

You must unsubscribe a user from a Microsoft Office or Visual Studio user-based subscription product to stop incurring charges for them. Microsoft RDS is billed on a per user, per month basis based on a combination of the user subscription and the client access license (CAL) token that's issued from the license server when the user connects to an instance that provides the subscription product. For more information, see [Microsoft RDS billing in License Manager](user-based-subscriptions.md#usubs-billing-rds).

**Important**  
For Microsoft Office or Visual Studio user-based subscription products, you must first disassociate the Active Directory user from all instances where they are currently associated before you can unsubscribe them.

**Unsubscribe users from user-based product subscriptions**

1. Open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. In the left navigation pane, under **User-based subscriptions**, choose **Products**.

1. Select the product that you want to unsubscribe users from.

1. Select the user names to unsubscribe, then choose **Unsubscribe users**.

# Deregister an Active Directory from License Manager settings
<a name="usubs-deregister-ad"></a>

You can deregister your Active Directory from License Manager settings if you no longer want to use it for user-based subscriptions. Deregistering the directory configuration from License Manager settings doesn't delete the directory. When you deregister the directory from the settings, you can no longer associate users from that directory for user-based subscriptions in License Manager.

**Prerequisites**  
Before you deregister the directory from License Manager settings, you must perform the following tasks:

1. [Disassociate users from an instance](usubs-disassociate-users.md) from each instance that references the directory that you want to deregister.

1. After all of the subscription users are disassociated from the instance, terminate the instance. Repeat until all instances that refer to the Active Directory are terminated.

1. You also need to [Unsubscribe users](usubs-unsubscribe-users.md) that belong to the Active Directory you will deregister to stop incurring charges for them.

**Deregister**

**Important**  
If your Active Directory is used for Microsoft RDS SAL users, you must delete the associated license server endpoint before you deregister and delete the AD.

**Deregister the Active Directory from License Manager settings**

After you've completed all of the prerequisite tasks, open the License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).

1. In the left navigation pane, choose **Settings**.

1. On the **Settings** page, under the AWS Managed Microsoft AD section, choose **Remove**.

1. Enter the required text to confirm that you want to remove the directory and choose **Remove**.

After you choose **Remove**, the **AWS Managed Microsoft AD** section on the **Settings** page displays your **Directory ID** with the **Status** of **Configuring**. Once the configuration process is complete, the directory is removed from the **AWS Managed Microsoft AD** section.

# Troubleshoot user-based subscriptions in License Manager
<a name="user-based-subscriptions-troubleshoot"></a>

The following are troubleshooting tips to help solve issues that can occur with user-based subscriptions in AWS License Manager.

**Contents**
+ [Troubleshoot instance compliance](#user-based-subscriptions-troubleshoot-instance-compliance)
+ [Troubleshoot user subscription product configuration failures](#product_configuration_failing)
+ [Troubleshoot user subscription instances launch failures](#instance_launch_failures)
+ [Troubleshoot license compliance](#user-based-subscriptions-troubleshoot-license-compliance)
+ [Troubleshoot instance connectivity](#user-based-subscriptions-troubleshoot-instance-connectivity)
+ [Troubleshoot failures to join the domain](#user-based-subscriptions-troubleshoot-domain-join)
+ [Troubleshoot Systems Manager connectivity](#user-based-subscriptions-troubleshoot-systems-manager-connectivity)
+ [Troubleshoot Systems Manager Run Command](#user-based-subscriptions-troubleshoot-systems-manager-commands)
+ [Troubleshoot Microsoft RDS Licensing failures](#usubs-troubleshoot-rds-licensing)
+ [Troubleshoot Microsoft Office activation failures](#usubs-troubleshoot-office-activation)
+ [Troubleshoot the inability to delete Active Directory](#delete_active_directory)
+ [Troubleshoot inability to delete AWSServiceRoleForAWSLicenseManagerUserSubscriptionsService Service Linked Role (SLR)](#delete_service_linked_role)
+ [Troubleshoot *subscription is not present* error for RDS SAL product](#rds_sal_subscription_error)
+ [Troubleshoot license counts not showing up correctly](#license_counts_not_showing)
+ [Troubleshoot RDS License Diagnoser issues](#rds_licensing_mode_error)
+ [Troubleshoot trusts](#troubleshoot_trusts)
+ [Troubleshoot billing issues for user subscriptions](#billing_user_subscriptions)
+ [Troubleshoot inactive marketplace subscription status](#inactive_marketplace_status)
+ [Troubleshoot user limits per instance](#user_limits_per_instance)
+ [Troubleshoot CAL token not vended after migration to RDS SAL](#cal_token)
+ [Seamless domain join not working for EC2 instances with user subscription products](#seamless_domain_join)
+ [VPC endpoint was created in my account](#vpc_endpoint_created)
+ [Remove all VPC endpoint resources created by License Manager](#remove_vpc_endpoint)
+ [Change a username on Managed Active Directory](#change_username)
+ [Dissociate users from a terminated instance](#dissociate_terminated_instance)
+ [Install additional software on user subscription instances](#additional_software)
+ [Japanese Language Packs on user subscription instances](#japanese_language_packs)
+ [Local Administrator user on user subscription instances](#local_admin_user)
+ [Number of users that can RDP to a user subscriptions instance](#rdp_user_limit)
+ [Users in my self-managed AD for Office and Visual Studio products](#self_managed_ad)
+ [Supported Windows operating systems](#supported_os)
+ [Supported versions of Office and Visual Studio](#supported_software)
+ [Using user subscription with older Windows Server versions](#older_windows_versions)
+ [Using License Manager user subscriptions across accounts or regions](#unsupported_scenarios)
+ [Tips for contacting AWS Support](#aws_support_tips)

## Troubleshoot instance compliance
<a name="user-based-subscriptions-troubleshoot-instance-compliance"></a>

Instances providing user-based subscriptions must remain in a healthy status to be in compliance. Instances that are marked as unhealthy no longer meet the required prerequisites. License Manager will attempt to return the instance to a healthy status, but instances that are not able to return to a healthy status are terminated.

Instances which are launched to provide user-based subscriptions and are unable to complete the initial configuration will be terminated. You must correct the configuration issue and launch new instances to provide user-based subscriptions in this scenario. For more information, see the [Prerequisites to create user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-prerequisites).

## Troubleshoot user subscription product configuration failures
<a name="product_configuration_failing"></a>

Your product configuration may be failing due to issues with outbound network access. To address this, ensure that the default security group permits outbound traffic to the IP addresses of each domain controller's network interface as well as SSM.
+ Verify that default security group settings facilitate outbound traffic to the IP addresses of domain controller network interfaces.
  + License Manager creates two network interfaces which use the default security group of the VPC where your AWS Managed Microsoft AD is provisioned. These interfaces are used for required service functionality with your directory. Ensure that your default security group allows outbound traffic to each domain controller's network interface IP address, or the security group used by the domain controllers. For more information, see [Prerequisites to create user-based subscriptions](user-based-subscriptions.html#usubs-prerequisites) and [What gets created](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.html) in the Directory Service Administration Guide.
+ Configure outbound internet access from instances providing user-based subscriptions or VPC endpoints.
  + Outbound internet access from the instances providing user-based subscriptions, or VPC endpoints, must be configured for your instances to communicate with SSM. For more information, see [Setting up Systems Manager for EC2 instances](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html) in the AWS Systems Manager User Guide.

Once the provisioning process is complete, you can associate a different security group to the interfaces created by License Manager. The security group you select must also allow the required traffic to each domain controller's network interface IPv4 address or security group. For more information, see [Work with security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the Amazon Virtual Private Cloud User Guide.

## Troubleshoot user subscription instances launch failures
<a name="instance_launch_failures"></a>

Instance launches can fail for several reasons. Check the following common causes:
+ Ensure your instance is discoverable by SSM. See [Troubleshoot instance connectivity](#user-based-subscriptions-troubleshoot-instance-connectivity).
+ Ensure your instance is able to join your domain. See [Troubleshoot failures to join the domain](#user-based-subscriptions-troubleshoot-domain-join).
+ Ensure that the Route53 outbound resolver endpoint rule is set. For more information, see the blog post [Integrating your Directory Service's DNS resolution with Amazon Route 53 Resolvers](https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/).
+ If you launch instances from custom AMIs created on top of user subscription AMIs, perform Sysprep and ensure unique computer names when you create the custom AMIs and launch instances from them.

## Troubleshoot license compliance
<a name="user-based-subscriptions-troubleshoot-license-compliance"></a>

If you configured your Active Directory to provide user-based subscriptions with Microsoft Office, you must ensure your resources can connect to the VPC endpoints License Manager creates. The endpoints require inbound traffic on TCP port 1688 from the instances providing user-based subscriptions.

You can use [Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html) to help confirm that the networking configuration from your instances providing user-based subscriptions and the VPC endpoints are configured properly. You can specify an instance ID launched in a subnet providing user-based subscriptions as the source, and a VPC endpoint provisioned for Microsoft Office products as the destination. Specify TCP as the protocol and 1688 for the destination port for the path to analyze. For more information, see [How can I troubleshoot connectivity issues over my gateway and interface VPC endpoints?](https://aws.amazon.com/premiumsupport/knowledge-center/vpc-fix-gateway-or-interface-endpoint/).

## Troubleshoot instance connectivity
<a name="user-based-subscriptions-troubleshoot-instance-connectivity"></a>

Users must be able to use RDP to connect to the instances providing user-based subscriptions in order to use the products within. For more information on troubleshooting instance connectivity, see [Troubleshoot connecting to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshoot-connect-windows-instance.html) in the *Amazon EC2 User Guide*.

## Troubleshoot failures to join the domain
<a name="user-based-subscriptions-troubleshoot-domain-join"></a>

Users must be able to connect to the instances providing the user-based subscription products with their user identities from the Active Directory configured in the License Manager settings. Instances that fail to join the domain will be terminated.

To troubleshoot, you may need to launch an instance and [manually join the domain](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html) so that the resource is not terminated before you can investigate. The instance must receive and execute the Systems Manager Run Command successfully, and the instance must also be able to complete the domain join within the operating system. For more information, see [Understanding command statuses](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitor-commands.html) in the *AWS Systems Manager User Guide* and [How to troubleshoot errors that occur when you join Windows-based computers to a domain](https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/troubleshoot-errors-join-computer-to-domain) on the Microsoft website.

If you launch instances from a custom AMI that uses a user-based subscription product AMI as its base image, you must perform Sysprep steps on the custom AMI to ensure a unique computer name at launch. Before you run Sysprep with /generalize, ensure that the machine is removed from the domain.

## Troubleshoot Systems Manager connectivity
<a name="user-based-subscriptions-troubleshoot-systems-manager-connectivity"></a>

Instances that provide user-based subscriptions must be managed by AWS Systems Manager or they will be terminated. For more information, see [Troubleshooting SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-ssm-agent.html) and [Troubleshooting managed node availability](https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-managed-instances.html) in the *AWS Systems Manager User Guide*.

## Troubleshoot Systems Manager Run Command
<a name="user-based-subscriptions-troubleshoot-systems-manager-commands"></a>

Run Command, a capability of Systems Manager, is used with instances providing user-based subscriptions to join the domain, harden the operating system, and perform access audits for the included product. For more information, see [Understanding command statuses](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitor-commands.html) in the *AWS Systems Manager User Guide*.

## Troubleshoot Microsoft RDS Licensing failures
<a name="usubs-troubleshoot-rds-licensing"></a>

If you experience issues with CAL (Client Access License) issuance, check whether there are additional Microsoft RDS licensing servers present in your server farm or Terminal Servers group. We do not recommend having additional licensing servers in these locations, as that can interfere with CAL issuance and lead to licensing complications.

To resolve this issue, ensure that only the intended Microsoft RDS servers remain in your server farm and Terminal Servers group.

When troubleshooting licensing issues, be aware that connections using the /admin flag bypass standard licensing checks, as this flag is intended for administrative purposes, and doesn't consume a CAL. This can mask underlying licensing problems. To diagnose licensing issues, verify that standard user connections (without the /admin flag) are functioning correctly for license management.

## Troubleshoot Microsoft Office activation failures
<a name="usubs-troubleshoot-office-activation"></a>

If Microsoft Office activation fails, verify that your instance has access to the VPC that's defined for License Manager. Either of the following options satisfies this requirement:
+ Your instance is running in the VPC that's onboarded with License Manager (through VPC endpoint)
+ Your instance is running in a VPC that's peered with the License Manager onboarded VPC.

To resolve this issue, ensure that your instance is moved to the correct VPC, or establish VPC peering with the License Manager onboarded VPC.

## Troubleshoot the inability to delete Active Directory
<a name="delete_active_directory"></a>

License Manager is registered as an authorized application with Directory Service during configuration, thereby safeguarding active directories from deletion once configured. As part of the standard procedure, customers need to first remove all instances, instance associations, and user subscriptions. Following this, they can proceed with removing the active directory from the License Manager and subsequently delete the directory itself.

## Troubleshoot inability to delete AWSServiceRoleForAWSLicenseManagerUserSubscriptionsService Service Linked Role (SLR)
<a name="delete_service_linked_role"></a>

License Manager requires the "AWSServiceRoleForAWSLicenseManagerUserSubscriptionsService" service-linked role for managing AWS resources that will provide user-based subscriptions. A service-linked role makes setting up License Manager easier because you don't have to manually add the necessary permissions. License Manager defines the permissions of its service-linked roles, and unless defined otherwise, only License Manager can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For more information, see [Prerequisites to create user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-prerequisites), [License Manager – User-based subscription role](https://docs.aws.amazon.com/license-manager/latest/userguide/user-based-subscription-role.html), and [Service-linked roles](https://docs.aws.amazon.com/singlesignon/latest/userguide/slrconcept.html).

## Troubleshoot *subscription is not present* error for RDS SAL product
<a name="rds_sal_subscription_error"></a>

Your account must have a subscription to Windows Server Remote Desktop Services Subscriber Access License (RDS SAL). All users associated with instances providing user-based subscription products must have a single active subscription to this license in addition to any other products they would like to use. Your user will be subscribed to RDS SAL on their behalf when they subscribe to a user-based subscription product.

If this subscription has been unsubscribed or removed due to other compliance reasons, you might have to resubscribe. If you are already subscribed, you can try unsubscribing and resubscribing, which will not affect your License Manager user subscriptions.

## Troubleshoot license counts not showing up correctly
<a name="license_counts_not_showing"></a>

After initial setup or configuration changes, it can take up to 24 hours for the license server to display accurate license counts for all license types in the License Diagnoser.

What to do:
+ Wait up to 24 hours after setup before expecting accurate license count reporting

This delay is normal and allows the license server sufficient time to properly synchronize and update all license information across different license types. If you run into an error, see [Troubleshoot RDS License Diagnoser issues](#rds_licensing_mode_error).

## Troubleshoot RDS License Diagnoser issues
<a name="rds_licensing_mode_error"></a>

These errors are typically caused by credential or permission issues. To resolve:

1. **Verify user credentials:** Ensure you are using the same user account that was provided to License Manager during onboarding

1. **Check session credentials:** If you see **"Credentials not available"** against the server in the summary section:

   1. Click on the license server in the summary section that shows **"Credentials not available"**

   1. In the right-hand side menu that opens, add the credentials of the user that was onboarded to License Manager

   1. Click **"Refresh"**

If the issue persists, follow the additional troubleshooting steps outlined in Microsoft's documentation: [Cannot connect to RDS - No license server](https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/cannot-connect-rds-no-license-server)

This should resolve most credential and permission-related issues with the License Diagnoser.

## Troubleshoot trusts
<a name="troubleshoot_trusts"></a>

Based on our experience working with many customers, the vast majority of trust configuration issues are either DNS resolution or networking connectivity errors. These are some troubleshooting steps to help you resolve common issues:
+ Check whether you allowed outbound networking traffic on the AWS Managed Microsoft AD.
+ If the DNS server or the network for your on-premises domain uses a public (non-RFC 1918) IP address space, follow these steps:
  + In the Directory Service console, go to the IP routing section for your directory, choose **Actions**, and then choose **Add route**.
  + Enter the IP address block of your DNS server or on-premises network using CIDR format, for example 203.0.113.0/24.
  + This step isn't necessary if both your DNS server and your on-premises network are using RFC 1918 private IP address spaces.
+ After you verify the security group and check whether any applicable routes are required, launch a Windows Server instance and join it to the AWS Managed Microsoft AD directory. Once the instance is launched:
  + Run this PowerShell command to test DNS connectivity:

    ```
    Resolve-DnsName -Name 'example.local' -DnsOnly
    ```

You should also look through the message explanations in the [Trust creation status reasons guide](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/ms_ad_troubleshooting_trust_creation.html) in the Directory Service documentation.
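
The DNS and connectivity checks in this section can be run together on the domain-joined test instance. The following PowerShell is an added example, not part of the AWS documentation. The function names, the sample DNS server addresses, and the TCP port list (53, 88, 389, 445) are assumptions to adjust for your environment.

```powershell
# Added example. Function names, sample addresses and the port list are assumptions.
function Test-Rfc1918Address {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }            # IPv6 is never RFC 1918
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-TrustConnectivity {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DnsServer = @(),
        [int[]]$Port = @(53, 88, 389, 445)   # assumed TCP ports: DNS, Kerberos, LDAP, SMB
    )
    # 1. Public (non-RFC 1918) DNS servers need a route in the directory's IP routing section.
    foreach ($ip in $DnsServer) {
        if (-not (Test-Rfc1918Address -Address $ip)) {
            Write-Warning "$ip is not RFC 1918: add a route for its CIDR block."
        }
    }
    # 2. DNS: locate the domain controllers through the DC locator SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No domain controller SRV records for $Domain. Fix DNS resolution before checking ports."
        return
    }
    # 3. Network: TCP reachability of each domain controller (UDP is not tested here).
    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        foreach ($p in $Port) {
            $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $p
                Reachable        = $r.TcpTestSucceeded
            }
        }
    }
}

# Constructed sample input: 'example.local' is the page's placeholder domain;
# 10.0.0.10 and 203.0.113.10 are made-up DNS server addresses.
Test-TrustConnectivity -Domain 'example.local' -DnsServer '10.0.0.10', '203.0.113.10' |
    Format-Table -AutoSize
```

A missing SRV answer points to the DNS side of the trust, while resolved domain controllers with `Reachable` set to `False` point to security group, firewall, or routing rules.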

## Troubleshoot billing issues for user subscriptions
<a name="billing_user_subscriptions"></a>

AWS bills you through a monthly subscription, based on the number of users associated with the license-included Microsoft Office or Visual Studio instances. These per-user charges are billed per calendar month, and the billing starts from the time you subscribe to the product. If you remove a user's access during the current month, you are billed for that user for the remainder of the month. You stop incurring charges for the user the following month.

Furthermore:
+ Billing is calculated per user within user-based subscriptions. Only users who are subscribed to the product incur charges, not all users in the Active Directory.
+ Billing operates on a monthly cycle, starting from the first day of each calendar month. Charges are levied for the entire month, regardless of the specific date of subscription activation.
+ You need an RDS SAL for each user who needs to access your Office/VS instances.
+ To stop incurring charges for user-based subscriptions, you must disassociate the user from all instances they are associated with. Deleting a user from Active Directory does not disassociate the user from instances. For more information, see [Disassociate users from an instance that provides License Manager user-based subscriptions](usubs-disassociate-users.md).
+ A user is only counted once. You get charged per user for Microsoft Office and Visual Studio, irrespective of the number of EC2 instances the user connects to. Users are charged for their subscription once, regardless of their usage of multiple instances.

## Troubleshoot inactive marketplace subscription status
<a name="inactive_marketplace_status"></a>

After you configure your directory with the required products, you must subscribe to those products. Products with a Marketplace Subscription Status of Inactive require you to subscribe before you can associate users with an instance and use them.

## Troubleshoot user limits per instance
<a name="user_limits_per_instance"></a>

There is a limit of 25 instances per user. If you need this limit adjusted, contact AWS Support. Users are charged for their subscription once, regardless of their usage of multiple instances.

## Troubleshoot CAL token not vended after migration to RDS SAL
<a name="cal_token"></a>

If you use your own Microsoft RDS license servers, any Client Access License (CAL) tokens already issued remain valid until they expire. During this period users with valid CAL tokens are not automatically subscribed to the RDS SAL product. New user sessions are not automatically subscribed to RDS SAL even though License Manager is configured. License Manager does not override existing CAL tokens issued by your own license servers. The service-managed license server begins issuing tokens and handling new requests only after the existing CAL tokens expire. Once the currently issued CAL tokens reach their expiration date, new token requests are handled by the service-managed license server, and users are auto-subscribed to the RDS SAL product as needed.

## Seamless domain join not working for EC2 instances with user subscription products
<a name="seamless_domain_join"></a>

License Manager needs to perform domain join on these instances using SSM to allow authorized access to only users subscribed to the product. As a result, the seamless domain join feature is deactivated.

## VPC endpoint was created in my account
<a name="vpc_endpoint_created"></a>

License Manager creates VPC endpoints required for your resources to connect to activation servers and remain in compliance when you configure your VPC.

## Remove all VPC endpoint resources created by License Manager
<a name="remove_vpc_endpoint"></a>

In order to delete the VPC endpoint resources, you must perform the following actions:
+ Disassociate all users from their user-based subscriptions. For more information, see [Disassociate users from an instance that provides License Manager user-based subscriptions](usubs-disassociate-users.md).
+ Remove any directory that is configured from the License Manager settings. For more information, see [Deregister an Active Directory from License Manager settings](usubs-deregister-ad.md).
+ Terminate all instances providing user-based subscription products. For more information, see [Launch an instance from a license included AMI](usubs-launch-instance.md).

## Change a username on Managed Active Directory
<a name="change_username"></a>

Changing a username has no effect on the user's ability to RDP into associated instances. Associated users can use their updated login details to RDP into user subscription instances.

## Dissociate users from a terminated instance
<a name="dissociate_terminated_instance"></a>

Whenever an instance that provides user-based subscriptions is terminated, all users associated with that instance are disassociated. You do not have to manually disassociate the users.

**Note**  
Users are not disassociated if the instance is stopped.

## Install additional software on user subscription instances
<a name="additional_software"></a>

You can install additional software on your instances that isn't available as a user-based subscription. Additional software installations aren't tracked by License Manager. These installations must be performed using the Admin account that is created by default in your AWS Managed Microsoft AD directory. For more information, see [Admin account](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.html) in the Directory Service Administration Guide.

To install additional software with the Admin account, you must:
+ Subscribe the Admin account to the product provided by the instance.
+ Associate the Admin account to the instance.
+ Connect to the instance using the Admin account to perform the installation.

For more information, see [Get started with user-based subscriptions in License Manager](user-based-subscriptions-getting-started.md).

## Japanese Language Packs on user subscription instances
<a name="japanese_language_packs"></a>

Japanese language pack installation is supported with User subscription instances.

## Local Administrator user on user subscription instances
<a name="local_admin_user"></a>

To prevent unauthorized access to these Microsoft products, we only allow users in the managed Active Directory domain to be associated with user subscription instances. When you create local users with administrator privileges on instances that provide user-based subscriptions, the instance's health status changes to unhealthy.

## Number of users that can RDP to a user subscriptions instance
<a name="rdp_user_limit"></a>

Instances that provide user-based subscriptions support up to two active user sessions at a time, as stated in [Use License Manager user-based subscriptions for supported software products](https://docs.aws.amazon.com/license-manager/latest/userguide/user-based-subscriptions.html). By default, Windows allows up to 2 Remote Desktop connections, including an Admin connection, at any given time in all editions of Windows Server. To support more than 2 concurrent users, you need to set up an RDS Licensing server.

## Users in my self-managed AD for Office and Visual Studio products
<a name="self_managed_ad"></a>

To associate users in your self-managed directory, you must establish a two-way forest trust between your self-managed directory and your AWS Managed Microsoft AD directory. For more information, see [Tutorial: Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html) in the Directory Service Administration Guide.

## Supported Windows operating systems
<a name="supported_os"></a>

For information about supported Windows operating system platforms, see [Supported software products for user-based subscriptions in License Manager](user-based-subscriptions.md#usubs-software).

## Supported versions of Office and Visual Studio
<a name="supported_software"></a>

For information about supported software for user-based subscriptions, see [Supported software for user-based subscriptions](user-based-subscriptions.md#usubs-software-supported).

## Using user subscription with older Windows Server versions
<a name="older_windows_versions"></a>

When you launch an instance from an AMI that supports Office LTSC Professional Plus, Office LTSC Standard, or Microsoft Visual Studio, the launch defaults to the latest Windows OS platform version of the AMI (for example Windows Server 2022). To launch with an earlier OS platform version, follow these steps:

1. Open the AWS Marketplace console at [https://console.aws.amazon.com/marketplace](https://console.aws.amazon.com/marketplace).

1. Choose **Manage subscriptions** from the navigation pane.

1. To streamline subscription results, you can search for all or part of the subscription name. For example, Office LTSC Professional Plus, Office LTSC Standard, or Visual Studio Enterprise.

1. Select **Launch new instance** from the subscription panel. This opens a launch configuration page.

1. To launch an instance from an AMI that's based on an earlier version of the Windows OS platform, select the full AWS Marketplace website link, located under the Software version. This takes you to a configuration page where you can select from a list of versions.

1. The list shows the latest AMI versions for the supported Windows OS platforms. Select the Windows OS version that you want to launch from.

## Using License Manager user subscriptions across accounts or regions
<a name="unsupported_scenarios"></a>

These scenarios are supported:
+ Using License Manager user subscriptions across accounts
+ Using License Manager user subscriptions with shared Active Directory

These scenarios are not supported:
+ Using License Manager user subscriptions across regions

## Tips for contacting AWS Support
<a name="aws_support_tips"></a>
+ When contacting AWS Support, create an instance with the same settings as the terminated instance and enable instance termination protection for a quick response.
+ For any RDP-related issues, we require RDP-related logs to help debug the problem. Use the 'AWSSupport-RunEC2RescueForWindowsTool' for environments with internet access. For more information, see [EC2Rescue for Windows Server](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-ssm.html).
+ By using an Office instance as a working instance and mounting a volume restored from a snapshot of the original instance's volume, it is possible to collect data even in an environment without internet access.
+ Troubleshooting Instance Launches from Backup AMIs: If you launch an instance from a backup AMI, you must terminate the original instance.