Ingest and migrate EC2 Windows instances into an AWS Managed Services account - AWS Prescriptive Guidance

Ingest and migrate EC2 Windows instances into an AWS Managed Services account

Created by Anil Kunapareddy (AWS) and Venkatramana Chintha (AWS)

Environment: Production

Source: VPC in AWS Cloud

Target: VPC Managed by AWS Managed Services

R Type: Rehost

Workload: Microsoft

Technologies: Migration; Operations; Security, identity, compliance; Cloud-native

AWS services: AWS Managed Services


This pattern explains the step-by-step process of migrating and ingesting Amazon Elastic Compute Cloud (Amazon EC2) Windows instances into an Amazon Web Services (AWS) Managed Services (AMS) account. AMS can help you manage the instance more efficiently and securely. AMS provides operational flexibility, enhances security and compliance, and helps you optimize capacity and reduce costs.

This pattern starts with an EC2 Windows instance that you have migrated to a staging subnet in your AMS account. A variety of migration services and tools are available to perform this task, such as AWS Application Migration Service.

To make a change to your AMS-managed environment, you create and submit a request for change (RFC) for a particular operation or action. Using an AMS workload ingest (WIGS) RFC, you ingest the instance into the AMS account and create a custom Amazon Machine Image (AMI). You then create the AMS-managed EC2 instance by submitting another RFC to create an EC2 stack. For more information, see AMS Workload Ingest in the AMS documentation.

Prerequisites and limitations


  • An active, AMS-managed AWS account

  • An existing landing zone

  • Permissions to make changes in the AMS-managed VPC

  • An Amazon EC2 Windows instance in a staging subnet in your AMS account

  • Completion of the general prerequisites for migrating workloads using AMS WIGS

  • Completion of the Windows prerequisites for migrating workloads using AMS WIGS


  • This pattern is for EC2 instances operating Windows Server. This pattern doesn’t apply to instances running other operating systems, such as Linux.


Source technology stack

Amazon EC2 Windows instance in a staging subnet in your AMS account

Target technology stack

Amazon EC2 Windows instance managed by AWS Managed Services (AMS)

Target architecture


AWS services

  • Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. You can use Amazon EC2 to launch as many or as few virtual servers as you need, and you can scale out or scale in.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS Managed Services (AMS) helps you operate more efficiently and securely by providing ongoing management of your AWS infrastructure, including monitoring, incident management, security guidance, patch support, and backup for AWS workloads.

Other services

  • PowerShell is a Microsoft automation and configuration management program that runs on Windows, Linux, and macOS.


TaskDescriptionSkills required

Change the DNS Client settings.

  1. On the source EC2 instance, open Command Prompt as an administrator, type gpedit.msc, and then press Enter.

  2. In the Local Group Policy Editor, navigate to Computer Configuration, Administrative Templates,Network, DNS Client.

  3. For Primary DNS suffix, choose Not configured.

  4. For Primary DNS suffix devolution, choose Not configured

Migration engineer

Change the Windows Update settings.

  1. In the Local Group Policy Editor, navigate to Computer Configuration, Administrative Templates, Windows Components, Windows Update.

  2. For Specify intranet Microsoft update service location, choose Not configured.

  3. For Configure Automatic Updates, choose Not configured.

  4. For Automatic Updates detection frequency, choose Not configured.

  5. Close the Local Group Policy Editor.

Migration engineer

Enable the firewall.

  1. On the source EC2 instance, open Command Prompt as an administrator, type services.msc, and then press Enter.

  2. In Windows Services, enable Firewall.

  3. Close Windows Services.

Migration engineer
TaskDescriptionSkills required

Clean up and prepare the instance.

  1. Using a bastion host and local credentials, create a Remote Desktop Protocol (RDP) connection to the EC2 instance in the staging subnet.

  2. Remove all legacy software, antivirus software, and backup solutions that aren’t required in AMS. 

Migration engineer

Repair the sppnp.dll file.

  1. Go to C:\Windows\System32\sppnp.dll.

  2. Rename sppnp.dll to sppnp_old.dll.

  3. Using PowerShell and administrator credentials, enter the following commands:

    dism /online /cleanup-image /restorehealth sfc /scannnow
  4. Restart the EC2 Windows instance.

Migration engineer

Run the pre-WIG validation script.

  1. Download the Windows WIGS Pre-ingestion Validation zip file ( from Migrating workloads: Windows pre-ingestion validation in the AMS documentation.

  2. Run the Windows pre-WIG validation script and verify the results.

  3. If the validation fails, fix the issue, and rerun the validation script until the validation succeeds.

Migration engineer

Create the failsafe AMI.

After the pre-WIG validation passes, create a pre-ingestion AMI as follows:

  1. Choose Deployment, Advanced stack components, AMI, Create.

  2. During creation, add a tag Key=Name, Value=APPLICATION-ID_IngestReady.

  3. Wait until AMI is created before proceeding.

For more information, see AMI | Create in the AMS documentation.

Migration engineer
TaskDescriptionSkills required

Submit the RFC to create the workload ingest stack.

Submit a request for change (RFC) to start the AMS WIGS. For instructions, see Workload Ingest Stack: Creating in the AMS documentation. This starts the workload ingestion and installs all the software required by AMS, including backup tools, Amazon EC2 management software, and antivirus software.

Migration engineer

Validate successful migration.

After the workload ingestion is complete, you can see the AMS-managed instance and AMS-ingested AMI.

  1. Log in to the AMS-managed instance with domain credentials.

  2. Validate the domain joining as follows:

    1. In Windows Explorer, right-click This PC, and then choose Properties.

    2. In the Device Specification section, confirm that the domain appears in the Full device name.

  3. Validate the source and target disk drives.

Migration engineer
TaskDescriptionSkills required

Submit the RFC to create an EC2 stack.

  1. Using the AMS-ingested AMI of the Windows instance, prepare an RFC for an EC2 stack according to the instructions in Create EC2 stack instance in AMS documentation. In the EC2 stack RFC, provide all the parameters, including the server name, tags, target VPC, target subnet, instance type, target security groups, ingestion AMI, and role.

  2. Submit the RFC for the EC2 stack, and then wait for the instance to be successfully created.

Migration engineer

Related resources

AWS Prescriptive Guidance

AMS documentation

Marketing resources