Amazon Elastic Compute Cloud
User Guide for Windows Instances

AWS Windows AMI Version History

AWS provides Amazon Machine Images (AMIs) that contain versions of Windows Server, known as the AWS Windows AMIs. Some AWS Windows AMIs also come configured with Microsoft SQL Server or Internet Information Services (IIS). You can use an AMI with Microsoft SQL Server and IIS already configured, or you can start from a basic Windows AMI, and then install Microsoft SQL Server and enable IIS on the instance. For more information, see AWS Windows AMIs.

Configuration Settings and Drivers

The AWS Windows AMIs are generally configured the same way as a Windows Server that you install from Microsoft-issued media. There are, however, a few differences in the installation defaults.

AWS Windows AMIs come with an additional service installed, the EC2Config service. The EC2Config service runs in the local system account and is primarily used during the initial setup. For information about the tasks that EC2Config performs, see Overview of EC2Config Tasks.

After you launch your Windows instance with its initial configuration, you can use the EC2Config service to change the configuration settings as part of the process of customizing and creating your own AMI. Instances launched from your customized AMI are launched with the new configuration.

AWS Windows AMIs contain a set of drivers to permit access to Xen virtualized hardware. These drivers are used by Amazon EC2 to map instance store and Amazon EBS volumes to their devices. For more information, see Paravirtual Drivers.

Updating Your Windows Instance

After you launch a Windows instance, you are responsible for installing updates on it. You can manually install only the updates that interest you, or you can start from a current AWS Windows AMI and build a new Windows instance. For information about finding the current AWS Windows AMIs, see Finding a Windows AMI.

For Windows instances, you can install updates to the following services or applications:

You can reboot a Windows instance after installing updates. For more information, see Reboot Your Instance.

Upgrading or Migrating a Windows Server Instance

For information about how to upgrade or migrate an instance to a newer version of Windows, see Upgrading a Windows Server EC2 Instance to a Newer Version of Windows Server.

Determining Your Instance Version

The AWS Management Console provides details about the AMI that you use to create an Amazon EC2 instance. The AMI ID field on the Description tab contains information including the Windows Server SKU, the architecture (32-bit or 64-bit), the date the AMI was created, and an AMI ID.


Figure: EC2 console showing AMI ID

If an AMI has been made private or replaced by later versions and is no longer listed in the catalog, the AMI ID field states, "Cannot load detail for ami-xxxxx. You may not be permitted to view it." To determine which AMI was used to create the instance, you must open the system log. In the EC2 console, choose an instance, and from the context-menu (right-click) choose Instance Settings and then choose Get System Log. The date the AMI was created and the SKU are listed in the AMI Origin Version and AMI Origin Name fields.


Figure: System log output showing AMI origin version and name

Note

The AMI Origin Version and AMI Origin Name are displayed in the system log only if the EC2Config service is running version 2.1.19 or later and the AMI was created after 2013.11.13.

Subscribing to Windows AMI Notifications

If you want to be notified when new AMIs are released or when the previous AMIs are made private, you can subscribe to these notifications using Amazon SNS.

To subscribe to Windows AMI notifications

  1. Open the Amazon SNS console.

  2. In the navigation bar, change the region to US East (N. Virginia), if necessary. You must select this region because the SNS notifications that you are subscribing to were created in this region.

  3. In the navigation pane, click Subscriptions.

  4. Click Create Subscription.

  5. In the Create Subscription dialog box, do the following:

    1. In TopicARN, enter one of the following Amazon Resource Names (ARNs):

      • arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-update

      • arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-private

    2. In Protocol, select Email.

    3. In Endpoint, enter an email address that you can use to receive the notifications.

    4. Click Subscribe.

  6. You'll receive a confirmation email with the subject line AWS Notification - Subscription Confirmation. Open the email and click Confirm subscription to complete your subscription.

Whenever new Windows AMIs are released, we send notifications to subscribers of the ec2-windows-ami-update topic. Whenever new Windows AMIs are made private, we send notifications to subscribers of the ec2-windows-ami-private topic. If you no longer want to receive these notifications, use the following procedure to unsubscribe.

To unsubscribe from Windows AMI notifications

  1. Open the Amazon SNS console.

  2. In the navigation pane, click Subscriptions.

  3. Select the subscription and then click Delete Subscriptions. When prompted for confirmation, click Yes, Delete.

Image Changes

The following changes are applied to each Amazon-provided image.

  • Allow Internet Control Message Protocol (ICMP) traffic through firewall

  • Set performance options for best performance

  • Set power setting to high performance

  • Disable screensaver password

  • Disable hibernation

  • Disable clearing page file at shutdown

  • Add links to desktop EC2 Windows Guide (http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html) and EC2 Feedback (https://aws.qualtrics.com/se/?sid=sv_e5mofjhv18gtayw)

  • Set timezone to UTC

  • Configure page file (512 MB to 8 GB)

  • Install PowerShell tools (https://aws.amazon.com/powershell)

  • Install the latest version of the EC2Config service

  • Disable Windows network location profile selection prompt

  • Install CloudFormation tools (https://aws.amazon.com/developertools/aws-cloudformation/4026240853893296)

  • Disable IPv6 in network adapters

  • Disable NetBIOS in network adapters

  • Install PowerShell 3.0 for images earlier than Windows Server 2012

  • Enable remote PowerShell

  • Enable file and printer sharing

  • Open port 1433 for images that include SQL Server

  • Enable notification of Windows updates

  • Sync time daily via NTP

  • Disable Windows Internet Explorer RunOnce

  • Apply the following hotfixes for Windows Server 2008 or Server 2008 R2 images:

    • GARP (http://support.microsoft.com/kb/2582281)

    • Microsoft DST (http://support.microsoft.com/kb/2800213)

    • Microsoft RTIU clock sync (http://support.microsoft.com/kb/2922223)

    • ELB (http://support.microsoft.com/kb/2634328)

    • TCP scaling (http://support.microsoft.com/kb/2780879)

    • SMB2 (http://support.microsoft.com/kb/2394911)

  • Attach instance storage volumes to extended mount points (25)

  • Install latest Windows updates

Details About AWS Windows AMI Versions

AWS provides updated, fully-patched Windows AMIs within five business days of Microsoft's patch Tuesday (the second Tuesday of each month). The new AMIs are available immediately through the Images page in the Amazon EC2 console. The new AMIs are available in the AWS Marketplace and the Quick Start tab of the launch instance wizard within a few days of their release. AWS makes the previously published Windows AMIs private within 10 business days after publishing updated Windows AMIs, to ensure that customers have the latest security updates by default.

The Windows AMIs in each release have new AMI IDs. Therefore, we recommend that you write scripts that locate the latest AWS Windows AMIs by their names, rather than by their IDs. For more information, see Get-EC2ImageByName in the AWS Tools for Windows PowerShell User Guide. You can also create a Lambda function to perform this task with Amazon EC2 and other services such as AWS CloudFormation. For more information, see Create a Lambda Function.
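The following Python sketch is an added example, not code from the AWS guide. It selects the newest AMI for one exact base name from records shaped like the `Images` entries of an EC2 DescribeImages response. The sample records, the stamps on them and the `ami-EXAMPLE…` IDs are constructed placeholders; filtering on `ImageOwnerAlias` is an assumption about how you want to restrict owners.

```python
import re
from datetime import date

# Release stamp that ends an AWS Windows AMI name, for example "-2016.10.18".
# Month and day are accepted with or without zero padding, because release
# labels on this page are written both ways (2016.8.11 and 2016.08.11).
STAMP = re.compile(r"^(?P<base>.+)-(?P<y>\d{4})\.(?P<m>\d{1,2})\.(?P<d>\d{1,2})$")


def split_ami_name(name):
    """Return (base_name, release_date), or None if the name has no valid stamp."""
    match = STAMP.match(name)
    if match is None:
        return None
    try:
        released = date(int(match["y"]), int(match["m"]), int(match["d"]))
    except ValueError:  # for example month 13
        return None
    return match["base"], released


def latest_image(images, base_name, owner_alias="amazon"):
    """Newest image named exactly base_name + "-<stamp>" and owned by owner_alias.

    `images` is a list of dicts carrying the Name, ImageId and ImageOwnerAlias
    keys of a DescribeImages response.
    """
    best = None
    for image in images:
        # AMI names are not unique across accounts, so the owner is checked too.
        if image.get("ImageOwnerAlias") != owner_alias:
            continue
        parsed = split_ami_name(image.get("Name", ""))
        # Exact base-name match: a prefix match would also pick up sibling
        # editions that share the start of the name.
        if parsed is None or parsed[0] != base_name:
            continue
        # Compare real dates: as strings, "2016.9.14" sorts after "2016.12.14".
        if best is None or parsed[1] > best[0]:
            best = (parsed[1], image)
    return None if best is None else best[1]


# Constructed sample records; the image IDs are placeholders, not real AMIs.
BASE = "Windows_Server-2012-RTM-English-64Bit-SQL_2014_SP1_Standard"
SAMPLE_IMAGES = [
    {"ImageId": "ami-EXAMPLE0001", "ImageOwnerAlias": "amazon",
     "Name": BASE + "-2016.9.14"},
    {"ImageId": "ami-EXAMPLE0002", "ImageOwnerAlias": "amazon",
     "Name": BASE + "-2016.10.18"},
    {"ImageId": "ami-EXAMPLE0003", "ImageOwnerAlias": "amazon",
     "Name": BASE + "-2016.12.14"},
    # Sibling edition with a later stamp: must not match the Standard base name.
    {"ImageId": "ami-EXAMPLE0004", "ImageOwnerAlias": "amazon",
     "Name": "Windows_Server-2012-RTM-English-64Bit-SQL_2014_SP1_Express-2017.1.11"},
    # Same name pattern published by another account (no owner alias): ignored.
    {"ImageId": "ami-EXAMPLE0005",
     "Name": BASE + "-2017.3.15"},
]

if __name__ == "__main__":
    chosen = latest_image(SAMPLE_IMAGES, BASE)
    print(chosen["ImageId"], chosen["Name"])
```

In a real script the `images` list would come from a DescribeImages call restricted to Amazon-owned images; the selection logic stays the same.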

The following tables summarize the changes to each release of the AWS Windows AMIs. Note that some changes apply to all AWS Windows AMIs while others apply to only a subset of these AMIs.

Latest AMIs

Release Changes
2017.3.15

All AMIs

  • EC2Config version 4.7.1631

  • SSM Agent 2.0.682.0

  • SSM Agent 2.0.706.0 (Server 2016)

  • EC2Launch v1.3.540 (Server 2016)

  • Microsoft security updates current to March 14, 2017

  • Current AWS Tools for Windows PowerShell

  • Current AWS CloudFormation templates

2017.2.21

Microsoft recently announced that they will not release monthly patches or security updates for the month of February. All February patches and security updates will be included in the March update.

Amazon Web Services will not release updated Windows Server AMIs in February. Instead, we will resume shipping updated Windows Server AMIs in March.

2017.1.11

All AMIs

  • EC2Config version 4.2.1442

  • SSM Agent 2.0.599.0

  • Microsoft security updates current to January 10, 2017

  • Current AWS Tools for Windows PowerShell

  • Current AWS CloudFormation templates

AMIs Released in 2016

Release Changes
2016.12.14

All AMIs

  • Released EC2Config version 4.1.1396

  • Microsoft security updates current to December 13, 2016

  • Elastic Network Adapter (ENA) driver 1.0.9.0 (Windows 2008 R2 only)

  • Current AWS Tools for Windows PowerShell

New AMIs now available in all regions

  • Windows_Server-2016-English-Core-Base

  • Windows_Server-2016-English-Nano-Base (Late December release because of a known issue where a small number of launches would fail to generate a login password.)

Microsoft SQL Server

All Microsoft SQL Server AMIs with the latest service pack are now public in all regions. These new AMIs replace old SQL Service Pack AMIs going forward.

New SQL AMI names:

  • Windows_Server-2008-R2_SP1-English-64Bit-SQL_2012_SP3_edition-2016.12.14

  • Windows_Server-2012-RTM-English-64Bit-SQL_2012_SP3_edition-2016.12.14

  • Windows_Server-2012-R2_RTM-English-64Bit-SQL_2014_SP2_edition-2016.12.14

  • Windows_Server-2012-RTM-English-64Bit-SQL_2014_SP2_edition-2016.12.14

  • Windows_Server-2012-R2_RTM-English-64Bit-SQL_2016_SP1_edition-2016.12.14

  • Windows_Server-2016-English-Full-SQL_2016_SP1_edition-2016.12.14

SQL Server 2016 SP1 is a major release. The following features, which were previously available in Enterprise edition only, are now enabled in Standard, Web, and Express editions with SQL Server 2016 SP1:

  • Row-level security

  • Dynamic Data Masking

  • Change Data Capture

  • Database snapshot

  • Column store

  • Partitioning

  • Compression

  • In Memory OLTP

  • Always Encrypted

2016.11.23

  • Released EC2Config version 4.1.1378.

  • The Windows Server 2003-2012 R2 AMIs released this month, and going forward, use the EC2Config service to process boot-time configurations and Amazon EC2 Systems Manager (SSM) Agent to process Amazon EC2 Run Command and SSM Config requests. EC2Config no longer processes requests for Run Command and SSM Config. The latest EC2Config installer installs SSM Agent side-by-side with the EC2Config service. For more information, see EC2Config and Amazon EC2 Systems Manager (SSM).

2016.11.09

All AMIs

  • Released AWS PV driver, version 7.4.3.0 for Windows 2008 R2 and newer

  • Windows Server 2016 added to patch release cycle.

  • Microsoft security updates current to November 8, 2016.

  • Current AWS Tools for Windows PowerShell

2016.10.18

Released new AMIs for Windows Server 2016. AMIs that use Windows Server 2016 include significant changes. For example, these AMIs don't include the EC2Config service and you can't connect to Windows Server 2016 Nano Server by using Remote Desktop. You must remotely administer Nano Server by using Windows PowerShell. Before you use a Windows Server 2016 AMI, read about all of the changes and how to work with these AMIs. For more information, see Changes in Windows Server 2016 AMIs.

All AMIs

  • Microsoft security updates current to October 12, 2016.

  • Current AWS Tools for Windows PowerShell

2016.9.14

ALL AMIs

  • Microsoft security updates current to September 13, 2016.

  • Current AWS Tools for Windows PowerShell

  • Renamed AMI: Windows_Server-2012-RTM-Japanese-64Bit-SQL_2008_R3_SP2_Standard to Windows_Server-2012-RTM-Japanese-64Bit-SQL_2008_R2_SP3_Standard

2016.8.26

All Windows Server 2008 R2 AMIs dated 2016.08.11 were updated to fix a known issue. New AMIs are dated 2016.08.25.

2016.8.11

ALL AMIs

  • EC2Config v3.19.1153

  • Microsoft security updates current to August 10, 2016.

  • Enabled the registry key User32 exception handler hardening feature in Internet Explorer for MS15-124.

Server 2008 R2, Server 2012 RTM, and Server 2012 R2 AMIs

  • Elastic Network Adapter (ENA) Driver 1.0.8.0

  • ENA AMI property set to enabled.

Note

AWS PV Driver for Windows Server 2008 R2 was re-released this month because of a known issue. Windows Server 2008 R2 AMIs were removed in July because of this issue.

2016.8.2

Windows Server 2008 R2 AMIs

All Windows Server 2008 R2 AMIs for July were removed and rolled back to AMIs dated 2016.06.15, because of an issue discovered in the AWS PV driver. The AWS PV driver issue has been fixed. The August AMI release will include Windows Server 2008 R2 AMIs with the fixed AWS PV driver and July/August Windows updates.

2016.7.26

ALL AMIs

  • EC2Config v3.18.1118

  • Microsoft security updates current to July 2016.

    2016.07.13 AMIs were missing security patches. AMIs were re-patched. Additional processes were put in place to verify successful patch installations going forward.

2016.7.13

ALL AMIs

  • Microsoft security updates current to July 2016

  • Current AWS Tools for Windows PowerShell

  • Updated AWS PV Driver 7.4.2.0

  • AWS PV Driver for Windows Server 2008 R2

2016.6.16

  • Microsoft security updates current to June 2016

  • Current AWS Tools for Windows PowerShell

  • EC2Config service version 3.17.1032

  • Released 10 new AMIs that include 64-bit versions of Microsoft SQL Server 2016. You can launch an instance from one of these AMIs from the EC2 console, CLI, or API. If using the console, navigate to EC2 > Images > AMIs, choose Public Images, and enter “Windows_Server-2012-R2_RTM-English-64Bit-SQL_2016_Standard” in the search bar. For more information about SQL Server 2016, see What's New in SQL Server 2016 on MSDN.

2016.5.11

ALL AMIs

  • Microsoft security updates current to May 2016

  • Current AWS Tools for Windows PowerShell

  • EC2Config service version 3.16.930

  • MS15-011 Active Directory patch installed

  • Intel SRIOV driver for Windows Server 2012 R2 based AMIs. Version 1.0.16.1 (03/04/2014)

2016.4.13

ALL AMIs

  • Microsoft security updates current to April 2016

  • Current AWS Tools for Windows PowerShell

  • EC2Config service version 3.15.880

2016.3.9

ALL AMIs

  • Microsoft security updates current to March 2016

  • Current AWS Tools for Windows PowerShell

  • EC2Config service version 3.14.786

2016.2.10

ALL AMIs

  • Microsoft security updates current to February 2016

  • Current AWS Tools for Windows PowerShell

  • EC2Config service version 3.13.727

2016.1.25

ALL AMIs

  • Microsoft security updates current to January 2016

  • Current AWS Tools for Windows PowerShell

  • EC2Config service version 3.12.649

2016.1.5

ALL AMIs

  • Current AWS Tools for Windows PowerShell

AMIs Released in 2015

Release Changes
2015.12.15

ALL AMIs

  • Microsoft security updates current to December 2015

  • Current AWS Tools for Windows PowerShell

2015.11.11

ALL AMIs

  • Microsoft security updates current to November 2015

  • Current AWS Tools for Windows PowerShell

  • EC2Config service version 3.11.521

  • CFN Agent updated to latest version

2015.10.26

Corrected boot volume sizes of base AMIs to be 30GB instead of 35GB

2015.10.14

ALL AMIs

  • Microsoft security updates current to October 2015

  • EC2Config service version 3.10.442

  • Current AWS Tools for Windows PowerShell

  • Updated SQL Service Packs to latest versions for all SQL variants

  • Removed old entries in Event Logs

  • AMI names have been changed to reflect the latest service pack. For example, the latest AMI with Server 2012 and SQL 2014 Standard is named “Windows_Server-2012-RTM-English-64Bit-SQL_2014_SP1_Standard-2015.10.26”, not “Windows_Server-2012-RTM-English-64Bit-SQL_2014_RTM_Standard-2015.10.26”.

2015.9.9

ALL AMIs

  • Microsoft security updates current to September 2015

  • EC2Config service version 3.9.359

  • Current AWS Tools for Windows PowerShell

  • Current AWS CloudFormation helper scripts

2015.8.18

ALL AMIs

  • Microsoft security updates current to August 2015

  • EC2Config service version 3.8.294

  • Current AWS Tools for Windows PowerShell

Only AMIs with Windows Server 2012 and Windows Server 2012 R2

  • AWS PV Driver 7.3.2

2015.7.21

ALL AMIs

  • Microsoft security updates current to July 2015

  • EC2Config service version 3.7.308

  • Current AWS Tools for Windows PowerShell

  • Modified AMI descriptions of SQL images for consistency

2015.6.10

ALL AMIs

  • Microsoft security updates current to June 2015

  • EC2Config service version 3.6.269

  • Current AWS Tools for Windows PowerShell

  • Current AWS CloudFormation helper scripts

Only AMIs with Windows Server 2012 R2

  • AWS PV Driver 7.3.1

2015.5.13

All AMIs

  • Microsoft security updates current to May 2015

  • EC2Config service version 3.5.228

  • Current AWS Tools for Windows PowerShell

2015.04.15

All AMIs

  • Microsoft security updates current to April 2015

  • EC2Config service version 3.3.174

  • Current AWS Tools for Windows PowerShell

2015.03.11

All AMIs

  • Microsoft security updates current to March 2015

  • EC2Config service version 3.2.97

  • Current AWS Tools for Windows PowerShell

Only AMIs with Windows Server 2012 R2

  • AWS PV Driver 7.3.0

2015.02.11

All AMIs

  • Microsoft security updates current to February 2015

  • EC2Config service version 3.0.54

  • Current AWS Tools for Windows PowerShell

  • Current AWS CloudFormation helper scripts

2015.01.14

All AMIs

  • Microsoft security updates current to January 2015

  • EC2Config service version 2.3.313

  • Current AWS Tools for Windows PowerShell

  • Current AWS CloudFormation helper scripts

AMIs Released in 2014

Release Changes
2014.12.10

All AMIs

  • Microsoft security updates current to December 2014

  • EC2Config service version 2.2.12

  • Current AWS Tools for Windows PowerShell

2014.11.19

All AMIs

  • Microsoft security updates current to November 2014

  • EC2Config service version 2.2.11

  • Current AWS Tools for Windows PowerShell

2014.10.15

All AMIs

  • Microsoft security updates current to October 2014

  • EC2Config service version 2.2.10

  • Current AWS Tools for Windows PowerShell

Only AMIs with Windows Server 2012 R2

  • AWS PV Driver 7.2.4.1 (resolves the issues with Plug and Play Cleanup, which is now enabled by default)

2014.09.10

All AMIs

  • Microsoft security updates current to September 2014

  • EC2Config service version 2.2.8

  • Current AWS Tools for Windows PowerShell

Only AMIs with Windows Server 2012 R2

  • Disable Plug and Play Cleanup (see Important information)

  • AWS PV Driver 7.2.2.1 (resolves issues with the uninstaller)

2014.08.13

All AMIs

  • Microsoft security updates current to August 2014

  • EC2Config service version 2.2.7

  • Current AWS Tools for Windows PowerShell

Only AMIs with Windows Server 2012 R2

  • AWS PV Driver 7.2.2.1 (improves disk performance, resolves issues with reconnecting multiple network interfaces and lost network settings)

2014.07.10

All AMIs

  • Microsoft security updates current to July 2014

  • EC2Config service version 2.2.5

  • Current AWS Tools for Windows PowerShell

2014.06.12

All AMIs

  • Microsoft security updates current to June 2014

  • EC2Config service version 2.2.4

  • Removed NVIDIA drivers (except for Windows Server 2012 R2 AMIs)

  • Current AWS Tools for Windows PowerShell

2014.05.14

All AMIs

  • Microsoft security updates current to May 2014

  • EC2Config service version 2.2.2

  • Current AWS Tools for Windows PowerShell

  • AWS CloudFormation helper scripts version 1.4.0

2014.04.09

All AMIs

  • Microsoft security updates current to April 2014

  • Current AWS Tools for Windows PowerShell

  • Current AWS CloudFormation helper scripts

2014.03.12

All AMIs

  • Microsoft security updates current to March 2014

2014.02.12

All AMIs

  • Microsoft security updates current to February 2014

  • EC2Config service version 2.2.1

  • Current AWS Tools for Windows PowerShell

  • KB2634328

  • Remove the BCDEdit useplatformclock value

Only AMIs with Microsoft SQL Server

  • Microsoft SQL Server 2012 SP1 cumulative update package 8

  • Microsoft SQL Server 2008 R2 cumulative update package 10

AMIs Released in 2013

Release Changes
2013.11.13

All AMIs

  • Microsoft security updates current to November 2013

  • EC2Config service version 2.1.19

  • Current AWS Tools for Windows PowerShell

  • Configure NTP to synchronize the time once a day (the default is every seven days)

Only AMIs with Windows Server 2012

  • Clean up the WinSXS folder using the following command: dism /online /cleanup-image /StartComponentCleanup

2013.09.11

All AMIs

  • Microsoft security updates current to September 2013

  • EC2Config service version 2.1.18

  • Current AWS Tools for Windows PowerShell

  • AWS CloudFormation helper scripts version 1.3.15

2013.07.10

All AMIs

  • Microsoft security updates current to July 2013

  • EC2Config service version 2.1.16

  • Expanded the root volume to 50 GB

  • Set the page file to 512 MB, expanding to 8 GB as needed

  • Current AWS Tools for Windows PowerShell

2013.06.12

All AMIs

  • Microsoft security updates current to June 2013

  • Current AWS Tools for Windows PowerShell

Only AMIs with Microsoft SQL Server

  • Microsoft SQL Server 2012 SP1 with cumulative update package 4

2013.05.15

All AMIs

  • Microsoft security updates current to May 2013

  • EC2Config service version 2.1.15

  • All instance store volumes attached by default

  • Remote PowerShell enabled by default

  • Current AWS Tools for Windows PowerShell

2013.04.14

All AMIs

  • Microsoft security updates current to April 2013

  • Current AWS Tools for Windows PowerShell

  • AWS CloudFormation helper scripts version 1.3.14

2013.03.14

All AMIs

  • Microsoft security updates current to March 2013

  • EC2Config service version 2.1.14

  • Citrix Agent with CPU heartbeat fix

  • Current AWS Tools for Windows PowerShell

  • AWS CloudFormation helper scripts version 1.3.11

2013.02.22

All AMIs

  • Microsoft security updates current to February 2013

  • KB2800213

  • Windows PowerShell 3.0 upgrade

  • EC2Config service version 2.1.13

  • Citrix Agent with time fix

  • Citrix PV drivers dated 2011.07.19

  • Current AWS Tools for Windows PowerShell

  • AWS CloudFormation helper scripts version 1.3.8

Only AMIs with Microsoft SQL Server

  • Microsoft SQL Server 2012 cumulative update package 5

AMIs Released in 2012

Release Changes
2012.12.12

All AMIs

  • Microsoft security updates current to December 2012

  • Set the ActiveTimeBias registry value to 0

  • Disable IPv6 for the network adapter

  • EC2Config service version 2.1.9

  • Add AWS Tools for Windows PowerShell and set the policy to allow import-module

2012.11.15

All AMIs

  • Microsoft security updates current to November 2012

  • EC2Config service version 2.1.7

2012.10.10

All AMIs

  • Microsoft security updates current to October 2012

2012.08.15

All AMIs

  • Microsoft security updates current to August 2012

  • EC2Config service version 2.1.2

  • KB2545227

2012.07.11

All AMIs

  • Microsoft security updates current to July 2012

2012.06.12

All AMIs

  • Microsoft security updates current to June 2012

  • Set page file to 4 GB

  • Remove installed language packs

  • Set performance option to "Adjust for best performance"

  • Set the screen saver to no longer display the logon screen on resume

  • Remove previous RedHat driver versions using pnputil

  • Remove duplicate bootloaders and set bootstatuspolicy to ignoreallfailures using bcdedit

2012.05.10

All AMIs

  • Microsoft security updates current to May 2012

  • EC2Config service version 2.1.0

2012.04.11

All AMIs

  • Microsoft security updates current to April 2012

  • KB2582281

  • Current version of EC2Config

  • System time in UTC instead of GMT

2012.03.13

All AMIs

  • Microsoft security updates current to March 2012

2012.02.24

All AMIs

  • Microsoft security updates current to February 2012

  • Standardize AMI names and descriptions

2012.01.12

All AMIs

  • Microsoft security updates current to January 2012

  • RedHat PV driver version 1.3.10

AMIs Released in 2011 and earlier

Release Changes
2011.09.11

All AMIs

  • Microsoft security updates current to September 2011

1.04

All AMIs

  • Current Microsoft security updates

  • Update network driver

  • Fix issue with instances in a VPC losing connectivity when changing the time zone of the instance

1.02

All AMIs

  • Current Microsoft security updates

  • Update network driver

  • Add support for licensing activation for instances in a VPC

1.01

All AMIs

  • Current Microsoft security updates

  • Fix issue with password improperly generated while waiting for network availability

1.0

All AMIs

  • Initial release

Changes in Windows Server 2016 AMIs

AWS provides AMIs for Windows Server 2016. These AMIs include the following high-level changes from earlier Windows AMIs.

  • To accommodate the change from .NET Framework to .NET Core, the EC2Config service has been deprecated on Windows Server 2016 AMIs and replaced by EC2Launch. EC2Launch is a bundle of Windows PowerShell scripts that perform many of the tasks performed by the EC2Config service. For more information, see Configuring a Windows Instance Using EC2Launch.

  • The Windows Server 2016 Nano Server installation option (Nano Server) does not support Remote Desktop connections. The Connection option is available in the EC2 console, but the connection fails. You must remotely connect to your instance using Windows PowerShell. For more information, see Connect to a Windows Server 2016 Nano Server Instance.

  • On earlier versions of Windows Server AMIs, you can use the EC2Config service to join an EC2 instance to a domain and configure integration with Amazon CloudWatch. On Windows Server 2016 AMIs, the Amazon EC2 Systems Manager (SSM) agent performs these tasks. This means that you must use either Amazon EC2 Run Command or SSM Config to join an EC2 instance to a domain or configure integration with Amazon CloudWatch on Windows Server 2016 instances. For more information about configuring instances to send log data to CloudWatch, see Sending Logs, Events, and Performance Counters to Amazon CloudWatch. For information about joining an EC2 instance to a domain, see Joining EC2 Instances to a Domain (Run Command) or Joining a Windows Instance to an AWS Directory Service Domain (SSM Config).

    Other Differences

    Note these additional important differences for instances created from Windows Server 2016 AMIs.

    • By default, EC2Launch does not initialize secondary EBS volumes. You can configure EC2Launch to initialize disks automatically by either scheduling the script to run or by calling EC2Launch in user data. For the procedure to initialize disks using EC2Launch, see "Initialize Drives and Drive Letter Mappings" in Configuring EC2Launch.

    • Nano Server does not support online domain joining. You must perform an offline domain join instead. For more information, see Offline Domain Join (Djoin.exe) Step-by-Step Guide on Microsoft TechNet.

    • If you previously enabled CloudWatch integration on your instances by using a local configuration file (AWS.EC2.Windows.CloudWatch.json), you can configure the file to work with the SSM agent on instances created from Windows Server 2016 AMIs. For more information, see Windows Server 2016.

For more information about Windows Server 2016, see What's New with Windows Server 2016 and Getting Started with Nano Server on Microsoft.com.

Docker Container Conflict on Windows Server 2016 Instances

If you run the Docker service on Windows Server 2016 AMIs, the service is configured to use a different CIDR value than the default internal IP address prefix value. The default value is 172.16.0.0/12. Windows Server 2016 AMIs use 172.17.0.0/16 to avoid a conflict with the default Amazon EC2 VPC/subnet. If you don't change VPC/subnet settings for your EC2 instances, then you don't need to do anything. The conflict is essentially avoided because of the different CIDR values. If you do change VPC/subnet settings, be aware of these internal IP address prefix values and avoid creating a conflict. For more information, read the following section.

Important

If you plan to run Docker on a Windows Server 2016 instance, you must create the instance from the following Amazon Machine Image (AMI) or an AMI based on this image:

“Windows_Server-2016-English-Full-Containers-2016.10.18”

If you create the instance from another Windows Server 2016 AMI, instances fail to boot correctly after installing Docker and then running Sysprep.

Technical Details About the Conflict

In the networking context, Windows containers function like virtual machines. Each container has a virtual network adapter that is connected to a virtual switch. Inbound and outbound traffic is forwarded over this switch. Windows Server containers use a host virtual network interface controller (vNIC) to attach to the virtual switch.

When the Docker service starts for the first time on Windows Server 2016, the Docker engine creates a network address translation (NAT) network. By default, all container endpoints are connected to the default NAT network. The Docker internal IP address prefix is 172.16.0.0/12. If the container host IP address is in this same prefix, then NAT network creation fails because of the conflict between overlapping IP address spaces.

On Amazon EC2, default VPCs are assigned a CIDR range of 172.31.0.0/16. Default subnets within a default VPC are assigned /20 netblocks within the VPC CIDR range. There is an address space overlap between the default Amazon EC2 VPC and the default internal prefix used by Docker. Therefore, AWS embeds a new CIDR value of 172.17.0.0/16 in the Docker config file daemon.json. This file is located at C:\ProgramData\Docker\config\daemon.json. The daemon.json file uses the fixed-cidr: <IP prefix>/<mask> option to create the default NAT network with the IP address prefix and mask specified, thereby avoiding any address space conflicts. If you change your VPC and subnet settings, you must stop the Docker service, update the daemon.json file with the new CIDR range, and restart the service.
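The overlap check behind this section, as an added Python example that is not part of the AWS guide. It tests a Docker NAT prefix against the networks the host can reach, proposes a replacement when they collide, and rewrites the `fixed-cidr` key of a daemon.json document. Choosing the replacement from /16 blocks inside 172.16.0.0/12 is an assumption, and the sample daemon.json text is constructed.

```python
import ipaddress
import json

DOCKER_DEFAULT_PREFIX = "172.16.0.0/12"  # Docker internal prefix named above
AMI_FIXED_CIDR = "172.17.0.0/16"         # value AWS embeds in daemon.json
DEFAULT_VPC_CIDR = "172.31.0.0/16"       # default VPC range named above


def conflicts(nat_cidr, host_networks):
    """Return the host networks (VPC or subnet CIDRs) that overlap nat_cidr."""
    nat = ipaddress.ip_network(nat_cidr)
    return [str(net) for net in map(ipaddress.ip_network, host_networks)
            if nat.overlaps(net)]


def pick_fixed_cidr(host_networks, pool=DOCKER_DEFAULT_PREFIX, prefixlen=16):
    """First block of size /prefixlen inside pool that overlaps no host network.

    Returns None when the host networks cover the whole pool. Searching this
    particular pool is an assumption of the example, not an AWS rule.
    """
    hosts = [ipaddress.ip_network(net) for net in host_networks]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(host) for host in hosts):
            return str(candidate)
    return None


def with_fixed_cidr(daemon_json_text, new_cidr):
    """Return daemon.json text with fixed-cidr replaced and other keys kept."""
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    # ip_network() rejects malformed prefixes before they reach the config file.
    config["fixed-cidr"] = str(ipaddress.ip_network(new_cidr))
    return json.dumps(config, indent=2)


# Constructed daemon.json content for the demonstration.
SAMPLE_DAEMON_JSON = '{"fixed-cidr": "172.17.0.0/16", "debug": false}'

if __name__ == "__main__":
    # Default VPC: the Docker default collides, the AMI value does not.
    print(conflicts(DOCKER_DEFAULT_PREFIX, [DEFAULT_VPC_CIDR]))
    print(conflicts(AMI_FIXED_CIDR, [DEFAULT_VPC_CIDR]))
    # Custom VPC that covers the AMI value: choose a new prefix and rewrite.
    custom_vpc = ["172.16.0.0/15"]
    if conflicts(AMI_FIXED_CIDR, custom_vpc):
        print(with_fixed_cidr(SAMPLE_DAEMON_JSON, pick_fixed_cidr(custom_vpc)))
```

As the section states, the Docker service must be stopped before daemon.json is updated and restarted afterwards.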