Create a custom Windows AMI - Amazon Elastic Compute Cloud

Create a custom Windows AMI

You can launch an instance from an existing Windows AMI, customize the instance, and then save this updated configuration as a custom AMI. Instances launched from this new custom AMI include the customizations that you made when you created the AMI.

To help categorize and manage your AMIs, you can assign custom tags to them. For more information, see Tag your Amazon EC2 resources.

To create a custom Linux AMI, use the procedure for the type of volume for the instance. For more information, see Create an Amazon EBS-backed Linux AMI or Create an instance store-backed Linux AMI in the Amazon EC2 User Guide for Linux Instances.

How the creation of a custom AMI works

First, launch an instance from an AMI that's similar to the AMI that you'd like to create. You can connect to your instance and customize it. When the instance is set up the way you want it, ensure data integrity by stopping the instance before you create an AMI and then create the image. We automatically register the AMI for you.

During the AMI-creation process, Amazon EC2 creates snapshots of your instance's root volume and any other EBS volumes attached to your instance. You're charged for the snapshots until you deregister the AMI and delete the snapshots. For more information, see Deregister your AMI. If any volumes attached to the instance are encrypted, the new AMI only launches successfully on instance types that support Amazon EBS encryption. For more information, see Amazon EBS encryption in the Amazon EBS User Guide.

Depending on the size of the volumes, it can take several minutes for the AMI-creation process to complete (sometimes up to 24 hours). You may find it more efficient to create snapshots of your volumes prior to creating your AMI. This way, only small, incremental snapshots need to be created when the AMI is created, and the process completes more quickly (the total time for snapshot creation remains the same).

After the process completes, you have a new AMI and snapshot created from the root volume of the instance. When you launch an instance using the new AMI, we create a new EBS volume for its root volume using the snapshot.

Note

A Windows AMI must be created from an Amazon EC2 instance. Creation of a Windows AMI from an EBS snapshot is currently not supported as it might cause issues with billing, performance, and general operation.

If you add instance store volumes or Amazon Elastic Block Store (Amazon EBS) volumes to your instance in addition to the root device volume, the block device mapping for the new AMI contains information for these volumes, and the block device mappings for instances that you launch from the new AMI automatically contain information for these volumes. The instance store volumes specified in the block device mapping for the new instance are new and don't contain any data from the instance store volumes of the instance you used to create the AMI. The data on EBS volumes persists. For more information, see Block device mappings.

Note

When you create a new instance from a custom AMI, you should initialize both its root volume and any additional EBS storage before putting it into production. For more information, see Initialize Amazon EBS volumes.

Create a Windows AMI from a running instance

You can create an AMI using the AWS Management Console or the command line. The following diagram summarizes the process for creating an AMI from a running EC2 instance. Start with an existing AMI, launch an instance, customize it, create a new AMI from it, and finally launch an instance of your new AMI. The steps in the following diagram match the steps in the procedure below.

Note

If you already have a running Windows instance, you can go directly to step 5.

[Diagram: Workflow for creating an AMI from an instance]
To create an AMI from an instance using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under Images, choose AMIs.

  3. Use the Filter options to scope the list of AMIs to the Windows AMIs that meet your needs. For example, to view the Windows AMIs provided by AWS, choose Public images from the drop-down list. Choose the Search bar, and then from the menu, choose Owner alias, then =, and then amazon. Choose Source from the menu and enter one of the following, depending on the version of Windows Server that you need:

    • amazon/Windows_Server-2022

    • amazon/Windows_Server-2019

    • amazon/Windows_Server-2016

    • amazon/Windows_Server-2012

    Add any other filters that you need. When you have chosen an AMI, select its check box.

  4. Choose Launch instance from AMI (new console) or Launch (old console). Accept the default values as you step through the wizard. For more information, see Launch an instance using the new launch instance wizard. When the instance is ready, connect to it. For more information, see Connect to your Windows instance.

  5. Once you connect to the instance, you can perform any of the following actions to customize it for your needs:

    • Install software and applications

    • Copy data

    • Reduce start time by deleting temporary files and defragmenting your hard drive

    • Attach additional EBS volumes

    • Create a new user account and add it to the Administrators group

      If you are sharing your AMI, these credentials can be supplied for RDP access without disclosing your default administrator password.

    • [Windows Server 2022 and later] Configure settings using EC2Launch v2. To generate a random password at launch time, configure the setAdminAccount task. For more information, see setAdminAccount.

    • [Windows Server 2016 and 2019] Configure settings using EC2Launch. To generate a random password at launch time, use the adminPasswordType setting. For more information, see Configure EC2Launch.

    • [Windows Server 2012 R2 and earlier] Configure settings using EC2Config. To generate a random password at launch time, enable the Ec2SetPassword plugin; otherwise, the current administrator password is used. For more information, see EC2Config settings files.

  6. In the navigation pane, choose Instances and select your instance. Choose Actions, Image and templates, and Create image.

    Tip

    If this option is disabled, your instance isn't an Amazon EBS-backed instance.

  7. Specify a unique name for the image and an optional description (up to 255 characters).

    By default, when Amazon EC2 creates the new AMI, it reboots the instance so that it can take snapshots of the attached volumes while data is at rest, in order to ensure a consistent state. For the No reboot setting, you can select the Enable check box to prevent Amazon EC2 from shutting down and rebooting the instance.

    Warning

    If you choose to enable No reboot, we can't guarantee the file system integrity of the created image.

    (Optional) Modify the root volume, EBS volumes, and instance store volumes as needed. For example:

    • To change the size of the root volume, locate the Root volume in the Type column, and fill in the Size field.

    • To suppress an EBS volume specified by the block device mapping of the AMI used to launch the instance, locate the EBS volume in the list and choose Delete.

    • To add an EBS volume, choose Add New Volume, Type, and EBS, and fill in the fields. When you then launch an instance from your new AMI, these additional volumes are automatically attached to the instance. Empty volumes must be formatted and mounted. Volumes based on a snapshot must be mounted.

    • To suppress an instance store volume specified by the block device mapping of the AMI used to launch the instance, locate the volume in the list and choose Delete.

    • To add an instance store volume, choose Add New Volume, Type, and Instance Store, and select a device name from the Device list. When you launch an instance from your new AMI, these additional volumes are automatically initialized and mounted. These volumes don't contain data from the instance store volumes of the running instance from which you based your AMI.

    When you are finished, choose Create Image.

  8. While your AMI is being created, you can choose AMIs in the navigation pane to view its status. Clear your previous filters, and choose Owned by me from the drop-down list. Initially, the status is pending. After a few minutes, the status should change to available.

    (Optional) Choose Snapshots in the navigation pane to view the snapshot that was created for the new AMI. When you launch an instance from this AMI, we use this snapshot to create its root device volume.

  9. Launch an instance from your new AMI. For more information, see Launch an instance using the new launch instance wizard. The new running instance contains all of the customizations you applied in previous steps, and any additional customization you add when launching the instance, such as user data (scripts that run when the instance starts).

Create an AMI from an instance using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.
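As an added example (not from this page or AWS's own command list), the same create-image step with AWS Tools for PowerShell; it assumes the AWS.Tools.EC2 module is installed with credentials and a region configured, and the instance ID and tag values are placeholders:

```powershell
# Added example, not AWS documentation code: creates a custom Windows AMI from an existing
# instance with AWS Tools for PowerShell, waits until it is available, tags it, and returns
# the image ID together with the snapshot IDs the process produced.
# Assumes credentials and region are already configured (Set-AWSCredential, Set-DefaultAWSRegion).
Import-Module AWS.Tools.EC2 -ErrorAction Stop

function New-CustomWindowsAmi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstanceId,
        [Parameter(Mandatory)] [string] $Name,
        [string] $Description = 'Custom Windows AMI',
        [hashtable] $Tags = @{},
        # By default EC2 reboots the instance so volumes are snapshotted while data is at rest.
        [switch] $NoReboot,
        [int] $TimeoutMinutes = 60
    )

    # Data-integrity check: a stopped instance is the safest source. Imaging a running
    # instance with No reboot cannot guarantee file-system integrity, so refuse that mix.
    $state = "$((Get-EC2Instance -InstanceId $InstanceId).Instances[0].State.Name)"
    if ($state -notin @('stopped', 'running')) {
        throw "Instance $InstanceId is in state '$state'; expected 'stopped' or 'running'."
    }
    if ($state -eq 'running' -and $NoReboot) {
        throw "Instance $InstanceId is running. Stop it first, or drop -NoReboot so EC2 reboots it for a consistent snapshot."
    }

    # Register the image. Snapshots of the root volume and every attached EBS volume are
    # created here; they are billed until the AMI is deregistered and the snapshots deleted.
    $imageId = New-EC2Image -InstanceId $InstanceId -Name $Name -Description $Description -NoReboot $NoReboot.IsPresent

    # Tag the AMI (Name plus caller-supplied keys) so it can be categorized and managed.
    $allTags = @{ Name = $Name }
    foreach ($key in $Tags.Keys) { $allTags[$key] = $Tags[$key] }
    $tagList = foreach ($key in $allTags.Keys) {
        $tag = New-Object Amazon.EC2.Model.Tag
        $tag.Key = $key
        $tag.Value = [string] $allTags[$key]
        $tag
    }
    New-EC2Tag -Resource $imageId -Tag $tagList

    # Poll until the image leaves 'pending'; large volumes can take a long time.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $image = Get-EC2Image -ImageId $imageId
        $imageState = "$($image.State)"
        Write-Verbose "$imageId is $imageState"
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for $imageId (last state: $imageState)" }
    } while ($imageState -eq 'pending')

    if ($imageState -ne 'available') {
        throw "Image $imageId ended in state '$imageState'"
    }

    # The snapshot behind each EBS device is what a launch of this AMI uses to create
    # its new root (and additional) volumes.
    [pscustomobject]@{
        ImageId     = $imageId
        State       = $imageState
        SnapshotIds = @($image.BlockDeviceMappings |
                        Where-Object { $_.Ebs -and $_.Ebs.SnapshotId } |
                        ForEach-Object { $_.Ebs.SnapshotId })
    }
}

# Placeholder usage; replace the instance ID and tag values with your own.
# New-CustomWindowsAmi -InstanceId 'i-0123456789abcdef0' -Name 'win2022-golden-01' -Tags @{ Owner = 'platform-team' } -Verbose
```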

Create a standardized Amazon Machine Image (AMI) using Sysprep

The Microsoft System Preparation (Sysprep) tool simplifies the process of duplicating a customized installation of Windows. You can use Sysprep to create a standardized Amazon Machine Image (AMI). You can then create new Amazon EC2 instances for Windows from this standardized image.

We recommend that you use EC2 Image Builder to automate the creation, management, and deployment of customized, secure, and up-to-date "golden" server images that are pre-installed and preconfigured with software and settings.

If you use Sysprep to create a standardized AMI, we recommend that you run Sysprep with EC2Launch v2. If you are still using the EC2Config (Windows Server 2012 R2 and earlier) or EC2Launch (Windows Server 2016 and 2019) agents, see the documentation for using Sysprep with EC2Config and EC2Launch below.

Important

Do not use Sysprep to create an instance backup. Sysprep removes system-specific information; removing this information might have unintended consequences for an instance backup.

To troubleshoot Sysprep, see Troubleshoot Sysprep.

Before you begin

  • Before performing Sysprep, we recommend that you remove all local user accounts and all account profiles other than a single administrator account under which Sysprep will be run. If you perform Sysprep with additional accounts and profiles, unexpected behavior could result, including loss of profile data or failure to complete Sysprep.

  • Learn more about Sysprep on Microsoft TechNet.

  • Learn which server roles are supported for Sysprep.
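A read-only pre-flight check for the first bullet above, added here as an example (it is not AWS's code); it assumes Windows Server 2016 or later (Get-LocalUser is not available on 2012 R2) and that it runs as the administrator account that will run Sysprep:

```powershell
# Added example, not AWS code: lists the local accounts and user profiles that should not be
# present when Sysprep runs, i.e. anything beyond the single administrator account running it.
# It reports only; it deletes nothing.
function Test-SysprepAccountHygiene {
    [CmdletBinding()]
    param()

    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySid  = $me.User.Value
    $myName = ($me.Name -split '\\')[-1]

    # 1. Enabled local accounts other than the one running this check. Built-ins that are
    #    disabled by default (Guest, DefaultAccount, WDAGUtilityAccount) are not flagged.
    $extraUsers = @(Get-LocalUser |
        Where-Object { $_.Enabled -and $_.SID.Value -ne $mySid } |
        Select-Object Name, SID, LastLogon)

    # 2. Profiles on disk, from the ProfileList registry key. Only S-1-5-21-* SIDs are user
    #    (local or domain) profiles; S-1-5-18/19/20 are the SYSTEM, LOCAL SERVICE and
    #    NETWORK SERVICE profiles that Sysprep expects to find.
    $profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $extraProfiles = @(Get-ChildItem $profileKey |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -ne $mySid } |
        ForEach-Object {
            [pscustomobject]@{
                Sid  = $_.PSChildName
                Path = (Get-ItemProperty $_.PSPath).ProfileImagePath
            }
        })

    [pscustomobject]@{
        RunningAs       = $myName
        ExtraUsers      = $extraUsers
        ExtraProfiles   = $extraProfiles
        ReadyForSysprep = ($extraUsers.Count -eq 0) -and ($extraProfiles.Count -eq 0)
    }
}

$result = Test-SysprepAccountHygiene
$result | Format-List
if (-not $result.ReadyForSysprep) {
    Write-Warning 'Remove the listed accounts and profiles (after saving any data you need) before running Sysprep; leaving them can lose profile data or make Sysprep fail.'
    exit 1
}
```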

Use Sysprep with EC2Launch v2

This section contains details about the different Sysprep execution phases and the tasks performed by the EC2Launch v2 service as the image is prepared. It also includes the steps to create a standardized AMI using Sysprep with the EC2Launch v2 service.

Sysprep phases

Sysprep runs through the following phases:

  • Generalize: The tool removes image-specific information and configurations. For example, Sysprep removes the security identifier (SID), the computer name, the event logs, and specific drivers, to name a few. After this phase is completed, the operating system (OS) is ready to create an AMI.

    Note

    When you run Sysprep with the EC2Launch v2 service, the system prevents drivers from being removed because the PersistAllDeviceInstalls setting is set to true by default.

  • Specialize: Plug and Play scans the computer and installs drivers for any detected devices. The tool generates OS requirements, like the computer name and SID. Optionally, you can run commands in this phase.

  • Out-of-Box Experience (OOBE): The system runs an abbreviated version of Windows Setup and asks you to enter information such as system language, time zone, and registered organization. When you run Sysprep with EC2Launch v2, the answer file automates this phase.

Sysprep actions

Sysprep and EC2Launch v2 perform the following actions when preparing an image.

  1. When you choose Shutdown with Sysprep in the EC2Launch settings dialog box, the system runs the ec2launch sysprep command.

  2. EC2Launch v2 edits the content of the unattend.xml file by reading the registry value at HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName. This file is located in the following directory: C:\ProgramData\Amazon\EC2Launch\sysprep.

  3. The system runs BeforeSysprep.cmd. This command creates a registry key as follows:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

    The registry key disables RDP connections until they are re-enabled. Disabling RDP connections is a necessary security measure because, during the first boot session after Sysprep has run, there is a short period of time where RDP allows connections and the Administrator password is blank.

  4. The EC2Launch v2 service calls Sysprep by running the following command:

    sysprep.exe /oobe /generalize /shutdown /unattend: "C:\ProgramData\Amazon\EC2Launch\sysprep\unattend.xml"

Generalize phase
  • EC2Launch v2 removes image-specific information and configurations, such as the computer name and the SID. If the instance is a member of a domain, it is removed from the domain. The unattend.xml answer file includes the following settings that affect this phase:

    • PersistAllDeviceInstalls: This setting prevents Windows Setup from removing and reconfiguring devices, which speeds up the image preparation process because Amazon AMIs require certain drivers to run and re-detection of those drivers would take time.

    • DoNotCleanUpNonPresentDevices: This setting retains Plug and Play information for devices that are not currently present.

  • Sysprep shuts down the OS as it prepares to create the AMI. The system either launches a new instance or starts the original instance.

Specialize phase

The system generates OS-specific requirements, such as a computer name and an SID. The system also performs the following actions based on configurations that you specify in the unattend.xml answer file.

  • CopyProfile: Sysprep can be configured to delete all user profiles, including the built-in Administrator profile. This setting retains the built-in Administrator account so that any customizations you make to that account are carried over to the new image. The default value is True.

    CopyProfile replaces the default profile with the existing local administrator profile. All accounts that you log in to after running Sysprep receive a copy of that profile and its contents at first login.

    If you don’t have specific user-profile customizations that you want to carry over to the new image, then change this setting to False. Sysprep will remove all user profiles (this saves time and disk space).

  • TimeZone: The time zone is set to Coordinated Universal Time (UTC) by default.

  • Synchronous command with order 1: The system runs the following command, which enables the administrator account and specifies the password requirement:

    net user Administrator /ACTIVE:YES /LOGONPASSWORDCHG:NO /EXPIRES:NEVER /PASSWORDREQ:YES

  • Synchronous command with order 2: The system scrambles the administrator password. This security measure is designed to prevent the instance from being accessible after Sysprep completes if you did not enable the ec2setpassword setting.

    "C:\Program Files\Amazon\Ec2ConfigService\ScramblePassword.exe" -u Administrator

  • Synchronous command with order 3: The system runs the following command:

    C:\Program Files\Amazon\Ec2ConfigService\Scripts\SysprepSpecializePhase.cmd

    This command adds the following registry key, which re-enables RDP:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

OOBE phase
  1. The system specifies the following configurations using the EC2Launch v2 answer file:

    • <InputLocale>en-US</InputLocale>

    • <SystemLocale>en-US</SystemLocale>

    • <UILanguage>en-US</UILanguage>

    • <UserLocale>en-US</UserLocale>

    • <HideEULAPage>true</HideEULAPage>

    • <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>

    • <ProtectYourPC>3</ProtectYourPC>

    • <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>

    • <TimeZone>UTC</TimeZone>

    • <RegisteredOrganization>Amazon.com</RegisteredOrganization>

    • <RegisteredOwner>EC2</RegisteredOwner>

    Note

    During the generalize and specialize phases, EC2Launch v2 monitors the status of the OS. If EC2Launch v2 detects that the OS is in a Sysprep phase, then it publishes the following message to the system log:

    Windows is being configured. SysprepState=IMAGE_STATE_UNDEPLOYABLE

  2. The system runs EC2Launch v2.

Post Sysprep

After Sysprep completes, EC2Launch v2 sends the following message to the console output:

Windows sysprep configuration complete.

EC2Launch v2 then performs the following actions:

  1. Reads the content of the agent-config.yml file and runs configured tasks.

  2. Executes all tasks in the preReady stage.

  3. After it is finished, sends a Windows is ready message to the instance system logs.

  4. Executes all tasks in the PostReady stage.

For more information about EC2Launch v2, see Configure a Windows instance using EC2Launch v2.

Run Sysprep with EC2Launch v2

Use the following procedure to create a standardized AMI using Sysprep with EC2Launch v2.

  1. In the Amazon EC2 console, locate or create an AMI that you want to duplicate.

  2. Launch and connect to your Windows instance.

  3. Customize it.

  4. From the Windows Start menu, search for and choose Amazon EC2Launch settings. For more information about the options and settings in the Amazon EC2Launch settings dialog box, see EC2Launch v2 settings.

  5. Select Shutdown with Sysprep or Shutdown without Sysprep.

When you are asked to confirm that you want to run Sysprep and shut down the instance, click Yes. EC2Launch v2 runs Sysprep. Next, you are logged off the instance, and the instance shuts down. If you check the Instances page in the Amazon EC2 console, the instance state changes from Running to Stopping to Stopped. At this point, it's safe to create an AMI from this instance.

You can manually invoke the Sysprep tool from the command line using the following command:

"%programfiles%\amazon\ec2launch\ec2launch.exe" sysprep --shutdown=true

Use Sysprep with EC2Launch

EC2Launch offers a default answer file and batch files for Sysprep that automate and secure the image-preparation process on your AMI. Modifying these files is optional. These files are located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep.

Important

Do not use Sysprep to create an instance backup. Sysprep removes system-specific information. If you remove this information there might be unintended consequences for an instance backup.

EC2Launch answer and batch files for Sysprep

The EC2Launch answer file and batch files for Sysprep include the following:

Unattend.xml

This is the default answer file. If you run SysprepInstance.ps1 or choose ShutdownWithSysprep in the user interface, the system reads the setting from this file.

BeforeSysprep.cmd

Customize this batch file to run commands before EC2Launch runs Sysprep.

SysprepSpecialize.cmd

Customize this batch file to run commands during the Sysprep specialize phase.

Run Sysprep with EC2Launch

On the full installation of Windows Server 2016 and later (with a desktop experience), you can run Sysprep with EC2Launch manually or by using the EC2 Launch Settings application.

To run Sysprep using the EC2Launch Settings application
  1. In the Amazon EC2 console, locate or create a Windows Server 2016 or later AMI.

  2. Launch a Windows instance from the AMI.

  3. Connect to your Windows instance and customize it.

  4. Search for and run the EC2LaunchSettings application. It is located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Settings.

    [Screenshot: EC2 Launch Settings application]
  5. Select or clear options as needed. These settings are stored in the LaunchConfig.json file.

  6. For Administrator Password, do one of the following:

    • Choose Random. EC2Launch generates a password and encrypts it using the user's key. The system disables this setting after the instance is launched so that this password persists if the instance is rebooted or stopped and started.

    • Choose Specify and type a password that meets the system requirements. The password is stored in LaunchConfig.json as clear text and is deleted after Sysprep sets the administrator password. If you shut down now, the password is set immediately. EC2Launch encrypts the password using the user's key.

    • Choose DoNothing and specify a password in the unattend.xml file. If you don't specify a password in unattend.xml, the administrator account is disabled.

  7. Choose Shutdown with Sysprep.

To manually run Sysprep using EC2Launch
  1. In the Amazon EC2 console, locate or create a Windows Server 2016 or later Datacenter edition AMI that you want to duplicate.

  2. Launch and connect to your Windows instance.

  3. Customize the instance.

  4. Specify settings in the LaunchConfig.json file. This file is located in the C:\ProgramData\Amazon\EC2-Windows\Launch\Config directory by default.

    For adminPasswordType, specify one of the following values:

    Random

    EC2Launch generates a password and encrypts it using the user's key. The system disables this setting after the instance is launched so that this password persists if the instance is rebooted or stopped and started.

    Specify

    EC2Launch uses the password you specify in adminPassword. If the password does not meet the system requirements, EC2Launch generates a random password instead. The password is stored in LaunchConfig.json as clear text and is deleted after Sysprep sets the administrator password. EC2Launch encrypts the password using the user's key.

    DoNothing

    EC2Launch uses the password you specify in the unattend.xml file. If you don't specify a password in unattend.xml, the administrator account is disabled.

  5. (Optional) Specify settings in unattend.xml and other configuration files. If you plan to attend to the installation, then you don't need to make changes in these files. The files are located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep.

  6. In Windows PowerShell, run ./InitializeInstance.ps1 -Schedule. The script is located in the following directory, by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts. This script schedules the instance to initialize during the next boot. You must run this script before you run the SysprepInstance.ps1 script in the next step.

  7. In Windows PowerShell, run ./SysprepInstance.ps1. The script is located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts.

You are logged off the instance and the instance shuts down. If you check the Instances page in the Amazon EC2 console, the instance state changes from Running to Stopping, and then to Stopped. At this point, it is safe to create an AMI from this instance.
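An added check for the adminPasswordType values described in step 4 (and the matching choices in the EC2Launch Settings procedure above); it is example code, not part of EC2Launch, and assumes the default LaunchConfig.json path and the adminPasswordType and adminPassword keys named on this page:

```powershell
# Added example, not AWS code: inspects the administrator-password setting in EC2Launch's
# LaunchConfig.json before an image is captured. With -Harden it switches a clear-text
# 'Specify' password to 'Random', so no password is left on disk inside the AMI and one is
# generated (and encrypted with the key pair) at launch instead.
function Test-LaunchConfigPassword {
    [CmdletBinding()]
    param(
        [string] $Path = 'C:\ProgramData\Amazon\EC2-Windows\Launch\Config\LaunchConfig.json',
        # Rewrite the file so the password is generated at launch instead of stored here.
        [switch] $Harden
    )

    $config   = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $mode     = "$($config.adminPasswordType)"
    $findings = @()

    switch ($mode) {
        'Random' {
            # Password generated at launch and encrypted with the key pair; nothing
            # sensitive is stored in the image.
        }
        'Specify' {
            if ([string]::IsNullOrEmpty($config.adminPassword)) {
                $findings += "adminPasswordType is 'Specify' but adminPassword is empty; EC2Launch falls back to a random password."
            } else {
                $findings += "adminPassword is stored in clear text in $Path; it is removed only after Sysprep sets it, so an AMI captured before then carries it."
            }
        }
        'DoNothing' {
            $findings += "adminPasswordType is 'DoNothing': unless unattend.xml sets a password, the Administrator account is disabled in the new image."
        }
        default {
            $findings += "Unexpected adminPasswordType '$mode' (expected Random, Specify or DoNothing)."
        }
    }

    if ($Harden -and $mode -eq 'Specify') {
        # Add-Member -Force also works when the key is absent from the file.
        $config | Add-Member -NotePropertyName adminPasswordType -NotePropertyValue 'Random' -Force
        $config | Add-Member -NotePropertyName adminPassword     -NotePropertyValue ''       -Force
        $config | ConvertTo-Json -Depth 10 | Set-Content -Path $Path -Encoding ascii
        $findings += "Rewrote $Path with adminPasswordType=Random and an empty adminPassword."
    }

    [pscustomobject]@{
        Path              = $Path
        AdminPasswordType = $mode
        Findings          = $findings
    }
}

# Report only; add -Harden to rewrite a 'Specify' configuration before running Sysprep.
Test-LaunchConfigPassword | Format-List
```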

Update metadata/KMS routes for Server 2016 and later when launching a custom AMI

To update metadata/KMS routes for Server 2016 and later when launching a custom AMI, do one of the following:

  • Run the EC2LaunchSettings GUI (C:\ProgramData\Amazon\EC2-Windows\Launch\Settings\Ec2LaunchSettings.exe) and select the option to shut down with Sysprep.

  • Run EC2LaunchSettings and shut down without Sysprep before creating the AMI. This sets the EC2 Launch Initialize tasks to run at the next boot, which will set routes based on the subnet for the instance.

  • Manually reschedule EC2 Launch initialize tasks before creating an AMI from PowerShell.

    Important

    Take note of the default password reset behavior before rescheduling tasks.

  • To update the routes on a running instance that is experiencing Windows activation or communication with instance metadata failures, see "Unable to activate Windows".

Use Sysprep with EC2Config

This section contains details about the different Sysprep execution phases and the tasks performed by the EC2Config service as the image is prepared. It also includes the steps to create a standardized AMI using Sysprep with the EC2Config service.

Sysprep phases

Sysprep runs through the following phases:

  • Generalize: The tool removes image-specific information and configurations. For example, Sysprep removes the security identifier (SID), the computer name, the event logs, and specific drivers, to name a few. After this phase is completed, the operating system (OS) is ready to create an AMI.

    Note

    When you run Sysprep with the EC2Config service, the system prevents drivers from being removed because the PersistAllDeviceInstalls setting is set to true by default.

  • Specialize: Plug and Play scans the computer and installs drivers for any detected devices. The tool generates OS requirements like the computer name and SID. Optionally, you can run commands in this phase.

  • Out-of-Box Experience (OOBE): The system runs an abbreviated version of Windows Setup and asks the user to enter information such as a system language, the time zone, and a registered organization. When you run Sysprep with EC2Config, the answer file automates this phase.

Sysprep actions

Sysprep and the EC2Config service perform the following actions when preparing an image.

  1. When you choose Shutdown with Sysprep in the EC2 Service Properties dialog box, the system runs the ec2config.exe -sysprep command.

  2. The EC2Config service reads the content of the BundleConfig.xml file. This file is located in the following directory, by default: C:\Program Files\Amazon\Ec2ConfigService\Settings.

    The BundleConfig.xml file includes the following settings. You can change these settings:

    • AutoSysprep: Indicates whether to use Sysprep automatically. You do not need to change this value if you are running Sysprep from the EC2 Service Properties dialog box. The default value is No.

    • SetRDPCertificate: Sets a self-signed certificate for the Remote Desktop server. This enables you to securely use the Remote Desktop Protocol (RDP) to connect to the instance. Change the value to Yes if new instances should use a certificate. This setting is not used with Windows Server 2008 or Windows Server 2012 instances because these operating systems can generate their own certificates. The default value is No.

    • SetPasswordAfterSysprep: Sets a random password on a newly launched instance, encrypts it with the user launch key, and outputs the encrypted password to the console. Change the value to No if new instances should not be set to a random encrypted password. The default value is Yes.

    • PreSysprepRunCmd: The location of the command to run. The command is located in the following directory, by default: C:\Program Files\Amazon\Ec2ConfigService\Scripts\BeforeSysprep.cmd

  3. The system runs BeforeSysprep.cmd. This command creates a registry key as follows:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

    The registry key disables RDP connections until they are re-enabled. Disabling RDP connections is a necessary security measure because, during the first boot session after Sysprep has run, there is a short period of time where RDP allows connections and the Administrator password is blank.

  4. The EC2Config service calls Sysprep by running the following command:

    sysprep.exe /unattend: "C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml" /oobe /generalize /shutdown

Generalize phase
  • The tool removes image-specific information and configurations such as the computer name and the SID. If the instance is a member of a domain, it is removed from the domain. The sysprep2008.xml answer file includes the following settings that affect this phase:

    • PersistAllDeviceInstalls: This setting prevents Windows Setup from removing and reconfiguring devices, which speeds up the image preparation process because Amazon AMIs require certain drivers to run and re-detection of those drivers would take time.

    • DoNotCleanUpNonPresentDevices: This setting retains Plug and Play information for devices that are not currently present.

  • Sysprep shuts down the OS as it prepares to create the AMI. The system either launches a new instance or starts the original instance.

Specialize phase

The system generates OS specific requirements such as a computer name and a SID. The system also performs the following actions based on configurations that you specify in the sysprep2008.xml answer file.

  • CopyProfile: Sysprep can be configured to delete all user profiles, including the built-in Administrator profile. This setting retains the built-in Administrator account so that any customizations you made to that account are carried over to the new image. The default value is True.

    CopyProfile replaces the default profile with the existing local administrator profile. All accounts logged into after running Sysprep will receive a copy of that profile and its contents at first login.

    If you don’t have specific user-profile customizations that you want to carry over to the new image then change this setting to False. Sysprep will remove all user profiles; this saves time and disk space.

  • TimeZone: The time zone is set to Coordinated Universal Time (UTC) by default.

  • Synchronous command with order 1: The system runs the following command that enables the administrator account and specifies the password requirement.

    net user Administrator /ACTIVE:YES /LOGONPASSWORDCHG:NO /EXPIRES:NEVER /PASSWORDREQ:YES

  • Synchronous command with order 2: The system scrambles the administrator password. This security measure is designed to prevent the instance from being accessible after Sysprep completes if you did not enable the ec2setpassword setting.

    "C:\Program Files\Amazon\Ec2ConfigService\ScramblePassword.exe" -u Administrator

  • Synchronous command with order 3: The system runs the following command:

    C:\Program Files\Amazon\Ec2ConfigService\Scripts\SysprepSpecializePhase.cmd

    This command adds the following registry key, which re-enables RDP:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

OOBE phase
  1. Using the EC2Config service answer file, the system specifies the following configurations:

    • <InputLocale>en-US</InputLocale>

    • <SystemLocale>en-US</SystemLocale>

    • <UILanguage>en-US</UILanguage>

    • <UserLocale>en-US</UserLocale>

    • <HideEULAPage>true</HideEULAPage>

    • <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>

    • <NetworkLocation>Other</NetworkLocation>

    • <ProtectYourPC>3</ProtectYourPC>

    • <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>

    • <TimeZone>UTC</TimeZone>

    • <RegisteredOrganization>Amazon.com</RegisteredOrganization>

    • <RegisteredOwner>Amazon</RegisteredOwner>

    Note

    During the generalize and specialize phases the EC2Config service monitors the status of the OS. If EC2Config detects that the OS is in a Sysprep phase, then it publishes the following message to the system log:

    EC2ConfigMonitorState: 0 Windows is being configured. SysprepState=IMAGE_STATE_UNDEPLOYABLE

  2. After the OOBE phase completes, the system runs SetupComplete.cmd from the following location: C:\Windows\Setup\Scripts\SetupComplete.cmd. In Amazon public AMIs before April 2015 this file was empty and ran nothing on the image. In public AMIs dated after April 2015, the file includes the following value: call "C:\Program Files\Amazon\Ec2ConfigService\Scripts\PostSysprep.cmd".

  3. The system runs PostSysprep.cmd, which performs the following operations:

    • Sets the local Administrator password to not expire. If the password expired, Administrators might not be able to log on.

    • Sets the MSSQLServer machine name (if installed) so that the name will be in sync with the AMI.

Post Sysprep

After Sysprep completes, the EC2Config service sends the following message to the console output:

Windows sysprep configuration complete.
    Message: Sysprep Start
    Message: Sysprep End

EC2Config then performs the following actions:

  1. Reads the content of the config.xml file and lists all enabled plug-ins.

  2. Executes all “Before Windows is ready” plug-ins at the same time.

    • Ec2SetPassword

    • Ec2SetComputerName

    • Ec2InitializeDrives

    • Ec2EventLog

    • Ec2ConfigureRDP

    • Ec2OutputRDPCert

    • Ec2SetDriveLetter

    • Ec2WindowsActivate

    • Ec2DynamicBootVolumeSize

  3. After it is finished, sends a “Windows is ready” message to the instance system logs.

  4. Runs all “After Windows is ready” plug-ins at the same time.

    • Amazon CloudWatch Logs

    • UserData

    • AWS Systems Manager (Systems Manager)

For more information about Windows plug-ins, see Configure a Windows instance using the EC2Config service (legacy).

Run Sysprep with the EC2Config service

Use the following procedure to create a standardized AMI using Sysprep and the EC2Config service.

  1. In the Amazon EC2 console, locate or create an AMI that you want to duplicate.

  2. Launch and connect to your Windows instance.

  3. Customize it.

  4. Specify configuration settings in the EC2Config service answer file:

    C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml

  5. From the Windows Start menu, choose All Programs, and then choose EC2ConfigService Settings.

  6. Choose the Image tab in the Ec2 Service Properties dialog box. For more information about the options and settings in the Ec2 Service Properties dialog box, see Ec2 Service Properties.

  7. Select an option for the Administrator password, and then select Shutdown with Sysprep or Shutdown without Sysprep. EC2Config edits the settings files based on the password option that you selected.

    • Random: EC2Config generates a password, encrypts it with the user's key, and displays the encrypted password to the console. We disable this setting after the first launch so that this password persists if the instance is rebooted or stopped and started.

    • Specify: The password is stored in the Sysprep answer file in unencrypted form (clear text). When Sysprep runs next, it sets the Administrator password. If you shut down now, the password is set immediately. When the service starts again, the Administrator password is removed. It's important to remember this password, as you can't retrieve it later.

    • Keep Existing: The existing password for the Administrator account doesn't change when Sysprep is run or EC2Config is restarted. It's important to remember this password, as you can't retrieve it later.

  8. Choose OK.

When you are asked to confirm that you want to run Sysprep and shut down the instance, click Yes. You'll notice that EC2Config runs Sysprep. Next, you are logged off the instance, and the instance is shut down. If you check the Instances page in the Amazon EC2 console, the instance state changes from Running to Stopping, and then finally to Stopped. At this point, it's safe to create an AMI from this instance.
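The answer-file settings listed under the OOBE phase above and the password options in step 7 both live in the EC2Config Sysprep answer file, so it is worth inspecting that file before you choose Shutdown with Sysprep. The following PowerShell script is an added example, not AWS or EC2Config code. It assumes the file is the sysprep2008.xml path named in step 4 and that it follows the standard Windows unattend layout (default namespace urn:schemas-microsoft-com:unattend, an oobeSystem pass, and a UserAccounts/AdministratorPassword element when the Specify option was used); the expected values are the ones the page lists.

```powershell
# Added example (not AWS or EC2Config code): inspect the EC2Config Sysprep answer file
# before you choose "Shutdown with Sysprep". Assumptions: the file is the
# sysprep2008.xml path named on the page, and it follows the standard Windows
# unattend layout (default namespace urn:schemas-microsoft-com:unattend, an
# oobeSystem pass, and UserAccounts/AdministratorPassword for a "Specify" password).
param(
    [string]$AnswerFile = "$env:ProgramFiles\Amazon\Ec2ConfigService\sysprep2008.xml"
)

[xml]$unattend = Get-Content -LiteralPath $AnswerFile -Raw

# XPath needs the unattend default namespace registered under a prefix.
$ns = New-Object System.Xml.XmlNamespaceManager($unattend.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

# OOBE values the page lists; anything that differs is reported, not changed.
$expected = [ordered]@{
    InputLocale             = 'en-US'
    SystemLocale            = 'en-US'
    UILanguage              = 'en-US'
    UserLocale              = 'en-US'
    HideEULAPage            = 'true'
    HideWirelessSetupInOOBE = 'true'
    NetworkLocation         = 'Other'
    ProtectYourPC           = '3'
    TimeZone                = 'UTC'
    RegisteredOrganization  = 'Amazon.com'
    RegisteredOwner         = 'Amazon'
}
foreach ($name in $expected.Keys) {
    $node   = $unattend.SelectSingleNode("//u:settings[@pass='oobeSystem']//u:$name", $ns)
    $actual = if ($node) { $node.InnerText } else { '<missing>' }
    $status = if ($actual -eq $expected[$name]) { 'ok' } else { 'DIFFERS' }
    '{0,-24} {1,-12} {2}' -f $name, $actual, $status
}

# The "Specify" option writes the Administrator password into this file in clear
# text. Flag it so the file is not left behind in the image you are about to capture.
$pwValue = $unattend.SelectSingleNode('//u:UserAccounts/u:AdministratorPassword/u:Value', $ns)
$pwPlain = $unattend.SelectSingleNode('//u:UserAccounts/u:AdministratorPassword/u:PlainText', $ns)
if ($pwValue -and $pwValue.InnerText -and $pwPlain -and $pwPlain.InnerText -eq 'true') {
    Write-Warning "Clear-text Administrator password present in $AnswerFile"
}
```

Run it on the instance before step 7. A DIFFERS line is informational (you may have changed a locale or time zone on purpose); the clear-text password warning is the one to act on, because the answer file is captured into the AMI along with everything else on the root volume.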

You can manually invoke the Sysprep tool from the command line using the following command:

"%programfiles%\amazon\ec2configservice\ec2config.exe" -sysprep

Note

The double quotation marks in the command are not required if your CMD shell is already in the C:\Program Files\Amazon\EC2ConfigService\ directory.

However, you must be very careful that the XML file options specified in the Ec2ConfigService\Settings folder are correct; otherwise, you might not be able to connect to the instance. For more information about the settings files, see EC2Config settings files. For an example of configuring and then running Sysprep from the command line, see Ec2ConfigService\Scripts\InstallUpdates.ps1.
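Because a wrong setting in the Settings folder can leave you unable to connect to instances launched from the AMI, a pre-flight check before invoking Sysprep by hand is useful. The following PowerShell script is an added example, not AWS or EC2Config code and not the InstallUpdates.ps1 script mentioned above. It assumes EC2Config is installed in the directory named on the page, that config.xml in its Settings folder lists plug-ins as Ec2ConfigurationSettings/Plugins/Plugin elements with Name and State children and no XML namespace, and that the password option you chose leaves the Ec2SetPassword plug-in enabled.

```powershell
# Added example (not AWS or EC2Config code): pre-flight check before running
# ec2config.exe -sysprep by hand. Assumptions: EC2Config lives in the directory named
# on the page, config.xml in its Settings folder lists plug-ins as
# <Ec2ConfigurationSettings><Plugins><Plugin><Name>...</Name><State>...</State>
# without an XML namespace, and the password option chosen leaves Ec2SetPassword
# enabled (drop it from $required if you chose "Keep Existing").
param(
    [string]$Ec2ConfigDir = "$env:ProgramFiles\Amazon\Ec2ConfigService",
    [switch]$Run   # report only by default; -Run actually starts Sysprep
)

$settingsDir = Join-Path $Ec2ConfigDir 'Settings'
$problems    = @()

# 1. Every settings file must parse: a malformed file is one way to end up with an
#    instance you cannot connect to after Sysprep.
foreach ($xmlFile in Get-ChildItem -LiteralPath $settingsDir -Filter *.xml) {
    try   { [xml](Get-Content -LiteralPath $xmlFile.FullName -Raw) | Out-Null }
    catch { $problems += "Malformed XML: $($xmlFile.FullName)" }
}

# 2. The plug-ins that decide whether you can log on afterwards (password generation
#    and RDP configuration, both listed on the page) must be enabled in config.xml.
[xml]$config = Get-Content -LiteralPath (Join-Path $settingsDir 'config.xml') -Raw
$plugins = @{}
foreach ($p in $config.SelectNodes('//Plugin')) {
    $plugins[$p.SelectSingleNode('Name').InnerText] = $p.SelectSingleNode('State').InnerText
}
$required = 'Ec2SetPassword', 'Ec2ConfigureRDP'
foreach ($name in $required) {
    if ($plugins[$name] -ne 'Enabled') {
        $problems += "Plug-in $name is '$($plugins[$name])', expected 'Enabled'"
    }
}

# 3. Report; start Sysprep only when nothing is wrong and -Run was given.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output ("Pre-flight OK: {0} plug-ins read; {1} enabled" -f $plugins.Count, ($required -join ', '))
if ($Run) {
    & (Join-Path $Ec2ConfigDir 'ec2config.exe') -sysprep
} else {
    Write-Output 'Re-run with -Run to start Sysprep and shut the instance down.'
}
```

Run it once without -Run from an elevated PowerShell prompt to see the report, fix anything it flags in the Settings folder, and only then run it with -Run. If you selected Keep Existing for the Administrator password, remove Ec2SetPassword from $required, since that plug-in is expected to be disabled in that case.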