Managed AWS Windows AMIs
AWS provides managed Amazon Machine Images (AMIs) that include various versions and configurations of Windows Server. In general, the AWS Windows AMIs are configured with the default settings used by the Microsoft installation media. However, there are customizations. For example, the AWS Windows AMIs come with the following software and drivers:
- EC2Launch v2 (Windows Server 2022)
- EC2Launch (Windows Server 2016 and 2019)
- AWS Systems Manager
- AWS CloudFormation
- AWS Tools for Windows PowerShell
- Network drivers (SRIOV, ENA, Citrix PV)
- Storage drivers (NVMe, AWS PV, Citrix PV)
- Graphics drivers (NVidia GPU, Elastic GPU)
- Spot Instance hibernation
For information about other customizations, see AWS Windows AMIs.
Managed Windows AMIs topics
Details about AWS Windows AMI versions
Where AWS gets the Windows Server installation media
When a new version of Windows Server is released, we download the Windows ISO from Microsoft and validate the hash Microsoft publishes. An initial AMI is then created from the Windows distribution ISO. The drivers needed to boot on EC2 are included in addition to our EC2 launch agent. To prepare this initial AMI for public release, we perform automated processes to convert the ISO to an AMI. This prepared AMI is used for the monthly automated update and release process.
What to expect in an official AWS Windows AMI
AWS provides AMIs with a variety of configurations for popular versions of Microsoft-supported Windows Server operating systems. As outlined in the previous section, we start with the Windows Server ISO from Microsoft’s Volume Licensing Service Center (VLSC) and validate the hash to ensure it matches Microsoft’s documentation for new Windows Server operating systems.
We perform the following changes using automation on AWS to take the current Windows Server AMIs and update them:
- Install all Microsoft recommended Windows security patches. We release images shortly after the monthly Microsoft patches are made available.
- Install the latest drivers for AWS hardware, including network and disk drivers, EC2WinUtil for troubleshooting, as well as GPU drivers in selected AMIs.
- Include the following AWS launch agent software by default:
  - EC2Launch v2 for Windows Server 2022 and optionally for Windows Server 2019 and 2016 with specific AMIs. For more information, see Configure a Windows instance using EC2Launch v2.
  - EC2Launch for Windows Server 2016 and 2019.
- Configure Windows Time to use the Amazon Time Sync Service.
- Make changes in all power schemes to set the display to never turn off.
- Perform minor bug fixes – generally one-line registry changes to enable or disable features that we have found to improve performance on AWS.
- Test and validate AMIs across new and existing EC2 platforms to ensure compatibility, stability, and consistency prior to release.
- Other than the previously mentioned changes, we keep the AMIs as close as possible to the Microsoft default installation of Windows Server. For example, we keep the PowerShell and .NET Framework installations as they are and don't install additional Windows roles, role services, or features.
How AWS validates security, integrity, and authenticity of software on AMIs
We take a number of steps during the image build process, to maintain the security, integrity, and authenticity of AWS provided Windows AMIs. A few examples include:
- AWS provided Windows AMIs are built using source media obtained directly from Microsoft.
- Windows Updates are downloaded directly from Microsoft’s Windows Update Service by Windows, and installed on the instance used to create the AMI during the image build process.
- AWS Software is downloaded from secure S3 buckets and installed in the AMIs.
- Drivers—such as for the chipset and GPU—are obtained directly from the vendor, stored in secure S3 buckets, and installed on the AMIs during the image build process.
How AWS decides which Windows AMIs to offer
Each AMI is extensively tested prior to release to the general public. We periodically streamline our AMI offerings to simplify customer choice and to reduce costs.
- New AMI offerings are created for new OS releases. You can count on AWS releasing “Base,” “Core/Container,” and “SQL Express/Standard/Web/Enterprise” offerings in English and other widely used languages. The primary difference between Base and Core offerings is that Base offerings have a desktop/GUI whereas Core offerings are PowerShell command line only. For more information about Windows Server Core, see https://docs.microsoft.com/en-us/windows-server/administration/server-core/what-is-server-core.
- New AMI offerings are created to support new platforms – for example, the Deep Learning and “NVidia” AMIs were created to support customers using our GPU-based instance types (P2 and P3, and G3, and more).
- Less popular AMIs are sometimes removed. If we see a particular AMI is launched only a few times in its entire lifespan, we will remove it in favor of more widely used options.

If there is an AMI variant that you would like to see, let us know by filing a ticket with Cloud Support, or by providing feedback through one of our established channels.
Patches, security updates, and AMI IDs
AWS provides updated, fully-patched Windows AMIs within five business days of Microsoft's patch Tuesday (the second Tuesday of each month). The new AMIs are available immediately from the Images page in the Amazon EC2 console. The new AMIs are available in the AWS Marketplace and the Quick Start tab of the launch instance wizard within a few days of their release.
Note
Instances launched from Windows Server 2019 and later AMIs may show a Windows Update dialog message stating "Some settings are managed by your organization." This message appears as a result of changes in Windows Server 2019 and does not impact the behavior of Windows Update or your ability to manage update settings.
To remove this warning, see "Some settings are managed by your organization".
To ensure that customers have the latest security updates by default, AWS keeps Windows AMIs available for three months. After releasing new Windows AMIs, AWS makes the Windows AMIs that are older than three months private within 10 days. After an AMI has been made private, when you look at an instance launched from that AMI in the console, the AMI ID field states, "Cannot load detail for ami-xxxxx. You may not be permitted to view it." You can still retrieve the AMI ID using the AWS CLI or an AWS SDK.
The Windows AMIs in each release have new AMI IDs. Therefore, we recommend that you write scripts that locate the latest AWS Windows AMIs by their names, rather than by their IDs. For more information, see the following examples:
- Get-EC2ImageByName (AWS Tools for Windows PowerShell)
- Query for the Latest Windows AMI Using Systems Manager Parameter Store
- Walkthrough: Looking Up Amazon Machine Image IDs (AWS Lambda, AWS CloudFormation)
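An added example (not code from this guide or from AWS's own tooling) of the name-based lookup recommended above, in Python over a constructed DescribeImages-style list so it runs offline: it keeps only AWS-published images (`ImageOwnerAlias` of `amazon`), skips deprecated ones, picks the newest `CreationDate`, and flags images old enough to fall inside the three-month window after which they are made private. Field names follow the EC2 DescribeImages response; the sample image IDs and owner account are constructed, and the 90-day window is an assumption approximating the three months stated above.

```python
"""Locate the newest AWS-owned Windows AMI by name instead of pinning an AMI ID."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Constructed sample in the shape of EC2 DescribeImages output (only the fields
# used below). The third entry imitates a look-alike image published from an
# unrelated account; the fourth is AWS-owned but already deprecated.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "ImageOwnerAlias": "amazon",
     "Name": "Windows_Server-2022-English-Full-Base-2024.01.10",
     "CreationDate": "2024-01-10T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000002", "ImageOwnerAlias": "amazon",
     "Name": "Windows_Server-2022-English-Full-Base-2024.02.14",
     "CreationDate": "2024-02-14T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000003", "OwnerId": "123456789012",
     "Name": "Windows_Server-2022-English-Full-Base-2024.03.01",
     "CreationDate": "2024-03-01T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000004", "ImageOwnerAlias": "amazon",
     "Name": "Windows_Server-2022-English-Full-Base-2024.02.20",
     "CreationDate": "2024-02-20T10:00:00.000Z",
     "DeprecationTime": "2024-02-25T00:00:00.000Z"},
]

# Assumption: 90 days approximates the three-month window after which AWS makes an AMI private.
PRIVATE_AFTER = timedelta(days=90)

def parse_ts(value):
    """Parse the ISO-8601 timestamps DescribeImages returns into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def latest_windows_ami(images, name_pattern, now):
    """Newest AWS-published image whose Name matches name_pattern, or None.
    Only ImageOwnerAlias == "amazon" qualifies, so a public image that copies the
    name from another account is never chosen; deprecated images are skipped."""
    candidates = [
        img for img in images
        if img.get("ImageOwnerAlias") == "amazon"
        and fnmatch(img.get("Name", ""), name_pattern)
        and ("DeprecationTime" not in img or parse_ts(img["DeprecationTime"]) > now)
    ]
    return max(candidates, key=lambda img: parse_ts(img["CreationDate"]), default=None)

def nearing_private(image, now):
    """True when the image is old enough that AWS may make it private at any time."""
    return now - parse_ts(image["CreationDate"]) > PRIVATE_AFTER

if __name__ == "__main__":
    now = parse_ts("2024-03-05T00:00:00.000Z")
    chosen = latest_windows_ami(SAMPLE_IMAGES, "Windows_Server-2022-English-Full-Base-*", now)
    print(chosen["ImageId"], chosen["Name"], "nearing private:", nearing_private(chosen, now))
```

In practice the list comes from a `describe_images` call made with the owner restricted to `amazon`; the alias check above enforces the same restriction on whatever the response contains.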
Configuration changes for AWS Windows AMIs
The following configuration changes are applied to each AWS Windows AMI.
Clean and prepare

| Change | Applies to |
|---|---|
| Check for pending file renames or reboots, and reboot as needed | All AMIs |
| Delete | All AMIs |
| Delete logs (event logs, Systems Manager, EC2Config) | All AMIs |
| Delete temporary folders and files for Sysprep | All AMIs |
| Perform virus scan | All AMIs |
| Pre-compile queued .NET assemblies (before Sysprep) | All AMIs |
| Restore default values for Internet Explorer | All AMIs |
| Reset the Windows wallpaper | All AMIs |
| Run Sysprep | All AMIs |
| Set EC2Launch to run at the next launch | Windows Server 2016 and 2019 |

Install and configure

| Change | Applies to |
|---|---|
| Disable Secure Time Seeding | All AMIs |
| Add links to the Amazon EC2 Windows Guide | All AMIs |
| Attach instance storage volumes to extended mount points | All AMIs |
| Install the current AWS Tools for Windows PowerShell | All AMIs |
| Install the current AWS CloudFormation helper scripts | All AMIs |
| Disable RunOnce for Internet Explorer | All AMIs |
| Enable remote PowerShell | All AMIs |
| Disable hibernation and delete the hibernation file | All AMIs |
| Disable the Connected User Experiences and Telemetry service | All AMIs |
| Set the performance options for best performance | All AMIs |
| Set the power setting to high performance | All AMIs |
| Disable the screen saver password | All AMIs |
| Set the RealTimeIsUniversal registry key | All AMIs |
| Set the timezone to UTC | All AMIs |
| Disable Windows updates and notifications | All AMIs |
| Run Windows Update and reboot until there are no pending updates | All AMIs |
| Set the display in all power schemes to never turn off | All AMIs |
| Set the PowerShell execution policy to "Unrestricted" | All AMIs |
| If Microsoft SQL Server is installed: | All AMIs |
| Configure a paging file on the system volume as follows: | All AMIs |
| Install the current EC2Launch v2 and SSM Agent | Windows Server 2022 and later |
| Install the current EC2Launch and SSM Agent | Windows Server 2016 and 2019 |
| Install the current SRIOV drivers | Windows Server 2012 R2 and later |
| Install the current EC2WinUtil driver | Windows Server 2008 R2 and later |
| Install the current AWS PV, ENA, and NVMe drivers | Windows Server 2008 R2 and later |
Update your Windows instance
After you launch a Windows instance, you are responsible for installing updates on it. For more information, see Update management in Amazon EC2.
You can manually install only the updates that interest you, or you can start from a current AWS Windows AMI and build a new Windows instance. For information about finding the current AWS Windows AMIs, and keeping your AMIs up to date, see Find a Windows AMI and Keep your AMIs up to date.
Note
Instances should be stateless when updating. For more information, see Managing Your AWS Infrastructure at Scale.
For Windows instances, you can install updates to the following services or applications:
We recommend that you reboot your Windows instance after installing updates. For more information, see Reboot your instance.
Upgrade or migrate to a newer version of Windows Server
For information about how to upgrade or migrate a Windows instance to a newer version of Windows Server, see Upgrade an Amazon EC2 Windows instance to a newer version of Windows Server.
Subscribe to Windows AMI notifications
To be notified when new AMIs are released or when previously released AMIs are made private, subscribe to notifications using Amazon SNS.
To subscribe to Windows AMI notifications
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.
- In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must use this Region because the SNS notifications that you are subscribing to were created in this Region.
- In the navigation pane, choose Subscriptions.
- Choose Create subscription.
- For the Create subscription dialog box, do the following:
  - For Topic ARN, copy and paste one of the following Amazon Resource Names (ARNs):
    - arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-update
    - arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-private

    For AWS GovCloud (US):
    - arn:aws-us-gov:sns:us-gov-west-1:077303321853:ec2-windows-ami-update
  - For Protocol, choose Email.
  - For Endpoint, type an email address that you can use to receive the notifications.
  - Choose Create subscription.
- You'll receive a confirmation email with the subject line "AWS Notification - Subscription Confirmation". Open the email and choose Confirm subscription to complete your subscription.
Whenever Windows AMIs are released, we send notifications to the subscribers of the ec2-windows-ami-update topic. Whenever released Windows AMIs are made private, we send notifications to the subscribers of the ec2-windows-ami-private topic. If you no longer want to receive these notifications, use the following procedure to unsubscribe.
To unsubscribe from Windows AMI notifications
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.
- In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must use this Region because the SNS notifications were created in this Region.
- In the navigation pane, choose Subscriptions.
- Select the subscriptions and then choose Delete. When prompted for confirmation, choose Delete.
Changes in Windows Server 2016 and later AMIs
AWS provides AMIs for Windows Server 2016 and later. These AMIs include the following high-level changes from earlier Windows AMIs:
- To accommodate the change from .NET Framework to .NET Core, the EC2Config service has been deprecated on Windows Server 2016 AMIs and replaced by EC2Launch. EC2Launch is a bundle of Windows PowerShell scripts that perform many of the tasks performed by the EC2Config service. For more information, see Configure a Windows instance using EC2Launch. EC2Launch v2 replaces EC2Launch in Windows Server 2022 and later. For more information, see Configure a Windows instance using EC2Launch v2.
- On earlier versions of Windows Server AMIs, you can use the EC2Config service to join an EC2 instance to a domain and configure integration with Amazon CloudWatch. On Windows Server 2016 and later AMIs, you can use the CloudWatch agent to configure integration with Amazon CloudWatch. For more information about configuring instances to send log data to CloudWatch, see Collect Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent. For information about joining an EC2 instance to a domain, see Join an Instance to a Domain Using the AWS-JoinDirectoryServiceDomain JSON Document in the AWS Systems Manager User Guide.
Other differences
Note the following additional important differences for instances created from Windows Server 2016 and later AMIs.
- By default, EC2Launch does not initialize secondary EBS volumes. You can configure EC2Launch to initialize disks automatically by either scheduling the script to run or by calling EC2Launch in user data. For the procedure to initialize disks using EC2Launch, see "Initialize Drives and Drive Letter Mappings" in Configure EC2Launch.
- If you previously enabled CloudWatch integration on your instances by using a local configuration file (AWS.EC2.Windows.CloudWatch.json), you can configure the file to work with the SSM Agent on instances created from Windows Server 2016 and later AMIs. For more information, see Windows Server