Managed AWS Windows AMIs - Amazon Elastic Compute Cloud

Managed AWS Windows AMIs

AWS provides managed Amazon Machine Images (AMIs) that include various versions and configurations of Windows Server. In general, the AWS Windows AMIs are configured with the default settings used by the Microsoft installation media. However, there are customizations. For example, the AWS Windows AMIs come with the following software and drivers:

  • EC2Launch v2 (Windows Server 2022)

  • EC2Launch (Windows Server 2016 and 2019)

  • AWS Systems Manager

  • AWS CloudFormation

  • AWS Tools for Windows PowerShell

  • Network drivers (SRIOV, ENA, Citrix PV)

  • Storage drivers (NVMe, AWS PV, Citrix PV)

  • Graphics drivers (NVidia GPU, Elastic GPU)

  • Spot Instance hibernation

For information about other customizations, see AWS Windows AMIs.

Details about AWS Windows AMI versions

Where AWS gets the Windows Server installation media

When a new version of Windows Server is released, we download the Windows ISO from Microsoft and validate the hash Microsoft publishes. An initial AMI is then created from the Windows distribution ISO. The drivers needed to boot on EC2 are included in addition to our EC2 launch agent. To prepare this initial AMI for public release, we perform automated processes to convert the ISO to an AMI. This prepared AMI is used for the monthly automated update and release process.

What to expect in an official AWS Windows AMI

AWS provides AMIs with a variety of configurations for popular versions of Microsoft-supported Windows Server operating systems. As outlined in the previous section, we start with the Windows Server ISO from Microsoft’s Volume Licensing Service Center (VLSC) and validate the hash to ensure it matches Microsoft’s documentation for new Windows Server operating systems.

We perform the following changes using automation on AWS to take the current Windows Server AMIs and update them:

  • Install all Microsoft recommended Windows security patches. We release images shortly after the monthly Microsoft patches are made available.

  • Install the latest drivers for AWS hardware, including network and disk drivers, EC2WinUtil for troubleshooting, as well as GPU drivers in selected AMIs.

  • Include the following AWS launch agent software by default:

  • Configure Windows Time to use the Amazon Time Sync Service.

  • Make changes in all power schemes to set the display to never turn off.

  • Perform minor bug fixes – generally one-line registry changes to enable or disable features that we have found to improve performance on AWS.

  • Test and validate AMIs across new and existing EC2 platforms to ensure compatibility, stability, and consistency prior to release.

  • Other than the previously mentioned changes, we keep the AMIs as close as possible to the Microsoft default installation of Windows Server. For example, we keep the PowerShell and .NET Framework installations as they are and don't install additional Windows roles, role services, or features.

How AWS validates security, integrity, and authenticity of software on AMIs

We take a number of steps during the image build process to maintain the security, integrity, and authenticity of AWS provided Windows AMIs. A few examples include:

  • AWS provided Windows AMIs are built using source media obtained directly from Microsoft.

  • Windows Updates are downloaded directly from Microsoft’s Windows Update Service by Windows, and installed on the instance used to create the AMI during the image build process.

  • AWS Software is downloaded from secure S3 buckets and installed in the AMIs.

  • Drivers—such as for the chipset and GPU—are obtained directly from the vendor, stored in secure S3 buckets, and installed on the AMIs during the image build process.

How AWS decides which Windows AMIs to offer

Each AMI is extensively tested prior to release to the general public. We periodically streamline our AMI offerings to simplify customer choice and to reduce costs.

  • New AMI offerings are created for new OS releases. You can count on AWS releasing “Base,” “Core/Container,” and “SQL Express/Standard/Web/Enterprise” offerings in English and other widely used languages. The primary difference between Base and Core offerings is that Base offerings have a desktop/GUI whereas Core offerings are PowerShell command line only. For more information about Windows Server Core, see https://docs.microsoft.com/en-us/windows-server/administration/server-core/what-is-server-core.

  • New AMI offerings are created to support new platforms – for example, the Deep Learning and “NVidia” AMIs were created to support customers using our GPU-based instance types (P2, P3, G3, and more).

  • Less popular AMIs are sometimes removed. If we see a particular AMI is launched only a few times in its entire lifespan, we will remove it in favor of more widely used options.

If there is an AMI variant that you would like to see, let us know by filing a ticket with Cloud Support, or by providing feedback through one of our established channels.

Patches, security updates, and AMI IDs

AWS provides updated, fully-patched Windows AMIs within five business days of Microsoft's patch Tuesday (the second Tuesday of each month). The new AMIs are available immediately from the Images page in the Amazon EC2 console. The new AMIs are available in the AWS Marketplace and the Quick Start tab of the launch instance wizard within a few days of their release.

Note

Instances launched from Windows Server 2019 and later AMIs may show a Windows Update dialog message stating "Some settings are managed by your organization." This message appears as a result of changes in Windows Server 2019 and does not impact the behavior of Windows Update or your ability to manage update settings.

To remove this warning, see "Some settings are managed by your organization".

To ensure that customers have the latest security updates by default, AWS keeps Windows AMIs available for three months. After releasing new Windows AMIs, AWS makes the Windows AMIs that are older than three months private within 10 days. After an AMI has been made private, when you look at an instance launched from that AMI in the console, the AMI ID field states, "Cannot load detail for ami-xxxxx. You may not be permitted to view it." You can still retrieve the AMI ID using the AWS CLI or an AWS SDK.

The Windows AMIs in each release have new AMI IDs. Therefore, we recommend that you write scripts that locate the latest AWS Windows AMIs by their names, rather than by their IDs. For more information, see the following examples:
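One way to implement the name-based lookup recommended above, as an added example that is not AWS's own code: it assumes the DescribeImages response shape (ImageId, Name, ImageOwnerAlias, CreationDate), uses a constructed sample list in place of a live call, and the fetch_latest helper is hypothetical glue around boto3. Filtering on the amazon owner both in the request and again on the result is what keeps a public look-alike AMI from another account out of your launch templates.

```python
from datetime import datetime

# Constructed sample shaped like the "Images" list returned by
# ec2 describe-images; IDs and owner IDs are placeholders.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "ImageOwnerAlias": "amazon",
     "OwnerId": "000000000000", "State": "available",
     "Name": "Windows_Server-2022-English-Full-Base-2024.01.10",
     "CreationDate": "2024-01-10T08:00:00.000Z"},
    {"ImageId": "ami-0000000000000002", "ImageOwnerAlias": "amazon",
     "OwnerId": "000000000000", "State": "available",
     "Name": "Windows_Server-2022-English-Full-Base-2024.02.14",
     "CreationDate": "2024-02-14T08:00:00.000Z"},
    # Public image from an unrelated account reusing the AWS naming pattern:
    # newer, but it must never be selected.
    {"ImageId": "ami-0000000000000003", "OwnerId": "111111111111",
     "State": "available",
     "Name": "Windows_Server-2022-English-Full-Base-2024.03.01",
     "CreationDate": "2024-03-01T08:00:00.000Z"},
]

def creation_time(image):
    """Parse the ISO-8601 CreationDate string DescribeImages returns."""
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")

def describe_images_kwargs(name_prefix):
    """Server-side filters: AWS-owned, available images whose Name starts
    with the requested variant, e.g. Windows_Server-2022-English-Full-Base."""
    return {"Owners": ["amazon"],
            "Filters": [{"Name": "name", "Values": [name_prefix + "*"]},
                        {"Name": "state", "Values": ["available"]}]}

def latest_windows_ami(images, name_prefix, trusted_alias="amazon"):
    """Pick the newest matching image, re-checking the owner client-side so
    a look-alike name published from another account is never chosen."""
    candidates = [img for img in images
                  if img.get("ImageOwnerAlias") == trusted_alias
                  and img.get("Name", "").startswith(name_prefix)]
    return max(candidates, key=creation_time, default=None)

def fetch_latest(name_prefix, region="us-east-1"):
    """Live lookup (needs network and boto3); returns an ImageId or None."""
    import boto3  # imported here so the offline helpers run without it
    ec2 = boto3.client("ec2", region_name=region)
    images = ec2.describe_images(**describe_images_kwargs(name_prefix))["Images"]
    chosen = latest_windows_ami(images, name_prefix)
    return chosen["ImageId"] if chosen else None
```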

Configuration changes for AWS Windows AMIs

The following configuration changes are applied to each AWS Windows AMI.

Clean and prepare

Change | Applies to
--- | ---
Check for pending file renames or reboots, and reboot as needed | All AMIs
Delete .dmp files | All AMIs
Delete logs (event logs, Systems Manager, EC2Config) | All AMIs
Delete temporary folders and files for Sysprep | All AMIs
Perform virus scan | All AMIs
Pre-compile queued .NET assemblies (before Sysprep) | All AMIs
Restore default values for Internet Explorer | All AMIs
Reset the Windows wallpaper | All AMIs
Run Sysprep | All AMIs
Set EC2Launch to run at the next launch | Windows Server 2016 and 2019

Install and configure

Change | Applies to
--- | ---
Disable Secure Time Seeding | All AMIs
Add links to the Amazon EC2 Windows Guide | All AMIs
Attach instance storage volumes to extended mount points | All AMIs
Install the current AWS Tools for Windows PowerShell | All AMIs
Install the current AWS CloudFormation helper scripts | All AMIs
Disable RunOnce for Internet Explorer | All AMIs
Enable remote PowerShell | All AMIs
Disable hibernation and delete the hibernation file | All AMIs
Disable the Connected User Experiences and Telemetry service | All AMIs
Set the performance options for best performance | All AMIs
Set the power setting to high performance | All AMIs
Disable the screen saver password | All AMIs
Set the RealTimeIsUniversal registry key | All AMIs
Set the timezone to UTC | All AMIs
Disable Windows updates and notifications | All AMIs
Run Windows Update and reboot until there are no pending updates | All AMIs
Set the display in all power schemes to never turn off | All AMIs
Set the PowerShell execution policy to "Unrestricted" | All AMIs
If Microsoft SQL Server is installed: install service packs, configure it to start automatically, add BUILTIN\Administrators to the SysAdmin role, and open TCP port 1433 and UDP port 1434 | All AMIs
Configure a paging file on the system volume (Windows Server 2016 and later: managed by the system) | All AMIs
Install the current EC2Launch v2 and SSM Agent | Windows Server 2022 and later
Install the current EC2Launch and SSM Agent | Windows Server 2016 and 2019
Install the current SRIOV drivers | Windows Server 2012 R2 and later
Install the current EC2WinUtil driver | Windows Server 2008 R2 and later
Install the current AWS PV, ENA, and NVMe drivers | Windows Server 2008 R2 and later

Update your Windows instance

After you launch a Windows instance, you are responsible for installing updates on it. For more information, see Update management in Amazon EC2.

You can manually install only the updates that interest you, or you can start from a current AWS Windows AMI and build a new Windows instance. For information about finding the current AWS Windows AMIs, and keeping your AMIs up to date, see Find a Windows AMI and Keep your AMIs up to date.

Note

Instances should be stateless when updating. For more information, see Managing Your AWS Infrastructure at Scale.

For Windows instances, you can install updates to the following services or applications:

We recommend that you reboot your Windows instance after installing updates. For more information, see Reboot your instance.

Upgrade or migrate to a newer version of Windows Server

For information about how to upgrade or migrate a Windows instance to a newer version of Windows Server, see Upgrade an Amazon EC2 Windows instance to a newer version of Windows Server.

Subscribe to Windows AMI notifications

To be notified when new AMIs are released or when previously released AMIs are made private, subscribe to notifications using Amazon SNS.

To subscribe to Windows AMI notifications
  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must use this Region because the SNS notifications that you are subscribing to were created in this Region.

  3. In the navigation pane, choose Subscriptions.

  4. Choose Create subscription.

  5. For the Create subscription dialog box, do the following:

    1. For Topic ARN, copy and paste one of the following Amazon Resource Names (ARNs):

      • arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-update

      • arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-private

      For AWS GovCloud (US):

      arn:aws-us-gov:sns:us-gov-west-1:077303321853:ec2-windows-ami-update

    2. For Protocol, choose Email.

    3. For Endpoint, type an email address that you can use to receive the notifications.

    4. Choose Create subscription.

  6. You'll receive a confirmation email with the subject line AWS Notification - Subscription Confirmation. Open the email and choose Confirm subscription to complete your subscription.

Whenever Windows AMIs are released, we send notifications to the subscribers of the ec2-windows-ami-update topic. Whenever released Windows AMIs are made private, we send notifications to the subscribers of the ec2-windows-ami-private topic. If you no longer want to receive these notifications, use the following procedure to unsubscribe.

To unsubscribe from Windows AMI notifications
  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must use this Region because the SNS notifications were created in this Region.

  3. In the navigation pane, choose Subscriptions.

  4. Select the subscriptions and then choose Delete. When prompted for confirmation, choose Delete.

Changes in Windows Server 2016 and later AMIs

AWS provides AMIs for Windows Server 2016 and later. These AMIs include the following high-level changes from earlier Windows AMIs:

Other differences

Note the following additional important differences for instances created from Windows Server 2016 and later AMIs.

  • By default, EC2Launch does not initialize secondary EBS volumes. You can configure EC2Launch to initialize disks automatically by either scheduling the script to run or by calling EC2Launch in user data. For the procedure to initialize disks using EC2Launch, see "Initialize Drives and Drive Letter Mappings" in Configure EC2Launch.

  • If you previously enabled CloudWatch integration on your instances by using a local configuration file (AWS.EC2.Windows.CloudWatch.json), you can configure the file to work with the SSM Agent on instances created from Windows Server 2016 and later AMIs.

For more information, see Windows Server on Microsoft.com.