Connect to your Windows instance

You can connect to Amazon EC2 instances created from most Windows Amazon Machine Images (AMIs) using Remote Desktop. Remote Desktop uses the Remote Desktop Protocol (RDP) to connect to and use your instance in the same way you use a computer sitting in front of you (local computer). It is available on most editions of Windows and is also available for Mac OS.

The license for the Windows Server operating system allows two simultaneous remote connections for administrative purposes. The license for Windows Server is included in the price of your Windows instance. If you require more than two simultaneous remote connections, you must purchase a Remote Desktop Services (RDS) license. If you attempt a third connection, an error occurs.

If you need to connect to your instance in order to troubleshoot boot, network configuration, and other issues for instances built on the AWS Nitro System, you can use the EC2 Serial Console for Windows instances.

For information about connecting to a Linux instance, see Connect to your Linux instance in the Amazon EC2 User Guide for Linux Instances.

Prerequisites

• Install an RDP client

  • [Windows] Windows includes an RDP client by default. To verify, type mstsc at a Command Prompt window. If your computer doesn't recognize this command, see the Windows home page and search for the download for the Microsoft Remote Desktop app.

  • [Mac OS X] Download the Microsoft Remote Desktop app from the Mac App Store.

  • [Linux] Use Remmina.

• Locate the private key

  Get the fully-qualified path to the location on your computer of the .pem file for the key pair that you specified when you launched the instance. For more information, see Identify the public key specified at launch. If you can't find your private key file, see I've lost my private key. How can I connect to my Windows instance?

• Enable inbound RDP traffic from your IP address to your instance

  Ensure that the security group associated with your instance allows incoming RDP traffic (port 3389) from your IP address. The default security group does not allow incoming RDP traffic by default. For more information, see Authorize inbound traffic for your Windows instances.

Connect to your Windows instance using RDP

To connect to a Windows instance, you must retrieve the initial administrator password and then enter this password when you connect to your instance using Remote Desktop. It takes a few minutes after instance launch before this password is available.

The name of the administrator account depends on the language of the operating system. For example, for English, it's Administrator, for French it's Administrateur, and for Portuguese it's Administrador. For more information, see Localized Names for Administrator Account in Windows in the Microsoft TechNet Wiki.

If you've joined your instance to a domain, you can connect to your instance using domain credentials you've defined in AWS Directory Service. On the Remote Desktop login screen, instead of using the local computer name and the generated password, use the fully-qualified user name for the administrator (for example, corp.example.com\Admin), and the password for this account.

If you receive an error while attempting to connect to your instance, see Remote Desktop can't connect to the remote computer.

New console

To connect to your Windows instance using an RDP client

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, select Instances. Select the instance and then choose Connect.

3. On the Connect to instance page, choose the RDP client tab, and then choose Get password.

   

4. Choose Browse and navigate to the private key (.pem) file you created when you launched the instance. Select the file and choose Open to copy the entire contents of the file to this window.

5. Choose Decrypt Password. The console displays the default administrator password for the instance under Password, replacing the Get password link shown previously. Save the password in a safe place. This password is required to connect to the instance.

   

6. Choose Download remote desktop file. Your browser prompts you to either open or save the RDP shortcut file. When you have finished downloading the file, choose Cancel to return to the Instances page.

   • If you opened the RDP file, you'll see the Remote Desktop Connection dialog box.

   • If you saved the RDP file, navigate to your downloads directory, and open the RDP file to display the dialog box.

7. You may get a warning that the publisher of the remote connection is unknown. Choose Connect to continue to connect to your instance.

   

8. The administrator account is chosen by default. Copy and paste the password that you saved previously.

   Tip

   If you receive a "Password Failed" error, try entering the password manually. Copying and pasting content can corrupt it.

9. Due to the nature of self-signed certificates, you may get a warning that the security certificate could not be authenticated. Use the following steps to verify the identity of the remote computer, or simply choose Yes (Windows) or Continue (Mac OS X) if you trust the certificate.

   

   1. If you are using Remote Desktop Connection on a Windows computer, choose View certificate. If you are using Microsoft Remote Desktop on a Mac, choose Show Certificate.

   2. Choose the Details tab, and scroll down to Thumbprint (Windows) or SHA1 Fingerprints (Mac OS X). This is the unique identifier for the remote computer's security certificate.

   3. In the Amazon EC2 console, select the instance, choose Actions, Monitor and troubleshoot, Get system log.

   4. In the system log output, look for RDPCERTIFICATE-THUMBPRINT. If this value matches the thumbprint or fingerprint of the certificate, you have verified the identity of the remote computer.

   5. If you are using Remote Desktop Connection on a Windows computer, return to the Certificate dialog box and choose OK. If you are using Microsoft Remote Desktop on a Mac, return to the Verify Certificate and choose Continue.

   6. [Windows] Choose Yes in the Remote Desktop Connection window to connect to your instance.

      [Mac OS X] Log in as prompted, using the default administrator account and the default administrator password that you recorded or copied previously. Note that you might need to switch spaces to see the login screen. For more information, see Add spaces and switch between them.

Old console

To connect to your Windows instance using an RDP client

1. In the Amazon EC2 console, select the instance, and then choose Connect.

2. In the Connect To Your Instance dialog box, choose Get Password (it will take a few minutes after the instance is launched before the password is available).

3. Choose Browse and navigate to the private key (.pem) file you created when you launched the instance. Select the file and choose Open to copy the entire contents of the file into the Contents field.

4. Choose Decrypt Password. The console displays the default administrator password for the instance in the Connect To Your Instance dialog box, replacing the link to Get Password shown previously with the actual password.

5. Record the default administrator password, or copy it to the clipboard. You need this password to connect to the instance.

6. Choose Download Remote Desktop File. Your browser prompts you to either open or save the .rdp file. Either option is fine. When you have finished, you can choose Close to dismiss the Connect To Your Instance dialog box.

   • If you opened the .rdp file, you'll see the Remote Desktop Connection dialog box.

   • If you saved the .rdp file, navigate to your downloads directory, and open the .rdp file to display the dialog box.

7. You may get a warning that the publisher of the remote connection is unknown. You can continue to connect to your instance.

8. When prompted, log in to the instance, using the administrator account for the operating system and the password that you recorded or copied previously. If your Remote Desktop Connection already has an administrator account set up, you might have to choose the Use another account option and type the user name and password manually.

   Note

   Sometimes copying and pasting content can corrupt data. If you encounter a "Password Failed" error when you log in, try typing in the password manually.

9. Due to the nature of self-signed certificates, you may get a warning that the security certificate could not be authenticated. Use the following steps to verify the identity of the remote computer, or simply choose Yes or Continue to continue if you trust the certificate.

   1. If you are using Remote Desktop Connection from a Windows PC, choose View certificate. If you are using Microsoft Remote Desktop on a Mac, choose Show Certificate.

   2. Choose the Details tab, and scroll down to the Thumbprint entry on a Windows PC, or the SHA1 Fingerprints entry on a Mac. This is the unique identifier for the remote computer's security certificate.

   3. In the Amazon EC2 console, select the instance, choose Actions, and then choose Get System Log.

   4. In the system log output, look for an entry labeled RDPCERTIFICATE-THUMBPRINT. If this value matches the thumbprint or fingerprint of the certificate, you have verified the identity of the remote computer.

   5. If you are using Remote Desktop Connection from a Windows PC, return to the Certificate dialog box and choose OK. If you are using Microsoft Remote Desktop on a Mac, return to the Verify Certificate and choose Continue.

   6. [Windows] Choose Yes in the Remote Desktop Connection window to connect to your instance.

      [Mac OS] Log in as prompted, using the default administrator account and the default administrator password that you recorded or copied previously. Note that you might need to switch spaces to see the login screen. For more information about spaces, see support.apple.com/en-us/HT204100.

   7. If you receive an error while attempting to connect to your instance, see Remote Desktop can't connect to the remote computer.

Connect to your Windows instance using RDP with Amazon EC2 Systems Manager Fleet Manager

You can use Amazon EC2 Systems Manager Fleet Manager, a capability of AWS Systems Manager, to connect to your Windows instances using the Remote Desktop Protocol (RDP). These Remote Desktop sessions powered by NICE DCV provide secure connections to your instances directly from your browser. With Fleet Manager, you can connect a maximum of four instances per browser window. When connecting to your instance, you can use Windows credentials or the Amazon EC2 key pair (.pem file) associated with the instance for authentication. For information about Amazon EC2 key pairs, see Amazon EC2 key pairs and Linux instances and Amazon EC2 key pairs and Windows instances in the Amazon EC2 User Guide for Linux Instances and Amazon EC2 User Guide for Windows Instances.

Alternatively, if you're authenticated to the AWS Management Console using AWS IAM Identity Center (successor to AWS Single Sign-On), Fleet Manager integrates with IAM Identity Center so you can connect to your instances without providing additional credentials. Fleet Manager; supports IAM Identity Center authenticated RDP connections in the same AWS Region where you enabled IAM Identity Center and user names can be a maximum of 16 characters. For IAM Identity Center authenticated RDP connections, Fleet Manager creates a local user on the instance that persists after the connection ends. IAM Identity Center authenticated RDP connections are not supported for nodes that are Microsoft Active Directory domain controllers.

Because Fleet Manager uses Amazon EC2 Systems Manager Session Manager to connect to Windows instances using RDP, you must complete the prerequisites for Session Manager before using this feature. Session Manager is a capability of AWS Systems Manager. Session preferences in the AWS account and AWS Region are applied when connecting to your instances using RDP. For information about setting up Session Manager, see Setting up Session Manager.

In addition to the required AWS Identity and Access Management (IAM) permissions for Systems Manager and Session Manager, the user or role you use to access the console must allow the following actions:

• ssm-guiconnect:CancelConnection

• ssm-guiconnect:GetConnection

• ssm-guiconnect:StartConnection

To connect to instances using RDP with Fleet Manager

1. Open the Amazon EC2 Systems Manager console at https://console.aws.amazon.com/systems-manager/.

2. In the navigation pane, choose Fleet Manager.

3. Choose Get started.

4. Select the check box next to the instance that you want to connect to using RDP.

5. In the Node actions menu, select Connect with Remote Desktop.

6. Choose your preferred Authentication type. If you choose User credentials, enter the user name and password for the Windows user account that you want to use when connecting to the instance. If you choose Key pair, choose the Browse local machine option to browse your local machine and choose the PEM key associated with your instance, or copy and paste the contents into the empty field after choosing the Paste key pair content option.

7. Select Connect.

Connect to a Windows instance using its IPv6 address

If you've enabled your VPC for IPv6 and assigned an IPv6 address to your Windows instance, you can use an RDP client to connect to your instance using its IPv6 address (for example, 2001:db8:1234:1a00:9691:9503:25ad:1761) instead of using its public IPv4 address or public DNS hostname.

To connect to your Windows instance using its IPv6 address

1. Get the initial administrator password for your instance, as described in Connect to your Windows instance using RDP. This password is required to connect to your instance.

2. [Windows] Open the RDP client on your Windows computer, choose Show Options, and do the following:

   

   • For Computer, enter the IPv6 address of your Windows instance.

   • For User name, enter Administrator.

   • Choose Connect.

   • When prompted, enter the password that you saved previously.

   [Mac OS X] Open the RDP client on your computer and do the following:

   • Choose New.

   • For PC Name, enter the IPv6 address of your Windows instance.

   • For User name, enter Administrator.

   • Close the dialog box. Under My Desktops, select the connection, and choose Start.

   • When prompted, enter the password that you saved previously.

3. Due to the nature of self-signed certificates, you may get a warning that the security certificate could not be authenticated. If you trust the certificate, you can choose Yes or Continue. Otherwise, you can verify the identity of the remote computer, as described in Connect to your Windows instance using RDP.

Connect to a Windows instance using Session Manager

Session Manager is a fully-managed AWS Systems Manager capability for managing your Amazon EC2 instances through an interactive, one-click, browser-based shell, or through the AWS CLI. You can use Session Manager to start a session with an instance in your account. After the session is started, you can run PowerShell commands as you would for any other connection type. For more information about Session Manager, see AWS Systems Manager Session Manager in the AWS Systems Manager User Guide.

Before attempting to connect to an instance using Session Manager, ensure that the necessary setup steps have been completed. For more information, see Setting up Session Manager.

To connect to a Windows instance using Session Manager on the Amazon EC2 console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, choose Instances.

3. Select the instance and choose Connect.

4. For Connection method, choose Session Manager.

5. Choose Connect.

   
   Tip

   If you receive an error that you’re not authorized to perform one or more Systems Manager actions (ssm:command-name), then you must update your policies to allow you to start sessions from the Amazon EC2 console. For more information and instructions, see Quickstart default IAM policies for Session Manager in the AWS Systems Manager User Guide.

Configure your accounts

After you connect, we recommend that you perform the following:

• Change the administrator password from the default value. You can change the password while you are logged on to the instance itself, just as you would on any computer running Windows Server.

• Create another user account with administrator privileges on the instance. This is a safeguard in case you forget the administrator password or have a problem with the administrator account. The new user account must have permission to access the instance remotely. Open System Properties by right-clicking on the This PC icon on your Windows desktop or File Explorer and selecting Properties. Choose Remote settings, and choose Select Users to add the user to the Remote Desktop Users group.

  

Transfer files to Windows instances

You can work with your Windows instance in the same way that you would work with any Windows server. For example, you can transfer files between a Windows instance and your local computer using the local file sharing feature of the Microsoft Remote Desktop Connection software. You can access local files on hard disk drives, DVD drives, portable media drives, and mapped network drives.

To access your local files from your Windows instances, you must enable the local file sharing feature by mapping the remote session drive to your local drive. The steps are slightly different depending on whether your local computer operating system is Windows or macOS X.

Windows

To map the remote session drive to your local drive on your local Windows computer

1. Open the Remote Desktop Connection client.

2. Choose Show Options.

3. Add the instance host name to the Computer field and user name to the User name field, as follows:

   1. Under Connection settings, choose Open..., and browse to the RDP shortcut file that you downloaded from the Amazon EC2 console. The file contains the Public IPv4 DNS host name, which identifies the instance, and the Administrator user name.

   2. Select the file and choose Open. The Computer and User name fields are populated with the values from the RDP shortcut file.

   3. Choose Save.

4. Choose the Local Resources tab.

5. Under Local devices and resources, choose More...

   

6. Open Drives and select the local drive to map to your Windows instance.

7. Choose OK.

   

8. Choose Connect to connect to your Windows instance.

macOS X

To map the remote session drive to your local folder on your local macOS X computer

1. Open the Remote Desktop Connection client.

2. Browse to the RDP file that you downloaded from the Amazon EC2 console (when you initially connected to the instance), and drag it onto the Remote Desktop Connection client.

3. Right-click the RDP file, and choose Edit.

4. Choose the Folders tab, and select the Redirect folders check box.

   

5. Choose the + icon at bottom left, browse to the folder to map, and choose Open. Repeat this step for every folder to map.

6. Choose Save.

7. Choose Connect to connect to your Windows instance. You'll be prompted for the password.

8. On the instance, in File Explorer, expand This PC, and find the shared folder from which you can access your local files. In the following screenshot, the Desktop folder on the local computer was mapped to the remote session drive on the instance.

   

For more information on making local devices available to a remote session on a Mac computer, see Get started with the macOS client.