Update Windows workstation AMI - Amazon Nimble Studio

Update Windows workstation AMI

This tutorial covers the steps to update a Windows workstation Amazon Machine Image (AMI) with new software.

Note

This tutorial applies to both WindowsServer2019 AMIs and WindowsServer2022 AMIs.

Prerequisites

  • Complete the prerequisites and follow the steps in the Update AMIs: Setting up tutorial.

  • Check your service quota for running On-Demand Instances (limit name “G”). For instructions on how to do that, see Check AWS service quotas.

  • This tutorial uses NICE DCV to connect to an instance. Download the latest DCV client and install it on your local machine before you begin. For more information, see the NICE DCV User Guide.

Step 1: Create a customer managed key

Create a customer managed key that will be used to encrypt your AMI. You only need to create a customer managed key one time. If you already created one, you can reuse it and skip to Step 2: Launch an instance with Windows AMI.

Follow the instructions in the Creating symmetric encryption KMS keys (console) tutorial in the AWS Key Management Service Developer Guide. Follow these additional steps:

  1. For the Alias in the Add labels section, include the name of your studio, and mention custom AMI. For example: <your_studio_name>-customAMI-key

  2. For Key administrators in the Define key administrative permissions section, enter and select the name of the admin user that you used to log in to the AWS Management Console. For example: aws-admin

  3. For This account in the Define key usage permissions section, enter and select the the same admin user that you selected in the previous step.

Step 2: Launch an instance with Windows AMI

To launch an instance using a Windows AMI that you want to update, you have two choices:

Start with the default Windows AMI from StudioBuilder

  1. Go to the AWS Marketplace.

  2. Search for Nimble Studio Windows Workstation.

  3. Choose Nimble Studio Windows Workstation from the search results.

    1. You can select a WindowsServer2019 AMI or a WindowsServer2022 AMI.

  4. On the AWS Marketplace page for the Nimble Studio Windows Workstation, select Continue to Subscribe.

  5. Read the terms and conditions and then select Accept Terms.

    
                     AWS Marketplace accept terms
  6. After the subscribe request has finished processing, select Continue to Configuration.

  7. In the Region dropdown menu, select the AWS Region that your studio is located in and select Continue to Launch.

    
                     AWS Marketplace region selector
  8. In the Choose Action dropdown menu, select Launch through EC2 and select Launch.

    
                     AWS Marketplace launch through EC2
    1. The Amazon EC2 console will open and will guide you through the rest of the launch process.

After the launch process is complete, go directly to the To launch an instance in the default Amazon VPC section to continue.

Start with another Windows AMI already created in your account

If you already know the AMI ID for the AMI that you would like to update in your account, skip to following section of this tutorial: To find the AMI ID of the Windows AMI to update.

Otherwise, to find the AMI ID by looking at the launch profile that uses it, continue directly below.

To find the AMI ID of the Windows AMI to update

  1. Sign in to the AWS Management Console and open the Nimble Studio console.

  2. Choose Launch profiles in the left navigation pane.

  3. Choose the name or ID of a launch profile that contains the Windows AMI that you would like to update.

  4. On the Launch profile details page, under Amazon Machine Images (AMIs), choose the Windows AMI that you would like to update.

    
                     Nimble Studio console launch profile details
  5. On the Amazon Machine Image details page, notice the AMI ID.

    
                     Nimble Studio console Windows workstation AMI details

To search for the AMI ID

  1. Go to the EC2 Dashboard.

  2. Choose AMIs in the left navigation pane under Images.

  3. Paste the AMI ID that you copied into the filter field.

    1. If you see the message, No AMIs found matching your filter criteria, open the dropdown to the left of the search field and select one of these filter options: Owned by me, Public images, or Private images.

  4. In the EC2 console, select the AMI from the search results, and then choose Launch instance from AMI.

    
                     Nimble Studio console Windows workstation AMI details

To launch an instance in the default Amazon VPC

  1. Enter WinWorkstationAMIBuilder as the Name.

  2. Select g4dn.xlarge for the Instance type.

    1. If your service quota for On-demand G4 Instances is high enough, you can select an instance with more than four vCPUs. If you’re unsure of your quota value, refer to Amazon Nimble Studio service quotas in the Setting up tutorial for instructions on how to check it.

    2. If you want to use the EnableFastLaunch feature to launch your Windows AMIs faster, ensure that you have enough vCPU limits to launch temporary instances that create snapshots. At minimum, you need 5 times vCPU for the required instance types to use EnableFastLaunches.

  3. If you already have an existing key pair that you created and downloaded previously, select it from the Key pair (login) dropdown. If you don’t have a key pair, follow these instructions to create one:

    1. To create a new key pair, select Create a new key pair.

    2. Enter a name for your key pair.

    3. Choose Download Key Pair and save the downloaded file in a location on your local computer that you can retrieve later. AWS stores the public key file for you, but you need to store the private key file.

  4. In the Network settings section, choose Edit and ensure the following parameters are selected.

    1. For Network, ensure that the default virtual private cloud (VPC) is selected in the dropdown. Its name will end in “(default)”.

    2. Set Auto-assign Public IP to Enable to ensure that your instance receives a public IP address that you will use when connecting to it later.

    3. Under Firewall (security groups), choose Select an existing security group. Then choose the Nimble_Studio_Build_AMI security group that you created in the Step 2: Create IAM policies section of the Update AMIs: Setting up tutorial.

  5. In the Configure storage section, check that the size of your instance’s root volume is large enough to accommodate all the new software that you’re installing.

    1. You might need to increase the size of the root volume to ensure that you have enough space available.

  6. Choose Advanced to the right of Configure storage

    1. Select the dropdown next to the storage volume.

    2. Under Encryption, select Yes.

    3. Choose your AMI encryption key from the KMS key dropdown dialogue box.

  7. Select the dropdown in the Advanced details section. For IAM instance profile, choose the Nimble_Studio_Build_AMI role that you created in Step 2: Create IAM policies of the Update AMIs: Setting up tutorial.

  8. Choose Launch.

    Note

    If there is a warning near the top of the window stating that your security group is open to the world, this is because you used a source value of “Anywhere” when creating your security group. We recommend that you don’t use a source value of “Anywhere” because that allows any IP to connect to your rule’s port(s). For instructions on updating your security group, see the Update AMIs: Setting up tutorial.

    1. If warning message pops up that says you can’t connect to your instance because port 3389 isn't open, choose Continue. Ignore this message. You will be connecting to the instance using Session Manager, which doesn't require port 3389 to be open.

  9. On the Launch Status page, scroll to the bottom and choose View instances.

Since you’re using this instance for setup only, you’re launching it in the default VPC that you got with your AWS account. While this isn't the same as your studio’s VPC, check with your studio administrator and IT team before making security decisions. You can also choose to limit which IP addresses can access this instance. Learn to change the inbound rules for your security group in the Step 4: Create a security group section of the Updating Amazon Machine Images tutorial.

(Optional) Configure faster launching for Windows AMIs

Follow the instructions in the Start faster launching for Windows AMIs to enable faster launches.

Step 3: Restart the NICE DCV session as Administrator

Before you can connect to your instance with NICE DCV, close the existing NICE DCV session on your instance and restart it as an administrator. Logging in as Administrator later gives you the privileges that you need to install software.

After your instance has initialized, you will connect to it so that you can install the new software.

  1. Wait for the Instance state of your WinWorkstationAMIBuilder instance to change from Initializing to Running, and for the Status check to change from Initializing to 2/2 checks passed. You might need to refresh the page to see the status change.

    
                  WinWorkstationAMIBuilder instance running
  2. Select the instance and choose Connect.

  3. Make sure the Session Manager tab is selected and then choose Connect.

    1. If the Connect button is grayed out, or if you see a warning message, wait a few minutes for Session Manager to finish initializing on your instance, and then try again.

  4. In the Session Manager browser tab that opens, run the following commands:

    cd 'C:\Program Files\NICE\DCV\Server\bin\'

    .\dcv close-session console

    .\dcv create-session --owner Administrator console

    
                  Commands to run in Session Manager
  5. After all three commands have been run, close the Session Manager tab.

  6. In the Connect to instance browser tab, choose Cancel to close the connection options and return to the list of instances.

Step 4: Connect with NICE DCV

Now that you have restarted NICE DCV, you can connect to your instance as Administrator and install new software. To connect with NICE DCV, you will need to find the public IP address of your instance, and then decrypt the password.

To find the public IP address

  1. In the list of instances in the EC2 console, make sure that your WinWorkstationAMIBuilder instance is selected, then look in the Details tab.

  2. Find the entry for Public IPv4 address and copy it to the clipboard. As a shortcut, you can choose the copy icon located to the left of the address.

    
                     Public Ipv4 address copy icon
  3. Open the NICE DCV client on your local computer.

  4. Paste the Public IPv4 address that you copied into the Hostname/IP Address field in the NICE DCV client window and choose Connect.

    
                     NICE DCV client window hostname
  5. In the window that says Your connection isn't secure choose Trust (or Proceed if on MacOS) to trust the connection and continue.

    1. By default, NICE DCV generates a self-signed certificate that is used to secure traffic between the NICE DCV client on your local computer and the server on your workstation. If you would like to use your own certificate, choose Go Back instead and see Changing the TLS Certificate - NICE DCV in the NICE DCV Administrator Guide.

  6. For Username, enter Administrator.

    
                     NICE DCV client window username

To decrypt the Administrator password and connect

Next, you will need to get the unique Administrator password assigned to your instance, and then decrypt it using the key pair that you chose when launching the instance.

  1. Back in the EC2 console, make sure that your WinWorkstationAMIBuilder instance is selected.

  2. Choose Actions. Then choose Security and Get Windows password.

    
                     EC2 console get Windows password
  3. Choose Browse and then open the key pair file that you chose when launching your instance.

  4. Choose Decrypt Password.

    
                     Amazon EC2 console decrypt password
  5. Copy the decrypted password to the clipboard by choosing the copy icon to the left of the password.

  6. Back in the NICE DCV client window, paste the Administrator password into the password field and choose Login.

    1. After a moment, NICE DCV will connect and your Windows virtual workstation desktop will appear.

Step 5: Download and run installers

After you have connected to, and logged in to your virtual workstation, you can download and install software. One way is from the public internet, and the other is by copying installers that you stored in an Amazon Simple Storage Service (Amazon S3) bucket.

We recommend that you use an S3 bucket to store the installers for the software that your studio will use. This conveniently eliminates any need to search online for the installer. This will also help ensure that consistent versions of software are installed on the different AMIs in your studio.

If you don’t already have an S3 bucket with your installers, follow the Update AMIs: Setting up tutorial to create one.

Open PowerShell and connect to Amazon S3

  1. Go to the Start Menu and search for PowerShell.

  2. Select Windows PowerShell from the list.

  3. Verify that your virtual workstation can access your installers S3 bucket. Replace <BUCKET-NAME> with the name of your installer’s S3 bucket.

    aws s3 ls s3://<BUCKET-NAME>

  4. PowerShell will return a list of the contents of your installers bucket.

    
                     Amazon S3 buckets listed
  5. Change to the Administrator\Downloads folder by running the following command:

    cd C:\Users\Administrator\Downloads

Find the installers in your S3 bucket

If you’re comfortable using the command-line tools to locate the file path to the installers in your S3 bucket, you can skip this section and go to Download installers from your S3 bucket. Otherwise, here we’ll show you how to find the file paths using the Amazon S3 console.

  1. Sign in to the AWS Management Console and open the Amazon S3 console.

  2. Find the bucket for installers that you created in the Update AMIs: Setting up tutorial.

  3. Navigate to the first installer that you want to install on your virtual workstation.

  4. Choose the Name of the installer file.

  5. In the Object overview section, copy your S3 URI so that you can paste it in the next step.

Download installers from your S3 bucket

On your virtual workstation, you will run commands to download the installer that you located in Amazon S3.

  1. Run the following command in PowerShell to download the installer that you just located in Amazon S3: aws s3 cp S3-URI.

    1. Replace S3-URI with the URI that you just copied from the Amazon S3 console.

  2. Ensure that the command prompt displays a confirmation that the download was successful. If not, check that you ran the aws s3 cp command using the correct S3 URI and try again.

    
                     Amazon S3 URI downloaded
  3. Open File Explorer and navigate to Downloads to verify that the downloaded file is there. If not, check that you ran the aws s3 cp command from the C:\Users\Administrators\Downloads folder and try again.

  4. Repeat this process for any other installers that you want to download.

  5. After you have downloaded the installers, run them to install or update software on the virtual workstation.

Note

If any software that you install requires a restart of the virtual workstation, the restart will disconnect the NICE DCV session that you set up to run as administrator. To reconnect to the virtual workstation with NICE DCV, first repeat the steps in Step 3: Restart the NICE DCV session as Administrator.

Software specific installation tips

Some software requires that you complete extra steps for it to work correctly as part of an AMI. For more information, including currently-known software that requires specific install instructions, see the Software specific installation tips tutorial.

Step 6: Prepare your instance for AMI creation

After installing software, the next steps will make sure that your virtual workstation is prepared for AMI creation. These steps include removing any installers from the C: drive of the virtual workstation, and cleaning up any information that you don’t want duplicated when the AMI is created.

Disconnect network drives

Unless you manually mapped network drives to this virtual workstation on your own, there shouldn’t be any network drives connected to it. However, leaving network drives connected can cause problems.

  1. Open File Explorer.

  2. Choose This PC from the navigation pane.

  3. Scroll down to the Devices and drives section to see if you have any network drives to disconnect.

    1. If you only see the C: drive listed, you can skip this step and proceed to Remove installers and unneeded files.

    2. If you have drives other than the C: drive, disconnect those, as follows:

      1. Select each drive and open the context menu (right-click).

      2. Choose Disconnect for each of the drives, so that only the C: drive remains.

Remove installers and unneeded files

The files that you created or downloaded on the C: drive of your virtual workstation will be copied during the AMI creation process. These files will appear on any other virtual workstations that are launched using that AMI. For that reason, remove any installers or other files that you don’t want copied.

  1. In File Explorer, check the C:\Users\Administrator\Downloads folder for any installers that you downloaded in previous steps.

  2. Check the following folders for files that you might want to delete.

    1. C:\Users\Administrator\Documents

    2. The Desktop

    3. The Recycle Bin

Run Sysprep using EC2LaunchSettings

After you have removed the extra files from your virtual workstation, you’re ready to run a special application to complete the preparation process.

Windows 2019
  1. Open the Start Menu, search for EC2LaunchSettings, and then choose it from the list.

  2. In the EC2 Launch Settings window, ensure that Administrator password settings is set to Random (retrieve from console).

  3. Next, go to the bottom of the list and select Run EC2Launch on every boot. Then choose Shutdown with Sysprep.

    
                              The EC2 Launch Settings window. The boxes next to Set
                                 Wallpaper
  4. In the Sysprep Confirmation window, choose Yes.

  5. After a few minutes, your virtual workstation will shut down, and your Remote Desktop session will disconnect.

Windows 2022
  1. Open the Start Menu, search for EC2LaunchSettings, and then choose it from the list.

  2. In the EC2 Launch Settings window, ensure that Administrator password settings is set to Random (retrieve from console).

  3. In the Prapare for imaging section, choose Shutdown with Sysprep.

    
                              The EC2 Launch Settings window. The boxes next to Set
                                 Wallpaper
  4. In the Sysprep Confirmation window, choose Yes.

  5. After a few minutes, your virtual workstation will shut down, and your Remote Desktop session will disconnect.

Step 7: Create a new AMI

Note

Before adding AMIs to your studio, check that these don’t exceed 500 GB (size) and 10 (quantity). For detailed instructions, see Reduce the AMI size. and Remove AMIs or increasing your quota. in the Updating Amazon Machine Images (AMIs) tutorial.

Now that your virtual workstation has shut down, you can create an AMI from it.

  1. Go to the EC2 console.

  2. Choose Instances in the left navigation pane.

  3. Wait for the Instance state of your instance to change to Stopped.

  4. Choose the instance. Then choose Actions, Images and templates , and Create image.

    
                  Amazon EC2 Instances console with the Actions dropdown with the Image and
                     templates submenu open and the Create image button selected.
  5. Enter an Image name:

    1. To help you keep track of the different AMIs that you create, it’s a good idea to give them descriptive names. Descriptive names should include the operating system, intended use (workstation), the department that will use the AMI, and a date or version number. Example: <your-studio-name>-win-workstation-animation-2021-03-11

  6. Enter an Image description:

    1. To make your image description, you might want to include what you changed on this AMI, such as what makes it unique, or the new software that you installed. Example: Windows workstation for animation with Blender 2.92.0

  7. Scroll to the bottom, then choose Create image.

  8. Choose AMIs in the left navigation pane under Images.

  9. You will see your new AMI in the list with a Status of pending. When the status changes to available, you can continue with the next step. This process takes 10-20 minutes, depending on the amount of software installed on your instance.

  10. You might also want to add a name to your AMI by hovering over the Name field and choosing the edit icon.

Step 8: Update launch profiles

Now that your new AMI is encrypted, you will need to add it to Nimble Studio and update your launch profiles so that your artists can use it.

Add AMI to Nimble Studio

  1. Sign in to the AWS Management Console and open the Nimble Studio console.

  2. Choose Studio resources in the left navigation pane.

  3. Choose Add on the Studio resources page, under Amazon Machine Image (AMI).

  4. Enter an AMI name. You can use any name that you like, but we suggest copying the name that you originally chose when creating your AMI for the first time. For example: <your-studio-name> Win Workstation - Animation.

  5. Enter the AMI ID for the encrypted AMI that you just created in the last step.

  6. (Optional) Enter an AMI description.

  7. Choose Next.

    
                     Nimble Studio console add AMI configuration
  8. Under Check encryption, you will see a message saying that your encrypted AMI can be added to Nimble Studio.

    
                     Nimble Studio console add AMI check encryption
  9. Choose Add AMI.

Update launch profiles

Follow the steps in the Creating launch profiles tutorial to create and share a new launch profile, or update an existing launch profile to use the encrypted AMI that you just created. When you get to the step where you choose AMIs for your launch profile, make sure that your new AMI is selected.

Step 9: Update the DCV server

Important

Before you update the NICE DCV server, first log out of NICE DCV. As an alternative, you can use a different Remote Desktop Service during the update.

This section provides PowerShell commands that will help you update your NICE DCV server without accidentally resetting your registry keys.

If you have ever tried updating your NICE DCV server but encountered issues with your AMI or stream afterward, it was due to those registry keys. To remedy this issue, run the following PowerShell commands.

$autoConsoleSessionRegKey = "HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware link \dcv\session-management\automatic-console-session" $connectivityKey = "HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\connectivity" $displayRegKey = "HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\display" reg DELETE $autoConsoleSessionRegKey /v owner /f reg DELETE $autoConsoleSessionRegKey /v storage-root /f reg DELETE $displayRegKey /v target-fps /f reg DELETE $displayRegKey /v quality /f reg DELETE $displayRegKey /v frames-in-transit /f reg DELETE $displayRegKey /v frame-queue-weights /f reg DELETE $displayRegKey /v web-client-max-head-resolution /f reg ADD $autoConsoleSessionRegKey /v owner /d "ec2-nimble" /f reg ADD $autoConsoleSessionRegKey /v storage-root /d "C:\Users\ec2-nimble\Downloads" /f reg ADD $displayRegKey /v target-fps /t REG_DWORD /d 0 /f reg ADD $displayRegKey /v quality /d "(20, 100)" /f reg ADD $displayRegKey /v frames-in-transit /d "(1, 10)" /f reg ADD $displayRegKey /v frame-queue-weights /d "(5, 3, 1)" /f reg ADD $displayRegKey /v web-client-max-head-resolution /d "(4096, 2160)" /f

Troubleshooting

Reconnecting to a virtual workstation.

I had to restart my virtual workstation as part of installing new software and now NICE DCV won’t connect.

Restarting your virtual workstation will disconnect the NICE DCV session that you set up to run as Administrator. To reconnect to the virtual workstation with NICE DCV, you will first need to repeat the steps in Step 3: Restart the NICE DCV session as Administrator. Then you will be able to reconnect using NICE DCV.