This topic describes how to install AWS Systems Manager SSM Agent on Windows Server machines in a hybrid and multicloud environment. For information about installing SSM Agent on EC2 instances for Windows Server, see Manually installing and uninstalling SSM Agent on EC2 instances for Windows Server.
Before you begin, locate the Activation Code and Activation ID that were generated during the hybrid activation process, as described in Create a hybrid activation to register nodes with Systems Manager. You specify the Code and ID in the following procedure.
To install SSM Agent on non-EC2 Windows Server machines in a hybrid and multicloud environment
-
Log on to a server or VM in your hybrid and multicloud environment.
-
If you use an HTTP or HTTPS proxy, you must set the
http_proxyorhttps_proxyenvironment variables in the current shell session. If you aren't using a proxy, you can skip this step.For an HTTP proxy server, set this variable:
http_proxy=http://hostname:porthttps_proxy=http://hostname:portFor an HTTPS proxy server, set this variable:
http_proxy=http://hostname:porthttps_proxy=https://hostname:port -
Open Windows PowerShell in elevated (administrative) mode.
-
Copy and paste the following command block into Windows PowerShell. Replace each
example resource placeholderwith your own information. For example, the Activation Code and Activation ID generated when you create a hybrid activation, and with the identifier of the AWS Region you want to download SSM Agent from.Important
Note the following important details:
-
Using
ssm-setup-clifor non-EC2 installations maximizes the security of your Systems Manager installation and configuration. -
ssm-setup-clisupports amanifest-urloption that determines the source where the agent is downloaded from. Don't specify a value for this option unless required by your organization. -
You can use the script provided here
to validate the signature of ssm-setup-cli. -
When registering instances, only use the provided download link provided for
ssm-setup-cli.ssm-setup-clishouldn’t be stored separately for future use.
regionrepresents the identifier for an AWS Region supported by AWS Systems Manager, such asus-east-2for the US East (Ohio) Region. For a list of supportedregionvalues, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.Additionally,
ssm-setup-cliincludes the following options:-
version- Valid values arelatestandstable. -
downgrade- Reverts the agent to an earlier version. -
skip-signature-validation- Skips the signature validation during the download and installation of the agent.
[System.Net.ServicePointManager]::SecurityProtocol = 'TLS12' $code = "activation-code" $id = "activation-id" $region = "us-east-1" $dir = $env:TEMP + "\ssm" New-Item -ItemType directory -Path $dir -Force cd $dir (New-Object System.Net.WebClient).DownloadFile("https://amazon-ssm-$region.s3.$region.amazonaws.com/latest/windows_amd64/ssm-setup-cli.exe", $dir + "\ssm-setup-cli.exe") ./ssm-setup-cli.exe -register -activation-code="$code" -activation-id="$id" -region="$region" Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration") Get-Service -Name "AmazonSSMAgent" -
-
Press
Enter.
Note
If the command fails, verify that you are running the latest version of AWS Tools for PowerShell.
The command does the following:
-
Downloads and installs SSM Agent onto the machine.
-
Registers the machine with the Systems Manager service.
-
Returns a response to the request similar to the following:
Directory: C:\Users\ADMINI~1\AppData\Local\Temp\2 Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 07/07/2018 8:07 PM ssm {"ManagedInstanceID":"mi-008d36be46EXAMPLE","Region":"us-east-2"} Status : Running Name : AmazonSSMAgent DisplayName : Amazon SSM Agent
The machine is now a managed node. These managed nodes are now identified with the prefix "mi-". You can view managed nodes on the Managed node page in Fleet Manager, by using the AWS CLI command describe-instance-information, or by using the API command DescribeInstanceInformation.
Setting up private key
auto rotation
To strengthen your security posture, you can configure AWS Systems Manager Agent (SSM Agent) to automatically rotate the private key for a hybrid and multicloud environment. You can access this feature using SSM Agent version 3.0.1031.0 or later. Turn on this feature using the following procedure.
To configure SSM Agent to rotate the private key for a hybrid and multicloud environment
-
Navigate to
/etc/amazon/ssm/on a Linux machine orC:\Program Files\Amazon\SSMfor a Windows Server machine. -
Copy the contents of
amazon-ssm-agent.json.templateto a new file namedamazon-ssm-agent.json. Saveamazon-ssm-agent.jsonin the same directory whereamazon-ssm-agent.json.templateis located. -
Find
Profile,KeyAutoRotateDays. Enter the number of days that you want between automatic private key rotations. -
Restart SSM Agent.
Every time you change the configuration, restart SSM Agent.
You can customize other features of SSM Agent using the same procedure. For an
up-to-date list of the available configuration properties and their default values,
see Config Property Definitions
Deregister and reregister a managed node (Windows Server)
You can deregister a managed node by calling the DeregisterManagedInstance API operation from either the AWS CLI or Tools for Windows PowerShell. Here's an example CLI command:
aws ssm deregister-managed-instance --instance-id
"mi-1234567890"
To remove the remaining registration information for the agent, remove the
IdentityConsumptionOrder key in the
amazon-ssm-agent.json file. Then run the following
command:
amazon-ssm-agent -register -clear
To reregister a managed node on a Windows Server hybrid machine
You can reregister a machine after you deregister it. However, you must use a different Activation Code and Activation ID than were used previously to register the machine.
-
Connect to your machine.
-
Run the following command. Be sure to replace the placeholder values with the Activation Code and Activation ID generated when you create a hybrid activation, and with the identifier of the Region you want to download the SSM Agent from.
'yes' | & Start-Process ./ssm-setup-cli.exe -ArgumentList @("-register", "-activation-code=$code", "-activation-id=$id", "-region=$region") -Wait Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration") Get-Service -Name "AmazonSSMAgent"
