Create an Amazon EC2 AMI using Windows Sysprep - Amazon Elastic Compute Cloud

Create an Amazon EC2 AMI using Windows Sysprep

The Microsoft System Preparation (Windows Sysprep) tool creates a generalized version of the operating system, with instance-specific system configuration removed before it captures a new image.

We recommend that you use EC2 Image Builder to automate the creation, management, and deployment of customized, secure, and up-to-date "golden" server images that are pre-installed and preconfigured with software and settings.

You can also use Windows Sysprep to create a standardized AMI using the Windows launch agents. For more information, see Use Windows Sysprep with a launch agent.

Important

Do not use Windows Sysprep to create an instance backup. Windows Sysprep removes system-specific information; removing this information might have unintended consequences for an instance backup.

To troubleshoot Windows Sysprep, see Troubleshoot Sysprep issues with Amazon EC2 Windows instances.

Windows Sysprep phases

Windows Sysprep runs through the following phases:

  • Generalize: The Sysprep tool removes image-specific information and configurations. For example, Windows Sysprep removes the security identifier (SID), the computer name, the event logs, and specific drivers, to name a few. After this phase is completed, the operating system (OS) is ready to create an AMI.

    Note

    When you run Windows Sysprep with the Windows launch agents, the system prevents drivers from being removed because PersistAllDeviceInstalls is set to true by default.

  • Specialize: Plug and Play scans the computer and installs drivers for any detected devices. The Sysprep tool generates OS requirements, like the computer name and SID. Optionally, you can run commands in this phase.

  • Out-of-Box Experience (OOBE): The system runs an abbreviated version of Windows Setup and asks you to enter information such as system language, time zone, and registered organization. When you run Windows Sysprep with Windows launch agents, the answer file automates this phase.

Before you begin

  • Before performing Windows Sysprep, we recommend that you remove all local user accounts and all account profiles other than a single administrator account under which Windows Sysprep will be run. If you perform Windows Sysprep with additional accounts and profiles, unexpected behavior could result, including loss of profile data or failure to complete Windows Sysprep.

  • For background on the tool itself, see Sysprep Overview in the Microsoft documentation.

  • To confirm that every role installed on the instance can be generalized, see Sysprep Support for Server Roles in the Microsoft documentation.
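The first item above asks you to leave only one administrator account and profile on the instance before generalizing. The following PowerShell script is an added example, not part of the AWS page or of any launch agent; it removes every other local account and profile. It assumes it is run elevated from the account named in -KeepAccount on Windows Server 2016 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets), and -DryRun is a parameter introduced here so you can preview the deletions first.

```powershell
# Added example (not from the AWS page): remove every local user account and
# user profile except the single administrator account that will run Sysprep.
# Assumptions: run elevated as the account named in $KeepAccount; the
# Microsoft.PowerShell.LocalAccounts module (Windows Server 2016+) is present.
param(
    [string]$KeepAccount = 'Administrator',
    [switch]$DryRun
)

# Built-in accounts that must never be deleted (they are disabled by default).
$builtIn = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

# 1. Remove local user accounts other than the one we keep and the built-ins.
Get-LocalUser |
    Where-Object { $_.Name -ne $KeepAccount -and $builtIn -notcontains $_.Name } |
    ForEach-Object {
        Write-Host "Removing local user $($_.Name)"
        Remove-LocalUser -Name $_.Name -WhatIf:$DryRun
    }

# 2. Remove user profiles (registry entry plus C:\Users\<name>) other than the
#    kept account. Special profiles (SYSTEM, LocalService, NetworkService) and
#    any profile that is currently loaded are skipped; the kept account's own
#    profile is loaded because this script runs from it.
$keepSid = (Get-LocalUser -Name $KeepAccount).SID.Value
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded -and $_.SID -ne $keepSid } |
    ForEach-Object {
        Write-Host "Removing profile $($_.LocalPath) ($($_.SID))"
        Remove-CimInstance -InputObject $_ -WhatIf:$DryRun
    }

# 3. Report what is left so the state can be confirmed before running Sysprep.
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    Select-Object LocalPath, SID, Loaded
```

Run it once with -DryRun to see what would be removed; the final listing should show only the kept account's profile (and domain profiles you intend to drop should no longer appear) before you proceed with Windows Sysprep.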

Use Windows Sysprep with a launch agent

You can use Windows Sysprep to create a standardized Amazon Machine Image (AMI) when you start with an AMI that has one of the Windows launch agents installed.

This section contains details about the tasks performed by the EC2Launch v2 service as the image is prepared. It also includes the steps to create a standardized AMI using Windows Sysprep with the EC2Launch v2 service.

Windows Sysprep actions

Windows Sysprep and EC2Launch v2 perform the following actions when preparing an image.

  1. When you choose Shutdown with Sysprep in the EC2Launch settings dialog box, the system runs the ec2launch sysprep command.

  2. EC2Launch v2 edits the content of the unattend.xml file by reading the registry value at HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName. This file is located in the following directory: C:\ProgramData\Amazon\EC2Launch\sysprep.

  3. The system runs BeforeSysprep.cmd. This batch file adds the following registry value:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

    Setting fDenyTSConnections to 1 disables RDP connections until the value is reset to 0 in the specialize phase. Disabling RDP connections is a necessary security measure because, during the first boot session after Windows Sysprep has run, there is a short period in which RDP would otherwise accept connections while the Administrator password is blank.

  4. The EC2Launch v2 service calls Windows Sysprep by running the following command:

    sysprep.exe /oobe /generalize /shutdown /unattend: "C:\ProgramData\Amazon\EC2Launch\sysprep\unattend.xml"

Generalize phase

  • EC2Launch v2 removes image-specific information and configurations, such as the computer name and the SID. If the instance is a member of a domain, it is removed from the domain. The unattend.xml answer file includes the following settings that affect this phase:

    • PersistAllDeviceInstalls: This setting prevents Windows Setup from removing and reconfiguring devices, which speeds up the image preparation process because Amazon AMIs require certain drivers to run and re-detection of those drivers would take time.

    • DoNotCleanUpNonPresentDevices: This setting retains Plug and Play information for devices that are not currently present.

  • Windows Sysprep shuts down the OS as it prepares to create the AMI. The system either launches a new instance or starts the original instance.

Specialize phase

The system generates OS-specific requirements, such as a computer name and an SID. The system also performs the following actions based on configurations that you specify in the unattend.xml answer file.

  • CopyProfile: Windows Sysprep can be configured to delete all user profiles, including the built-in Administrator profile. This setting retains the built-in Administrator account so that any customizations you make to that account are carried over to the new image. The default value is True.

    CopyProfile replaces the default profile with the existing local administrator profile. All accounts that you log in to after running Windows Sysprep receive a copy of that profile and its contents at first login.

    If you don’t have specific user-profile customizations that you want to carry over to the new image, then change this setting to False. Windows Sysprep will remove all user profiles (this saves time and disk space).

  • TimeZone: The time zone is set to Coordinated Universal Time (UTC) by default.

  • Synchronous command with order 1: The system runs the following command, which enables the administrator account and specifies the password requirement:

    net user Administrator /ACTIVE:YES /LOGONPASSWORDCHG:NO /EXPIRES:NEVER /PASSWORDREQ:YES

  • Synchronous command with order 2: The system scrambles the administrator password. This security measure is designed to prevent the instance from being accessible after Windows Sysprep completes if you did not configure the setAdminAccount task.

    The system runs the following command from your local launch agent directory (C:\Program Files\Amazon\EC2Launch\).

    EC2Launch.exe internal randomize-password --username Administrator

  • To re-enable Remote Desktop connections, the system sets the Terminal Server fDenyTSConnections registry value back to 0.

OOBE phase

  1. The system specifies the following configurations using the EC2Launch v2 answer file:

    • <InputLocale>en-US</InputLocale>

    • <SystemLocale>en-US</SystemLocale>

    • <UILanguage>en-US</UILanguage>

    • <UserLocale>en-US</UserLocale>

    • <HideEULAPage>true</HideEULAPage>

    • <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>

    • <ProtectYourPC>3</ProtectYourPC>

    • <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>

    • <TimeZone>UTC</TimeZone>

    • <RegisteredOrganization>Amazon.com</RegisteredOrganization>

    • <RegisteredOwner>EC2</RegisteredOwner>

    Note

    During the generalize and specialize phases, EC2Launch v2 monitors the status of the OS. If EC2Launch v2 detects that the OS is in a Sysprep phase, then it publishes the following message to the system log:

    Windows is being configured. SysprepState=IMAGE_STATE_UNDEPLOYABLE

  2. The system runs EC2Launch v2.
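The generalize, specialize, and OOBE behavior described above is driven entirely by the answer file, so it is worth reading that file before you generalize. The following PowerShell script is an added example, not code from the AWS page or from EC2Launch v2; it parses the answer file by settings pass, prints the values named in the three phases (PersistAllDeviceInstalls, CopyProfile, TimeZone, the locale settings), lists the RunSynchronous commands, and warns if the file contains an AdministratorPassword or AutoLogon element, because a credential there is baked into every AMI built from the image. It assumes the EC2Launch v2 default path for unattend.xml and the standard Windows unattend XML namespace.

```powershell
# Added example (not part of the AWS page or the EC2Launch v2 agent): report the
# settings in the Sysprep answer file that the phases above depend on, and flag
# anything that would leave a credential in the image. Assumes the EC2Launch v2
# default path; pass -Path to audit a different answer file.
param(
    [string]$Path = 'C:\ProgramData\Amazon\EC2Launch\sysprep\unattend.xml'
)

$ns  = @{ u = 'urn:schemas-microsoft-com:unattend' }   # Windows unattend schema namespace
$xml = [xml](Get-Content -Path $Path -Raw)

# Settings worth reading before you generalize: driver persistence, profile
# copying, locale/time zone, and the OOBE answers.
$watch = 'PersistAllDeviceInstalls', 'DoNotCleanUpNonPresentDevices', 'CopyProfile',
         'TimeZone', 'InputLocale', 'SystemLocale', 'UILanguage', 'UserLocale',
         'HideEULAPage', 'ProtectYourPC', 'RegisteredOrganization', 'RegisteredOwner'

foreach ($settings in (Select-Xml -Xml $xml -XPath '/u:unattend/u:settings' -Namespace $ns).Node) {
    "`n== pass: $($settings.GetAttribute('pass')) =="
    foreach ($component in $settings.SelectNodes('u:component', $settings.OwnerDocument.NameTable | ForEach-Object {
            $m = New-Object System.Xml.XmlNamespaceManager($_); $m.AddNamespace('u', $ns.u); $m })) {
        foreach ($child in $component.ChildNodes) {
            if ($watch -contains $child.LocalName) {
                '{0,-34} {1,-30} = {2}' -f $component.GetAttribute('name'), $child.LocalName, $child.InnerText
            }
        }
    }
}

# RunSynchronous commands: the "order 1" / "order 2" entries of the specialize phase.
"`n== RunSynchronousCommand entries =="
Select-Xml -Xml $xml -XPath '//u:RunSynchronousCommand' -Namespace $ns |
    ForEach-Object { '{0,3}: {1}' -f $_.Node.Order, $_.Node.Path }

# Security check: a plaintext AdministratorPassword or AutoLogon block in the
# answer file is carried into every AMI built from this image.
$secrets = Select-Xml -Xml $xml -XPath '//u:AdministratorPassword | //u:AutoLogon' -Namespace $ns
if ($secrets) {
    $names = ($secrets | ForEach-Object { $_.Node.LocalName } | Sort-Object -Unique) -join ', '
    Write-Warning "Answer file contains credential elements: $names. Remove them before creating the AMI."
} else {
    "`nNo AdministratorPassword or AutoLogon elements found."
}
```

With the default EC2Launch v2 answer file you should see PersistAllDeviceInstalls and DoNotCleanUpNonPresentDevices under the generalize pass, CopyProfile and TimeZone under specialize with the two RunSynchronous entries, the en-US locale settings under oobeSystem, and no credential warning. If you chose to set a password through the answer file instead of a launch-agent task, expect the warning and plan to remove that element once the image is built.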

Post Sysprep

After Windows Sysprep completes, EC2Launch v2 sends the following message to the console output:

Windows sysprep configuration complete.

EC2Launch v2 then performs the following actions:

  1. Reads the content of the agent-config.yml file and runs configured tasks.

  2. Executes all tasks in the preReady stage.

  3. After it is finished, sends a Windows is ready message to the instance system logs.

  4. Executes all tasks in the PostReady stage.

For more information about EC2Launch v2, see Use the EC2Launch v2 agent to perform tasks during EC2 Windows instance launch.

Run Windows Sysprep with EC2Launch v2

Use the following procedure to create a standardized AMI using Windows Sysprep with EC2Launch v2.

  1. In the Amazon EC2 console, locate an AMI that you want to duplicate.

  2. Launch and connect to your Windows instance.

  3. Customize it.

  4. From the Windows Start menu, search for and choose Amazon EC2Launch settings. For more information about the options and settings in the Amazon EC2Launch settings dialog box, see Configure EC2Launch v2 settings for Windows instances.

  5. Select Shutdown with Sysprep or Shutdown without Sysprep.

When you are asked to confirm that you want to run Windows Sysprep and shut down the instance, click Yes. EC2Launch v2 runs Windows Sysprep. Next, you are logged off the instance, and the instance shuts down. If you check the Instances page in the Amazon EC2 console, the instance state changes from Running to Stopping to Stopped. At this point, it's safe to create an AMI from this instance.

You can manually invoke the Windows Sysprep tool from the command line using the following command:

"%programfiles%\amazon\ec2launch\ec2launch.exe" sysprep --shutdown=true
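The procedure ends when the instance reaches the Stopped state and it is safe to create the AMI. The following PowerShell script is an added example, not part of the AWS page or of EC2Launch v2; it runs from an administrator's workstation after the ec2launch sysprep command above has been issued on the instance, waits for the Stopped state, and only then registers and tags the AMI. It assumes the AWS CLI v2 is installed and configured with credentials permitted to call ec2:DescribeInstances, ec2:CreateImage and ec2:DescribeImages; the instance ID and image name are parameters you supply.

```powershell
# Added example (not from the AWS page): after the instance has been shut down with
# Sysprep, wait for the Stopped state and register an AMI from it. Assumes the AWS
# CLI v2 is installed and configured with credentials that allow ec2:DescribeInstances,
# ec2:CreateImage and ec2:DescribeImages. -InstanceId and -ImageName are supplied by you.
param(
    [Parameter(Mandatory)] [string]$InstanceId,
    [string]$ImageName = "golden-windows-$(Get-Date -Format yyyyMMdd-HHmm)"
)

$ErrorActionPreference = 'Stop'

# 1. Never image an instance that is still running: Sysprep's shutdown must have
#    completed, or the AMI captures a disk that was not generalized.
aws ec2 wait instance-stopped --instance-ids $InstanceId
$state = aws ec2 describe-instances --instance-ids $InstanceId `
    --query 'Reservations[0].Instances[0].State.Name' --output text
if ($state -ne 'stopped') { throw "Instance $InstanceId is '$state', not stopped; aborting." }

# 2. Create the AMI and tag it with the source instance so provenance is traceable.
$imageId = aws ec2 create-image --instance-id $InstanceId --name $ImageName `
    --description "Sysprep-generalized from $InstanceId" `
    --tag-specifications "ResourceType=image,Tags=[{Key=SourceInstance,Value=$InstanceId}]" `
    --query 'ImageId' --output text
"Created $imageId; waiting for it to become available..."

# 3. Block until the image is usable, then show its state.
aws ec2 wait image-available --image-ids $imageId
aws ec2 describe-images --image-ids $imageId `
    --query 'Images[0].{Id:ImageId,Name:Name,State:State,Platform:PlatformDetails}' --output table
```

Waiting for the Stopped state is the step that matters: EC2Launch v2 logs you off and shuts the instance down as part of the sysprep command, and creating the image before that shutdown finishes defeats the generalization the rest of this page describes.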

EC2Launch

EC2Launch offers a default answer file and batch files for Windows Sysprep that automate and secure the image-preparation process on your AMI. Modifying these files is optional. These files are located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep.

Important

Do not use Windows Sysprep to create an instance backup. Windows Sysprep removes system-specific information. If you remove this information there might be unintended consequences for an instance backup.

EC2Launch answer and batch files for Windows Sysprep

The EC2Launch answer file and batch files for Windows Sysprep include the following:

Unattend.xml

This is the default answer file. If you run SysprepInstance.ps1 or choose ShutdownWithSysprep in the user interface, the system reads the setting from this file.

BeforeSysprep.cmd

Customize this batch file to run commands before EC2Launch runs Windows Sysprep.

SysprepSpecialize.cmd

Customize this batch file to run commands during the Windows Sysprep specialize phase.

Run Windows Sysprep with EC2Launch

On the full installation of Windows Server 2016 and later (with a desktop experience), you can run Windows Sysprep with EC2Launch manually or by using the EC2 Launch Settings application.

To run Windows Sysprep using the EC2Launch Settings application

  1. In the Amazon EC2 console, locate or create a Windows Server 2016 or later AMI.

  2. Launch a Windows instance from the AMI.

  3. Connect to your Windows instance and customize it.

  4. Search for and run the EC2LaunchSettings application. It is located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Settings.

  5. Select or clear options as needed. These settings are stored in the LaunchConfig.json file.

  6. For Administrator Password, do one of the following:

    • Choose Random. EC2Launch generates a password and encrypts it using the user's key. The system disables this setting after the instance is launched so that this password persists if the instance is rebooted or stopped and started.

    • Choose Specify and type a password that meets the system requirements. The password is stored in LaunchConfig.json as clear text and is deleted after Windows Sysprep sets the administrator password. If you shut down now, the password is set immediately. EC2Launch encrypts the password using the user's key.

    • Choose DoNothing and specify a password in the unattend.xml file. If you don't specify a password in unattend.xml, the administrator account is disabled.

  7. Choose Shutdown with Sysprep.

To manually run Windows Sysprep using EC2Launch

  1. In the Amazon EC2 console locate or create a Windows Server 2016 or later Datacenter edition AMI that you want to duplicate.

  2. Launch and connect to your Windows instance.

  3. Customize the instance.

  4. Specify settings in the LaunchConfig.json file. This file is located in the C:\ProgramData\Amazon\EC2-Windows\Launch\Config directory by default.

    For adminPasswordType, specify one of the following values:

    Random

    EC2Launch generates a password and encrypts it using the user's key. The system disables this setting after the instance is launched so that this password persists if the instance is rebooted or stopped and started.

    Specify

    EC2Launch uses the password you specify in adminPassword. If the password does not meet the system requirements, EC2Launch generates a random password instead. The password is stored in LaunchConfig.json as clear text and is deleted after Windows Sysprep sets the administrator password. EC2Launch encrypts the password using the user's key.

    DoNothing

    EC2Launch uses the password you specify in the unattend.xml file. If you don't specify a password in unattend.xml, the administrator account is disabled.

  5. (Optional) Specify settings in unattend.xml and other configuration files. If you plan to attend the installation, you don't need to change these files. The files are located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep.

  6. In Windows PowerShell, run ./InitializeInstance.ps1 -Schedule. The script is located in the following directory, by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts. This script schedules the instance to initialize during the next boot. You must run this script before you run the SysprepInstance.ps1 script in the next step.

  7. In Windows PowerShell, run ./SysprepInstance.ps1. The script is located in the following directory by default: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts.

You are logged off the instance and the instance shuts down. If you check the Instances page in the Amazon EC2 console, the instance state changes from Running to Stopping, and then to Stopped. At this point, it is safe to create an AMI from this instance.
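Steps 4, 6 and 7 of the manual procedure can be carried out in one elevated PowerShell session on the instance. The following script is an added example, not part of the AWS page or of the EC2Launch agent; it sets adminPasswordType (and adminPassword only for Specify) in LaunchConfig.json, preserves the rest of the file, warns about the clear-text and disabled-account caveats the procedure describes, and then runs InitializeInstance.ps1 -Schedule followed by SysprepInstance.ps1 in the required order. It assumes the default EC2Launch (v1) directories.

```powershell
# Added example (not from the AWS page or the EC2Launch agent): set the Administrator
# password mode in LaunchConfig.json, then run the two EC2Launch scripts in the order
# the procedure requires. Assumes the default EC2Launch (v1) directories and that this
# runs elevated on the instance being imaged.
param(
    [ValidateSet('Random', 'Specify', 'DoNothing')]
    [string]$AdminPasswordType = 'Random',
    [string]$AdminPassword = ''
)

$ErrorActionPreference = 'Stop'
$launchDir  = 'C:\ProgramData\Amazon\EC2-Windows\Launch'
$configPath = Join-Path $launchDir 'Config\LaunchConfig.json'
$scriptDir  = Join-Path $launchDir 'Scripts'

# 1. Update adminPasswordType and adminPassword; every other key is left as found.
$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json
$config | Add-Member -NotePropertyName adminPasswordType -NotePropertyValue $AdminPasswordType -Force

if ($AdminPasswordType -eq 'Specify') {
    if (-not $AdminPassword) { throw 'Specify requires -AdminPassword.' }
    # Caveat from the procedure: this value sits in LaunchConfig.json in clear text
    # until Sysprep sets the password. Do not snapshot the volume before that happens.
    $config | Add-Member -NotePropertyName adminPassword -NotePropertyValue $AdminPassword -Force
} else {
    $config | Add-Member -NotePropertyName adminPassword -NotePropertyValue '' -Force
}

# Write UTF-8 without a byte-order mark so the file stays plain JSON.
$json = $config | ConvertTo-Json
[System.IO.File]::WriteAllText($configPath, $json, [System.Text.UTF8Encoding]::new($false))
"LaunchConfig.json now has adminPasswordType=$AdminPasswordType"

if ($AdminPasswordType -eq 'DoNothing') {
    Write-Warning 'DoNothing: unless unattend.xml sets a password, the Administrator account is disabled in the new AMI.'
}

# 2. Schedule initialization for the next boot, then generalize and shut down.
#    InitializeInstance.ps1 -Schedule must run before SysprepInstance.ps1.
& (Join-Path $scriptDir 'InitializeInstance.ps1') -Schedule
& (Join-Path $scriptDir 'SysprepInstance.ps1')
```

Random is the safe default: the generated password is encrypted with the key pair and retrieved through the console, so nothing secret is written to the image. Use Specify only when you must, and remember that the session ends as soon as SysprepInstance.ps1 runs, so check the JSON edit before that last line executes.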

Update metadata/KMS routes for Server 2016 and later when launching a custom AMI

To update metadata/KMS routes for Server 2016 and later when launching a custom AMI, do one of the following:

  • Run the EC2LaunchSettings GUI (C:\ProgramData\Amazon\EC2-Windows\Launch\Settings\Ec2LaunchSettings.exe) and select the option to shut down with Windows Sysprep.

  • Run EC2LaunchSettings and shut down without Windows Sysprep before creating the AMI. This sets the EC2 Launch Initialize tasks to run at the next boot, which will set routes based on the subnet for the instance.

  • Manually reschedule EC2 Launch initialize tasks before creating an AMI from PowerShell.

    Important

    Take note of the default password reset behavior before rescheduling tasks.

  • To update the routes on a running instance that is experiencing Windows activation or communication with instance metadata failures, see "Unable to activate Windows".

EC2Config

This section contains details about the tasks performed by the EC2Config service as the image is prepared. It also includes the steps to create a standardized AMI using Windows Sysprep with the EC2Config service.

Windows Sysprep actions

Windows Sysprep and the EC2Config service perform the following actions when preparing an image.

  1. When you choose Shutdown with Sysprep in the EC2 Service Properties dialog box, the system runs the ec2config.exe -sysprep command.

  2. The EC2Config service reads the content of the BundleConfig.xml file. This file is located in the following directory, by default: C:\Program Files\Amazon\Ec2ConfigService\Settings.

    The BundleConfig.xml file includes the following settings. You can change these settings:

    • AutoSysprep: Indicates whether to use Windows Sysprep automatically. You do not need to change this value if you are running Windows Sysprep from the EC2 Service Properties dialog box. The default value is No.

    • SetRDPCertificate: Sets a self-signed certificate for the Remote Desktop server. This enables you to securely use the Remote Desktop Protocol (RDP) to connect to the instance. Change the value to Yes if new instances should use a certificate. This setting is not used with Windows Server 2012 instances because these operating systems can generate their own certificates. The default value is No.

    • SetPasswordAfterSysprep: Sets a random password on a newly launched instance, encrypts it with the user launch key, and outputs the encrypted password to the console. Change the value to No if new instances should not be set to a random encrypted password. The default value is Yes.

    • PreSysprepRunCmd: The location of the command to run. The command is located in the following directory, by default: C:\Program Files\Amazon\Ec2ConfigService\Scripts\BeforeSysprep.cmd

  3. The system runs BeforeSysprep.cmd. This command creates a registry key as follows:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

    The registry key disables RDP connections until they are re-enabled. Disabling RDP connections is a necessary security measure because, during the first boot session after Windows Sysprep has run, there is a short period of time where RDP allows connections and the Administrator password is blank.

  4. The EC2Config service calls Windows Sysprep by running the following command:

    sysprep.exe /unattend: "C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml" /oobe /generalize /shutdown

Generalize phase

  • The tool removes image-specific information and configurations such as the computer name and the SID. If the instance is a member of a domain, it is removed from the domain. The sysprep2008.xml answer file includes the following settings that affect this phase:

    • PersistAllDeviceInstalls: This setting prevents Windows Setup from removing and reconfiguring devices, which speeds up the image preparation process because Amazon AMIs require certain drivers to run and re-detection of those drivers would take time.

    • DoNotCleanUpNonPresentDevices: This setting retains Plug and Play information for devices that are not currently present.

  • Windows Sysprep shuts down the OS as it prepares to create the AMI. The system either launches a new instance or starts the original instance.

Specialize phase

The system generates OS specific requirements such as a computer name and a SID. The system also performs the following actions based on configurations that you specify in the sysprep2008.xml answer file.

  • CopyProfile: Windows Sysprep can be configured to delete all user profiles, including the built-in Administrator profile. This setting retains the built-in Administrator account so that any customizations you made to that account are carried over to the new image. The default value is True.

    CopyProfile replaces the default profile with the existing local administrator profile. All accounts logged into after running Windows Sysprep will receive a copy of that profile and its contents at first login.

    If you don’t have specific user-profile customizations that you want to carry over to the new image then change this setting to False. Windows Sysprep will remove all user profiles; this saves time and disk space.

  • TimeZone: The time zone is set to Coordinated Universal Time (UTC) by default.

  • Synchronous command with order 1: The system runs the following command that enables the administrator account and specifies the password requirement.

    net user Administrator /ACTIVE:YES /LOGONPASSWORDCHG:NO /EXPIRES:NEVER /PASSWORDREQ:YES

  • Synchronous command with order 2: The system scrambles the administrator password. This security measure is designed to prevent the instance from being accessible after Windows Sysprep completes if you did not enable the ec2setpassword setting.

    "C:\Program Files\Amazon\Ec2ConfigService\ScramblePassword.exe" -u Administrator

  • Synchronous command with order 3: The system runs the following command:

    "C:\Program Files\Amazon\Ec2ConfigService\Scripts\SysprepSpecializePhase.cmd"

    This command adds the following registry key, which re-enables RDP:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

OOBE phase

  1. Using the EC2Config service answer file, the system specifies the following configurations:

    • <InputLocale>en-US</InputLocale>

    • <SystemLocale>en-US</SystemLocale>

    • <UILanguage>en-US</UILanguage>

    • <UserLocale>en-US</UserLocale>

    • <HideEULAPage>true</HideEULAPage>

    • <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>

    • <NetworkLocation>Other</NetworkLocation>

    • <ProtectYourPC>3</ProtectYourPC>

    • <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>

    • <TimeZone>UTC</TimeZone>

    • <RegisteredOrganization>Amazon.com</RegisteredOrganization>

    • <RegisteredOwner>Amazon</RegisteredOwner>

    Note

    During the generalize and specialize phases the EC2Config service monitors the status of the OS. If EC2Config detects that the OS is in a Sysprep phase, then it publishes the following message to the system log:

    EC2ConfigMonitorState: 0 Windows is being configured. SysprepState=IMAGE_STATE_UNDEPLOYABLE

  2. After the OOBE phase completes, the system runs SetupComplete.cmd from the following location: C:\Windows\Setup\Scripts\SetupComplete.cmd. In Amazon public AMIs before April 2015 this file was empty and ran nothing on the image. In public AMIs dated after April 2015, the file includes the following value: call "C:\Program Files\Amazon\Ec2ConfigService\Scripts\PostSysprep.cmd".

  3. The system runs PostSysprep.cmd, which performs the following operations:

    • Sets the local Administrator password to not expire. If the password expired, Administrators might not be able to log on.

    • Sets the MSSQLServer machine name (if installed) so that the name will be in sync with the AMI.

Post Sysprep

After Windows Sysprep completes, the EC2Config service sends the following message to the console output:

Windows sysprep configuration complete.
Message: Sysprep Start
Message: Sysprep End

EC2Config then performs the following actions:

  1. Reads the content of the config.xml file and lists all enabled plug-ins.

  2. Executes all “Before Windows is ready” plug-ins at the same time.

    • Ec2SetPassword

    • Ec2SetComputerName

    • Ec2InitializeDrives

    • Ec2EventLog

    • Ec2ConfigureRDP

    • Ec2OutputRDPCert

    • Ec2SetDriveLetter

    • Ec2WindowsActivate

    • Ec2DynamicBootVolumeSize

  3. After it is finished, sends a “Windows is ready” message to the instance system logs.

  4. Runs all “After Windows is ready” plug-ins at the same time.

    • Amazon CloudWatch Logs

    • UserData

    • AWS Systems Manager (Systems Manager)

For more information about Windows plug-ins, see Use the EC2Config service to perform tasks during EC2 legacy Windows operating system instance launch.

Run Windows Sysprep with the EC2Config service

Use the following procedure to create a standardized AMI using Windows Sysprep and the EC2Config service.

  1. In the Amazon EC2 console, locate or create an AMI that you want to duplicate.

  2. Launch and connect to your Windows instance.

  3. Customize it.

  4. Specify configuration settings in the EC2Config service answer file:

    C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml

  5. From the Windows Start menu, choose All Programs, and then choose EC2ConfigService Settings.

  6. Choose the Image tab in the Ec2 Service Properties dialog box. For more information about the options and settings in the Ec2 Service Properties dialog box, see Ec2 Service Properties.

  7. Select an option for the Administrator password, and then select Shutdown with Sysprep or Shutdown without Sysprep. EC2Config edits the settings files based on the password option that you selected.

    • Random: EC2Config generates a password, encrypts it with user's key, and displays the encrypted password to the console. We disable this setting after the first launch so that this password persists if the instance is rebooted or stopped and started.

    • Specify: The password is stored in the Windows Sysprep answer file in unencrypted form (clear text). When Windows Sysprep runs next, it sets the Administrator password. If you shut down now, the password is set immediately. When the service starts again, the Administrator password is removed. It's important to remember this password, as you can't retrieve it later.

    • Keep Existing: The existing password for the Administrator account doesn't change when Windows Sysprep is run or EC2Config is restarted. It's important to remember this password, as you can't retrieve it later.

  8. Choose OK.

When you are asked to confirm that you want to run Windows Sysprep and shut down the instance, click Yes. You'll notice that EC2Config runs Windows Sysprep. Next, you are logged off the instance, and the instance is shut down. If you check the Instances page in the Amazon EC2 console, the instance state changes from Running to Stopping, and then finally to Stopped. At this point, it's safe to create an AMI from this instance.

You can manually invoke the Windows Sysprep tool from the command line using the following command:

"%programfiles%\amazon\ec2configservice\ec2config.exe" -sysprep

Note

The double quotation marks in the command are not required if your CMD shell is already in the C:\Program Files\Amazon\EC2ConfigService\ directory.

However, you must be very careful that the XML file options specified in the Ec2ConfigService\Settings folder are correct; otherwise, you might not be able to connect to the instance. For more information about the settings files, see EC2Config settings files. For an example of configuring and then running Windows Sysprep from the command line, see Ec2ConfigService\Scripts\InstallUpdates.ps1.
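The warning above is the practical risk of the command-line path: the specialize phase scrambles the Administrator password, so if nothing in the EC2Config settings files arranges for a new password to be set and published, instances launched from the AMI cannot be logged on to. The following PowerShell script is an added example, not part of the AWS page or of the EC2Config service; it reads the settings this page names from BundleConfig.xml and Config.xml, warns when neither SetPasswordAfterSysprep nor the Ec2SetPassword plug-in is enabled, and only invokes ec2config.exe -sysprep when you pass -Run. It assumes the default install directory and that BundleConfig.xml lists settings as Property elements with Name and Value children and Config.xml lists plug-ins as Plugin elements with Name and State children; verify that layout against your own files before relying on the script.

```powershell
# Added example (not from the AWS page or the EC2Config service): confirm the
# settings that decide whether you can log on to instances launched from the new
# AMI, then invoke Windows Sysprep through EC2Config. Assumes the default install
# directory and the Property/Name/Value (BundleConfig.xml) and Plugin/Name/State
# (Config.xml) element layout; check both files if your layout differs.
param([switch]$Run)

$ErrorActionPreference = 'Stop'
$svcDir = 'C:\Program Files\Amazon\Ec2ConfigService'
$bundle = [xml](Get-Content -Path (Join-Path $svcDir 'Settings\BundleConfig.xml') -Raw)
$config = [xml](Get-Content -Path (Join-Path $svcDir 'Settings\Config.xml') -Raw)

# BundleConfig.xml: <Property><Name>..</Name><Value>..</Value></Property>
function Get-BundleSetting([string]$Name) {
    $node = $bundle.SelectSingleNode("//Property[Name='$Name']/Value")
    if ($node) { $node.InnerText } else { '(missing)' }
}
# Config.xml: <Plugin><Name>..</Name><State>Enabled|Disabled</State></Plugin>
function Get-PluginState([string]$Name) {
    $node = $config.SelectSingleNode("//Plugin[Name='$Name']/State")
    if ($node) { $node.InnerText } else { '(missing)' }
}

$setPassword = Get-BundleSetting 'SetPasswordAfterSysprep'
$pluginState = Get-PluginState  'Ec2SetPassword'
"SetPasswordAfterSysprep = $setPassword"
"Ec2SetPassword plugin   = $pluginState"
"AutoSysprep             = $(Get-BundleSetting 'AutoSysprep')"
"SetRDPCertificate       = $(Get-BundleSetting 'SetRDPCertificate')"

# The specialize phase scrambles the Administrator password. If nothing sets and
# publishes a new one at first boot, you will not be able to connect to instances
# launched from this AMI.
if ($setPassword -ne 'Yes' -and $pluginState -ne 'Enabled') {
    Write-Warning 'Neither SetPasswordAfterSysprep nor the Ec2SetPassword plug-in is enabled; confirm how the Administrator password will be set before imaging.'
}

if ($Run) {
    Write-Host 'Running Windows Sysprep through EC2Config; this session will be logged off.'
    & (Join-Path $svcDir 'ec2config.exe') -sysprep
} else {
    'Settings reviewed. Re-run with -Run to execute ec2config.exe -sysprep.'
}
```

Run it without -Run first and compare the printed values with the password option you intended to select on the Image tab; a mismatch here is the kind of settings error the note above warns about, and it is far cheaper to catch before the instance shuts down than after the AMI is launched.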