AWS Cloud Operations & Migrations Blog

Windows AMI Patching and Maintenance with Amazon EC2 Systems Manager

The Automation service, which is part of Amazon EC2 Systems Manager, saves the time and effort associated with routine management operations. Automation workflows are streamlined, repeatable, and auditable. For example, you can automate manual tasks such as golden image creation, baking applications into Amazon Machine Images (AMIs), or patching and updating agents.

In a recent post on the AWS Blog (Streamline AMI Maintenance and Patching Using Amazon EC2 Systems Manager), AWS announced the availability of the first public Document for Automation: AWS-UpdateLinuxAmi. This Document streamlines patching for Linux AMIs, allowing you to get started quickly with a predefined Automation workflow managed by AWS.

Today, AWS announces the availability of the Windows equivalent: AWS-UpdateWindowsAmi. The AWS-UpdateWindowsAmi Document is a great fit for building a hardened AMI from the monthly Windows AMI release, applying Windows patches and AWS agent updates to your proprietary Windows AMI, or baking applications into a golden Windows AMI as part of your CI/CD pipeline. You can also use your own custom AMIs as the source, producing images that meet organizational IT policies. Documents let you centrally create, manage, and share the code for IT Ops and management tasks that Systems Manager performs on your managed infrastructure.

The AWS-UpdateWindowsAmi Document automates the following workflow:

  1. Launch a temporary EC2 instance from a source Windows AMI.
  2. Perform Operating System compatibility checks.
  3. (Optional) Invoke a user-provided, pre-update hook script.
  4. Update EC2Config or EC2Launch (determined by the version of Windows launched in step 1).
  5. Update the SSM Agent.
  6. Update the AWS PV driver.
  7. Install Windows updates.
  8. (Optional) Invoke a user-provided, post-update hook script on the instance.
  9. Run Sysprep /generalize.
  10. Stop the temporary instance.
  11. Create a new AMI from the stopped instance.
  12. Terminate the instance.


If you haven’t used Automation before, you must configure IAM roles and permissions. This CloudFormation template completes the required prerequisite actions. After logging on to your AWS account, choose Launch Stack. The template:

  • Creates a service role for Automation.
  • Grants PassRole permission to authorize a user to provide the service role.
  • Creates an instance role to enable instance management under Systems Manager.
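The three prerequisites above can also be created with the SDK instead of the CloudFormation template. The following is an added example, not the template from the post: it creates the Automation service role, the instance role and profile, and grants iam:PassRole scoped to exactly those two roles rather than to a wildcard, which is the point a security reviewer checks first. Role and policy names are assumptions; the managed policy ARNs are AWS's published ones.

```python
"""IAM prerequisites for Automation, created with boto3 instead of the
CloudFormation template. Added example; role and policy names are assumed.
"""
import json

AUTOMATION_ROLE = "AutomationServiceRole"      # assumed role name
INSTANCE_ROLE = "ManagedInstanceRole"          # assumed role/profile name
AUTOMATION_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
INSTANCE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def trust_policy(service):
    """Trust policy that lets a single AWS service principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
        }],
    }


def passrole_policy(role_arns):
    """iam:PassRole limited to the named roles.

    A wildcard here lets the holder hand any role in the account to EC2 or
    SSM, which is a privilege-escalation path, so it is rejected outright.
    """
    if not role_arns or any("*" in arn for arn in role_arns):
        raise ValueError("PassRole must list specific role ARNs, never '*'")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": sorted(role_arns),
        }],
    }


def create_prerequisites(operator_user):
    """Create the service role, the instance role/profile and the PassRole
    grants. Needs IAM write permissions; not exercised by the tests."""
    import boto3  # imported here so the pure helpers above need no SDK
    iam = boto3.client("iam")

    svc_arn = iam.create_role(
        RoleName=AUTOMATION_ROLE,
        AssumeRolePolicyDocument=json.dumps(trust_policy("ssm.amazonaws.com")),
    )["Role"]["Arn"]
    iam.attach_role_policy(RoleName=AUTOMATION_ROLE, PolicyArn=AUTOMATION_POLICY)

    inst_arn = iam.create_role(
        RoleName=INSTANCE_ROLE,
        AssumeRolePolicyDocument=json.dumps(trust_policy("ec2.amazonaws.com")),
    )["Role"]["Arn"]
    iam.attach_role_policy(RoleName=INSTANCE_ROLE, PolicyArn=INSTANCE_POLICY)
    # aws:runInstances attaches an instance profile, not a bare role.
    iam.create_instance_profile(InstanceProfileName=INSTANCE_ROLE)
    iam.add_role_to_instance_profile(
        InstanceProfileName=INSTANCE_ROLE, RoleName=INSTANCE_ROLE)

    # The service role passes the instance role to EC2 when it launches the
    # temporary instance; the operator passes the service role to Automation.
    iam.put_role_policy(
        RoleName=AUTOMATION_ROLE, PolicyName="PassInstanceRole",
        PolicyDocument=json.dumps(passrole_policy([inst_arn])))
    iam.put_user_policy(
        UserName=operator_user, PolicyName="PassAutomationRole",
        PolicyDocument=json.dumps(passrole_policy([svc_arn])))
    return {"AutomationAssumeRole": svc_arn, "InstanceIamRole": INSTANCE_ROLE}
```

The values returned by create_prerequisites are what you enter for the AutomationAssumeRole and InstanceIamRole variables when running the document. Keep the PassRole grants this narrow: a user who can pass arbitrary roles to a service that launches instances can obtain those roles' credentials.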

Executing Automation

1. In the EC2 console, choose Systems Manager, Automations.

2. Choose Run automation document.

3. Under Document name, choose AWS-UpdateWindowsAmi. Use the $DEFAULT document version.

4. For the SourceAmiId variable, enter the ID of the Windows AMI to update. This is the only required field. The InstanceIamRole and AutomationAssumeRole variables default to the names of the roles created by the CloudFormation template executed earlier.

Optionally, specify values for the following (descriptions for each variable are listed in the console):

  • Target AMI name
  • Instance type
  • KBs to include or exclude
  • Update categories (Critical Update, Security Update)
  • Severity levels (MSRC level such as Critical, Important, Low)
  • Any pre- or post-update scripts to run

5. Choose Run Automation.

6. Monitor progress in the Automation Steps tab, and view the step-level outputs.

After execution is complete, you can view the outputs returned by the workflow in the Description tab. AWS-UpdateWindowsAmi returns the ID of the new AMI, and the new AMI is tagged with the ID of the source AMI it was built from.

Next, choose Images, AMIs to view your new AMI.

Any resources created by a workflow incur the published usage charges. If you stop AWS-UpdateWindowsAmi before it reaches the “Terminate Instance” step, the temporary instance is left running; terminate it yourself to avoid ongoing charges.
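The console procedure above, scripted with boto3 so it can run from a pipeline, as an added example that is not code from the post: it builds the Parameters map (SSM wants every value as a list of strings, and this document's multi-valued inputs are one comma-separated string), waits for a terminal status, reads the new AMI ID from the execution outputs, and, if the run was stopped or failed after the launch step, terminates the orphaned temporary instance that the caveat above warns about. The step names LaunchInstance and TerminateInstance and the output key CreateImage.ImageId are assumptions about the document; confirm them with `aws ssm describe-document --name AWS-UpdateWindowsAmi`.

```python
"""Script the console procedure: start AWS-UpdateWindowsAmi, wait for it,
read the new AMI ID, and terminate the temporary instance if the execution
was stopped early. Added example; the step names and output key are assumed.
"""
import time

DOCUMENT = "AWS-UpdateWindowsAmi"
LAUNCH_STEP = "LaunchInstance"         # assumed: the aws:runInstances step
TERMINATE_STEP = "TerminateInstance"   # assumed: the final cleanup step
IMAGE_OUTPUT = "CreateImage.ImageId"   # assumed: the document's output key
TERMINAL = {"Success", "Failed", "Cancelled", "TimedOut"}


def build_parameters(source_ami, target_name=None, instance_type=None,
                     include_kbs=(), exclude_kbs=(), categories=(),
                     severities=(), pre_script=None, post_script=None):
    """Parameters map for start_automation_execution.

    SSM takes every value as a list of strings; the multi-valued inputs of
    this document are one comma-separated string, not several list items.
    """
    if not source_ami.startswith("ami-"):
        raise ValueError("SourceAmiId must be an AMI ID")
    params = {"SourceAmiId": [source_ami]}
    optional = {
        "TargetAmiName": target_name,
        "InstanceType": instance_type,
        "IncludeKbs": ",".join(include_kbs),
        "ExcludeKbs": ",".join(exclude_kbs),
        "Categories": ",".join(categories),
        "SeverityLevels": ",".join(severities),
        "PreUpdateScript": pre_script,
        "PostUpdateScript": post_script,
    }
    params.update({k: [v] for k, v in optional.items() if v})
    return params


def new_ami_id(execution):
    """AMI ID from a successful execution's Outputs, else None."""
    if execution.get("AutomationExecutionStatus") != "Success":
        return None
    values = execution.get("Outputs", {}).get(IMAGE_OUTPUT, [])
    return values[0] if values else None


def orphaned_instances(execution):
    """Instances the launch step created that the terminate step never removed."""
    launched = []
    for step in execution.get("StepExecutions", []):
        if step.get("StepName") == LAUNCH_STEP:
            launched.extend(step.get("Outputs", {}).get("InstanceIds", []))
        if step.get("StepName") == TERMINATE_STEP and step.get("StepStatus") == "Success":
            return []
    return launched


def run(source_ami, poll_seconds=30, **options):
    """Start the document, wait, clean up on Ctrl-C, return the new AMI ID.
    Needs ssm:StartAutomationExecution and iam:PassRole; not run by tests."""
    import boto3
    ssm, ec2 = boto3.client("ssm"), boto3.client("ec2")
    exec_id = ssm.start_automation_execution(
        DocumentName=DOCUMENT,
        Parameters=build_parameters(source_ami, **options),
    )["AutomationExecutionId"]

    def current():
        return ssm.get_automation_execution(
            AutomationExecutionId=exec_id)["AutomationExecution"]

    try:
        execution = current()
        while execution["AutomationExecutionStatus"] not in TERMINAL:
            time.sleep(poll_seconds)
            execution = current()
    except KeyboardInterrupt:
        ssm.stop_automation_execution(AutomationExecutionId=exec_id)
        execution = current()

    orphans = orphaned_instances(execution)
    if orphans:  # a stopped or failed run still bills for this instance
        ec2.terminate_instances(InstanceIds=orphans)
    return new_ami_id(execution)


# Constructed sample of what get_automation_execution returns for a cancelled run.
SAMPLE_CANCELLED = {
    "AutomationExecutionStatus": "Cancelled",
    "StepExecutions": [
        {"StepName": LAUNCH_STEP, "StepStatus": "Success",
         "Outputs": {"InstanceIds": ["i-0123456789abcdef0"]}},
        {"StepName": TERMINATE_STEP, "StepStatus": "Cancelled"},
    ],
}

if __name__ == "__main__":
    print(build_parameters("ami-0123456789abcdef0",
                           categories=["CriticalUpdates", "SecurityUpdates"]))
    print(orphaned_instances(SAMPLE_CANCELLED))
```

A call such as `run("ami-0123456789abcdef0", target_name="win2016-patched", categories=["CriticalUpdates", "SecurityUpdates"])` returns the new AMI ID on success and None otherwise; the orphan check runs on every terminal status, not only on Ctrl-C, because a step that fails after the launch also leaves the instance behind.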


Now that you’ve successfully run AWS-UpdateWindowsAmi, you may want to set your own default values for the service and instance role parameters. You can customize the workflow by creating your own Automation Document based on AWS-UpdateWindowsAmi. For details, see Create an Automation Document. After you’ve created your Document, you can write additional steps and add them to the workflow.

Example steps include:

  • Updating an Auto Scaling group with the new AMI ID (aws:invokeLambdaFunction action type)
  • Creating an encrypted copy of your new AMI (aws:copyImage action type with Encrypted set to true)
  • Validating your new AMI using Run Command with the AWS-RunPowerShellScript Document (aws:runCommand action type)

Automation also makes a great addition to a CI/CD pipeline for application bake-in, and can be invoked as a CLI build step in Jenkins. For details on these examples, see the Systems Manager Automation technical documentation. Be sure to follow the Management Tools blog for additional deep dives on maintaining Windows AMIs using AWS-UpdateWindowsAmi.
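Two of the example steps above, validation with Run Command and an encrypted copy, written out as an added example rather than code from the post or from AWS: the script fetches the AWS-UpdateWindowsAmi content, appends steps that boot the new AMI, run a PowerShell check over it, terminate that test instance and copy the image with encryption, and checks that every `{{ Step.Output }}` reference points at a step that runs earlier before registering the result. It assumes the base document exposes a CreateImage step with an ImageId output and parameters named InstanceType, TargetAmiName and InstanceIamRole; the KmsKeyId parameter is new and is added here.

```python
"""Extend AWS-UpdateWindowsAmi into a custom document that boots the new AMI,
validates it with Run Command, terminates the test instance and makes an
encrypted copy. Added example; step names, the CreateImage.ImageId output and
the base parameter names are assumptions to verify against the live document.
"""
import json
import re

# {{ StepName.OutputName }} references inside step inputs
STEP_REF = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\s*\}\}")

# Constructed validation script: fail the step unless the SSM Agent is up.
VALIDATE_PS = [
    "$svc = Get-Service AmazonSSMAgent",
    "if ($svc.Status -ne 'Running') { throw 'SSM Agent is not running' }",
    "Get-HotFix | Sort-Object InstalledOn | Select-Object -Last 1",
]


def extra_steps():
    """Steps appended after the document's own TerminateInstance step."""
    return [
        {"name": "LaunchTestInstance", "action": "aws:runInstances",
         "inputs": {"ImageId": "{{ CreateImage.ImageId }}",
                    "InstanceType": "{{ InstanceType }}",
                    "IamInstanceProfileName": "{{ InstanceIamRole }}",
                    "MinInstanceCount": 1, "MaxInstanceCount": 1}},
        {"name": "ValidateAmi", "action": "aws:runCommand",
         "onFailure": "step:TerminateTestInstance",
         "inputs": {"DocumentName": "AWS-RunPowerShellScript",
                    "InstanceIds": ["{{ LaunchTestInstance.InstanceIds }}"],
                    "Parameters": {"commands": VALIDATE_PS}}},
        {"name": "TerminateTestInstance", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": ["{{ LaunchTestInstance.InstanceIds }}"],
                    "DesiredState": "terminated"}},
        {"name": "CopyEncrypted", "action": "aws:copyImage",
         "inputs": {"SourceImageId": "{{ CreateImage.ImageId }}",
                    "SourceRegion": "{{ global:REGION }}",
                    "ImageName": "{{ TargetAmiName }}-encrypted",
                    "Encrypted": True,
                    "KmsKeyId": "{{ KmsKeyId }}"}},
    ]


def check_references(doc):
    """Every step name must be unique and every {{ Step.Output }} must point
    at a step that runs earlier; returns the step names in order."""
    seen = []
    for step in doc["mainSteps"]:
        name = step["name"]
        if name in seen:
            raise ValueError("duplicate step name: " + name)
        for target, _output in STEP_REF.findall(json.dumps(step.get("inputs", {}))):
            if target not in seen:
                raise ValueError(f"{name} references {target}, which has not run yet")
        seen.append(name)
    return seen


def extend_document(base, steps, extra_params):
    """Copy the base document, add parameters and steps, and validate it."""
    doc = json.loads(json.dumps(base))  # deep copy; the base is left untouched
    doc.setdefault("parameters", {}).update(extra_params)
    doc["mainSteps"] = doc["mainSteps"] + steps
    doc["outputs"] = ["CreateImage.ImageId", "CopyEncrypted.ImageId"]
    check_references(doc)
    return doc


def register(name):
    """Fetch the AWS document, extend it, and create the custom one.
    Needs ssm:GetDocument and ssm:CreateDocument; not run by the tests."""
    import boto3
    ssm = boto3.client("ssm")
    base = json.loads(ssm.get_document(
        Name="AWS-UpdateWindowsAmi", DocumentFormat="JSON")["Content"])
    doc = extend_document(base, extra_steps(), {"KmsKeyId": {"type": "String"}})
    ssm.create_document(Content=json.dumps(doc), Name=name,
                        DocumentType="Automation", DocumentFormat="JSON")
    return doc
```

The reference check matters because Automation only reports a bad `{{ Step.Output }}` at run time, after the temporary instance has already been launched and billed; catching it before create_document is cheaper. The onFailure on ValidateAmi routes a failed check to the terminate step so a broken image does not leave a test instance running.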

About the author

Venkat Krishnamachari is a Product Manager in the Amazon EC2 Systems Manager team. Venkat is excited by the opportunities presented by cloud computing, and loves helping customers realize the value of efficient infrastructure and management. In his personal time Venkat volunteers with NGOs and loves producing live theater and music shows.