# Create an AMI using Windows Sysprep with EC2Config
<a name="sysprep-using"></a>

When you create an image from an instance with the EC2Config service installed, EC2Config performs specific tasks as the image is prepared. This includes working with Windows Sysprep. For more information, see [Windows Sysprep phases](ami-create-win-sysprep.md#sysprep-phases).

**Topics**
+ [Windows Sysprep actions](#sysprep-actions)
+ [Post Sysprep](#sysprep-post)
+ [Run Windows Sysprep with the EC2Config service](#sysprep-gui-procedure)

## Windows Sysprep actions
<a name="sysprep-actions"></a>

Windows Sysprep and the EC2Config service perform the following actions when preparing an image.

1. When you choose **Shutdown with Sysprep** in the **EC2 Service Properties** dialog box, the system runs the **ec2config.exe -sysprep** command.

1. The EC2Config service reads the content of the `BundleConfig.xml` file. This file is located in the following directory, by default: `C:\Program Files\Amazon\Ec2ConfigService\Settings`.

    The `BundleConfig.xml` file includes the following settings. You can change these settings:
   + **AutoSysprep**: Indicates whether to use Windows Sysprep automatically. You do not need to change this value if you are running Windows Sysprep from the EC2 Service Properties dialog box. The default value is `No`.
   + **SetRDPCertificate**: Sets a self-signed certificate for the Remote Desktop server. This enables you to securely use the Remote Desktop Protocol (RDP) to connect to the instance. Change the value to `Yes` if new instances should use a certificate. This setting is not used with Windows Server 2012 instances because these operating systems can generate their own certificates. The default value is `No`.
   + **SetPasswordAfterSysprep**: Sets a random password on a newly launched instance, encrypts it with the user launch key, and outputs the encrypted password to the console. Change the value to `No` if new instances should not be set to a random encrypted password. The default value is `Yes`.
   +  **PreSysprepRunCmd**: The location of the command to run. The command is located in the following directory, by default: `C:\Program Files\Amazon\Ec2ConfigService\Scripts\BeforeSysprep.cmd`

1. The system runs `BeforeSysprep.cmd`. This command creates a registry key as follows:

   ```
   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
   ```

   The registry key disables RDP connections until they are re-enabled. Disabling RDP connections is a necessary security measure because, during the first boot session after Windows Sysprep has run, there is a short period of time where RDP allows connections and the Administrator password is blank.

1. The EC2Config service calls Windows Sysprep by running the following command:

   ```
   sysprep.exe /unattend: "C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml" /oobe /generalize /shutdown
   ```

### Generalize phase
<a name="sysprep-generalize"></a>
+ The tool removes image-specific information and configurations such as the computer name and the SID. If the instance is a member of a domain, it is removed from the domain. The `sysprep2008.xml` answer file includes the following settings that affect this phase: 
  + **PersistAllDeviceInstalls**: This setting prevents Windows Setup from removing and reconfiguring devices, which speeds up the image preparation process because Amazon AMIs require certain drivers to run and re-detection of those drivers would take time.
  + **DoNotCleanUpNonPresentDevices**: This setting retains Plug and Play information for devices that are not currently present.
+ Windows Sysprep shuts down the OS as it prepares to create the AMI. The system either launches a new instance or starts the original instance.

### Specialize phase
<a name="sysprep-specialize"></a>

The system generates OS specific requirements such as a computer name and a SID. The system also performs the following actions based on configurations that you specify in the sysprep2008.xml answer file.
+ **CopyProfile**: Windows Sysprep can be configured to delete all user profiles, including the built-in Administrator profile. This setting retains the built-in Administrator account so that any customizations you made to that account are carried over to the new image. The default value is True.

  **CopyProfile** replaces the default profile with the existing local administrator profile. All accounts logged into after running Windows Sysprep will receive a copy of that profile and its contents at first login. 

  If you don’t have specific user-profile customizations that you want to carry over to the new image then change this setting to False. Windows Sysprep will remove all user profiles; this saves time and disk space. 
+ **TimeZone**: The time zone is set to Coordinate Universal Time (UTC) by default.
+ **Synchronous command with order 1**: The system runs the following command that enables the administrator account and specifies the password requirement.

  **net user Administrator /ACTIVE:YES /LOGONPASSWORDCHG:NO /EXPIRES:NEVER /PASSWORDREQ:YES**
+ **Synchronous command with order 2**: The system scrambles the administrator password. This security measure is designed to prevent the instance from being accessible after Windows Sysprep completes if you did not enable the ec2setpassword setting.

  C:\$1Program Files\$1Amazon\$1Ec2ConfigService\$1ScramblePassword.exe" -u Administrator
+ **Synchronous command with order 3**: The system runs the following command:

  C:\$1Program Files\$1Amazon\$1Ec2ConfigService\$1Scripts\$1SysprepSpecializePhase.cmd

   This command adds the following registry key, which re-enables RDP:

  reg add "HKEY\$1LOCAL\$1MACHINE\$1SYSTEM\$1CurrentControlSet\$1Control\$1Terminal Server" /v fDenyTSConnections /t REG\$1DWORD /d 0 /f

### OOBE phase
<a name="sysprep-oobe"></a>

1. Using the EC2Config service answer file, the system specifies the following configurations:
   + <InputLocale>en-US</InputLocale>
   + <SystemLocale>en-US</SystemLocale>
   + <UILanguage>en-US</UILanguage>
   + <UserLocale>en-US</UserLocale>
   + <HideEULAPage>true</HideEULAPage>
   + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
   + <NetworkLocation>Other</NetworkLocation>
   + <ProtectYourPC>3</ProtectYourPC>
   + <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>
   + <TimeZone>UTC</TimeZone>
   + <RegisteredOrganization>Amazon.com</RegisteredOrganization>
   + <RegisteredOwner>Amazon</RegisteredOwner>
**Note**  
During the generalize and specialize phases the EC2Config service monitors the status of the OS. If EC2Config detects that the OS is in a Sysprep phase, then it publishes the following message to the system log:  
EC2ConfigMonitorState: 0 Windows is being configured. SysprepState=IMAGE\$1STATE\$1UNDEPLOYABLE

1. After the OOBE phase completes, the system runs `SetupComplete.cmd` from the following location: `C:\Windows\Setup\Scripts\SetupComplete.cmd`. In Amazon public AMIs before April 2015 this file was empty and ran nothing on the image. In public AMIs dated after April 2015, the file includes the following value: **call "C:\$1Program Files\$1Amazon\$1Ec2ConfigService\$1Scripts\$1PostSysprep.cmd"**.

1. The system runs `PostSysprep.cmd`, which performs the following operations:
   + Sets the local Administrator password to not expire. If the password expired, Administrators might not be able to log on.
   + Sets the MSSQLServer machine name (if installed) so that the name will be in sync with the AMI.

## Post Sysprep
<a name="sysprep-post"></a>

After Windows Sysprep completes, the EC2Config services sends the following message to the console output:

```
Windows sysprep configuration complete.
			Message: Sysprep Start
			Message: Sysprep End
```

EC2Config then performs the following actions:

1. Reads the content of the config.xml file and lists all enabled plug-ins. 

1. Executes all “Before Windows is ready” plug-ins at the same time.
   + Ec2SetPassword
   + Ec2SetComputerName
   + Ec2InitializeDrives
   + Ec2EventLog
   + Ec2ConfigureRDP
   + Ec2OutputRDPCert
   + Ec2SetDriveLetter
   + Ec2WindowsActivate
   + Ec2DynamicBootVolumeSize

1. After it is finished, sends a “Windows is ready” message to the instance system logs.

1. Runs all “After Windows is ready” plug-ins at the same time.
   + Amazon CloudWatch Logs 
   + UserData
   + AWS Systems Manager (Systems Manager) 

For more information about Windows plug-ins, see [Use the EC2Config service to perform tasks during EC2 legacy Windows operating system instance launch](ec2config-service.md).

## Run Windows Sysprep with the EC2Config service
<a name="sysprep-gui-procedure"></a>

Use the following procedure to create a standardized AMI using Windows Sysprep and the EC2Config service.

1. In the Amazon EC2 console, locate or [create](creating-an-ami-ebs.md) an AMI that you want to duplicate.

1. Launch and connect to your Windows instance.

1. Customize it.

1. Specify configuration settings in the EC2Config service answer file:

   `C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml`

1. From the Windows **Start** menu, choose **All Programs**, and then choose **EC2ConfigService Settings**. 

1. Choose the **Image** tab in the **Ec2 Service Properties** dialog box. For more information about the options and settings in the Ec2 Service Properties dialog box, see [Ec2 Service Properties](ec2config-service.md).

1. Select an option for the Administrator password, and then select **Shutdown with Sysprep** or **Shutdown without Sysprep**. EC2Config edits the settings files based on the password option that you selected.
   + **Random**: EC2Config generates a password, encrypts it with user's key, and displays the encrypted password to the console. We disable this setting after the first launch so that this password persists if the instance is rebooted or stopped and started.
   + **Specify**: The password is stored in the Windows Sysprep answer file in unencrypted form (clear text). When Windows Sysprep runs next, it sets the Administrator password. If you shut down now, the password is set immediately. When the service starts again, the Administrator password is removed. It's important to remember this password, as you can't retrieve it later.
   + **Keep Existing**: The existing password for the Administrator account doesn't change when Windows Sysprep is run or EC2Config is restarted. It's important to remember this password, as you can't retrieve it later.

1. Choose **OK**.

When you are asked to confirm that you want to run Windows Sysprep and shut down the instance, click **Yes**. You'll notice that EC2Config runs Windows Sysprep. Next, you are logged off the instance, and the instance is shut down. If you check the **Instances** page in the Amazon EC2 console, the instance state changes from `Running` to `Stopping`, and then finally to `Stopped`. At this point, it's safe to create an AMI from this instance.

You can manually invoke the Windows Sysprep tool from the command line using the following command:

```
"%programfiles%\amazon\ec2configservice\"ec2config.exe -sysprep"" 
```

**Note**  
The double quotation marks in the command are not required if your CMD shell is already in the C:\$1Program Files\$1Amazon\$1EC2ConfigService\$1 directory.

However, you must be very careful that the XML file options specified in the `Ec2ConfigService\Settings` folder are correct; otherwise, you might not be able to connect to the instance. For more information about the settings files, see [EC2Config settings files](ec2config-service.md#UsingConfigXML_WinAMI). For an example of configuring and then running Windows Sysprep from the command line, see `Ec2ConfigService\Scripts\InstallUpdates.ps1`.