Windows Server 2019 User Guide
Overview
This guide covers the deployment and configuration of Windows Server 2019 using cloudimg AMIs from the AWS Marketplace. Windows Server 2019 builds on the foundation of Windows Server 2016 with improvements to hybrid cloud integration, security features including Windows Defender Advanced Threat Protection, and enhanced container support with smaller base images and improved Linux container compatibility.
What's included in this AMI:
- Windows Server 2019 preconfigured and patched
- AWS CLI v2 for interacting with AWS services from the command line
- AWS CloudWatch Agent for monitoring metrics and collecting logs
- AWS Systems Manager Agent (SSM) for remote management and automation
- Latest security patches applied at build time
- 24/7 cloudimg support with guaranteed 24 hour response SLA
Prerequisites
Before launching this AMI, ensure you have:
- An active AWS account
- An active subscription to the Windows Server 2019 listing on AWS Marketplace
- An EC2 key pair for decrypting the Administrator password
- A Remote Desktop client (Microsoft Remote Desktop, mRemoteNG, or similar)
Recommended Instance Type: t3.large (2 vCPU, 8 GB RAM) for general workloads.
Minimum Requirements: 1 vCPU, 512 MB RAM, and 30 GB disk space.
Step 1: Launch the AMI
- Navigate to the AWS Marketplace and search for "Windows Server 2019 cloudimg"
- Click Continue to Subscribe, accept the terms, then Continue to Configuration
- Select your preferred Region and Software Version
- Click Continue to Launch
- Choose Launch through EC2 for full control over instance configuration
- Select your instance type (t3.large recommended)
- Configure storage: 30 GB gp3 minimum for the C:\ drive. Add additional EBS volumes as needed for application data
- Configure your Security Group with the following inbound rules:
| Port | Protocol | Source | Purpose |
|---|---|---|---|
| 3389 | TCP | Your IP | Remote Desktop (RDP) access |
Important: Restrict RDP port 3389 to your specific IP address or corporate VPN range only. Never expose RDP to the public internet (0.0.0.0/0).
- Select your EC2 key pair and launch the instance
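To confirm the inbound rule from Step 1 after launch, this added example (not part of the cloudimg guide) flags any rule that opens TCP 3389 to 0.0.0.0/0 or ::/0 in `aws ec2 describe-security-groups` output. The function name `Find-OpenRdpRule`, the sample JSON and the group IDs are constructed for illustration.

```powershell
# Added example: flag security group rules that expose RDP (TCP 3389) to any address.
function Find-OpenRdpRule {
    param([Parameter(Mandatory)] $SecurityGroups)
    foreach ($sg in $SecurityGroups) {
        foreach ($perm in $sg.IpPermissions) {
            # IpProtocol "-1" means all protocols and all ports.
            $allTraffic = $perm.IpProtocol -eq '-1'
            $coversRdp  = ($perm.IpProtocol -eq 'tcp') -and
                          ($perm.FromPort -le 3389) -and ($perm.ToPort -ge 3389)
            if (-not ($allTraffic -or $coversRdp)) { continue }

            # Collect IPv4 and IPv6 sources; empty lists contribute nothing after filtering.
            $cidrs = @($perm.IpRanges.CidrIp) + @($perm.Ipv6Ranges.CidrIpv6)
            foreach ($cidr in ($cidrs | Where-Object { $_ -in '0.0.0.0/0', '::/0' })) {
                [pscustomobject]@{
                    GroupId  = $sg.GroupId
                    Protocol = $perm.IpProtocol
                    Source   = $cidr
                }
            }
        }
    }
}

# Constructed sample in the shape returned by describe-security-groups.
$sample = @'
{ "SecurityGroups": [ { "GroupId": "sg-EXAMPLE", "IpPermissions": [
  { "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
    "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ], "Ipv6Ranges": [] },
  { "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
    "IpRanges": [ { "CidrIp": "203.0.113.10/32" } ], "Ipv6Ranges": [] } ] } ] }
'@ | ConvertFrom-Json

# Reports only the first rule; the /32 rule is correctly scoped.
Find-OpenRdpRule -SecurityGroups $sample.SecurityGroups

# Against a real group (the group ID below is a placeholder):
# $live = (aws ec2 describe-security-groups --group-ids sg-PLACEHOLDER --output json | Out-String) | ConvertFrom-Json
# Find-OpenRdpRule -SecurityGroups $live.SecurityGroups
```

An empty result means no rule on the group exposes RDP to all addresses.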
Step 2: Retrieve the Administrator Password
Once the instance has passed both status checks (2/2), retrieve the Administrator password. Allow 4 to 5 minutes after launch for the password to become available.
- Open the EC2 Console and navigate to Instances
- Select your newly launched Windows Server instance
- Click Actions > Security > Get Windows Password
- Click Browse and upload the .pem key pair file you selected at launch
- Click Decrypt Password
- Copy the decrypted Administrator password and store it securely
Important: The password will not be available immediately after launch. Wait for the instance to reach 2/2 status checks and allow at least 4 minutes before attempting to decrypt.
Step 3: Connect via Remote Desktop (RDP)
- Open your Remote Desktop client application
- Create a new connection and enter the public IP address of your EC2 instance (use the private IP if connecting via VPN to your VPC)
- When prompted, enter the following credentials:
  - Username: Administrator
  - Password: the decrypted value from Step 2
- If you receive a certificate warning, click Continue to proceed. This is expected for self-signed certificates on new instances
You are now connected to your Windows Server 2019 instance.
Step 4: Verify Installed Components
Open a Command Prompt or PowerShell window and verify the AWS tooling:
Check AWS CLI version:
aws --version
Check CloudWatch Agent status:
Get-Service AmazonCloudWatchAgent
Check Systems Manager Agent status:
Get-Service AmazonSSMAgent
Server Components
| Component | Version | Install Path |
|---|---|---|
| AWS CLI | 2.8.2 | System PATH |
| AWS CloudWatch Agent | 1.3.5 | C:\Program Files\Amazon\AmazonCloudWatchAgent |
| AWS Systems Manager Agent | 3.1.1 | C:\Program Files\Amazon\SSM |
Note: Component versions reflect the build time installation. These may be updated by Windows Update or manual upgrades.
Filesystem Layout
| Drive | Description |
|---|---|
| C:\ | System drive containing Windows Server OS, installed programs, and user data |
Tip: For production workloads, consider attaching additional EBS volumes (D:\, E:\, etc.) for application data, databases, or log files to separate them from the operating system drive.
Managing Services
Windows services can be managed via the Services management console or PowerShell.
Open Services console:
services.msc
List all running services in PowerShell:
Get-Service | Where-Object {$_.Status -eq 'Running'}
Start a service:
Start-Service -Name "ServiceName"
Stop a service:
Stop-Service -Name "ServiceName"
Restart a service:
Restart-Service -Name "ServiceName"
Using AWS CLI
The AWS CLI is available from any Command Prompt or PowerShell session. Verify it is working:
aws --help
To configure credentials for AWS CLI, either attach an IAM instance profile (recommended) or run:
aws configure
Configuring CloudWatch Agent
The CloudWatch Agent wizard allows you to create a custom configuration for monitoring metrics and logs. To launch it:
cd "C:\Program Files\Amazon\AmazonCloudWatchAgent"
amazon-cloudwatch-agent-config-wizard.exe
Follow the interactive prompts to select the metrics and logs you wish to collect. Once configured, start the CloudWatch Agent via PowerShell:
& "C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" -a fetch-config -m ec2 -s -c file:configuration-file-path
Replace configuration-file-path with the full path to your generated configuration file.
Scripts and Log Files
| Log | Path | Description |
|---|---|---|
| Windows Event Viewer | eventvwr.msc | System, application, and security event logs |
| CloudWatch Agent logs | C:\ProgramData\Amazon\AmazonCloudWatchAgent\Logs | CloudWatch Agent operational logs |
| SSM Agent logs | C:\ProgramData\Amazon\SSM\Logs | Systems Manager Agent logs |
Troubleshooting
Cannot connect via RDP
- Wait for the EC2 instance to reach 2/2 status checks
- Verify your security group allows port 3389 from your IP
- Wait at least 4 to 5 minutes after launch before decrypting the password
- Confirm you are using the correct key pair for password decryption
- Check that the instance has a public IP address (or connect via private IP through VPN)
Password decryption fails
- Ensure you are using the exact .pem key pair file that was selected at launch
- Wait at least 4 minutes after instance launch; the password is not available immediately
- If you have changed the Administrator password, the AWS Console can no longer retrieve it
RDP session disconnects or freezes
- Check the instance status in the EC2 Console for any impaired status checks
- Verify your internet connection is stable
- Reduce the display resolution and colour depth in your RDP client settings
- Consider using AWS Systems Manager Session Manager as an alternative connection method
AWS CLI not recognised
- Open a new Command Prompt window (the PATH may not be set in existing sessions)
- Verify the installation: where aws
- If missing, reinstall from https://aws.amazon.com/cli/
High CPU or memory usage
- Open Task Manager (Ctrl+Shift+Esc) to identify resource consuming processes
- Check Windows Update is not running a large update cycle in the background
- Review Windows Defender scan schedules which may consume resources during scans
- Consider upgrading to a larger instance type if resources are consistently insufficient
Security Recommendations
- Restrict RDP access: Only allow port 3389 from your specific IP or VPN CIDR range; never allow 0.0.0.0/0
- Change the Administrator password: Change the default decrypted password to a strong, unique password after first login
- Enable Network Level Authentication (NLA): Ensure NLA is enabled for RDP connections to provide an additional authentication layer
- Keep Windows updated: Regularly apply Windows security updates and patches
- Use IAM instance profiles: Attach IAM roles to the instance instead of storing AWS access keys on the server
- Enable Windows Firewall: Ensure Windows Firewall is enabled with appropriate rules
- Leverage Windows Defender: Windows Server 2019 includes Windows Defender Advanced Threat Protection; ensure it remains enabled and up to date
- Configure CloudWatch monitoring: Set up CloudWatch Agent to monitor CPU, memory, and disk metrics and alert on anomalies
- Enable AWS Systems Manager: Use SSM for patching, inventory, and remote access without opening RDP to the internet
- Use encrypted EBS volumes: Enable EBS encryption for data at rest protection
- Configure backups: Set up AWS Backup or EBS snapshots for regular server backups
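Several of the host-side recommendations above can be checked from an elevated PowerShell session on the instance. This read-only script is an added example, not part of the cloudimg guide; the function name `Test-HostBaseline` and the 7-day signature age threshold are assumptions chosen for illustration.

```powershell
# Added example: read-only check of NLA, Windows Firewall, Defender and the SSM Agent.
function Test-HostBaseline {
    $results = @()

    # NLA: UserAuthentication = 1 on the RDP-Tcp listener means NLA is required.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    $results += [pscustomobject]@{ Check = 'RDP requires NLA'; Pass = ($nla -eq 1) }

    # Windows Firewall: every profile (Domain, Private, Public) should be enabled.
    foreach ($fwProfile in (Get-NetFirewallProfile)) {
        $results += [pscustomobject]@{
            Check = "Firewall profile $($fwProfile.Name) enabled"
            Pass  = ("$($fwProfile.Enabled)" -eq 'True')
        }
    }

    # Windows Defender: real-time protection on and signatures recent.
    $mp = Get-MpComputerStatus
    $results += [pscustomobject]@{
        Check = 'Defender real-time protection'
        Pass  = [bool]$mp.RealTimeProtectionEnabled
    }
    $results += [pscustomobject]@{
        Check = 'Defender signatures 7 days old or newer'   # threshold is an assumption
        Pass  = ($mp.AntivirusSignatureAge -le 7)
    }

    # SSM Agent must be running for Session Manager and patching to work.
    $ssm = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'SSM Agent running'
        Pass  = ($null -ne $ssm -and $ssm.Status -eq 'Running')
    }

    $results
}

Test-HostBaseline | Format-Table -AutoSize
```

Any row with `Pass` set to `False` points at the matching recommendation in the list above.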
Support
If you encounter any issues with this product, contact cloudimg support:
- Email: support@cloudimg.co.uk
- Website: www.cloudimg.co.uk
- Support hours: 24/7 with guaranteed 24 hour response SLA