enable WinRM on Windows Server 2012 R2 for automated installation with packer


I use packer to build windows private AMIs. My code works perfectly for Windows Server 2019 and 2022.

Today, I must build a Windows Server 2012 AMI. When I start packer, everything is going fine until WinRM is supposed to be activated. But it never becomes available. Here is the output of my script:

30/03/2023 15:03:01
We are building a Windows template
lets build AWS12
packer build -on-error=cleanup -force -color=false -var-file ./production.pkrvars.hcl -only=amazon-ebs.windows             -var AWS_Region=eu-west-1             -var AWS_Subnet=subnet-09dea1005b9e039ce             -var AWS_VPC=vpc-07a597dbe1bc6d0a0             -var aws_os_filter=Windows_Server-2012-R2-English-STIG-Full-202*             -var InstanceType=t3.medium             -var VMNAME=Windows-W2K12-230330             -var-file=W2K12.pkrvars.hcl             ./Windows
==> amazon-ebs.windows: Force Deregister flag found, skipping prevalidating AMI Name
    amazon-ebs.windows: Found Image ID: ami-05ea5147aa6a82322
==> amazon-ebs.windows: Creating temporary keypair: packer_6425a4a6-c2b5-fb0b-1e41-2a23d9f6d4fd
    amazon-ebs.windows: Found Security Group(s): sg-0416234d02eef67b3, sg-075f33d2f0f72757c
==> amazon-ebs.windows: Launching a source AWS instance...
    amazon-ebs.windows: Instance ID: i-0a954ed5f7ff8d54c
==> amazon-ebs.windows: Waiting for instance (i-0a954ed5f7ff8d54c) to become ready...
==> amazon-ebs.windows: Waiting for auto-generated password for instance...
    amazon-ebs.windows: It is normal for this process to take up to 15 minutes,
    amazon-ebs.windows: but it usually takes around 5. Please wait.
    amazon-ebs.windows: Password retrieved!
==> amazon-ebs.windows: Using WinRM communicator to connect:
==> amazon-ebs.windows: Waiting for WinRM to become available...

real    8m21.604s
user    0m0.450s
sys     0m0.319s

I use the very same powershell script to enable WinRM. For other Windows Operating Systems, it works.


#    "winrm_username": "Administrator",
#    "winrm_insecure": true,
#    "winrm_use_ssl": true,

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"

# $ThePwd=ConvertTo-SecureString -String 'Azerty0IsGood!' -AsPlainText -Force
# New-LocalUser "PackerUser" -AccountNeverExpires -PasswordNeverExpires -FullName "User for packer" -Description "User for packer" -Password $ThePwd
# Add-LocalGroupMember -Group 'Administrators' -Member "PackerUser"

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm


I quickly created an T3.medium EC2 running Windows Server 2012 R2, and executed the script above, without any error.

My security groups open ports TCP/3389 and TCP/5986

  • How can I enable WinRM on Windows Server 2012 R2 ?
asked a year ago321 views
1 Answer

To diagnose that issue run packer with the debug flag. packer build -debug template.json

Grab the Administrator login from the Packer output, you will need it. Then add an inbound RDP rule on the Packer build instance’s security group so you can RDP to it. Look for the log at C:\Program Files\Amazon\Ec2ConfigService\Logs\Ec2ConfigLog.txt. You may need to add logging in the script to figure out what is going wrong.

Please note that AWS does not have access to look inside your resources.

If you still need help, you can reach out to support teams via your Support Center: http://go.aws/support-center.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions