I receive the following error in AWS Systems Manager when I try to run the Automation runbook AWS-UpdateWindowsAMI or document AWSEC2-RunSysprep: "Sysprep failed with error: LogonUser failed with error code : 1385." How do I troubleshoot this?
Short description
If you run the AWS-UpdateWindowsAMI Automation runbook or the AWSEC2-RunSysprep document without the necessary administrative privileges, the run fails. You also see at least one error message describing the failure.
In the Systems Manager Automation (SSM Automation) output, you receive the following error:
Sysprep failed with error: LogonUser failed with error code : 1385
In the Systems Manager Agent (SSM Agent) logs, you receive the following error:
"RunSysprep": {
"status": "Failed",
"code": 4294967295
"output": Start of Start-AwsUwiSysprep\r\n Sysprep failed with error: LogonUser failed with error code : 1385\r\n\n----------ERROR-------\nfailed to run commands: exit status 4294967295",
"standardError": " failed to run commands: exit status 4294967295"
}
In the output of the command ID that appears for AWS-UpdateWindowsAMI or AWSEC2-RunSysprep, you receive the following error:
Info | Start of Start-AwsUwiSysprep
Info | Starting EC2Launch method of sysprep.
Error | Sysprep failed with error: LogonUser failed with error code : 1385
This issue occurs when the Administrator account isn't included in the group policy setting LogOnAsABatchJob. In this case, Administrator is the user account that the SSM documents run as.
To change the policy settings and resolve this issue, follow these steps.
Resolution
If the instance is part of a local workgroup:
- Connect to your Windows instance using Remote Desktop or Fleet Manager, a capability of AWS Systems Manager.
Note: Log in with an account with administrative privileges.
- Run a command prompt window.
- Enter gpedit.msc to open the Local Group Policy Editor window.
- Navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
- Choose LogOnAsABatchJob, and then select the Add User or Group button.
- Enter Administrator in the text box, and then select Check Names to search for this role.
- Highlight the role with Administrator as the Logon Name, and then select OK.
- In the command prompt window, enter the following:
gpupdate /force /target:computer
This command reapplies the group policies immediately after the Group Policy Object (GPO) settings are updated.
- In the Systems Manager console, run your Systems Manager runbook or document: AWS-UpdateWindowsAMI or AWSEC2-RunSysprep.
If the instance is part of a domain:
- Log in to any instance that is joined to the domain where the error occurred. Log in using Remote Desktop or Fleet Manager.
Note: Log in as a user that is part of the Domain Administrators group.
- Open a command prompt window.
- Enter gpedit.msc to open the Local Group Policy Editor window.
- Navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
- Choose LogOnAsABatchJob, and then select the Add User or Group button.
- Enter Administrator in the text box, and then select Check Names to search for this role.
- Highlight the role with Administrator as the Logon Name, and then select OK.
- In the command prompt window, enter the following:
gpupdate /force /target:computer
This command reapplies the group policies immediately after the GPO settings are updated.
- In the Systems Manager console, run your Systems Manager runbook or document: AWS-UpdateWindowsAMI or AWSEC2-RunSysprep.
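To confirm the policy change took effect before you rerun the runbook, the following PowerShell check (an added example, not part of the original article or any AWS tooling) exports the applied user rights with secedit and reports whether the account holds the batch logon right directly or through a local group. It assumes the documents run as the built-in local Administrator (RID 500); Get-UserRightSids is a hypothetical helper name, and the check also reads SeDenyBatchLogonRight, which the article does not mention but which overrides a grant.

```powershell
# Added example, run from an elevated PowerShell 5.1+ session on the instance.
# Assumption: the documents run as the built-in local Administrator (RID 500).
function Get-UserRightSids {
    param([string]$Right)
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights area of the local security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $entry.Substring(1)      # entry is already a SID
            } elseif ($entry) {
                try {                    # entry is an account name
                    ([System.Security.Principal.NTAccount]$entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { Write-Warning "Cannot resolve '$entry'" }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
# Local groups that contain the account, since rights are often granted to groups.
$groups = Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID.Value -contains $admin.SID.Value
}
$principals = @($admin.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

$granted = Get-UserRightSids 'SeBatchLogonRight'
$denied  = Get-UserRightSids 'SeDenyBatchLogonRight'   # a deny entry overrides a grant

[pscustomobject]@{
    Account      = $admin.Name
    GrantedBatch = [bool]($principals | Where-Object { $granted -contains $_ })
    DeniedBatch  = [bool]($principals | Where-Object { $denied  -contains $_ })
}
```

The runbook's logon should succeed when GrantedBatch is True and DeniedBatch is False; if the result is still wrong after gpupdate, a domain GPO may be overwriting the local setting.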
Related information
AWS-UpdateWindowsAmi
Using managed policies for EC2 Image Builder
Log on as a batch job