By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How do I resolve a 1385 error code in Systems Manager after failing to run AWS-UpdateWindowsAMI or AWSEC2-RunSysprep?

3 minute read
0

I receive the following error in AWS Systems Manager when I try to run the Automation runbook AWS-UpdateWindowsAMI or document AWSEC2-RunSysprep: "Sysprep failed with error: LogonUser failed with error code : 1385." How do I troubleshoot this?

Short description

If you try to run the AWS-UpdateWindowsAMI Automation runbook or AWSEC2-RunSysprep document without the necessary administrative privileges, they will fail. You will also see at least one error message describing this failure.

In the Systems Manager Automation (SSM Automation) output, you receive the following error:

Sysprep failed with error: LogonUser failed with error code : 1385

In the Systems Manager Agent (SSM Agent) logs, you receive the following error:

"RunSysprep": {
"status": "Failed",
"code": 4294967295
"output": Start of Start-AwsUwiSysprep\r\n Sysprep failed with error: LogonUser failed with error code : 1385\r\n\n----------ERROR-------\nfailed to run commands: exit status 4294967295",
"standardError": " failed to run commands: exit status 4294967295"
}

In the output of the command ID that appears for AWS-UpdateWindowsAMI or AWSEC2-RunSysprep, you receive the following error:

Info | Start of Start-AwsUwiSysprep
Info | Starting EC2Launch method of sysprep.
Error | Sysprep failed with error: LogonUser failed with error code : 1385

This issue occurs when the Administrator isn't added to the group policy setting LogOnAsABatchJob. In this case, the Administrator is the user against which the SSM Documents are being executed.

To change the policy settings and resolve this issue, follow these steps.

Resolution

If the instance is part of a local workgroup:

  1. Connect to your Windows instance using Remote Desktop or Fleet Manager, a capability of AWS Systems Manager.
    Note: Log in with an account with administrative privileges.
  2. Run a command prompt window.
  3. Enter gpedit.msc to open the Local Group Policy Editor window.
  4. Navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  5. Choose LogOnAsABatchJob, and then select the Add User or Group button.
  6. Enter Administrator in the text box, and then select Check Names to search for this role.
  7. Highlight the role with Administrator as the Logon Name, and then select OK.
  8. In the command prompt window, enter the following:
gpupdate /force /target:computer

This command reapplies the group policies immediately after the Group Policy Object (GPO) settings are updated.

In the Systems Manager console, run your Systems Manager runbook or document: AWS-UpdateWindowsAMI or AWSEC2-RunSysprep.

If the instance is part of a domain:

  1. Log in to any instance that is joined to the domain where the error occurred. Log in using Remote Desktop or Fleet Manager.
    Note: Log in as a user that is part of Domain Administrators group.
  2. Open a command prompt window.
  3. Enter gpedit.msc to open the Local Group Policy Editor window.
  4. Navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  5. Choose LogOnAsABatchJob, and then select the Add User or Group button.
  6. Enter Administrator in the text box, and then select Check Names to search for this role.
  7. Highlight the role with Administrator as the Logon Name, and then select OK.
  8. In the command prompt window, enter the following:
gpupdate /force /target:computer

This command reapplies the group policies immediately after the GPO settings area updated.

  • In the Systems Manager console, run your Systems Manager runbook or document: AWS-UpdateWindowsAMI or AWSEC2-RunSysprep.

Related information

AWS-UpdateWindowsAmi

Using managed policies for EC2 Image Builder

Log on as a batch job

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago