Beyond Bug Fixes: The Transformative Power of OS Upgrades
Use AWS Systems Manager Automation to upgrade Windows EC2 instances without manual intervention. The process creates a backup AMI, performs the in-place upgrade, and produces a new AMI with the upgraded OS. Total time: 2-3 hours, mostly hands-off.
Introduction
In today's rapidly evolving technological world, ensuring that your computer's operating system (OS) is up-to-date is more critical than ever. Whether you're using a personal computer, managing a server, or overseeing an entire fleet of enterprise devices, regular OS upgrades are a cornerstone of digital health.
- Security Enhancements - The most compelling reason for many to update their OS is enhanced security. Cyber threats continuously evolve, and older OS versions can become susceptible to new vulnerabilities. With each OS upgrade, developers fix known vulnerabilities, introduce improved security protocols, and provide tools to help users keep their data safe. Ignoring these updates can leave your system exposed to cyberattacks, data breaches, and ransomware.
- Performance Improvements - Operating systems, like any software, are not perfect when they're initially released. Over time, developers identify areas for optimization, leading to smoother and faster performance in subsequent versions. By keeping your OS updated, you'll often experience quicker boot times, more efficient battery use, and improved application performance.
- Access to New Features - Upgrades often introduce new features, tools, and capabilities. This could be anything from improved virtual assistants, enhanced graphic displays, new productivity tools, or better integration with other devices. By delaying upgrades, you're missing out on these potential benefits and advancements in technology.
- Compatibility - As software and applications are updated, many will optimize for the latest OS versions. This means that if you're running an older OS, you might find that some applications no longer work or don't provide the latest features. By keeping your OS current, you ensure maximum compatibility with the newest apps and tools.
- Support and Community Assistance - Older OS versions eventually reach what's called 'end-of-life' (EOL). When this happens, the developers no longer provide official support or updates for these versions. This can be problematic for users who encounter issues or vulnerabilities, as they're left without any official recourse. The vibrant community discussions that surround newer OS versions also taper off for older versions, making it harder to find solutions to issues.
- Business Continuity and Reputation - For businesses, an outdated OS can not only lead to direct threats like data breaches but can also harm their reputation. Customers and partners want to work with companies that prioritize data protection. By maintaining updated systems, businesses showcase their commitment to security and reliability.
If you are running an unsupported operating system, or just want to move your existing EC2 instances to the latest Windows Server version, Systems Manager can automate the process (there is also a manual process, which I will cover in another blog post).
Prerequisites
Source Server
Make sure you have more than 10 GB of free space on the root drive of the server you are upgrading.
Install Systems Manager agent (run the below in PowerShell as administrator):
# S3 requires TLS 1.2; older Windows defaults may not negotiate it
[System.Net.ServicePointManager]::SecurityProtocol = 'TLS12'
# suppress the progress bar, which slows Invoke-WebRequest considerably
$progressPreference = 'silentlyContinue'
Invoke-WebRequest `
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe `
    -OutFile $env:USERPROFILE\Desktop\SSMAgent_latest.exe
# silent install; -Wait ensures the installer has finished before the service is restarted
Start-Process `
    -FilePath $env:USERPROFILE\Desktop\SSMAgent_latest.exe `
    -ArgumentList "/S" `
    -Wait
Restart-Service AmazonSSMAgent
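A pre-flight check for the two local prerequisites above, added here as an example and not part of the original post: it verifies that the root drive has more than 10 GB free, that the SSM agent service is installed and running, and that the server can reach the regional SSM endpoint over TCP 443. Run it as Administrator on the source server; $Region is an assumption and must be set to the region the instance runs in.

```powershell
# Added pre-flight check, not part of the original post: run as Administrator on the
# source server before starting the automation. It checks the two local prerequisites
# above (more than 10 GB free on the root drive, SSM agent installed and running) and
# confirms the server can reach the regional SSM endpoint over TCP 443.
# $Region is an assumption; set it to the region the instance runs in.
$Region    = 'us-east-1'
$MinFreeGB = 10
$problems  = @()

# 1. Free space on the system (root) drive.
$driveName = $env:SystemDrive.TrimEnd(':')
$drive     = Get-PSDrive -Name $driveName -PSProvider FileSystem
$freeGB    = [math]::Round($drive.Free / 1GB, 1)
if ($freeGB -le $MinFreeGB) {
    $problems += "Root drive $($env:SystemDrive) has $freeGB GB free; more than $MinFreeGB GB is required."
}

# 2. SSM agent installed and running.
$agent = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
if (-not $agent) {
    $problems += 'AmazonSSMAgent service is not installed.'
} elseif ($agent.Status -ne 'Running') {
    $problems += "AmazonSSMAgent service is $($agent.Status), not Running."
}

# 3. Outbound HTTPS to the regional SSM endpoint, which the agent registers through.
$endpoint = "ssm.$Region.amazonaws.com"
$reach    = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    $problems += "Cannot reach $endpoint on TCP 443; check the security group egress rules and routing."
}

# 4. Record the starting OS so you have a baseline to compare against after the upgrade.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Source OS: $($os.Caption) build $($os.BuildNumber); root free space: $freeGB GB"

if ($problems.Count -eq 0) {
    Write-Host 'Pre-flight checks passed; the server is ready for the automation.'
} else {
    Write-Warning ("Pre-flight checks failed:`n - " + ($problems -join "`n - "))
    exit 1
}
```

The script exits non-zero on any failed check so it can be dropped into a larger runbook; the endpoint test only proves TCP reachability, so a security group that allows 443 but a network ACL that blocks it will still show up as a failure here rather than later in the automation.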
AWS
Create EC2 Role for SSM Service
- Sign in to the AWS Management Console - Open your browser, navigate to the AWS Management Console, and sign in with your AWS account.
- Open the IAM Dashboard - Search or navigate to the "IAM" service.
- Create a New Role - In the left sidebar, click on "Roles", then click "Create role".
- Select Trusted Entity Type - Choose "AWS service", then select "EC2" from the list. This allows EC2 instances to call AWS services on your behalf. Click "Next: Permissions".
- Attach the Required Policy - Search for "AmazonSSMManagedInstanceCore", check the box next to it, and click "Next: Tags".
- (Optional) Add Tags - Add any key-value pair tags to help manage the role, then click "Next: Review".
- Review and Create the Role - Name your role ssmEC2Role, verify the settings are correct, and click "Create role".
- Verify the Policy is Attached - Click on the role name ssmEC2Role in the list and confirm the AmazonSSMManagedInstanceCore policy appears in the "Permissions" tab.
Attach Role to EC2 Instance
- Navigate to EC2 - From the AWS Management Console, go to the "EC2" service.
- Locate Your Instance - In the left sidebar, click "Instances", find the instance you want to upgrade, and select it by clicking the checkbox.
- Attach the IAM Role - Click "Actions" from the top menu, navigate to "Security", then click "Modify IAM role". Select ssmEC2Role from the dropdown and click "Apply".
- Verify the Role Attachment - Select your instance and open the "Security" tab. Confirm the role is listed under "IAM role".
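The same role creation and attachment as the two console procedures above, done with the AWS CLI from PowerShell. This is an added example, not code from the original post; it assumes the AWS CLI is installed, that your credentials may create IAM roles, and that $InstanceId and $Region are filled in with your own values (the ones shown are placeholders).

```powershell
# Added example, not from the original post: create the ssmEC2Role role, attach the
# managed policy, wrap it in an instance profile and associate it with the instance.
# $InstanceId and $Region are placeholders to replace with your own values.
$RoleName   = 'ssmEC2Role'
$PolicyArn  = 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
$InstanceId = 'i-0123456789abcdef0'   # placeholder: the instance you are upgrading
$Region     = 'us-east-1'             # placeholder: the instance's region

# Trust policy: only the EC2 service may assume this role (the "AWS service -> EC2" choice).
$trust = @{
    Version   = '2012-10-17'
    Statement = @(
        @{
            Effect    = 'Allow'
            Principal = @{ Service = 'ec2.amazonaws.com' }
            Action    = 'sts:AssumeRole'
        }
    )
} | ConvertTo-Json -Depth 5
$trustFile = Join-Path $env:TEMP 'ssmEC2Role-trust.json'
Set-Content -Path $trustFile -Value $trust -Encoding Ascii

# Create the role with only the managed policy the post names (the minimum SSM needs).
aws iam create-role --role-name $RoleName --assume-role-policy-document "file://$trustFile" --query Role.Arn --output text
aws iam attach-role-policy --role-name $RoleName --policy-arn $PolicyArn

# The console creates an instance profile of the same name automatically; the CLI does not.
aws iam create-instance-profile --instance-profile-name $RoleName --query InstanceProfile.Arn --output text
aws iam add-role-to-instance-profile --instance-profile-name $RoleName --role-name $RoleName

# Verify the policy is attached (the "Permissions" tab check).
$attached = aws iam list-attached-role-policies --role-name $RoleName --query 'AttachedPolicies[].PolicyName' --output text
if ($attached -notmatch 'AmazonSSMManagedInstanceCore') { throw "Policy not attached to $RoleName" }

# IAM is eventually consistent; a new profile can take a few seconds to become usable by EC2.
Start-Sleep -Seconds 15

# Attach the profile (Actions -> Security -> Modify IAM role). If the instance already has a
# profile, use 'aws ec2 replace-iam-instance-profile-association' instead of associate.
aws ec2 associate-iam-instance-profile --instance-id $InstanceId --iam-instance-profile "Name=$RoleName" --region $Region

# Verify (the "Security" tab check): the printed ARN should end in /ssmEC2Role.
aws ec2 describe-instances --instance-ids $InstanceId --region $Region --query 'Reservations[0].Instances[0].IamInstanceProfile.Arn' --output text
```

The trust policy is written to a file and passed as file:// rather than inline, because PowerShell 5.1 mangles double quotes when it hands a JSON string to a native executable; the same pattern is the safest way to pass any JSON parameter to the AWS CLI from PowerShell.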
Systems Manager
Make sure you select AWSEC2-CloneInstanceAndUpgradeWindows and NOT "AWSEC2-CloneInstanceAndUpgradeWindows2019". The 2019-specific document has limitations and may not work for all upgrade paths.
- Navigate to Systems Manager - From the AWS Management Console, go to the "Systems Manager" service.
- Open Automation - Under Change Management, click on "Automation", then click "Execute automation".
- Select the Automation Document - Search for "AWSEC2-CloneInstanceAndUpgradeWindows" and select it.
- Click Next - Verify "Simple execution" is selected.
- Configure Input Parameters:
- Select the EC2 instance you want upgraded
- Enter ssmEC2Role for IamInstanceProfile
- Enter the same subnet ID as the source EC2 instance for SubnetId
- Select your target OS version for TargetWindowVersion
- Set KeepPreUpgradeImageBackup to True (you can manually delete the AMI after confirming tests pass)
- Keep RebootInstanceBeforeTakingImage as False if you do not want the server to reboot during image creation
- Execute - Click "Execute". The process takes 2-3 hours and creates an AMI named AWSEC2_UPGRADED_AMI_TO_2022_FOR_INSTANCE_xxx (where xxx is the source instance ID).
The 2-3 hour wait is the perfect time to grab coffee, catch up on emails, or review your other pending upgrades. AWS handles all the heavy lifting.
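The same execution started from the AWS CLI (run from PowerShell) and polled until it finishes, so the 2-3 hour wait can be scripted instead of watched. This is an added example, not code from the original post. The parameter names are the ones the post lists; InstanceId is my assumed name for the instance picker, and the '2022' value for TargetWindowVersion is taken from the AMI name the post gives, so the script first prints the parameters the document actually declares for you to confirm. $InstanceId, $SubnetId and $Region are placeholders.

```powershell
# Added example, not from the original post: start the upgrade automation from the CLI
# and poll it to completion. Parameter names are the ones the post lists; InstanceId is
# an assumed name for the instance picker. $InstanceId, $SubnetId, $Region are placeholders.
$InstanceId = 'i-0123456789abcdef0'        # placeholder: the instance to upgrade
$SubnetId   = 'subnet-0123456789abcdef0'   # placeholder: same subnet as the instance
$Region     = 'us-east-1'                  # placeholder: the instance's region
$Document   = 'AWSEC2-CloneInstanceAndUpgradeWindows'

# Confirm the parameter names the document declares before relying on the ones below
# (aws ssm get-document --name $Document shows the full definition including allowed values).
aws ssm describe-document --name $Document --region $Region --query 'Document.Parameters[].[Name,Type,Description]' --output table

$params = @{
    InstanceId                      = @($InstanceId)   # assumed name for "Select the EC2 instance"
    IamInstanceProfile              = @('ssmEC2Role')
    SubnetId                        = @($SubnetId)
    TargetWindowVersion             = @('2022')        # target version; format is an assumption
    KeepPreUpgradeImageBackup       = @('true')        # keep the rollback AMI
    RebootInstanceBeforeTakingImage = @('false')
}
$paramFile = Join-Path $env:TEMP 'upgrade-params.json'
$params | ConvertTo-Json -Depth 3 | Set-Content -Path $paramFile -Encoding Ascii

$executionId = aws ssm start-automation-execution --document-name $Document --parameters "file://$paramFile" --region $Region --query AutomationExecutionId --output text
Write-Host "Started automation $executionId"

# Poll every 5 minutes; the post says to expect 2-3 hours end to end.
do {
    Start-Sleep -Seconds 300
    $exec   = (aws ssm get-automation-execution --automation-execution-id $executionId --region $Region | ConvertFrom-Json).AutomationExecution
    $status = $exec.AutomationExecutionStatus
    $step   = ($exec.StepExecutions | Where-Object { $_.StepStatus -eq 'InProgress' } | Select-Object -First 1).StepName
    Write-Host "$(Get-Date -Format 'HH:mm') status=$status step=$step"
} while ($status -in @('Pending', 'InProgress', 'Waiting'))

if ($status -ne 'Success') {
    $failed = $exec.StepExecutions | Where-Object { $_.StepStatus -eq 'Failed' } | Select-Object -First 1
    Write-Warning "Automation ended with status $status; failed step: $($failed.StepName) - $($failed.FailureMessage)"
    exit 1
}

# List both AMIs the run produces, named as in the post (backup and upgraded image).
aws ec2 describe-images --owners self --region $Region --filters "Name=name,Values=AWSEC2_*_$InstanceId" --query 'Images[].[Name,ImageId,State]' --output table
```

Keeping KeepPreUpgradeImageBackup set to true in the parameter file is deliberate: the backup AMI is the only rollback path once the original instance has been stopped or terminated in the next section.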
Create New Server
- Document Source Server Configuration - Note the subnet, EC2 instance type/family, and all security groups associated with the source server.
- Stop or Terminate the Original Server
- If you want to keep the same IP address, you must terminate the original server
- Before terminating, verify an AMI was created during the upgrade (look for images named AWSEC2_ImageFromOriginalInstance_xxx)
- Launch New EC2 Instance - Use the upgraded AMI (AWSEC2_UPGRADED_AMI_TO_2022_FOR_INSTANCE_xxx) with:
- Same instance type as the source server
- Same subnet as the source server
- Same security groups as the source server
- Connect - Once fully booted, connect to your upgraded OS server.
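The "Create New Server" steps above as a CLI script run from PowerShell: it reads the instance type, subnet and security groups off the source instance (so none of them are copied by hand), refuses to proceed unless the pre-upgrade backup AMI exists, then launches the replacement from the upgraded AMI. This is an added example, not code from the original post; $SourceInstanceId and $Region are placeholders.

```powershell
# Added example, not from the original post: launch the replacement server from the
# upgraded AMI with the same type, subnet and security groups as the source.
# $SourceInstanceId and $Region are placeholders to replace with your own values.
$SourceInstanceId = 'i-0123456789abcdef0'   # placeholder: the instance that was upgraded
$Region           = 'us-east-1'             # placeholder: its region

# 1. Document the source configuration straight from the API.
$src = (aws ec2 describe-instances --instance-ids $SourceInstanceId --region $Region | ConvertFrom-Json).Reservations[0].Instances[0]
$instanceType = $src.InstanceType
$subnetId     = $src.SubnetId
$sgIds        = @($src.SecurityGroups.GroupId)
Write-Host "Source: type=$instanceType subnet=$subnetId sgs=$($sgIds -join ',') state=$($src.State.Name)"

# 2. Refuse to touch the original unless the pre-upgrade backup AMI exists (the rollback path).
$backup = aws ec2 describe-images --owners self --region $Region --filters "Name=name,Values=AWSEC2_ImageFromOriginalInstance_${SourceInstanceId}" --query 'Images[0].[ImageId,State]' --output text
if (-not $backup -or $backup -eq 'None') { throw 'No pre-upgrade backup AMI found; do not stop or terminate the original.' }
Write-Host "Backup AMI: $backup"

# 3. Find the upgraded AMI and wait until it is available.
$upgradedAmi = aws ec2 describe-images --owners self --region $Region --filters "Name=name,Values=AWSEC2_UPGRADED_AMI_TO_2022_FOR_INSTANCE_${SourceInstanceId}" --query 'Images[0].ImageId' --output text
if (-not $upgradedAmi -or $upgradedAmi -eq 'None') { throw 'Upgraded AMI not found; check the automation execution.' }
aws ec2 wait image-available --image-ids $upgradedAmi --region $Region

# 4. Stop (rather than terminate) the original so you can fall back; terminate it later,
#    once the replacement is verified, if you need its address back as the post describes.
aws ec2 stop-instances --instance-ids $SourceInstanceId --region $Region --query 'StoppingInstances[0].CurrentState.Name' --output text

# 5. Launch the replacement with the same type, subnet and security groups, tagged back
#    to its source so the lineage is visible in the console.
$newId = aws ec2 run-instances --image-id $upgradedAmi --instance-type $instanceType --subnet-id $subnetId --security-group-ids $sgIds --count 1 --region $Region --tag-specifications "ResourceType=instance,Tags=[{Key=UpgradedFrom,Value=${SourceInstanceId}}]" --query 'Instances[0].InstanceId' --output text
aws ec2 wait instance-status-ok --instance-ids $newId --region $Region
Write-Host "Replacement $newId is running and passed status checks; connect and confirm the OS version."
```

Because the security group IDs are read from the source rather than retyped, the replacement inherits exactly the same network exposure as the original, no more and no less; if you want to tighten rules as part of the upgrade, do it on the groups before launching rather than by editing the list here.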
Troubleshooting
Running into issues? Here are the most common problems and their solutions:
- Instance not showing in Systems Manager - Verify the SSM agent is running (Get-Service AmazonSSMAgent), the IAM role is attached, and your security group allows outbound HTTPS (port 443) to the SSM endpoints.
- Automation fails at "createImage" step - Usually means insufficient disk space. Ensure at least 10 GB free on the root volume before starting.
- Upgrade completes but instance won't boot - Check that the backup AMI (AWSEC2_ImageFromOriginalInstance_xxx) was created. You can launch from this to restore the pre-upgrade state.
- SSM agent won't install - Make sure you're running PowerShell as Administrator and that TLS 1.2 is enabled (the script handles this, but older systems may have issues).
- Timeout errors during automation - The automation has built-in timeouts. If your instance is particularly large or slow, consider upgrading the instance type temporarily for faster processing.
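A diagnostic script, run from PowerShell with the AWS CLI, that checks the conditions the troubleshooting list above calls out from the AWS side: SSM registration and agent ping status, whether an instance profile is attached, whether any security group egress rule covers TCP 443, which automation step failed and why, and whether the rollback AMI exists. This is an added example, not code from the original post; $InstanceId, $Region and $ExecutionId are placeholders.

```powershell
# Added diagnostic script, not from the original post. $InstanceId, $Region and
# $ExecutionId (optional) are placeholders to replace with your own values.
$InstanceId  = 'i-0123456789abcdef0'   # placeholder: the instance being upgraded
$Region      = 'us-east-1'             # placeholder: its region
$ExecutionId = ''                      # placeholder: set to an automation execution ID to inspect a failed run

# "Instance not showing in Systems Manager": is it registered, and what does the agent report?
$info = aws ssm describe-instance-information --region $Region --filters "Key=InstanceIds,Values=$InstanceId" | ConvertFrom-Json
if (-not $info.InstanceInformationList -or $info.InstanceInformationList.Count -eq 0) {
    Write-Warning "$InstanceId is not registered with SSM; check the agent service, the IAM role and outbound 443."
} else {
    $i = $info.InstanceInformationList[0]
    Write-Host "SSM ping=$($i.PingStatus) agent=$($i.AgentVersion) os=$($i.PlatformName) $($i.PlatformVersion)"
}

# Is an IAM instance profile attached at all?
$profileArn = aws ec2 describe-instances --instance-ids $InstanceId --region $Region --query 'Reservations[0].Instances[0].IamInstanceProfile.Arn' --output text
if ($profileArn -eq 'None') { Write-Warning 'No IAM instance profile is attached.' } else { Write-Host "Instance profile: $profileArn" }

# Does any attached security group allow egress on TCP 443? (Rows: protocol, from, to;
# protocol -1 means all traffic. Network ACLs are not checked here.)
$sgIds  = (aws ec2 describe-instances --instance-ids $InstanceId --region $Region --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' --output text) -split '\s+'
$egress = aws ec2 describe-security-groups --group-ids $sgIds --region $Region --query 'SecurityGroups[].IpPermissionsEgress[].[IpProtocol,FromPort,ToPort]' --output text
$allows443 = @($egress) | Where-Object {
    $f = $_ -split '\s+'
    $f[0] -eq '-1' -or ($f[0] -eq 'tcp' -and [int]$f[1] -le 443 -and [int]$f[2] -ge 443)
}
if (-not $allows443) { Write-Warning 'No security group egress rule covers TCP 443.' } else { Write-Host 'Egress on TCP 443 is allowed.' }

# "Automation fails at createImage" / timeouts: show the failed step and its message.
if ($ExecutionId) {
    $exec = (aws ssm get-automation-execution --automation-execution-id $ExecutionId --region $Region | ConvertFrom-Json).AutomationExecution
    Write-Host "Execution status: $($exec.AutomationExecutionStatus)"
    $exec.StepExecutions | Where-Object { $_.StepStatus -in @('Failed', 'TimedOut', 'Cancelled') } |
        ForEach-Object { Write-Warning "Step $($_.StepName): $($_.StepStatus) - $($_.FailureMessage)" }
}

# "Instance won't boot": confirm the backup AMI exists so a rollback is possible.
$backup = aws ec2 describe-images --owners self --region $Region --filters "Name=name,Values=AWSEC2_ImageFromOriginalInstance_${InstanceId}" --query 'Images[0].[ImageId,State]' --output text
if (-not $backup -or $backup -eq 'None') { Write-Warning 'No pre-upgrade backup AMI found.' } else { Write-Host "Rollback AMI: $backup" }
```

Run the registration and profile checks first: an instance that has a running agent but no instance profile, or a profile without AmazonSSMManagedInstanceCore, never appears in Systems Manager, and the automation cannot even start against it.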
Conclusion
While the allure of the "If it ain't broke, don't fix it" mentality can be strong, especially if your current OS seems to be running smoothly, the risks of not upgrading far outweigh the temporary convenience of maintaining the status quo. By keeping your OS updated, you're taking a proactive step towards ensuring optimal performance, enjoying the latest features, and, most importantly, safeguarding your data against ever-present cyber threats. Always remember, in the digital age, staying updated is staying protected.