Unable to Retrieve Default Windows Administrator Password in AWS EC2

I'm building an AWS CloudFormation automation document which creates a custom Windows 2016 AMI for me.

If I spin up an EC2 instance based on this AMI, I'm unable to retrieve the password.

Get Windows Password: Password not available yet

Password not available yet. Please wait at least 4 minutes after launching an instance before trying to retrieve the auto-generated password.

Note: Passwords are generated during the launch of Amazon Windows AMIs or custom AMIs that have been configured to enable this feature. Instances launched from a custom AMI without this feature enabled use the username and password of the AMI’s parent instance.

There's also nothing shown in the AWS System Log.

The CloudFormation template looks like this:

AWSTemplateFormatVersion: "2010-09-09"
Description: "SSM Automation Document"
Parameters:
  SubnetId:
    Description: "ID of subnet to use for launching EC2 instance"
    Type: "AWS::EC2::Subnet::Id"
  KeyPairName:
    Description: "Name of EC2 key pair for logging in to the instance"
    Type: "String"
  SecurityGroupIds:
    Description: "The IDs of security groups that are permitted access to EC2 instance"
    Type: "List<AWS::EC2::SecurityGroup::Id>"
Outputs:
  AmiAutomationDocumentName:
    Value: !Ref "AmiAutomationDoc"
Resources:
  AutomationRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "ssm.amazonaws.com"
        Version: "2012-10-17"
      Policies:
        - PolicyName: "PassRole"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - "iam:PassRole"
                Effect: "Allow"
                Resource: "*"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
  InstanceProfileRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "ssm.amazonaws.com"
        Version: "2012-10-17"
      Policies:
        - PolicyName: "PassRole"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - "iam:PassRole"
                Effect: "Allow"
                Resource: "*"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
  InstanceProfile:
    Properties:
      Path: "/"
      Roles:
        - !Ref "InstanceProfileRole"
    Type: "AWS::IAM::InstanceProfile"
  AmiAutomationDoc:
    Type: "AWS::SSM::Document"
    Properties:
      DocumentType: "Automation"
      Content: 
        schemaVersion: "0.3"
        description: "Create a new AMI"
        parameters:
          SourceAmiId:
            type: "String"
            description: "AMI to patch"
          TargetAmiName:
            type: "String"
            description: "Name of new AMI"
            default: "NewAMI_{{ global:DATE_TIME }}_{{ SourceAmiId }}"
        assumeRole: !GetAtt "AutomationRole.Arn"
        mainSteps:
          - name: "startInstance"
            action: "aws:runInstances"
            timeoutSeconds: 360
            maxAttempts: 1
            onFailure: "Abort"
            inputs:
              ImageId: "{{ SourceAmiId }}"
              InstanceType: "t2.micro"
              IamInstanceProfileArn: !GetAtt "InstanceProfile.Arn"
              KeyName: !Ref "KeyPairName"
              SecurityGroupIds: !Ref "SecurityGroupIds"
              SubnetId: !Ref "SubnetId"
              MinInstanceCount: 1
              MaxInstanceCount: 1
          - name: "stopInstance"
            action: "aws:changeInstanceState"
            maxAttempts: 1
            onFailure: "Continue"
            inputs:
              InstanceIds:
                - "{{ startInstance.InstanceIds }}"
              DesiredState: "stopped"
          - name: "createImage"
            action: "aws:createImage"
            maxAttempts: 1
            onFailure: "Continue"
            inputs:
              InstanceId: "{{ startInstance.InstanceIds }}"
              ImageName: "{{ TargetAmiName }}"
              ImageDescription: "AMI based on base image {{ SourceAmiId }}"
        outputs:
          - createImage.ImageId
          - startInstance.InstanceIds
Asked Sep 07 '25 14:09 by Nic

1 Answer

With Windows 2016, new PowerShell scripts have been introduced. These need to be scheduled when building the AMI.

To accomplish this add:

- name: "installServices"
  action: "aws:runCommand"
  maxAttempts: 1
  onFailure: "Abort"
  inputs:
    DocumentName: !Ref "InstallServicesCommand"
    InstanceIds:
      - "{{ startInstance.InstanceIds }}"

and then:

InstallServicesCommand:
  Type: "AWS::SSM::Document"
  Properties:
    DocumentType: "Command"
    Content: 
      schemaVersion: "1.2"
      description: "Install base services"
      runtimeConfig:
        aws:runPowerShellScript:
          properties:
            - runCommand:
              - C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
              - C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SendWindowsIsReady.ps1 -Schedule
Answered Sep 10 '25 00:09 by Nic
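As an added example (not part of the original post), the following PowerShell verifies, on the build instance, that the EC2Launch password generation the answer relies on is actually armed before the instance is stopped and imaged. It is meant to run as an additional aws:runPowerShellScript step between the installServices step above and stopInstance. It assumes the EC2Launch v1 directory layout shown in the answer and the adminPasswordType key in LaunchConfig.json; if either check fails the script exits non-zero so the automation step aborts instead of producing an AMI whose instances keep the parent's Administrator password.

```powershell
# Added example: pre-image check for EC2Launch v1 on Windows Server 2016.
# Run after the two -Schedule calls from the answer and before stopInstance.
# Assumed: EC2Launch v1 paths and the "adminPasswordType" key in LaunchConfig.json.
$ErrorActionPreference = 'Stop'
$launchDir  = 'C:\ProgramData\Amazon\EC2-Windows\Launch'
$configPath = Join-Path $launchDir 'Config\LaunchConfig.json'
$scripts    = @('InitializeInstance.ps1', 'SendWindowsIsReady.ps1')
$problems   = @()

# 1. A fresh Administrator password is only generated on next boot when EC2Launch
#    is configured to do so ("Random"); "DoNothing" keeps the parent's password.
$config = Get-Content -Raw $configPath | ConvertFrom-Json
if ($config.adminPasswordType -ne 'Random') {
    $problems += "adminPasswordType is '$($config.adminPasswordType)', expected 'Random'"
}

# 2. Each "-Schedule" call registers a scheduled task whose action runs the script.
#    Match on the action rather than the task name so the check does not depend
#    on the exact task title used by a given EC2Launch release.
$tasks = Get-ScheduledTask
foreach ($name in $scripts) {
    $registered = $tasks | Where-Object {
        $_.Actions | Where-Object {
            "$($_.Execute) $($_.Arguments)" -match [regex]::Escape($name)
        }
    }
    if (-not $registered) {
        $problems += "no scheduled task found for $name; run $launchDir\Scripts\$name -Schedule"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error -ErrorAction Continue $_ }
    # Non-zero exit fails the aws:runCommand step, so onFailure: "Abort" stops the
    # automation before createImage captures an instance with an inherited password.
    exit 1
}
Write-Output 'EC2Launch password generation is scheduled; safe to stop and image.'
```

Because the check runs inside the automation, a failed build surfaces in the SSM execution history rather than as a later "Password not available yet" message on every instance launched from the AMI.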