Updating an EC2 Windows Instance's Device Drivers

Applying available updates is one of the most critical tasks in keeping the Windows OS healthy. Although security updates seem to receive the most attention, there are various other types of updates. These can include things like bug fixes, feature updates and even updated device drivers. Bug fixes, security updates and feature updates are delivered through Windows Update, but if you are running Windows on an EC2 instance, then drivers need to be updated in a completely different way.

Some may be quick to point out that Microsoft does deliver updated device drivers through Windows Update. The problem however, is that Microsoft's driver updates are not comprehensive. There are some devices for which Microsoft simply does not provide a driver. In these types of situations, the normal course of action is to simply download the updated driver from the hardware vendor's web site.

Even so, EC2 instances present a special situation with regard to device driver updates. Specifically, Windows is running on virtual hardware, and therefore requires virtual device drivers. This means that you can't simply download the drivers from a hardware vendor's web site, because the hardware is virtual. It also means that you can't count on Microsoft to supply the drivers, because the Windows instance is not running on Hyper-V or Azure.

Amazon uses a collection of virtual device drivers, which it refers to as paravirtual drivers, or AWS PV drivers. There are a couple of different ways that you can update these drivers. Before you attempt to update your instance's PV drivers however, it is a good idea to back up the instance in case anything goes wrong.

The easiest option for updating the PV drivers within a Windows instance is to use AWS Systems Managers. You can find the Systems Manager in the Management and Governance section within the list of services. When the Systems Manager opens, select the State Manager tab (found in the Node Manager section on the left side of the screen). When the State Manager screen appears, click the Create Association button, shown in Figure 1.

[Click on image for larger view.] Figure 1: Select the State Manager tab and then click the Create Association button.

At this point, you will be taken to the Create Association screen. The first thing that you will need to do is enter a name for the association that you are creating. For example, you could use a name such as WindowsDriverUpdate.

Next, you will need to select the association document that you want to use. In this case, the required document is AWS-ConfigureAWSPackage. Now, set the Action option to Install and set the Installation type to Uninstall and Reinstall. You will also need to enter AWSPVDriver into the Name field. You can see what this looks like in Figure 2.

[Click on image for larger view.] Figure 2: The AWS-ConfigureAWSPackage document is used for automated driver updates.

Now scroll down to the Target Selection section. Here you will need to specify the instances that you want to update. You can specify instances manually, by their tags, by the resource group used, or you can choose all instances. It doesn't matter which method you use, but keep in mind that the driver updates will only be applied to Windows instances. If Linux instances are included in your selection, updates will fail on those instances.

Now simply tell AWS Systems Manager how frequently you want to check for updates and then click the Create Association button. There are several other options available on the Create Association screen, but the remaining options are optional. When you return to the Associations screen, you should see that the association that you have created has a status of Success (though you may have to refresh the console).

[Click on image for larger view.] Figure 3: The association was applied successfully.

The other option for updating the PV drivers within a Windows instance is to perform a manual driver update using PowerShell. Before I show you how to perform the update, it is worth noting that this technique should not be used on domain controllers.

So with that said, log in to your instance using the RDP client. Now, open an elevated PowerShell session and enter the following command:

Get-ItemProperty HKLM:\SOFTWARE\Amazon\PVDriver

This command will show you the PV driver version that is currently in use on the instance. In Figure 4 for example, the instance is using version 8.4.3.

[Click on image for larger view.] Figure 4: You can use PowerShell to check the PV driver version.

Next, download the latest drivers by entering this command:

Invoke-WebRequest -outfile $env:USERPROFILE\

This command downloads a ZIP file called and stores it in your user profile folder (C:\Users\Administrator by default, assuming that you are logged in as Administrator). You will need to extract the zip file's contents before you will be able to install the new drivers. To do so, use this command:

Expand-Archive $env:userprofile\ -DestinationPath $env:userprofile\pv_drivers

This command creates a folder called pv_drivers (the full default path is C:\Users\Administrator\pv_drivers). All you need to do now is to navigate to this folder and run the AWSPCDriverSetup.msi file. It is worth noting that executing this file will eventually cause the instance to reboot. Before the reboot however, you will see a prompt like the one shown in Figure 5, asking you if you want to repair or remove the AWS PV drivers. Choose the Repair option and click Finish.

[Click on image for larger view.] Figure 5: Select the option to repair the AWS PV Drivers..

When the system reboots, reconnect to it, log in and open PowerShell once again. You can use the Get-ItemProperty HKLM:\SOFTWARE\Amazon\PVDriver command once again as a way of confirming that the drivers have been updated to a new version.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


Subscribe on YouTube