| 1 min read
When launching a Windows instance via an AWS AMI, a password is automatically generated, and encrypted using the keypair associated with the instance.
As a best practice, this generated password should be changed. Many folks choose to create a new local administrator account with a unique username, and additionally many teams choose to join the instance to a domain, and let the domain handle authentication.
Finally, starting with Windows Server 2016, AMIs maintained by AWS are configured to allow generated passwords to expire.