diff --git a/images/windows-core-2019/windows-provisioner.ps1 b/images/windows-core-2019/windows-provisioner.ps1 index a192d7e983..8c12dce527 100644 --- a/images/windows-core-2019/windows-provisioner.ps1 +++ b/images/windows-core-2019/windows-provisioner.ps1 @@ -22,17 +22,20 @@ Set-Content -Path "$PsHome\Microsoft.PowerShell_profile.ps1" -Value $ChocoProfil refreshenv -Write-Host "Installing cloudwatch agent..." +Write-Host "Installing cloudwatch agent, part 1" Invoke-WebRequest -Uri https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi -OutFile C:\amazon-cloudwatch-agent.msi -$cloudwatchParams = '/i', 'C:\amazon-cloudwatch-agent.msi', '/qn', '/L*v', 'C:\CloudwatchInstall.log' -Start-Process "msiexec.exe" $cloudwatchParams -Wait -NoNewWindow -Remove-Item C:\amazon-cloudwatch-agent.msi # Install dependent tools Write-Host "Installing additional development tools" choco install git awscli -y refreshenv +Write-Host "Installing cloudwatch agent, part 2" +# Delayed part 2 to ensure the download from part 1 completed and was written to disk +$cloudwatchParams = '/i', 'C:\amazon-cloudwatch-agent.msi', '/qn', '/L*v', 'C:\CloudwatchInstall.log' +Start-Process "msiexec.exe" $cloudwatchParams -Wait -NoNewWindow +Remove-Item C:\amazon-cloudwatch-agent.msi + Write-Host "Creating actions-runner directory for the GH Action installtion" New-Item -ItemType Directory -Path C:\actions-runner ; Set-Location C:\actions-runner @@ -49,4 +52,4 @@ $action = New-ScheduledTaskAction -WorkingDirectory "C:\actions-runner" -Execute $trigger = New-ScheduledTaskTrigger -AtStartup Register-ScheduledTask -TaskName "runnerinit" -Action $action -Trigger $trigger -User System -RunLevel Highest -Force -C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule \ No newline at end of file +C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule 
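Review bot: The MSI fetched from the `latest` URL is still handed to `msiexec.exe` in part 2 without any check that the file is present, complete, or the package Amazon published; moving the install after `choco install` only changes timing and verifies nothing. Before the `Start-Process` line I would add a guard such as `if ((Get-AuthenticodeSignature C:\amazon-cloudwatch-agent.msi).Status -ne 'Valid') { throw 'CloudWatch agent MSI failed signature check' }`, assuming the MSI is Authenticode-signed; otherwise pin a version and compare its hash. The install result is also dropped: adding `-PassThru` and testing `.ExitCode` would stop the image build when msiexec fails, instead of baking an image without the agent. The same applies to the identical hunk in images/windows-core-2022/windows-provisioner.ps1.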
diff --git a/images/windows-core-2022/windows-provisioner.ps1 b/images/windows-core-2022/windows-provisioner.ps1 index a192d7e983..8c12dce527 100644 --- a/images/windows-core-2022/windows-provisioner.ps1 +++ b/images/windows-core-2022/windows-provisioner.ps1 @@ -22,17 +22,20 @@ Set-Content -Path "$PsHome\Microsoft.PowerShell_profile.ps1" -Value $ChocoProfil refreshenv -Write-Host "Installing cloudwatch agent..." +Write-Host "Installing cloudwatch agent, part 1" Invoke-WebRequest -Uri https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi -OutFile C:\amazon-cloudwatch-agent.msi -$cloudwatchParams = '/i', 'C:\amazon-cloudwatch-agent.msi', '/qn', '/L*v', 'C:\CloudwatchInstall.log' -Start-Process "msiexec.exe" $cloudwatchParams -Wait -NoNewWindow -Remove-Item C:\amazon-cloudwatch-agent.msi # Install dependent tools Write-Host "Installing additional development tools" choco install git awscli -y refreshenv +Write-Host "Installing cloudwatch agent, part 2" +# Delayed part 2 to ensure the download from part 1 completed and was written to disk +$cloudwatchParams = '/i', 'C:\amazon-cloudwatch-agent.msi', '/qn', '/L*v', 'C:\CloudwatchInstall.log' +Start-Process "msiexec.exe" $cloudwatchParams -Wait -NoNewWindow +Remove-Item C:\amazon-cloudwatch-agent.msi + Write-Host "Creating actions-runner directory for the GH Action installtion" New-Item -ItemType Directory -Path C:\actions-runner ; Set-Location C:\actions-runner @@ -49,4 +52,4 @@ $action = New-ScheduledTaskAction -WorkingDirectory "C:\actions-runner" -Execute $trigger = New-ScheduledTaskTrigger -AtStartup Register-ScheduledTask -TaskName "runnerinit" -Action $action -Trigger $trigger -User System -RunLevel Highest -Force -C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule \ No newline at end of file +C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule 
diff --git a/modules/runners/templates/start-runner.ps1 b/modules/runners/templates/start-runner.ps1 index ae2eeff3c9..af544d564f 100644 --- a/modules/runners/templates/start-runner.ps1 +++ b/modules/runners/templates/start-runner.ps1 @@ -4,6 +4,8 @@ function Tag-InstanceWithRunnerId { Write-Host "Checking for .runner file to extract agent ID" + # Note: $pwd is usually C:\actions-runner since the Scheduled Task that calls + # start-runner.ps1 sets that as the working directory. $runnerFilePath = "$pwd\.runner" if (-not (Test-Path $runnerFilePath)) { Write-Host "Warning: .runner file not found" 
@@ -177,30 +179,52 @@ ConvertTo-Json -InputObject $jsonBody | Set-Content -Path "$pwd\.setup_info" Write-Host "Starting the runner in $agent_mode mode" Write-Host "Starting runner after $(((get-date) - (gcim Win32_OperatingSystem).LastBootUpTime).tostring("hh':'mm':'ss''"))" +$taskExecutable = "run.cmd" +$taskArgument = $null + if ($agent_mode -eq "ephemeral") { + $startRunnerService = "start-runner-service.ps1" + $taskExecutable = "PowerShell.exe" + $taskArgument = "-File $startRunnerService" + if (Test-Path $startRunnerService) { + Remove-Item "$startRunnerService" + } if ($enable_jit_config -eq "true") { - Write-Host "Starting with jit config" - Invoke-Expression ".\run.cmd --jitconfig $${config}" + Write-Output 'Write-Host "Starting with jit config"' | Out-File -Append -FilePath "$startRunnerService" + # Note: the double dollar signs are an artifact of Terraform since a single dollar sign and bracket would be + # interpreted by the template. + Write-Output ".\run.cmd --jitconfig $${config}" | Out-File -Append -FilePath "$startRunnerService" } else { - Write-Host "Starting without jit config" - Invoke-Expression ".\run.cmd" + Write-Output 'Write-Host "Starting without jit config"' | Out-File -Append -FilePath "$startRunnerService" + Write-Output ".\run.cmd" | Out-File -Append -FilePath "$startRunnerService" } - Write-Host "Runner has finished" if ($enable_cloudwatch_agent) { - Write-Host "Stopping CloudWatch Agent" - & 'C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1' -a stop + $outputstring = @" +Write-Host `"Stopping CloudWatch Agent`" +& 'C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1' -a stop +"@ + + $outputstring | Out-File -Append -FilePath "$startRunnerService" } - Write-Host "Terminating instance" - aws ec2 terminate-instances --instance-ids "$InstanceId" --region "$Region" -} else { - Write-Host "Installing the runner as a service" + $outputstring = @" +Write-Host `"Terminating instance`" +aws 
ec2 terminate-instances --instance-ids `"$InstanceId`" --region `"$Region`" +"@ + $outputstring | Out-File -Append -FilePath "$startRunnerService" +} - $action = New-ScheduledTaskAction -WorkingDirectory "$pwd" -Execute "run.cmd" - $trigger = Get-CimClass "MSFT_TaskRegistrationTrigger" -Namespace "Root/Microsoft/Windows/TaskScheduler" - Register-ScheduledTask -TaskName "runnertask" -Action $action -Trigger $trigger -User $username -Password $password -RunLevel Highest -Force - Write-Host "Starting runner after $(((get-date) - (gcim Win32_OperatingSystem).LastBootUpTime).tostring("hh':'mm':'ss''"))" +Write-Host "Installing the runner as a service" + +if ( $taskArgument ) { + $action = New-ScheduledTaskAction -WorkingDirectory "$pwd" -Execute "$taskExecutable" -Argument "$taskArgument" + } +else { + $action = New-ScheduledTaskAction -WorkingDirectory "$pwd" -Execute "$taskExecutable" } +$trigger = Get-CimClass "MSFT_TaskRegistrationTrigger" -Namespace "Root/Microsoft/Windows/TaskScheduler" +Register-ScheduledTask -TaskName "runnertask" -Action $action -Trigger $trigger -User $username -Password $password -RunLevel Highest -Force +Write-Host "Starting runner after $(((get-date) - (gcim Win32_OperatingSystem).LastBootUpTime).tostring("hh':'mm':'ss''"))" diff --git a/modules/runners/templates/start-runner.sh b/modules/runners/templates/start-runner.sh index 7f2c0f82c5..92b2c63bc0 100644 --- a/modules/runners/templates/start-runner.sh +++ b/modules/runners/templates/start-runner.sh @@ -254,6 +254,8 @@ if [[ "$enable_jit_config" == "false" || $agent_mode != "ephemeral" ]]; then else extra_flags="" fi + # Note: the double dollar signs are an artifact of Terraform since a single dollar sign and bracket would be + # interpreted by the template sudo --preserve-env=RUNNER_ALLOW_RUNASROOT -u "$run_as" -- ./config.sh $${extra_flags} --unattended --name "$runner_name_prefix$instance_id" --work "_work" $${config} # Tag instance with GitHub runner agent ID for non-JIT runners
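Review bot: In the ephemeral branch of start-runner.ps1 the JIT config is interpolated into `start-runner-service.ps1` as bare script text, so the value is parsed as PowerShell when the scheduled task runs. The file also keeps the config (which I understand carries the runner's credentials) in clear text in the working directory. I would emit it as a single-quoted literal, `Write-Output ".\run.cmd --jitconfig '$${config}'" | Out-File -Append -FilePath "$startRunnerService"`, and restrict the generated file's ACL to the account the task runs as. Whether job steps can read that directory is not visible from this hunk. `$InstanceId` and `$Region` are expanded into the here-string at generation time in the same way, which is only safe while they come from instance metadata; a short comment saying so would help the next reader.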