2 - Patching Windows Servers and Microsoft Workloads at Scale on AWS

Author: Dean Suzuki, Siavash Irani, Barret Newman (Last Updated: 8/12/20)

Abstract

When you manage a fleet of servers, a common operation is patching them with the latest security updates. AWS provides a suite of tools to help you keep your servers patched. In this lab, you will gain experience with the following AWS Systems Manager capabilities:

  • Patch Manager: Automates the process of patching managed instances

  • Inventory: Collect metadata from your managed instances

  • Compliance: Scan your fleet of managed instances for patch compliance and configuration inconsistencies

  • Maintenance Windows: Define a schedule for when to perform potentially disruptive actions on your instances

Prerequisites

Before you can use this lab, the lab environment must be set up.

  • If the lab was set up by the AWS team, then the CloudFormation template should already have been run as part of the lab setup.

  • You can check whether the lab was set up by looking at the EC2 instances. If the WEB01 and WEB02 instances are present, then the lab was set up.

  • If the lab wasn’t set up, then you can set up the environment using CloudFormation. Here is the template: CloudFormation-Template.

  • NOTE: Both the Remote Management using Session Manager and Run Command lab and the Patching Windows Server and Microsoft Workloads at Scale on AWS lab use the same base CloudFormation template. This template only needs to be deployed once and can be used across both lab modules without being deleted or re-created.

Use Systems Manager Patch Manager to configure patching

AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), CentOS, Amazon Linux, and Amazon Linux 2. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.

In addition to Patch Manager, we will also be making use of the Maintenance Windows capability in AWS Systems Manager for this portion of the lab.

AWS Systems Manager Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, or installing software or patches. Maintenance Windows also lets you schedule actions on numerous other AWS resource types, such as Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Queue Service (Amazon SQS) queues, AWS Key Management Service (AWS KMS) keys, and many more.

  1. Open Systems Manager and choose Patch Manager from the left navigation.

  2. Click the Configure patching button.

  3. Enter “OperatingSystem” as the tag key and “Windows” as the tag value.

  4. Click the Add button.

  5. Scroll to the Patching schedule and choose Schedule in a new Maintenance Window.

  6. Review the fields available for setting up a Maintenance Window. This is where you would define the window in which patching runs.

  7. Go back to the Patching schedule and select Skip scheduling and patch instances now. Since this is a lab, we are going to force the patching to occur right now.

  8. Scroll to the bottom and click the Configure patching button.

  9. Right-click Run Command in the left navigation and open it in a new tab. In Run Command, you can watch the command run.

  10. Once the command finishes, you can select the Command History tab to see the results of the patching.

    NOTE: In a real-world deployment you would likely not patch immediately. For example, you could schedule patching for 2 AM on the weekend. To do this, you would create a Maintenance Window so that the patching occurs at that time.

When a patching operation is performed on a Windows instance, the instance requests a snapshot of the appropriate patch baseline from Systems Manager. This snapshot contains the list of all updates available in the patch baseline that have been approved for deployment. This list of updates is sent to the Windows Update API, which determines which of the updates are applicable to the instance and installs them as needed. If any updates are installed, the instance is rebooted afterwards, as many times as necessary to complete all necessary patching. See the Patch Manager documentation for more information.
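The baseline snapshot described above is built from the baseline's approval rules. The following added example (not AWS code, and not part of this lab's original material) shows how such rules select updates and assign compliance levels; it assumes a hypothetical baseline and a constructed list of updates, with rule shape mirroring the ApprovalRules parameter of the Patch Manager API. When several rules match one update, this example reports the highest compliance level among them, which is this example's own convention, not a statement of Patch Manager's tie-breaking.

```python
from datetime import date

# Hypothetical baseline for this lab, in the ApprovalRules shape Patch Manager uses.
# Windows filter keys are PRODUCT, CLASSIFICATION and MSRC_SEVERITY; "*" matches all.
BASELINE_RULES = [
    {"PatchFilterGroup": {"PatchFilters": [
        {"Key": "CLASSIFICATION", "Values": ["SecurityUpdates", "CriticalUpdates"]},
        {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]}]},
     "ApproveAfterDays": 0, "ComplianceLevel": "CRITICAL"},
    {"PatchFilterGroup": {"PatchFilters": [{"Key": "CLASSIFICATION", "Values": ["*"]}]},
     "ApproveAfterDays": 7, "ComplianceLevel": "MEDIUM"},
]

# Constructed sample of the updates Microsoft Update could report for one server.
UPDATES = [
    {"KB": "KB5000001", "Classification": "SecurityUpdates", "MSRCSeverity": "Critical",
     "ReleaseDate": "2020-08-11"},
    {"KB": "KB5000002", "Classification": "Updates", "MSRCSeverity": "Unspecified",
     "ReleaseDate": "2020-08-11"},
    {"KB": "KB5000003", "Classification": "Updates", "MSRCSeverity": "Unspecified",
     "ReleaseDate": "2020-07-01"},
]

FILTER_FIELD = {"CLASSIFICATION": "Classification", "MSRC_SEVERITY": "MSRCSeverity",
                "PRODUCT": "Product"}
LEVEL_RANK = {"UNSPECIFIED": 0, "INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3,
              "HIGH": 4, "CRITICAL": 5}


def rule_approves(rule, update, today):
    """True when every filter in the rule matches and the auto-approval delay has elapsed."""
    for f in rule["PatchFilterGroup"]["PatchFilters"]:
        value = update.get(FILTER_FIELD[f["Key"]])
        if "*" not in f["Values"] and value not in f["Values"]:
            return False
    age_days = (today - date.fromisoformat(update["ReleaseDate"])).days
    return age_days >= rule["ApproveAfterDays"]


def approved_patches(rules, updates, today_iso):
    """Return {KB: ComplianceLevel} for the updates the baseline approves as of today_iso.
    Approved if any rule approves it; the highest matching level is reported (assumption)."""
    today = date.fromisoformat(today_iso)
    approved = {}
    for u in updates:
        levels = [r["ComplianceLevel"] for r in rules if rule_approves(r, u, today)]
        if levels:
            approved[u["KB"]] = max(levels, key=LEVEL_RANK.__getitem__)
    return approved
```

Only the approved set goes to the Windows Update API, which then decides which of those updates actually apply to the instance.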

Please note that patching may take some time to complete, depending on how many Microsoft patches have been released. Continue with the next section while it runs.

Use Systems Manager Inventory to configure inventory

AWS Systems Manager Inventory provides visibility into your Amazon EC2 and on-premises computing environment. You can use Inventory to collect metadata from your managed instances. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which instances are running the software and configurations required by your software policy, and which instances need to be updated. You can configure Inventory on all of your managed instances by using a one-click procedure. You can also configure and view inventory data from multiple AWS Regions and accounts.

  1. Choose Inventory from the left navigation. NOTE: you may see a red error at the top of this page. This will not impact your ability to configure inventory.
  2. Click the Setup Inventory button.
  3. Scroll down to Targets and choose Specifying a tag.
  4. Enter “OperatingSystem” as the tag key and “Windows” as the tag value.
  5. Scroll to the bottom and click the Setup Inventory button.

Explore the Results

NOTE: It will take a few minutes to collect Inventory information from the instances.

  1. Choose Managed Instances from the left navigation. Managed instances are instances that have the Systems Manager Agent (SSM Agent) installed and have been configured for AWS Systems Manager. These machines could be EC2 instances or on-premises machines in a hybrid environment (see here for more information).
  2. Click the link in the Instance ID column of either instance.
  3. Choose the Inventory tab at the top of the page to view inventory.
  4. Use the Inventory Type dropdown to explore the information collected.
  5. Choose the Patch tab at the top of the page to view patching status.
  6. Explore the patches that have been applied to the instance.
  7. Choose the Configuration Compliance tab at the top of the page.
  8. From here you can track compliance with your patching and other policies.
  9. Optionally, return to the Inventory page to see an aggregate view across many instances.

Check Compliance

AWS Systems Manager Configuration Compliance can be used to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant.

NOTE: It will take a few minutes to collect Compliance information from the instances. If a page opens up with more information on how to set up Compliance, wait 2-5 minutes and re-try to access Compliance from the left navigation.

  1. Choose Compliance from the left navigation.
  2. Notice the Compliance resource summary dashboard.
  3. With Patch Manager, you can define different compliance levels (e.g. Critical) for different types of patches. If a system is missing these patches, it will show up on the compliance dashboard. This dashboard makes it easy for you to identify which systems are missing critical patches. A State Manager association is a configuration associated with your managed instance. See here for more information.
  4. Congratulations! You have successfully completed this lab on patching Windows Servers and Microsoft workloads at scale on AWS.
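The dashboard view in step 3 can also be reproduced from the API. The following added example (not AWS code, and not part of this lab) summarises patch compliance items in the shape returned by ssm list-compliance-items, reporting each instance's status and which instances are missing patches at a given compliance level; the items, instance IDs and KB numbers are constructed sample data.

```python
SEVERITY_RANK = {"UNSPECIFIED": 0, "INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3,
                 "HIGH": 4, "CRITICAL": 5}

# Constructed sample items. A live fleet would get them from
# boto3.client("ssm").list_compliance_items(ResourceIds=[...],
#     ResourceTypes=["ManagedInstance"],
#     Filters=[{"Key": "ComplianceType", "Values": ["Patch"]}])["ComplianceItems"]
ITEMS = [
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0aaa",
     "Id": "KB5000001", "Status": "NON_COMPLIANT", "Severity": "CRITICAL"},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0aaa",
     "Id": "KB5000003", "Status": "COMPLIANT", "Severity": "MEDIUM"},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0bbb",
     "Id": "KB5000001", "Status": "COMPLIANT", "Severity": "CRITICAL"},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0bbb",
     "Id": "KB5000003", "Status": "NON_COMPLIANT", "Severity": "MEDIUM"},
    {"ComplianceType": "Patch", "ResourceType": "ManagedInstance", "ResourceId": "i-0ccc",
     "Id": "KB5000001", "Status": "COMPLIANT", "Severity": "CRITICAL"},
    {"ComplianceType": "Association", "ResourceType": "ManagedInstance", "ResourceId": "i-0bbb",
     "Id": "assoc-1", "Status": "NON_COMPLIANT", "Severity": "UNSPECIFIED"},
]


def patch_compliance_summary(items):
    """Per instance: overall patch status and the missing patches, worst severity first."""
    summary = {}
    for item in items:
        if item["ComplianceType"] != "Patch":
            continue  # State Manager association compliance is a separate view
        entry = summary.setdefault(item["ResourceId"], {"Status": "COMPLIANT", "Missing": []})
        if item["Status"] == "NON_COMPLIANT":
            entry["Status"] = "NON_COMPLIANT"
            entry["Missing"].append((item["Id"], item["Severity"]))
    for entry in summary.values():
        entry["Missing"].sort(key=lambda m: -SEVERITY_RANK.get(m[1], 0))
    return summary


def instances_missing_at_least(items, level):
    """Sorted instance IDs missing at least one patch at `level` or above."""
    floor = SEVERITY_RANK[level]
    return sorted(inst for inst, entry in patch_compliance_summary(items).items()
                  if any(SEVERITY_RANK.get(sev, 0) >= floor for _, sev in entry["Missing"]))
```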