
Why is my Amazon EC2 Windows instance missing a patch even after a successful Patch Manager patching operation?


Patch Manager, a capability of AWS Systems Manager, ran a patching operation on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instances. However, my EC2 instances are missing patches.

Short description

Your Windows instance patch might be missing for the following reasons:

  • The patch isn't applicable for the instance operating system (OS) type.
  • The Microsoft Knowledge Base (KB) package details don't match the baseline configuration.
  • A later patch is already released.
  • The patch isn't available in the Windows Server Update Services (WSUS) release channel.
  • The patch is already installed on the instance.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version. Verify that you installed AWS Tools for PowerShell on your local machine or on the instance.

Check whether the patch is applicable for the instance OS type

Complete the following steps:

  1. To identify the OS of your managed node, see Find information about your Windows device on the Microsoft website.
  2. Open the Microsoft update catalog on the Microsoft website.
  3. Enter the patch ID in the search bar to search for the Microsoft KB article IDs.
  4. Under Product, check for your node's OS. Not all patches apply to every OS type.

Check whether the KB classification, severity, and release date match the baseline configuration

Complete the following steps to check the KB package details:

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, choose Run Command.
  3. Choose the Command history tab.
  4. Choose the Command ID for the AWS-RunPatchBaseline operation, and then select the managed node.
  5. Choose Output, and then review the configuration in the Baseline parameter.
    The classification, severity, and approval delay date must match the package details from the Microsoft update catalog on the Microsoft website. If you use the default patch baseline and the patch classification is different from the baseline's, then you must create a custom patch baseline.

To check whether Patch Manager approved a specific KB, run the following describe-effective-patches-for-patch-baseline AWS CLI command:

aws ssm describe-effective-patches-for-patch-baseline --baseline-id pb-abdce123456789fgh --query "EffectivePatches[][Patch][?KbNumber=='KB1234567'][]"

Note: Replace KB1234567 with your KB number and pb-abdce123456789fgh with the patch baseline ID.

Check whether a later patch is already released

Complete the following steps:

  1. Open the Microsoft update catalog on the Microsoft website.
  2. Enter the patch ID in the search bar to search for the Microsoft KB article IDs.
  3. Under Product, for your managed node's OS, select Title to open the Update Details window.
  4. Choose the Package Details tab.
  5. Under This update has been replaced by the following updates, check whether there's a new patch. If there's a later patch available, then you can manually install it. Or, wait for Patch Manager to automatically install it after Systems Manager adds the patch to the patch list.

Check whether the patch is available in the WSUS release channel

For the Windows OS, Patch Manager retrieves the list of available updates that Microsoft publishes to Microsoft Update and that are automatically available to WSUS. If the patch isn't available in the WSUS release channel, then Patch Manager doesn't use that patch.

To verify the availability of the patch, complete the following steps:

  1. Open the Microsoft update catalog on the Microsoft website.
  2. Enter the patch ID in the search bar to search for the Microsoft KB article IDs.
  3. Under More Information, choose the support article. For an example, see July 12, 2022-KB5015808 (OS Build 14393.5246) on the Microsoft website.
  4. In the Microsoft support article, under Install this update, check the Release Channel. Verify that the Available column for Windows Server Update Services (WSUS) is Yes. If the patch isn't available through WSUS, then you must use another channel to download and install the update.

Check whether you already installed the patch on the instance

If you already manually installed a patch on the instance, then you can't update the patch through Patch Manager.

To check whether the patch is already installed on the instance, use one of the following methods.

Check the Windows Update OS logs

To get the list of installed updates, use the Get-Hotfix PowerShell command or the PSWindowsUpdate module.

The following example uses the PSWindowsUpdate module to write the update history to a WindowsUpdates.txt file on your desktop:

# Install the module (first run only), then export the update history
Install-Module PSWindowsUpdate
Get-WUHistory | ForEach-Object {
    New-Object PSObject -Property @{ Date = $_.Date; KB = $_.KB; Title = $_.Title }
} | Out-File $env:UserProfile\Desktop\WindowsUpdates.txt

For information about the Get-Hotfix command, see Get-HotFix on the Microsoft website.

Check the Fleet Manager console

Complete the following steps to use Fleet Manager, a capability of AWS Systems Manager, to check whether you already installed the patch on the instance:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Fleet Manager.
  3. Choose the managed node, and then choose the Node overview.
  4. Under Patches, search for the patch ID.

Run the describe-instance-patches command

To check whether the patch is installed without the need to log in to the instance, run the following describe-instance-patches command:

aws ssm describe-instance-patches --instance-id "i-12345abcdef12345" --filters "Key=KBId,Values=KB1234567"

Note: Replace i-12345abcdef12345 with your instance ID and KB1234567 with the patch ID.
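The following added Python example (not part of this article or of AWS's tooling) post-processes the JSON that the two AWS CLI commands above return, describe-effective-patches-for-patch-baseline and describe-instance-patches, and maps the result to the causes listed in the short description. The KB numbers, product name, and both responses are constructed samples that follow the shape of those API responses.

```python
"""Triage a KB that Patch Manager reported as missing.

Save the output of the two AWS CLI commands above to files and pass the
parsed JSON to triage_kb(). The samples below are constructed placeholders.
"""
import json

# Constructed sample: describe-instance-patches output filtered to one KB.
INSTANCE_PATCHES = json.loads("""
{"Patches": [{"Title": "Cumulative Update (constructed sample)",
              "KBId": "KB1234567", "Classification": "SecurityUpdates",
              "Severity": "Critical", "State": "Missing"}]}
""")

# Constructed sample: describe-effective-patches-for-patch-baseline output.
EFFECTIVE_PATCHES = json.loads("""
{"EffectivePatches": [
  {"Patch": {"KbNumber": "KB1234567", "Classification": "SecurityUpdates",
             "MsrcSeverity": "Critical", "Product": "WindowsServer2016"},
   "PatchStatus": {"DeploymentStatus": "PENDING_APPROVAL"}},
  {"Patch": {"KbNumber": "KB7654321", "Classification": "Updates",
             "MsrcSeverity": "Moderate", "Product": "WindowsServer2016"},
   "PatchStatus": {"DeploymentStatus": "APPROVED"}}]}
""")

# Patch Manager State values that mean the update is already on the node.
INSTALLED_STATES = {"Installed", "InstalledOther",
                    "InstalledPendingReboot", "InstalledRejected"}


def triage_kb(kb, instance_patches, effective_patches):
    """Return a one-line diagnosis for why `kb` is not being applied."""
    inst = next((p for p in instance_patches.get("Patches", [])
                 if p.get("KBId") == kb), None)
    eff = next((e for e in effective_patches.get("EffectivePatches", [])
                if e.get("Patch", {}).get("KbNumber") == kb), None)

    if inst and inst.get("State") in INSTALLED_STATES:
        return f"{kb} already installed (state {inst['State']})"
    if inst and inst.get("State") == "NotApplicable":
        return f"{kb} not applicable to this node's OS type"
    if eff is None:
        return (f"{kb} not in baseline's effective patch list: check OS type, "
                f"WSUS availability, or a later patch that replaces it")
    status = eff.get("PatchStatus", {}).get("DeploymentStatus")
    if status == "PENDING_APPROVAL":
        return f"{kb} pending approval: baseline approval delay not elapsed"
    if status == "EXPLICIT_REJECTED":
        return f"{kb} explicitly rejected by the baseline"
    if inst is None:
        return f"{kb} approved but not reported for the instance"
    return f"{kb} approved; instance reports state {inst.get('State')}"
```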