AWS-ApplyPatchBaseline run command fails when running behind a proxy server

0

Hi everyone,

We are trying to Run a Command (AWS-ApplyPatchBaseline) on an EC2 instance running Win 2012 R2.

This EC2 instance has a private IP (no public IP) and is using SQUID to connect to the internet. We have defined the proxy at the IE level and also for the SSM agent (in the registry) using the PowerShell script provided by AWS.

We have provided the EC2SSMFullAccess IAM role to this instance.

Running this command will always fail with this output (see at end).

What we would like to know is: is this SSM command not supported when running behind a proxy server?

Thanks

Patch Summary for
PatchGroup :
BaselineId :
SnapshotId :
OwnerInformation :
OperationType : Scan
OperationStartTime : 0001-01-01T00:00:00.0000000Z
OperationEndTime : 0001-01-01T00:00:00.0000000Z
InstalledCount : -1
InstalledOtherCount : -1
FailedCount : -1
MissingCount : -1
NotApplicableCount : -1

WIN-P5HSOSPN3J9 - PatchBaselineOperations Assessment Results - 2017-05-03T14:34:19.561

Scan found no missing updates.

----------ERROR-------
failed to run commands: exit status 4294967295
Invoke-PatchBaselineOperation : A WebException with status ConnectFailure was
thrown.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0dcd2ed49067b2cc8\document\orchestr
ation\f596754b-b9a2-4cc2-982c-c209a387d895\awsrunPowerShellScript\0.awsrunPower
ShellScript_script.ps1:155 char:13
+ $response = Invoke-PatchBaselineOperation -Operation Scan -SnapshotId ''
-Instan ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
+ CategoryInfo : OperationStopped: (Amazon.Patch.Ba...UpdateOpera
tion:FindWindowsUpdateOperation) [Invoke-PatchBaselineOperation], AmazonSe
rviceException
+ FullyQualifiedErrorId : PatchBaselineOperations,Amazon.Patch.Baseline.Op
erations.PowerShellCmdlets.InvokePatchBaselineOperation

Edited by: SMUnix on May 3, 2017 6:10 PM

SMUnix
asked 7 years ago, 3655 views
7 Answers
0
Accepted Answer

This will be addressed in future releases. Meanwhile, this workaround might help.

Please configure the IE settings under the SYSTEM context via PSExec:
PS C:\Users\Administrator\Downloads\PSTools> .\psexec -i -s -d cmd
Then in the System User Context CMD prompt:
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>inetcpl.cpl
Then configured the same settings that were stored in HKCU & re-ran the document.

answered 7 years ago
0

Thanks for this info.

SMUnix
answered 7 years ago
0

Hi, I am facing a similar issue here.
We are trying to use Patch Manager to do patching on an EC2 instance running Windows Server 2016.
This EC2 instance has a private IP (no public IP) and is using SQUID to connect to the internet.

We have defined the proxy and also configured the IE settings under the SYSTEM context via PSExec.
However, the Windows patching will always fail with this output (see at end).
Any advice?

The command output displays a maximum of 2500 characters. You can view the complete command output in either Amazon S3 or CloudWatch logs, if you specify an S3 bucket or a CloudWatch logs group when you run the command.

Patch Summary for
PatchGroup :
BaselineId :
SnapshotId :
OwnerInformation :
OperationType : Scan
OperationStartTime : 0001-01-01T00:00:00.0000000Z
OperationEndTime : 0001-01-01T00:00:00.0000000Z
InstalledCount : -1
InstalledRejectedCount : 0
InstalledOtherCount : -1
FailedCount : -1
MissingCount : -1
NotApplicableCount : -1
UnreportedNotApplicableCount : -1

STB-MM-2FA - PatchBaselineOperations Assessment Results - 2019-04-30T12:45:30.802

Scan found no missing updates.

----------ERROR-------
Invoke-PatchBaselineOperation : Instance Id i-0ca6ecd1648836185 doesn't match
the credentials
At C:\ProgramData\Amazon\SSM\InstanceData\i-0ca6ecd1648836185\document\orchestr
ation\349aa1e6-fd35-4687-a8b2-78db99323015\PatchWindows_script.ps1:195 char:13
+ $response = Invoke-PatchBaselineOperation -Operation Scan -SnapshotId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Amazon.Patch.Ba...UpdateOpera
tion:FindWindowsUpdateOperation) [Invoke-PatchBaselineOperation], AmazonSi
mpleSystemsManagementException
+ FullyQualifiedErrorId : PatchBaselineOperations,Amazon.Patch.Baseline.Op
erations.PowerShellCmdlets.InvokePatchBaselineOperation
failed to run commands: exit status 4294967295

answered 5 years ago
0

Any idea when the fix will make it into the ssm agent? It's been 2 years since the original post about this and I just tried the suggested workaround but the ssm agent still seems to ignore the proxy settings and tries to communicate out directly to:
ssm.us-east-1.amazonaws.com

answered 5 years ago
0

Same issue - but we are not using any proxy server. The Invoke-PatchBaselineOperation fails for only one of the machines in the Patch Group with this error:

Invoke-PatchBaselineOperation : The install operation did not complete
successfully. Additional failure information from Windows Update:
HResult: -2145124318 | Result Code: orcFailed
At C:\ProgramData\Amazon\SSM\InstanceData\i-03a9dad67ec4ced1a\document\orchestr
ation\fbc6a0a2-c2ad-45ec-81ee-688711b881eb\PatchWindows_script.ps1:195 char:13

+ $response = Invoke-PatchBaselineOperation -Operation Install -Snapsho ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Amazon.Patch.Ba...UpdateOpera
tion:InstallWindowsUpdateOperation) [Invoke-PatchBaselineOperation], Excep
tion
+ FullyQualifiedErrorId : Exception Level 1:
Error Message: The install operation did not complete successfully. Addit
ional failure information from Windows Update:
HResult: -2145124318 | Result Code: orcFailed
Stack Trace: at Amazon.Patch.Baseline.Operations.PatchNow.Implementati
ons.InstallWindowsUpdateOperation.InstallUpdates(IEnumerable`1 filteredUpd
ates)
at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.InstallWi
ndowsUpdateOperation.InstallUpdates()
at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.InstallWi
ndowsUpdateOperation.DoWindowsUpdateOperation()
,Amazon.Patch.Baseline.Operations.PowerShellCmdlets.InvokePatchBaselineOpe
ration

failed to run commands: exit status 4294967295

SKulai
answered 5 years ago
0

I am using RunPatchbaseline for installing Windows updates on Windows Server 2k12, 2k16 and 2k19. It works fine with 2k12 and 2k19; however, it fails in the case of 2k16. Also, there are cases to be considered here. Below are my test cases.

  1. Server hosted in public subnet with outbound traffic enabled - Success
  2. Server hosted in public subnet with outbound traffic disabled - Success
  3. Server hosted in private subnet with outbound traffic enabled - Fail

I don't understand why it fails on Windows Server 2k16. Can anyone guide me in the right direction to get it resolved?

answered 4 years ago
0

I had a similar problem: Windows 2016 with no external address, accessing Windows Update via NAT. It turns out that the Windows Firewall service must be enabled for Windows Update to download patches.
Once I started the Windows Firewall service, the server was able to download patches.

I also had this message in the Windows Update log.

2020/04/02 08:26:21.6793588 1128 3080 DownloadManager BITS job {3E75293B-FE35-4A1B-9877-F624F4A18DA6} hit a transient error, updateId = {034DE509-A373-470E-A1D7-2432D5399D70}.201 <NULL>, error = 0x800706D9
2020/04/02 08:26:21.6803449 1128 3080 DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls.

Hope this helps you.

answered 4 years ago
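
An added example, not part of any post above and not AWS's own script: a read-only PowerShell check that gathers in one report the settings this thread's answers touch, namely the SSM agent proxy values in the registry, the proxy stored for the SYSTEM account (what the PSExec workaround edits), the machine-wide WinHTTP proxy, and the state of the Windows Firewall service. The registry paths and service names are assumptions based on a default Windows and SSM Agent installation, and `Get-PatchProxyReport` is a hypothetical name.

```powershell
# Added example: read-only diagnostics; run from an elevated PowerShell session.
# Paths and service names are assumptions for a default Windows / SSM Agent install.
function Get-PatchProxyReport {
    $report = [ordered]@{}

    # 1. Proxy variables passed to the SSM agent service (REG_MULTI_SZ "Environment").
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AmazonSSMAgent'
    $envVal = (Get-ItemProperty -Path $svcKey -Name Environment `
               -ErrorAction SilentlyContinue).Environment
    $report['SsmAgentEnvironment'] =
        if ($envVal) { $envVal -join '; ' } else { '<not set>' }
    # The instance metadata address should bypass the proxy (assumption: no_proxy entry).
    $report['NoProxyCoversMetadata'] =
        [bool]($envVal -match '^no_proxy=.*169\.254\.169\.254')

    # 2. Internet Settings of the LocalSystem account (SID S-1-5-18). These are the
    #    values edited by running inetcpl.cpl in a SYSTEM-context prompt.
    $sysKey = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows' +
              '\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue
    $report['SystemProxyEnable']   = $ie.ProxyEnable
    $report['SystemProxyServer']   = $ie.ProxyServer
    $report['SystemAutoConfigURL'] = $ie.AutoConfigURL

    # 3. Machine-wide WinHTTP proxy, as reported by netsh.
    $report['WinHttpProxy'] = (netsh winhttp show proxy | Out-String).Trim()

    # 4. Services involved in patching; MpsSvc is the Windows Firewall service.
    foreach ($name in 'AmazonSSMAgent', 'MpsSvc', 'wuauserv', 'BITS') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $report["Service_$name"] =
            if ($svc) { [string]$svc.Status } else { '<not installed>' }
    }

    [pscustomobject]$report
}

Get-PatchProxyReport | Format-List
```

Comparing `SystemProxyServer` with the proxy configured under the logged-on user's HKCU shows whether the SYSTEM-context workaround actually took effect before the document is re-run.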
