Comments on: Windows servers patching with AWS EC2 Systems Manager https://cloudar.be/awsblog/windows-servers-patching-with-aws-ec2-systems-manager/ 100% Focus On AWS // 100% Customer Obsession Mon, 06 Apr 2020 10:36:21 +0000 hourly 1 https://wordpress.org/?v=6.9.4 By: Rutger Beyen https://cloudar.be/awsblog/windows-servers-patching-with-aws-ec2-systems-manager/#comment-43 Mon, 06 Apr 2020 10:36:21 +0000 https://cloudar.be/?p=3733#comment-43 In reply to pradeep.

Hello Pradeep.

As far as my knowledge goes, there’s no such one-click solution available.
However, what we do here at Cloudar is running the SSM Maintenance Window task with the option “Enable SNS notifications” set to true. This will cause the results of the Maintenance Window to be delivered to an SNS topic. From this SNS topic you can either subscribe your email address, or a Lambda function which can further sanitize and cleanup the output according to your preferences, as by default you will get an ugly JSON.
Alternatively you can query your instance patch results using the CLI with ‘aws ssm describe-instance-patches’ or ‘aws ssm describe-instance-patch-states’.

Regards,
Rutger

]]> By: pradeep https://cloudar.be/awsblog/windows-servers-patching-with-aws-ec2-systems-manager/#comment-42 Mon, 06 Apr 2020 09:43:44 +0000 https://cloudar.be/?p=3733#comment-42 Hi There,

Is there any way after scanning the instances, Could we get the result to our Inbox.
For example like only Non-complaint issues in a particular instance.

]]> By: Rutger Beyen https://cloudar.be/awsblog/windows-servers-patching-with-aws-ec2-systems-manager/#comment-41 Thu, 04 Oct 2018 12:00:16 +0000 https://cloudar.be/?p=3733#comment-41 In reply to Ritul.

Hello Ritul,
Because the Windows Update API is used to download and install patches on the instances, all Group Policy settings for Windows Update that you have in place are respected. There are no Group Policy settings required to use Patch Manager, but any settings that you have defined will be applied, such as to direct instances to a WSUS server.
Regards,
Rutger

]]> By: Ritul https://cloudar.be/awsblog/windows-servers-patching-with-aws-ec2-systems-manager/#comment-40 Tue, 18 Sep 2018 06:53:42 +0000 https://cloudar.be/?p=3733#comment-40 In reply to Rutger Beyen.

Hey Rutger
How to configure a WSUS server to serve as a patch repository and configure instances to target that WSUS server ?
Please let me know the steps.

]]> By: Rutger Beyen https://cloudar.be/awsblog/windows-servers-patching-with-aws-ec2-systems-manager/#comment-39 Mon, 22 Jan 2018 14:54:00 +0000 https://cloudar.be/?p=3733#comment-39 In reply to Stuart Lupton.

Hello Stuart,
It depends on which “Document” you want the SSM Maintenance Window to execute, but it could be as simple as InstallMissingWindowsUpdates. It doesn’t necessarily has to be a Run command to compare you instance against a baseline.
The Windows Update API is used to download and install patches. By default Windows downloads all patches from the Windows Update site. As a result, the instance must be able to reach the Microsoft Windows Update site or patching will fail. Alternatively, you can configure a WSUS server to serve as a patch repository and configure your instances to target that WSUS server.

]]> By: Stuart Lupton https://cloudar.be/awsblog/windows-servers-patching-with-aws-ec2-systems-manager/#comment-38 Sat, 20 Jan 2018 19:17:38 +0000 https://cloudar.be/?p=3733#comment-38 Does this simply trigger a update and install command to the windows instance?

Does the client then have to have outbound 443 to msft?

Can you integrate with existing WUS servers?

]]>