How do I use the Microsoft KB number in Patch Manager to install a specific patch or set of patches?


I want to use the Microsoft Knowledge Base (KB) number in Patch Manager, a capability of AWS Systems Manager, to install a specific patch or a set of patches.

Short description

Patch Manager uses the built-in update mechanism for each operating system (OS) type to install updates on a managed node. On Windows Server, that mechanism is the Windows Update Agent.

There are a few ways to use the KB number in Patch Manager to install a specific patch or set of patches for Windows Server:

  • Use the Systems Manager document AWS-InstallWindowsUpdates, and specify the target KB numbers with the Include Kbs parameter (IncludeKbs in the document).
  • Create a custom patch baseline, and add the target KB numbers in the Approved patches list. Then, choose this custom patch baseline for Windows Server when configuring your patch policy.
  • Use the Systems Manager document AWS-RunPatchBaseline, and specify a patch override list that contains the target KB numbers with the InstallOverrideList parameter.

Resolution

Use AWS-InstallWindowsUpdates

AWS-InstallWindowsUpdates doesn't generate patch compliance information. When you don't need compliance information for the target instances, use it to install specific patches based on KB numbers.

Complete the following steps:

  1. Open AWS Systems Manager console.
  2. Choose the AWS Region where your target Windows servers are.
  3. In the navigation pane, choose Run Command.
  4. For Command document, select AWS-InstallWindowsUpdates.
  5. For Action, choose whether to perform a scan for missing updates, or perform a scan and install missing updates at the same time.
  6. For Include Kbs, enter the KB number of the specific patch to filter available patches. To specify a set of patches, separate each KB number with a comma.
  7. (Optional) Configure the remaining parameters based on your use case.
  8. Choose the target instances for the patch operation.
    Note: Target instances must be managed by Systems Manager and appear in Fleet Manager with an Online status.
  9. Choose Run to run the command.

The command run results for each target instance are located in the Targets and outputs section of the command detail page.
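The same procedure from the AWS SDK, as an added example that is not part of the AWS article: the helper functions validate and canonicalize the KB numbers, build the parameter map for AWS-InstallWindowsUpdates (IncludeKbs is a StringList, so each KB ID is one element rather than one comma-separated string), and reduce the per-instance command invocations to a status map. The instance ID, KB numbers and Region are constructed placeholders, and only install_kbs makes real API calls (it imports boto3 inside the function, so the helpers run without it).

```python
import re
import time

# Accept KB1234567, kb1234567 or 1234567; the console hint documents the latter two forms.
KB_PATTERN = re.compile(r"^(?:KB)?\d{1,7}$", re.IGNORECASE)

# Invocation statuses that mean a node has not finished the command yet.
IN_FLIGHT = {"Pending", "InProgress", "Delayed", "Cancelling"}


def is_kb_id(text):
    """True for a syntactically valid Microsoft KB article ID."""
    return bool(KB_PATTERN.match(text.strip()))


def normalize_kbs(kbs):
    """Canonicalize KB IDs to 'KB<digits>' and drop duplicates.

    A malformed ID (for example 'KB5025228x') raises here, rather than later,
    when the command is sent."""
    out = []
    for raw in kbs:
        if not is_kb_id(raw):
            raise ValueError(f"not a Microsoft KB article ID: {raw!r}")
        kb = "KB" + raw.strip().upper().removeprefix("KB")
        if kb not in out:
            out.append(kb)
    return out


def build_parameters(kbs, action="Install"):
    """Parameter map for AWS-InstallWindowsUpdates.

    IncludeKbs is a StringList, so each KB ID is its own list element; the
    console's comma-separated field produces the same list."""
    if action not in ("Scan", "Install"):
        raise ValueError("action must be 'Scan' or 'Install'")
    return {"Action": [action], "IncludeKbs": normalize_kbs(kbs)}


def summarize(invocations):
    """Reduce ListCommandInvocations entries to {instance_id: status}."""
    return {inv["InstanceId"]: inv["Status"] for inv in invocations}


def all_finished(summary):
    """True once every targeted node has reached a terminal status."""
    return bool(summary) and not (set(summary.values()) & IN_FLIGHT)


def install_kbs(instance_ids, kbs, region="us-east-1", poll_seconds=15):
    """Send the command and poll until every target has finished.

    Real API calls: needs AWS credentials and targets that are Online in Fleet Manager."""
    import boto3

    ssm = boto3.client("ssm", region_name=region)
    command_id = ssm.send_command(
        DocumentName="AWS-InstallWindowsUpdates",
        InstanceIds=instance_ids,
        Parameters=build_parameters(kbs),
        TimeoutSeconds=3600,
    )["Command"]["CommandId"]
    pages = ssm.get_paginator("list_command_invocations")
    while True:
        invocations = [
            inv
            for page in pages.paginate(CommandId=command_id)
            for inv in page["CommandInvocations"]
        ]
        summary = summarize(invocations)
        if all_finished(summary):
            return summary
        time.sleep(poll_seconds)


if __name__ == "__main__":
    # Constructed placeholders: replace with your own instance IDs and KB numbers.
    print(install_kbs(["i-0123456789abcdef0"], ["KB5025228", "5025230"]))
```

The poll loop treats an empty invocation list as "not finished", because ListCommandInvocations can return nothing for a second or two after SendCommand; without that check the loop would report success for zero nodes.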

Create a patch policy with a custom patch baseline

When you need the patch compliance information for target instances, use a custom patch baseline to install specific patches based on their KB numbers.

Complete the following steps:

  1. Open AWS Systems Manager console.
  2. Choose the AWS Region where your target Windows servers are.
  3. In the navigation pane, choose Patch Manager.
  4. Choose the Patch baselines tab, and then choose Create patch baseline.
  5. Enter a name for the new custom patch baseline, and then choose Windows as the target operating system.
  6. For Patch exceptions, under Approved patches, add the KB numbers of the specific patches that you want to install. Separate each KB number with a comma.
    Note: To install only the patches that you listed, remove all auto-approval rules from this patch baseline. Any remaining rule also approves the patches that match it, so the baseline would install more than the listed KB numbers.
  7. Choose Create.
  8. In the navigation pane, choose Patch Manager, and then choose Create patch policy.
  9. In the patch baseline section, choose Custom patch baseline.
  10. Select the custom patch baseline that you created in steps 4 through 7 for the Windows Server operating system.
  11. Select the target instances to deploy the patch to.
  12. (Optional) Configure the remaining parameters based on your use case.
  13. Choose Create to create the patch policy.

Systems Manager then creates State Manager associations (State Manager is another capability of AWS Systems Manager) that apply the patch policy to the target instances.
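Creating the baseline from steps 4 through 7 with the AWS SDK, as an added example that is not part of the AWS article: the request approves exactly the listed KB numbers and deliberately omits ApprovalRules, and two check functions verify, from the GetPatchBaseline response, that the created baseline has no auto-approval rules and lists every KB you asked for. The patch policy itself (steps 8 through 13) is created in the console as described. The KB numbers, baseline name and Region are constructed placeholders, and only create_baseline makes real API calls.

```python
import re

KB_ID = re.compile(r"^KB\d{1,7}$")


def build_baseline_request(name, kbs, description="Installs only the listed KB numbers"):
    """CreatePatchBaseline request that approves exactly the listed KB numbers.

    Omitting ApprovalRules is deliberate: any rule (for example "all Critical
    updates") would auto-approve patches beyond this list."""
    approved = []
    for raw in kbs:
        kb = raw.strip().upper()
        if not KB_ID.match(kb):
            raise ValueError(f"not a KB article ID: {raw!r}")
        if kb not in approved:
            approved.append(kb)
    if not approved:
        raise ValueError("at least one KB ID is required")
    return {
        "Name": name,
        "Description": description,
        "OperatingSystem": "WINDOWS",
        "ApprovedPatches": approved,
        # Compliance severity reported when an approved patch is missing (default UNSPECIFIED).
        "ApprovedPatchesComplianceLevel": "HIGH",
    }


def installs_only_listed_kbs(baseline):
    """True when a GetPatchBaseline response has approved patches and no approval rules."""
    rules = baseline.get("ApprovalRules", {}).get("PatchRules", [])
    return bool(baseline.get("ApprovedPatches")) and not rules


def missing_from_baseline(baseline, kbs):
    """KB numbers you expected but the baseline does not approve (for example a console typo)."""
    expected = {k.strip().upper() for k in kbs}
    return sorted(expected - set(baseline.get("ApprovedPatches", [])))


def create_baseline(name, kbs, region="us-east-1"):
    """Create the baseline and verify it before you attach it to a patch policy.

    Real API calls: needs AWS credentials with ssm:CreatePatchBaseline and ssm:GetPatchBaseline."""
    import boto3

    ssm = boto3.client("ssm", region_name=region)
    baseline_id = ssm.create_patch_baseline(**build_baseline_request(name, kbs))["BaselineId"]
    baseline = ssm.get_patch_baseline(BaselineId=baseline_id)
    if not installs_only_listed_kbs(baseline) or missing_from_baseline(baseline, kbs):
        raise RuntimeError(f"baseline {baseline_id} does not match the requested KB list")
    return baseline_id


if __name__ == "__main__":
    # Constructed placeholders: replace with your own baseline name and KB numbers.
    print(create_baseline("WindowsServer-SpecificKBs", ["KB5025228", "kb5025230"]))
```

Run the two check functions against any existing baseline too: a baseline created in the console with a leftover default rule passes step 6 but still pulls in every patch that rule matches.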

Use document AWS-RunPatchBaseline

To keep using the existing default patch baseline for Windows Server, store a patch override list in an Amazon Simple Storage Service (Amazon S3) bucket and include the KB ID of each target patch in that list. This option doesn't require a new custom patch baseline.

Note: During installation, the patches in the override list replace the patches that the default patch baseline would otherwise select. Patch compliance information, however, is still generated from the patches that the patch baseline defines, not from the override list.

To use AWS-RunPatchBaseline, complete the following steps:

  1. Build a patch override list in YAML format, and store it in an Amazon S3 bucket. For more information, see Parameter name: InstallOverrideList.
  2. Open the AWS Systems Manager console.
  3. Choose the AWS Region where your target Windows servers are.
  4. In the navigation pane, choose Run Command.
  5. For Command document, select AWS-RunPatchBaseline.
  6. For Patch operation, choose Install and provide a value for the InstallOverrideList parameter (scan operations ignore the InstallOverrideList parameter).
    If your file is stored in a publicly available bucket, then you can specify either an HTTPS URL or an Amazon S3 path-style URL.
    If your file is stored in a private bucket, then you must specify an Amazon S3 path-style URL.
  7. Choose the target instances for the patch operation.
  8. (Optional) Configure the remaining parameters based on your use case.
  9. Choose Run to run the command.

The command run results for each target instance are located in the Targets and outputs section of the command detail page.
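Steps 1 and 5 through 9 from the AWS SDK, as an added example that is not part of the AWS article: build_override_list renders the override list in the format of the AWS sample (a top-level patches sequence whose entries carry an id and a title), kb_ids_in_override_list reads the IDs back as a pre-upload check, and install_with_override uploads the file to a private bucket and runs AWS-RunPatchBaseline with Operation=Install and an s3:// path-style URL. The bucket, key, patch titles, KB numbers, instance ID and Region are constructed placeholders, and only install_with_override makes real API calls.

```python
import re

KB_ID = re.compile(r"^KB\d{1,7}$")


def yaml_single_quoted(text):
    """YAML single-quoted scalar: the only escape is doubling a single quote."""
    return "'" + text.replace("'", "''") + "'"


def build_override_list(patches):
    """Render the InstallOverrideList YAML for a list of (kb_id, title) pairs.

    Each entry is written with an id and a title, as in the AWS sample file."""
    if not patches:
        raise ValueError("override list needs at least one patch")
    lines = ["patches:"]
    for raw_kb, title in patches:
        kb = raw_kb.strip().upper()
        if not KB_ID.match(kb):
            raise ValueError(f"not a KB article ID: {raw_kb!r}")
        lines.append(f"  - id: {yaml_single_quoted(kb)}")
        lines.append(f"    title: {yaml_single_quoted(title)}")
    return "\n".join(lines) + "\n"


def kb_ids_in_override_list(text):
    """Read the KB IDs back from the rendered YAML (no YAML library needed)."""
    return re.findall(r"^\s*-\s*id:\s*'(KB\d+)'", text, flags=re.MULTILINE)


def s3_path_style_url(bucket, key):
    """The s3://bucket/key form, the one form accepted for a private bucket."""
    return f"s3://{bucket}/{key}"


def build_parameters(override_url, reboot="RebootIfNeeded"):
    """Parameters for AWS-RunPatchBaseline; InstallOverrideList only applies to Install."""
    return {
        "Operation": ["Install"],
        "InstallOverrideList": [override_url],
        "RebootOption": [reboot],
    }


def install_with_override(instance_ids, patches, bucket, key, region="us-east-1"):
    """Upload the override list and send the command; returns the command ID.

    Real API calls: the caller needs s3:PutObject and ssm:SendCommand, and the
    targets' instance profile needs s3:GetObject on the uploaded object."""
    import boto3

    body = build_override_list(patches)
    assert kb_ids_in_override_list(body) == [kb.strip().upper() for kb, _ in patches]
    boto3.client("s3", region_name=region).put_object(Bucket=bucket, Key=key, Body=body.encode())
    ssm = boto3.client("ssm", region_name=region)
    response = ssm.send_command(
        DocumentName="AWS-RunPatchBaseline",
        InstanceIds=instance_ids,
        Parameters=build_parameters(s3_path_style_url(bucket, key)),
    )
    return response["Command"]["CommandId"]


if __name__ == "__main__":
    # Constructed placeholders: replace with your own bucket, key, KBs and instance IDs.
    sample = [("KB5025228", "2023-04 Cumulative Update for Windows Server 2022 (KB5025228)")]
    print(install_with_override(["i-0123456789abcdef0"], sample, "example-patch-bucket", "overrides/windows.yaml"))
```

The managed node, not the caller, downloads the override list, so a private bucket also needs a policy that lets the node's instance profile read that object; a missing s3:GetObject shows up as a failed Install invocation, not as an error from SendCommand.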

Related information

About SSM documents for patching managed nodes

Using Quick Setup patch policies

Sample scenario for using the InstallOverrideList parameter in AWS-RunPatchBaseline or AWS-RunPatchBaselineAssociation

AWS OFFICIAL, updated a year ago