How do I troubleshoot a missing KB patch after a successful patching operation on EC2 Windows instances through Patch Manager?


I want to troubleshoot missing patches on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instances through Patch Manager, a capability of AWS Systems Manager.

Short description

The following scenarios are the most common reasons why a patch might be missing:

  • The patch isn't applicable for the instance OS type.
  • The Microsoft Knowledge Base (KB) package detail doesn't match the baseline configuration.
  • A later patch is already released.
  • The patch isn't available in the Windows Server Update Services (WSUS) release channel.
  • The patch is already installed on the instance.

Resolution

The patch isn't applicable for the instance OS type

To check whether the patch is applicable for the instance, complete the following steps:

  1. Open the Microsoft update catalog.
  2. Use the patch ID to search the Microsoft KB article IDs. Example patch ID: KB3216916.
  3. Under Product, check that the values match that of your managed node.
  4. You can find the product name of your managed node in the system settings (see the Microsoft website).

The KB package detail doesn't match the baseline configuration

To check if the KB classification, severity, and release date match the baseline configuration, complete the following steps:

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, under Node Management, choose Run Command.
  3. Choose the Command history tab.
  4. Choose the command ID of the patching operation, and then select the managed node.
  5. Choose Output, and review the configuration in the Baseline parameter.

The classification, severity, and approval delay date must match the package details from the Microsoft Update Catalog. If you use the default patch baseline and the patch classification differs from the baseline, then you must create a custom patch baseline.

Use one of the following methods to check if a particular KB is approved in the patch baseline:

Note: To run the following commands, install the latest AWS Command Line Interface (AWS CLI) and AWS Tools for PowerShell on your local machine or EC2 Instance.

describe-effective-patches-for-patch-baseline AWS CLI command

To check whether a particular KB is approved in the patch baseline, run the describe-effective-patches-for-patch-baseline command.

The following example command checks whether KB2124261 is approved in the patch baseline pb-abdce123456789fgh:

aws ssm describe-effective-patches-for-patch-baseline --baseline-id pb-abdce123456789fgh --query "EffectivePatches[][Patch][?KbNumber=='KB2124261'][]"

GetDeployablePatchSnapshotForInstance API

You can also use the GetDeployablePatchSnapshotForInstance API to generate a snapshot. The following example PowerShell commands download the snapshot file to the user's desktop:

Note: Run the following PowerShell commands from the target EC2 instance with the credentials that are assumed from the attached IAM instance profile. If you don't run the commands from the target EC2 instance with the attached IAM instance profile, then you might receive invalid token request errors.

# Get the instance ID from IMDS using a session token (IMDSv2), so the call also works where IMDSv1 is turned off;
# Invoke-RestMethod returns the plain string instead of a web response object
$token = Invoke-RestMethod -Method PUT -Uri http://169.254.169.254/latest/api/token -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '21600' }
$instanceId = Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/instance-id -Headers @{ 'X-aws-ec2-metadata-token' = $token }
$snap = Get-SSMDeployablePatchSnapshotForInstance -SnapshotId '521c3536-930c-4aa9-950e-01234567abcd' -InstanceId $instanceId -Verbose
(New-Object Net.WebClient).DownloadFile($snap.SnapshotDownloadUrl, "$env:UserProfile\Desktop\01-snapshot.json")

Note: You can replace the snapshot ID with any GUID. Use the New-Guid cmdlet in PowerShell to generate a replacement snapshot ID.

A later patch is already released

To check if a new patch was released, complete the following steps.

  1. Open the Microsoft update catalog.
  2. Use the patch ID to search the Microsoft KB article IDs. Example patch ID: KB5015808.
  3. Under Product, check that the value matches that of your managed node. Then, select the corresponding Title to open a new Update Details window.
  4. Choose the Package Details tab. Then, under This update has been replaced by the following updates, check if there's a new patch.

The patch isn't available in the WSUS release channel

On the Microsoft Windows OS, Patch Manager retrieves the list of available updates that Microsoft publishes to Microsoft Update and that are automatically available to WSUS. If the patch isn't available in the WSUS release channel, then Patch Manager doesn't select that particular patch.

To verify the availability of the patch, complete the following steps:

  1. Open the Microsoft update catalog.
  2. Use the patch ID to search the Microsoft KB article IDs. Example patch ID: KB5015808.
  3. Under More Information, select the support article. For example, see July 12, 2022—KB5015808 (OS Build 14393.5246).
  4. In the Microsoft support article, locate the Release Channel section. Then, check if the patch is available under the Windows Server Update Services (WSUS) release channel.

The patch is already installed on the instance

A patch might already be installed on the instance, such as through manual patching. To check whether the patch is already installed on the instance, use one of the following methods:

Windows Update OS logs

You can get the list of installed updates through the Get-HotFix PowerShell cmdlet or by using the PSWindowsUpdate module. The following example commands use the PSWindowsUpdate module and write the update history to a WindowsUpdates.txt file on your desktop.

Install-Module PSWindowsUpdate
# Write the update history (date, KB, title) to a text file on the desktop
Get-WUHistory | Select-Object Date, KB, Title | Out-File "$env:UserProfile\Desktop\WindowsUpdates.txt"

Fleet Manager console

You can use Fleet Manager, a capability of AWS Systems Manager, to check whether the patch is already installed on the instance. To use the Fleet Manager console, complete the following steps:

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, choose Fleet Manager.
  3. Choose the managed node, and then choose the Node overview.
  4. Under Patches, search for the missing KB.

describe-instance-patches AWS CLI command

To check programmatically whether the patch is installed, run the describe-instance-patches command.

The following example AWS CLI command searches for KB4521862 on the instance:

aws ssm describe-instance-patches --instance-id "i-0b806abcdef12345" --filters "Key=KBId,Values=KB4521862"
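The describe-effective-patches-for-patch-baseline check above and this describe-instance-patches check are usually read together. The following added example (not part of the AWS article) combines the JSON that the two commands return into one triage function that maps a KB to the scenarios in this article. The two JSON documents are constructed sample output with made-up values; the DeploymentStatus and State strings follow the SSM API enumerations.

```python
import json

# Constructed sample output (values made up, shape follows the SSM API) of:
#   aws ssm describe-effective-patches-for-patch-baseline --baseline-id pb-EXAMPLE
EFFECTIVE_PATCHES_JSON = """{"EffectivePatches": [
  {"Patch": {"KbNumber": "KB2124261", "Classification": "SecurityUpdates", "MsrcSeverity": "Critical"},
   "PatchStatus": {"DeploymentStatus": "APPROVED", "ComplianceLevel": "CRITICAL"}},
  {"Patch": {"KbNumber": "KB5015808", "Classification": "SecurityUpdates", "MsrcSeverity": "Important"},
   "PatchStatus": {"DeploymentStatus": "PENDING_APPROVAL", "ComplianceLevel": "HIGH"}}
]}"""

# Constructed sample output of: aws ssm describe-instance-patches --instance-id i-EXAMPLE
INSTANCE_PATCHES_JSON = """{"Patches": [
  {"KBId": "KB2124261", "State": "Missing", "Classification": "SecurityUpdates"},
  {"KBId": "KB4521862", "State": "InstalledOther", "Classification": "SecurityUpdates"},
  {"KBId": "KB3216916", "State": "NotApplicable", "Classification": "Updates"}
]}"""


def triage_kb(kb, effective_json=EFFECTIVE_PATCHES_JSON, instance_json=INSTANCE_PATCHES_JSON):
    """Return (reason_code, detail) for why `kb` is reported missing, by combining
    the baseline's DeploymentStatus with the node's patch compliance State."""
    effective = {e["Patch"]["KbNumber"]: e for e in json.loads(effective_json)["EffectivePatches"]}
    instance = {p["KBId"]: p for p in json.loads(instance_json)["Patches"]}
    state = instance.get(kb, {}).get("State")
    # These compliance states mean the update is already on the node;
    # InstalledOther = installed outside the baseline, e.g. by manual patching
    if state in ("Installed", "InstalledOther", "InstalledPendingReboot"):
        return "installed", f"{kb} already on instance (state {state})"
    if state == "NotApplicable":
        return "not_applicable", f"{kb} does not apply to this node's OS/product"
    entry = effective.get(kb)
    if entry is None:
        # Absent from the effective list: classification/severity mismatch with the
        # baseline rules, superseded by a later KB, or not in the WSUS release channel
        return "not_in_baseline", f"{kb} absent from baseline effective patches"
    status = entry["PatchStatus"]["DeploymentStatus"]
    if status == "PENDING_APPROVAL":
        return "pending_approval", f"{kb} in baseline, approval delay not yet elapsed"
    if status == "EXPLICIT_REJECTED":
        return "rejected", f"{kb} explicitly rejected in baseline"
    return "approved_missing", f"{kb} {status} in baseline but {state or 'unreported'} on instance"


if __name__ == "__main__":
    for kb in ("KB2124261", "KB5015808", "KB4521862", "KB3216916", "KB9999999"):
        print(*triage_kb(kb))
```

To use it against a real node, save the two commands' output with `--output json` and pass the file contents as the two arguments.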
AWS OFFICIAL. Updated 10 months ago.