
Scan & Install Windows Updates

The SCAN_WINDOWS_UPDATES and INSTALL_WINDOWS_UPDATES actions let you scan for and install Microsoft Windows updates on managed Windows Server instances.

Fleet Control exposes this capability through a modified version of the AWS-InstallWindowsUpdates AWS Systems Manager (SSM) document.
Unlike the standard PATCH and SCAN operations, which depend on the AWS-RunPatchBaseline SSM document, these new actions bypass AWS Patch Manager's baseline catalog. Instead, each instance queries the Microsoft Update Catalog (or its designated WSUS server) and filters updates based on the configured parameters. As a result, they can detect or install updates that a baseline might otherwise suppress.

This design provides fine-grained, per-execution control over what is installed, without the overhead of filtering based on a fleet-wide patch baseline in AWS.

For detailed configuration guidance and parameter reference, consult the official AWS documentation.

info

PATCH and SCAN remain unchanged and support both Linux and Windows.
See the example below to learn how to run them in the same batch as the new INSTALL_WINDOWS_UPDATES and SCAN_WINDOWS_UPDATES actions, so that both OS types are patched efficiently within a single plan.

Reporting under development

Support for reporting capabilities for these new actions is currently in progress.
At this time, the Report View does not reflect any updates performed by these actions.

Scan Windows Updates

This action scans a Windows Server managed node to identify available updates. It lists all installed updates, including their Knowledge Base (KB) IDs.

Running the scan does not install updates or reboot the instance.

This action is useful for reporting, compliance checks, or previewing which updates would be installed by the install action.

Install Windows Updates

This action installs applicable updates on a Windows Server managed node. It lists updates installed before and after the operation, and may reboot the instance if required and allowed by the Reboot Allowed parameter.

Configuration

Both actions have shared configuration options to filter the updates that are listed or installed.
The core functionality of the actions follows the parameters of the original AWS-InstallWindowsUpdates document. Fleet Control uses a modified version of the document, but its main content is preserved. Small additions let you configure proxy settings and a timeout that reflects the action window settings.

Update filtering

Microsoft classifies updates by categories and severity levels.
Fleet Control exposes all parameters defined in the AWS-InstallWindowsUpdates document as advanced action settings. These parameters let you fine-tune patching behavior, for example installing only critical security updates, to align with compliance and operational policies.

  • Include Kbs: Comma-separated list of KB article IDs to include.
  • Exclude Kbs: Comma-separated list of KB article IDs to exclude.
  • Categories: List of update categories. Please check all supported categories.
  • Severity Levels: List of MSRC severity levels. Please check all supported severity levels.
  • Published Days Old: Only include updates published at least this many days ago. Default is 0.
  • Published Date After: Only include updates published on or after this date (MM/DD/YYYY).
  • Published Date Before: Only include updates published on or before this date (MM/DD/YYYY).

Reboot Allowed parameter

By default, the instance reboots if any updates are installed, to ensure proper installation. You can control reboot behavior using the Reboot Allowed parameter.

  • If Reboot Allowed is true (default), a reboot occurs after installing updates.
  • If Reboot Allowed is false, no reboot occurs after installing updates.

note

Some updates require a reboot to complete installation. If you disable reboot, those updates may not install successfully.

Proxy settings

The patching process requires internet access. If the target virtual machines have restricted internet access, the Http Proxy and Https Proxy parameters can be specified to configure a proxy server for the patching process.

To bypass the proxy server for specific traffic, use the No Proxy parameter to define a comma-separated list of domains or IP addresses.
The default value is 169.254.169.254, the IP address of the cloud instance metadata endpoint.
When you override the No Proxy parameter, keep this default value in the list of bypassed addresses, because Fleet Control needs access to the instance metadata endpoint.

info

Only the patching process's traffic is routed through the proxy server; the rest of the virtual machine's traffic is not affected.

Parameter format: <http or https>://<proxy server URL>:<port>
Examples: http://proxy.example.com:8080, https://10.0.0.42:3128

Updates categories and severity levels

Categories

You can specify which updates to scan or install using the following categories:

  • All
  • Application
  • Connectors
  • CriticalUpdates
  • DefinitionUpdates
  • DeveloperKits
  • Drivers
  • FeaturePacks
  • Guidance
  • Microsoft
  • SecurityUpdates
  • ServicePacks
  • Tools
  • UpdateRollups
  • Updates

Severity levels

You can specify which updates to scan or install using the following severity levels:

  • All
  • Critical
  • Important
  • Low
  • Moderate
  • Unspecified
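The following PowerShell is an added example, not Fleet Control's or AWS's own code. It previews, on a Windows node, which updates the Update filtering settings above (Include/Exclude Kbs, Categories, Severity Levels, Published Days Old/Date After/Before) would select, using the Windows Update Agent COM API, and then reports whether a reboot is already pending, which is the condition the Reboot Allowed note warns about. Assumptions: the function name is hypothetical, KB lists use the "KB" prefix, Windows Update category names with spaces removed match the category names listed above, and an update without an MSRC severity counts as Unspecified.

```powershell
function Get-FilteredWindowsUpdates {
    [CmdletBinding()]
    param(
        [string[]] $IncludeKbs = @(),          # e.g. 'KB5034441'; empty means no include filter
        [string[]] $ExcludeKbs = @(),
        [string[]] $Categories = @('All'),     # names as on the page, e.g. SecurityUpdates
        [string[]] $SeverityLevels = @('All'), # Critical, Important, Moderate, Low, Unspecified
        [int]      $PublishedDaysOld = 0,
        [datetime] $PublishedDateAfter,
        [datetime] $PublishedDateBefore,
        [switch]   $Installed                  # list already-installed updates instead of missing ones
    )
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $criteria = if ($Installed) { 'IsInstalled=1' } else { 'IsInstalled=0 and IsHidden=0' }
    $cutoff   = (Get-Date).AddDays(-$PublishedDaysOld)

    foreach ($u in $searcher.Search($criteria).Updates) {
        $kbs  = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
        # Assumption: WUA names such as "Security Updates" map to the page's "SecurityUpdates".
        $cats = @($u.Categories | ForEach-Object { $_.Name -replace '\s', '' })
        $sev  = if ([string]::IsNullOrEmpty($u.MsrcSeverity)) { 'Unspecified' } else { $u.MsrcSeverity }
        $pub  = [datetime]$u.LastDeploymentChangeTime

        # Include Kbs restricts to the listed KBs when given; Exclude Kbs always wins.
        if ($IncludeKbs.Count -gt 0 -and -not ($kbs | Where-Object { $IncludeKbs -contains $_ })) { continue }
        if ($kbs | Where-Object { $ExcludeKbs -contains $_ }) { continue }
        # Categories and Severity Levels: the value 'All' disables that filter.
        if ($Categories -notcontains 'All' -and -not ($cats | Where-Object { $Categories -contains $_ })) { continue }
        if ($SeverityLevels -notcontains 'All' -and $SeverityLevels -notcontains $sev) { continue }
        # Publication window: at least N days old, and inside the optional date bounds.
        if ($pub -gt $cutoff) { continue }
        if ($PSBoundParameters.ContainsKey('PublishedDateAfter')  -and $pub -lt $PublishedDateAfter)  { continue }
        if ($PSBoundParameters.ContainsKey('PublishedDateBefore') -and $pub -gt $PublishedDateBefore) { continue }

        [pscustomobject]@{
            Title = $u.Title; KBs = ($kbs -join ','); Categories = ($cats -join ',')
            Severity = $sev; Published = $pub.ToString('MM/dd/yyyy')
        }
    }
}

# Preview what an install limited to Critical/Important security and critical updates
# published at least a week ago would select, without installing anything.
Get-FilteredWindowsUpdates -Categories SecurityUpdates, CriticalUpdates `
    -SeverityLevels Critical, Important -PublishedDaysOld 7 | Format-Table -AutoSize

# A node with a pending reboot may fail to complete installs when Reboot Allowed is false.
$pending = (New-Object -ComObject 'Microsoft.Update.SystemInfo').RebootRequired
Write-Host "Reboot pending before patching: $pending"
```

Run it on the node under an elevated session; add -Installed to list what is already present, which is what the scan action reports.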

Parallel patching on different OS types

You can patch Windows and Linux in parallel by creating a batch with both the PATCH and INSTALL_WINDOWS_UPDATES actions. Assign resources or groups by operating system to each action to patch both OS types at the same time.

See the example plan run (video on the original page), in which both actions complete patching simultaneously.

System actions details via API

You can check all supported parameters and values via an API query; see the System Actions query documentation.