Amazon EC2 Systems Manager
User Guide

Systems Manager Patch Management

Patch Manager automates the process of patching Windows managed instances. Use this feature of Amazon EC2 Systems Manager to scan instances for missing patches, or to scan for and install missing patches. You can patch instances individually or target large groups of instances by using EC2 tags. Patch Manager uses patch baselines, which contain rules for auto-approving patches a specified number of days after their release, plus lists of explicitly approved and rejected patches. You can patch on a regular schedule by running the patching operation as a Systems Manager Maintenance Window task.
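As an added example (not code from this guide or from AWS), the following Python script models how a patch baseline decides what gets installed. The approval-rule JSON is in the shape that `aws ssm create-patch-baseline --approval-rules file://rules.json` accepts; the evaluator below is a simplified reconstruction of the documented behaviour (explicit rejected list wins, explicit approved list skips the waiting period, otherwise a matching rule approves the patch once ApproveAfterDays have elapsed since release), not AWS's implementation. The KB identifiers and patch metadata are constructed for illustration.

```python
"""Model of a Systems Manager patch baseline (added example, not AWS code).

Builds the approval-rule document that the CreatePatchBaseline API expects
and evaluates it locally against constructed patch metadata, so you can see
which patches an Install operation would pick up on a given day.
"""
import json
from datetime import date, timedelta

# Approval rules in the CreatePatchBaseline shape. PRODUCT, CLASSIFICATION and
# MSRC_SEVERITY are the Windows patch filter keys; filters inside one group are
# ANDed, and values inside one filter are ORed.
APPROVAL_RULES = {
    "PatchRules": [
        {
            "PatchFilterGroup": {
                "PatchFilters": [
                    {"Key": "PRODUCT", "Values": ["WindowsServer2012R2", "WindowsServer2016"]},
                    {"Key": "CLASSIFICATION", "Values": ["CriticalUpdates", "SecurityUpdates"]},
                    {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
                ]
            },
            # Auto-approve matching patches this many days after Microsoft releases them.
            "ApproveAfterDays": 7,
        }
    ]
}

# Explicit lists override the rules: an approved patch skips the waiting
# period, a rejected patch is never installed even if a rule matches it.
APPROVED_PATCHES = ["KB1000001"]  # constructed identifier
REJECTED_PATCHES = ["KB1000003"]  # constructed identifier

# Constructed patch metadata, modelled on the fields DescribeAvailablePatches returns.
AVAILABLE_PATCHES = [
    {"Id": "KB1000001", "Product": "WindowsServer2012R2", "Classification": "SecurityUpdates",
     "MsrcSeverity": "Critical", "ReleaseDate": date(2017, 3, 14)},
    {"Id": "KB1000002", "Product": "WindowsServer2012R2", "Classification": "SecurityUpdates",
     "MsrcSeverity": "Critical", "ReleaseDate": date(2017, 3, 14)},
    {"Id": "KB1000003", "Product": "WindowsServer2016", "Classification": "CriticalUpdates",
     "MsrcSeverity": "Important", "ReleaseDate": date(2017, 3, 14)},
    {"Id": "KB1000004", "Product": "WindowsServer2016", "Classification": "Updates",
     "MsrcSeverity": "Unspecified", "ReleaseDate": date(2017, 3, 14)},
]

# Filter key -> patch metadata field it is matched against.
FILTER_FIELD = {"PRODUCT": "Product", "CLASSIFICATION": "Classification",
                "MSRC_SEVERITY": "MsrcSeverity", "PATCH_ID": "Id"}


def rule_matches(rule, patch):
    """True when every filter in the rule's group accepts the patch."""
    for f in rule["PatchFilterGroup"]["PatchFilters"]:
        if patch[FILTER_FIELD[f["Key"]]] not in f["Values"]:
            return False
    return True


def evaluate_baseline(rules, approved, rejected, patches, today):
    """Classify patches as approved, pending (rule matched, wait not over) or excluded."""
    result = {"approved": [], "pending": [], "excluded": []}
    for p in patches:
        if p["Id"] in rejected:
            result["excluded"].append(p["Id"])
            continue
        if p["Id"] in approved:
            result["approved"].append(p["Id"])
            continue
        matching = [r for r in rules["PatchRules"] if rule_matches(r, p)]
        if not matching:
            result["excluded"].append(p["Id"])
            continue
        # The patch is approved on the earliest date any matching rule allows.
        approve_on = min(p["ReleaseDate"] + timedelta(days=r["ApproveAfterDays"])
                         for r in matching)
        result["approved" if today >= approve_on else "pending"].append(p["Id"])
    return result


def classify_on(day_iso):
    """Evaluate the example baseline as of an ISO date string, e.g. '2017-03-21'."""
    return evaluate_baseline(APPROVAL_RULES, APPROVED_PATCHES, REJECTED_PATCHES,
                             AVAILABLE_PATCHES, date.fromisoformat(day_iso))


if __name__ == "__main__":
    # The JSON below is what you would save as rules.json for the CLI call:
    # aws ssm create-patch-baseline --name WindowsProd --approval-rules file://rules.json
    #   --approved-patches KB1000001 --rejected-patches KB1000003
    print(json.dumps(APPROVAL_RULES, indent=2))
    for day in ("2017-03-15", "2017-03-21"):
        print(day, classify_on(day))
```

On the day after release only the explicitly approved patch is installable; a week later the rule-matched security patch joins it, while the rejected patch and the non-security "Updates" patch stay excluded on both days. Once a baseline exists, associate it with instances through their `Patch Group` tag (register-patch-baseline-for-patch-group) and run the patching document with `Operation=Scan` or `Operation=Install`, targeting instances by that tag; scheduling that run as a Maintenance Window task gives the regular cadence the guide describes.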

Patch Manager can patch Windows Server operating systems, versions 2008 through 2016 (including all R2 versions). Patch Manager provides all patches for supported operating systems within hours of their being made available by Microsoft.

Note: AWS currently does not test the patches released by Microsoft before making them available in Patch Manager.

Patch Manager integrates with AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon CloudWatch Events to provide a secure patching experience that includes event notifications and the ability to audit usage.

Getting Started with Patch Manager

To get started with Patch Manager, complete the following tasks.

1. Update the SSM Agent on your managed instances to the latest version.
   For more information: Installing SSM Agent

2. Configure your on-premises servers and VMs for Systems Manager. After you configure them, they are described as managed instances.
   For more information: Setting Up Systems Manager in Hybrid Environments

3. Verify Systems Manager prerequisites.
   For more information: Systems Manager Prerequisites