AWS Systems Manager
User Guide

About Patch Compliance States

After you use Systems Manager Patch Manager to install patches on your instances, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API actions.


If you want to assign a specific patch compliance status to an instance, you can use the put-compliance-items CLI command or the PutComplianceItems API action. Assigning compliance status is not supported in the console.

Patch Compliance States

For all operating systems, the system reports one of the following compliance states for each patch:

  • INSTALLED: Either the patch was already installed, or Patch Manager installed it when the AWS-RunPatchBaseline document was run on the instance.

  • INSTALLED_OTHER: The patch is not in the baseline, but it is installed on the instance. An individual might have installed it manually.

  • INSTALLED_REJECTED: The patch is installed on the instance but is specified in a rejected patches list. This typically means the patch was installed before it was added to a list of rejected patches.

  • MISSING: The patch is approved in the baseline, but it's not installed on the instance. If you configure the AWS-RunPatchBaseline document task to scan (instead of install), the system reports this status for patches that were located during the scan but have not been installed.

  • NOT_APPLICABLE: The patch is approved in the baseline, but the service or feature that uses the patch is not installed on the instance. For example, a patch for Internet Information Services (IIS) would show NOT_APPLICABLE if it was approved in the baseline, but IIS is not installed on the instance.


    This compliance state is only reported on Windows operating systems.

  • FAILED: The patch is approved in the baseline, but it could not be installed. To troubleshoot this situation, review the command output for information that might help you understand the problem.
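The following added example (not part of the original guide) groups the per-patch states listed above into follow-up buckets for one instance. It assumes input in the shape returned by aws ssm describe-instance-patches; the sample data, the bucket names, and the state-to-bucket mapping are constructed for illustration and are not how Patch Manager itself calculates compliance.

```python
import json
from collections import Counter

# The six states listed on this page, mapped to a follow-up bucket.
# Bucket names and mapping are this example's triage policy (an assumption).
TRIAGE = {
    "INSTALLED": "ok",
    "NOT_APPLICABLE": "ok",
    "INSTALLED_OTHER": "review",     # outside the baseline, possibly a manual install
    "INSTALLED_REJECTED": "review",  # present despite the rejected patches list
    "MISSING": "remediate",
    "FAILED": "remediate",
}

# Constructed sample in the shape of a describe-instance-patches response.
# UNLISTED_STATE is a made-up value used to exercise the unknown-state path.
SAMPLE = json.loads("""
{"Patches": [
  {"Title": "Example update A", "KBId": "KB0000001", "State": "INSTALLED"},
  {"Title": "Example update B", "KBId": "KB0000002", "State": "INSTALLED_OTHER"},
  {"Title": "Example update C", "KBId": "KB0000003", "State": "INSTALLED_REJECTED"},
  {"Title": "Example update D", "KBId": "KB0000004", "State": "MISSING"},
  {"Title": "Example update E", "KBId": "KB0000005", "State": "NOT_APPLICABLE"},
  {"Title": "Example update F", "KBId": "KB0000006", "State": "FAILED"},
  {"Title": "Example update G", "KBId": "KB0000007", "State": "UNLISTED_STATE"}
]}
""")

def triage(response):
    """Return (per-state counts, {bucket: [patch ids]}) for one instance."""
    counts = Counter()
    buckets = {"ok": [], "review": [], "remediate": [], "unknown": []}
    for patch in response.get("Patches", []):
        state = patch.get("State", "")
        counts[state] += 1
        # A state missing from TRIAGE is surfaced, never assumed compliant.
        patch_id = patch.get("KBId") or patch.get("Title", "?")
        buckets[TRIAGE.get(state, "unknown")].append(patch_id)
    return counts, buckets

def needs_attention(buckets):
    """True when any patch landed outside the 'ok' bucket."""
    return any(buckets[name] for name in ("review", "remediate", "unknown"))

if __name__ == "__main__":
    counts, buckets = triage(SAMPLE)
    for state, n in sorted(counts.items()):
        print(f"{state:20} {n}")
    for name in ("remediate", "review", "unknown"):
        print(f"{name:10} {buckets[name]}")
```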
