AWS Systems Manager
User Guide

About Patching Applications on Windows Server

For Windows Server, two predefined patch baselines are provided. The patch baseline AWS-WindowsPredefinedPatchBaseline-OS supports only updates to the Windows operating system itself. It is used as the default patch baseline for Windows instances unless you specify a different patch baseline. The other predefined Windows patch baseline, AWS-WindowsPredefinedPatchBaseline-OS-Applications, can be used to apply patches to both the Windows Server operating system and supported Microsoft applications.

You can also create a custom patch baseline to update Microsoft applications on Windows Server machines.

To include Microsoft applications in your custom patch baseline, you must, at a minimum, specify the product that you want to patch. The following AWS CLI command demonstrates the minimal requirements to patch a product, such as Office 2016:

aws ssm create-patch-baseline --name "My-Windows-App-Baseline" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT,Values='Office 2016'},{Key=PATCH_SET,Values='APPLICATION'}]},ApproveAfterDays=5}]"

If you specify the Microsoft application product family, each product you specify must be a supported member of the selected product family. For example, to patch the product "Active Directory Rights Management Services Client 2.0," you must specify its product family as "Active Directory" and not, for example, "Office" or "SQL Server." The following AWS CLI command demonstrates a matched pairing of product family and product:

aws ssm create-patch-baseline --name "My-Windows-App-Baseline" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT_FAMILY,Values='Active Directory'},{Key=PRODUCT,Values='Active Directory Rights Management Services Client 2.0'},{Key=PATCH_SET,Values='APPLICATION'}]},ApproveAfterDays=5}]"

Troubleshooting Mismatched Product Family/Product Pairs

When you create a patch baseline in the console, you specify a product family and a product. For example, you might choose:

  • Product family: Office

    Product: Office 2016

If you attempt to create a patch baseline with a mismatched product family/product pair, an error message is displayed. The following are reasons this can occur:

  • You selected a valid product family/product pair, but then removed the product family selection.

  • You chose a product from the Obsolete or mismatched options sublist instead of the Available and matching options sublist.

    Items in the product Obsolete or mismatched options sublist might have been entered in error through an SDK or AWS CLI create-patch-baseline command. This could mean a typo was introduced or a product was assigned to the wrong product family. A product also appears in the Obsolete or mismatched options sublist if it was specified for a previous patch baseline but currently has no patches available from Microsoft.

    To avoid this issue in the console, always choose options from the Currently available options sublists.

    You can also view the products that have currently available patches by using the describe-patch-properties command in the AWS CLI or the DescribePatchProperties API command.
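A pre-flight check for the mismatch cases above, as an added example (not AWS code): it validates a product family/product pair against saved describe-patch-properties output before building the --approval-rules value shown earlier. The sample JSON is constructed, and the "Name"/"ProductFamily" keys and the helper names load_catalog, check_pair and approval_rules are assumptions.

```python
import json

# Constructed sample, shaped like saved output of:
#   aws ssm describe-patch-properties --operating-system WINDOWS \
#       --property PRODUCT --patch-set APPLICATION
# Assumption: each entry carries "Name" and "ProductFamily" keys.
SAMPLE_PROPERTIES_JSON = """
{"Properties": [
  {"Name": "Office 2016", "ProductFamily": "Office"},
  {"Name": "Active Directory Rights Management Services Client 2.0",
   "ProductFamily": "Active Directory"}
]}
"""

def load_catalog(raw):
    """Map each product with currently available patches to its family."""
    return {p["Name"]: p.get("ProductFamily")
            for p in json.loads(raw)["Properties"]}

def check_pair(catalog, product, family=None):
    """Return (ok, reason) for a product and optional product family."""
    if product not in catalog:
        return False, "product not currently available (typo or obsolete)"
    if family is not None and catalog[product] != family:
        return False, "product belongs to family %r" % catalog[product]
    return True, "ok"

def approval_rules(catalog, product, family=None, approve_after_days=5):
    """Build the --approval-rules value, refusing mismatched pairs."""
    ok, reason = check_pair(catalog, product, family)
    if not ok:
        raise ValueError("%s / %s: %s" % (family, product, reason))
    filters = []
    if family is not None:
        filters.append("{Key=PRODUCT_FAMILY,Values='%s'}" % family)
    filters.append("{Key=PRODUCT,Values='%s'}" % product)
    filters.append("{Key=PATCH_SET,Values='APPLICATION'}")
    return ("PatchRules=[{PatchFilterGroup={PatchFilters=[%s]},"
            "ApproveAfterDays=%d}]" % (",".join(filters), approve_after_days))

if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_PROPERTIES_JSON)
    print(approval_rules(catalog, "Office 2016", "Office"))
    # The page's own mismatch example: an Active Directory product under Office.
    print(check_pair(catalog,
                     "Active Directory Rights Management Services Client 2.0",
                     "Office"))
```

Running the check in a deployment pipeline catches a typo or wrong family before the baseline is created, rather than leaving the application silently outside the baseline's scope.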