
How to apply Windows Updates from WSUS to AWS Instances

Patch management

Once updates have been pushed to all servers from WSUS, you can avoid installing them manually by automating the installation across many servers on AWS with Run Command. Please see How to Configure SSL between WSUS servers (Upstream and Downstream Servers), Handy WSUS Commands, Windows Server Update Services Commands, WAUACLT, PowerShell and USOClient.

For more articles I have written, see the following hyperlinks: Configuring WSUS Email Notification to Work With Office365, How to setup and configure Windows server update services (WSUS).

What to consider when applying WSUS updates

Some prerequisites must be met before applying Windows updates to production servers. They are as follows:

When applying Windows Updates from WSUS, make sure to deploy these updates to the Test-servers-group (Test servers). After applying updates on the test servers, access them via RDP before proceeding to update Production servers.

Other factors that must be considered:

  • Create an AMI of every Production server (ensure this is complete before applying Windows updates)
  • Approve and install identical updates for the test-server-group. Once tested and applied, approve them for Production servers.

Step 2: Proceed to AWS

Open Run Command (within Systems Manager, under Services) to handle Windows Updates from WSUS.

Choose AWS-ConfigureWindowsUpdate to enable automatic installation of Windows updates when triggered.

On the same page, select the instances.

Please see how to Start, Stop and Restart Windows Server Update Services (WSUS) via PowerShell and CMD, Windows Server Update Services: Windows 2016 Servers does not show up on WSUS console, and WSUS clients appear and disappear from the WSUS Update Services console.

The prerequisites to have these servers available are as follows:

To maintain optimal performance, keep EC2Config (Windows Server 2008/2012) or EC2Launch (Windows Server 2016) updated, including essential Windows Updates from WSUS.

Each instance needs the SSM Agent and the appropriate role attached. If this is not the case, the instances will never appear in the list here.

Update deployment

Then click Run. This installs the updates and reboots the servers automatically.

Other information

Note: you can view the status of the Run Command to see whether any invocations failed or succeeded, as shown below.

Check on the WSUS server after the updates are applied

Check the WSUS console; it should display servers fully patched, as shown below. Furthermore, I confirmed non-problematic updates and accessible servers through Remote Desktop Manager (RDP).

Note: Prerequisites determine an instance’s eligibility or discoverability via the run command. The RunCommand output will look like this below.
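The following Python example is added here and is not part of the original post. It cross-checks the list of servers you intended to patch against the SSM managed-instance inventory and the Run Command results, so that instances that were never discoverable, or whose invocation did not succeed, stand out. The instance IDs, the `INTENDED` list and the `triage` function name are assumptions; the JSON follows the shape of the AWS CLI output named in the comments.

```python
import json
from collections import defaultdict

# Constructed sample data (made-up instance IDs) in the shape returned by:
#   aws ssm describe-instance-information
#   aws ssm list-command-invocations --command-id <command-id>
INVENTORY_JSON = """{"InstanceInformationList": [
  {"InstanceId": "i-0aaa1111", "PingStatus": "Online", "PlatformType": "Windows"},
  {"InstanceId": "i-0bbb2222", "PingStatus": "Online", "PlatformType": "Windows"},
  {"InstanceId": "i-0ccc3333", "PingStatus": "ConnectionLost", "PlatformType": "Windows"}
]}"""
INVOCATIONS_JSON = """{"CommandInvocations": [
  {"InstanceId": "i-0aaa1111", "Status": "Success"},
  {"InstanceId": "i-0bbb2222", "Status": "Failed"},
  {"InstanceId": "i-0ccc3333", "Status": "TimedOut"}
]}"""

# Hypothetical list of production servers that should have been patched.
INTENDED = ["i-0aaa1111", "i-0bbb2222", "i-0ccc3333", "i-0ddd4444"]


def triage(intended, inventory_json, invocations_json):
    """Sort intended targets into buckets that need follow-up."""
    inventory = {
        item["InstanceId"]: item["PingStatus"]
        for item in json.loads(inventory_json)["InstanceInformationList"]
    }
    by_status = defaultdict(list)
    for inv in json.loads(invocations_json)["CommandInvocations"]:
        by_status[inv["Status"]].append(inv["InstanceId"])
    seen = {iid for ids in by_status.values() for iid in ids}
    return {
        # Not registered with SSM at all: agent or role prerequisite is missing.
        "not_managed": sorted(i for i in intended if i not in inventory),
        # Registered, but the agent is not currently reporting in.
        "agent_offline": sorted(
            i for i in intended if i in inventory and inventory[i] != "Online"
        ),
        # Intended target that the command never reached.
        "no_invocation": sorted(i for i in intended if i not in seen),
        # Any invocation status other than Success (Failed, TimedOut, ...).
        "needs_attention": sorted(
            i for status, ids in by_status.items() if status != "Success" for i in ids
        ),
        "patched_ok": sorted(by_status.get("Success", [])),
    }


if __name__ == "__main__":
    for bucket, ids in triage(INTENDED, INVENTORY_JSON, INVOCATIONS_JSON).items():
        print(f"{bucket}: {ids}")
```
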

Also, see the “Important Areas to Master on WSUS (Installed and not applicable, Install 1/4, and Installed / Not applicable 100)”, Targeting WSUS Client with the Registry keys: How to configure WSUS Clients to get Updates from the WSUS server using Registry settings.


I hope you found this blog post on how to apply Windows Updates from WSUS to AWS instances helpful. If you have any questions, please let me know in the comment section.
