AWS Systems Manager Patch Manager launches security updates notification for Windows
AWS Systems Manager announces the launch of security updates notification for Windows patching compliance, which helps customers identify security updates that are available but not approved by their patch baseline configuration. This feature introduces a new patch state called "AvailableSecurityUpdate" that reports security patches of all severity levels that are available to install on Windows instances but do not meet the approval rules in your patch baseline.
As organizations grow, administrators need to maintain secure systems while controlling when patches are applied. The security updates notification helps prevent situations where customers could unintentionally leave instances unpatched when using features like ApprovalDelay with large values. By default, instances with available security updates are marked as Non-Compliant, providing a clear signal that security patches require attention. Customers can also configure this behavior through their patch baseline settings to maintain existing compliance reporting if preferred.
This feature is available in all AWS Regions where AWS Systems Manager is available. To get started with security updates notification for Windows patching compliance, visit the AWS Systems Manager Patch Manager console. For more information about this feature, refer to our user documentation or update your patch baseline with the details here. There are no additional charges for using this feature beyond standard AWS Systems Manager pricing.