From https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works-installation.html
来自https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works-installation.html
When a patching operation is performed on a Windows instance, the instance requests a snapshot of the appropriate patch baseline from Systems Manager.在 Windows 实例上执行修补操作时,该实例会从 Systems Manager 请求相应补丁基准的快照。 This snapshot contains the list of all updates available in the patch baseline that have been approved for deployment.此快照包含已批准部署的补丁基准中可用的所有更新的列表。 This list of updates is sent to the Windows Update API, which determines which of the updates are applicable to the instance and installs them as needed.此更新列表将发送到 Windows 更新 API,它确定哪些更新适用于实例并根据需要安装它们。 If any updates are installed, the instance is rebooted afterwards, as many times as necessary to complete all necessary patching.如果安装了任何更新,则实例会在之后重启,根据需要多次重启以完成所有必要的修补。 The summary of the patching operation can be found in the output of the Run Command request.可以在 Run Command 请求的 output 中找到修补操作的摘要。 Additional logs can be found on the instance in the %PROGRAMDATA%\Amazon\PatchBaselineOperations\Logs folder.可以在 %PROGRAMDATA%\Amazon\PatchBaselineOperations\Logs 文件夹中的实例上找到其他日志。
Because the Windows Update API is used to download and install patches, all Group Policy settings for Windows Update are respected.由于 Windows 更新 API 用于下载和安装补丁程序,因此 Windows 更新的所有组策略设置都受到尊重。 No Group Policy settings are required to use Patch Manager, but any settings that you have defined will be applied, such as to direct instances to a Windows Server Update Services (WSUS) server.使用 Patch Manager 不需要组策略设置,但将应用您定义的任何设置,例如将实例定向到 Windows 服务器更新服务 (WSUS) 服务器。
Note笔记
By default, Windows downloads all patches from Microsoft's Windows Update site because Patch Manager uses the Windows Update API to drive the download and installation of patches.默认情况下,Windows 会从 Microsoft 的 Windows 更新站点下载所有补丁,因为 Patch Manager 使用 Windows 更新 ZDB974238714CA8DE634A7 来驱动下载1和安装3补丁。 As a result, the instance must be able to reach the Microsoft Windows Update site or patching will fail.因此,实例必须能够访问 Microsoft Windows 更新站点,否则修补将失败。 Alternatively, you can configure a WSUS server to serve as a patch repository and configure your instances to target that WSUS server instead using Group Policies.或者,您可以将 WSUS 服务器配置为充当修补程序存储库,并将您的实例配置为以该 WSUS 服务器为目标,而不是使用组策略。
