SSM Patch Manager Windows Patch Scan Failure: Microsoft Update Service 503
When using Systems Manager Patch Manager to scan Windows Server 2019 patches, if SSM Agent, network, and permissions are all normal, but WindowsUpdate.log shows the Microsoft update service returning 503, the root cause may be on Microsoft's side, not AWS's.
Symptoms
Executing an AWS-RunPatchBaseline scan fails, returning something like:
The find operation did not complete successfully
The HResult may be:
-2145107934
Under the same network environment, Windows Server 2016 works normally while Windows Server 2019 fails.
Troubleshooting Process
1. Verify SSM Endpoints
Test-NetConnection ssm.<region>.amazonaws.com -Port 443
Test-NetConnection ssmmessages.<region>.amazonaws.com -Port 443
Test-NetConnection ec2messages.<region>.amazonaws.com -Port 443
If using China regions or VPC Endpoints, replace with the corresponding domain names.
2. Verify Windows Update Network
Test-NetConnection sls.update.microsoft.com -Port 443
Test-NetConnection download.windowsupdate.com -Port 80
Also check whether WSUS is configured:
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
3. Export Windows Update Log
Get-WindowsUpdateLog
If the log contains:
The server returned HTTP status code '503'
The service is temporarily overloaded
*FAILED* [80244022] Web service call
This means the Windows Update client has connected to the Microsoft service, but the server returned an unavailable status.
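The three troubleshooting steps above, run as one pass from an elevated PowerShell session on the affected instance. This is an added example, not a script from the original post or from AWS; it assumes a placeholder region of us-east-1 (replace it, and use the amazonaws.com.cn suffix in China regions), that Get-WindowsUpdateLog is available (Windows Server 2016 and later), and that the log is written to the user's TEMP directory.

```powershell
# Added example (not from the original post): check SSM endpoints, Windows Update endpoints,
# WSUS policy, and then search the exported WindowsUpdate.log for the server-side 503 signature.
$Region = 'us-east-1'   # placeholder; set to the instance's region

# 1. SSM endpoints the agent must reach (all on 443)
$ssmHosts = "ssm.$Region.amazonaws.com", "ssmmessages.$Region.amazonaws.com", "ec2messages.$Region.amazonaws.com"
foreach ($h in $ssmHosts) {
    $ok = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-45} {1}' -f $h, $(if ($ok) { 'reachable' } else { 'BLOCKED' })
}

# 2. Windows Update endpoints named in the post, including the delivery domain 2019 uses
$wuHosts = @{ 'sls.update.microsoft.com' = 443; 'download.windowsupdate.com' = 80; 'fe3.delivery.mp.microsoft.com' = 443 }
foreach ($h in $wuHosts.Keys) {
    $ok = (Test-NetConnection -ComputerName $h -Port $wuHosts[$h] -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-45} {1}' -f "$h`:$($wuHosts[$h])", $(if ($ok) { 'reachable' } else { 'BLOCKED' })
}

# If a WUServer policy value exists, the client talks to WSUS rather than to Microsoft directly
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if ($wu.WUServer) { "WSUS configured: $($wu.WUServer)" } else { 'No WSUS policy; client uses Microsoft Update directly' }

# The HResult reported by the scan is the signed decimal form of the Windows Update error code
'Scan HResult -2145107934 = 0x{0:X8}' -f -2145107934   # prints 0x80244022

# 3. Export the merged ETL log and look for the 503 / 0x80244022 signature
$log = Join-Path $env:TEMP 'WindowsUpdate.log'
Get-WindowsUpdateLog -LogPath $log | Out-Null
$hits = Select-String -Path $log -Pattern "status code '503'", 'temporarily overloaded', '80244022' -SimpleMatch
if ($hits) {
    "Microsoft update service returned 503 ($($hits.Count) matching lines); the cause is likely on Microsoft's side:"
    $hits | Select-Object -Last 5 | ForEach-Object { $_.Line.Trim() }
} else {
    'No 503 / 0x80244022 signature found; keep looking at the agent, IAM role, and network path.'
}
```

If every endpoint is reachable, no WSUS policy is set, and the log search still matches, the remaining workarounds below are the realistic options; a BLOCKED line instead points at a security group, NACL, proxy, or VPC endpoint problem that is on the AWS side.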
Root Cause
Windows Server 2019 may be accessing a specific Microsoft update service domain, such as:
fe3.delivery.mp.microsoft.com
If that service endpoint is temporarily overloaded, it returns HTTP 503, corresponding to error code:
0x80244022
At the same time, Windows Server 2016 may work fine because it accesses a different set of update service domains that are not affected.
Workarounds
1. Wait for Microsoft Service Recovery
If you've confirmed that the network, SSM, and WSUS configuration are all normal, and the error is clearly 503, the most straightforward approach is to wait for the service to recover and retry.
2. Manually Download Patches
Download the .msu from Microsoft Update Catalog, then install via script or SSM Run Command:
https://www.catalog.update.microsoft.com/
3. Pre-cache Patches
Patch Manager itself does not provide a standard "download only, don't install" mode. You can use a custom SSM document to pre-download patches and execute installation during the maintenance window.
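Workarounds 2 and 3 both end the same way: .msu packages that are already on the instance get installed during the maintenance window without a round trip to Microsoft Update. The script below is an added example, not a document from the original post or from AWS; it assumes the packages were placed in C:\PatchCache (a placeholder path) by a manual download from the Update Catalog or by a custom pre-cache document, and it is written to be run through SSM Run Command (AWS-RunPowerShellScript) or as the install step of a custom document.

```powershell
# Added example (not from the original post): install pre-downloaded .msu packages offline with wusa.exe
# and report a Run Command failure only for real installation errors.
param([string]$CacheDir = 'C:\PatchCache')   # placeholder path; adjust to where the packages were cached

$results = foreach ($msu in Get-ChildItem -Path $CacheDir -Filter '*.msu' -ErrorAction Stop) {
    # wusa.exe installs the package from disk; /quiet and /norestart keep the window predictable
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart' -Wait -PassThru
    $status = switch ($p.ExitCode) {
        0       { 'installed' }
        3010    { 'installed, reboot required' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { 'already installed' }            # WU_S_ALREADY_INSTALLED (0x00240006)
        default { "failed (exit code $($p.ExitCode))" }
    }
    [pscustomobject]@{ Package = $msu.Name; Status = $status; ExitCode = $p.ExitCode }
}

$results | Format-Table -AutoSize

# Exit codes 0, 3010 and 2359302 are benign; anything else should fail the Run Command invocation
if ($results | Where-Object { $_.ExitCode -notin 0, 3010, 2359302 }) { exit 1 }
```

Schedule the reboot as a separate step once the table shows a "reboot required" row, so the restart happens inside the maintenance window rather than at an arbitrary point in the install loop.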
4. Deploy WSUS
For environments with strict patch window requirements, you can deploy an on-premises WSUS server to pre-sync patches locally, reducing dependency on the public Microsoft update service.
Summary
SSM Patch Manager scan failures are not necessarily SSM issues. When troubleshooting, work through the layers:
- Whether the SSM Agent is online.
- Whether AWS endpoints are reachable.
- Whether Windows Update endpoints are reachable.
- Whether WindowsUpdate.log shows a Microsoft server-side 503.
If the logs clearly show 0x80244022 and HTTP 503, it should generally be treated as a temporary Microsoft update service unavailability — consider retrying, manual patching, pre-caching, or WSUS.
