

# Update organizations
<a name="ou-updates"></a>

The quickest way to update an organizational unit (OU) or to update multiple accounts within an OU is to perform one of the following actions: 
+ Re-register the OU if `AWSControlTowerBaseline` is enabled.
+ Reset enabled baselines or reset enabled controls if `AWSControlTowerBaseline` is not enabled.

# When to update AWS Control Tower OUs and accounts
<a name="update-existing-accounts"></a>

When you perform a landing zone update, you must update your enrolled accounts to apply new controls to those accounts.
+ You can perform an update to all accounts under an OU using the Re-Register or Reset option.
+ If you have more than one registered OU in your landing zone, re-register or reset all of your OUs to update all of your accounts.
+ To update a single account, you can update from the AWS Control Tower console, or you can select the **Update provisioned product** option in AWS Service Catalog if AWSControlTowerBaseline is enabled on the account. See [Update the account in the console](updating-account-factory-accounts.md#update-account-in-console).

# Update multiple accounts in the same OU
<a name="update-multiple-accounts"></a>

Repeat these steps for each OU in your AWS Control Tower organization, if you need to update all of your accounts and OUs.

**To update multiple accounts in one OU, with one action**

1. Sign in to the AWS Control Tower console at [https://console.aws.amazon.com/controltower](https://console.aws.amazon.com/controltower). 

1. In the left-pane navigation menu, choose **Organization**.

1. On the **Organization** page, choose any OU to view the **OU details** page.

1. If `AWSControlTowerBaseline` is enabled on the OU, select **Re-Register OU** under **Actions**. If `AWSControlTowerBaseline` is not enabled on the OU, select **Reset AWS Config baseline** under **Actions** to reset the enabled baseline, then select the enabled controls and choose **Reset control** in the **Enabled controls** section to reset the enabled controls.

Alternatively, you can select any account that shows a status of **Update available** and then choose **Update account**, for as many accounts as needed.
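
The choice in step 4 can also be made programmatically. The following Python example is added here and is not AWS-provided code: it lists what is enabled on an OU and reports whether to re-register it (`AWSControlTowerBaseline` enabled) or which enabled baselines and enabled controls to reset with the `ResetEnabledBaseline` and `ResetEnabledControl` APIs. It assumes the boto3 `controltower` client with management-account credentials; the function names `plan_ou_update` and `apply_resets` and the `--apply` switch are hypothetical.

```python
"""Decide how to update one OU: re-register it, or reset what is enabled on it."""
CT_BASELINE = "AWSControlTowerBaseline"


def _pages(call, key, **kw):
    """Yield items from a nextToken-paginated Control Tower list call."""
    while True:
        resp = call(**kw)
        yield from resp.get(key, [])
        if not resp.get("nextToken"):
            return
        kw["nextToken"] = resp["nextToken"]


def plan_ou_update(ct, ou_arn):
    """Return ("re-register", []) or ("reset", [(kind, enabled_arn), ...])."""
    names = {b["arn"]: b["name"] for b in _pages(ct.list_baselines, "baselines")}
    enabled = list(_pages(ct.list_enabled_baselines, "enabledBaselines",
                          filter={"targetIdentifiers": [ou_arn]}))
    if any(names.get(e["baselineIdentifier"]) == CT_BASELINE for e in enabled):
        return "re-register", []  # done from the console: Actions > Re-Register OU
    # AWSControlTowerBaseline is not enabled: reset each baseline and control.
    resets = [("baseline", e["arn"]) for e in enabled]
    resets += [("control", c["arn"]) for c in
               _pages(ct.list_enabled_controls, "enabledControls",
                      targetIdentifier=ou_arn)]
    return "reset", resets


def apply_resets(ct, resets):
    """Start one reset operation per item; return the operation identifiers."""
    ops = []
    for kind, arn in resets:
        if kind == "baseline":
            resp = ct.reset_enabled_baseline(enabledBaselineIdentifier=arn)
        else:
            resp = ct.reset_enabled_control(enabledControlIdentifier=arn)
        ops.append(resp["operationIdentifier"])
    return ops


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above work with any client
    ct = boto3.client("controltower")
    action, resets = plan_ou_update(ct, sys.argv[1])  # argv[1]: the OU ARN
    print(action, *resets, sep="\n")
    if action == "reset" and "--apply" in sys.argv[2:]:
        print(apply_resets(ct, resets))
```

Without `--apply` the script only reports the plan, so it can be run across every registered OU before any reset is started.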

## What happens during re-registration
<a name="effects-of-re-registering"></a>

**When you re-register an OU:**
+ The **State** field indicates whether the account currently is enrolled with AWS Control Tower (**Enrolled**), whether the account has never been enrolled (**Not enrolled**), or whether enrollment failed previously (**Enrollment failed**).
+ When you re-register the OU, the `AWSControlTowerExecution` role is added to all accounts with status **Not enrolled** or **Enrollment failed**.
+ AWS Control Tower creates a single sign-on (IAM Identity Center) login for those newly enrolled accounts.
+ **Enrolled** accounts are re-enrolled into AWS Control Tower.
+ Drift on any preventive controls applied to the OU is fixed, because the SCPs are returned to their default definitions.
+ All accounts are updated to reflect the latest landing zone changes.

For more information, see [About enrolling existing accounts](enroll-account.md).

**Tip**  
When you re-register an OU, or when you're updating your landing zone version and multiple member accounts, you may see a failure message mentioning the **StackSet-AWSControlTowerExecutionRole**. This StackSet in the management account can fail because the **AWSControlTowerExecution** IAM role already exists in all enrolled member accounts. This error message is expected behavior, and it can be disregarded.

# Update a single account
<a name="update-account-in-sc"></a>

**Note**  
Single account provisioning, update, and customization must target an organizational unit (OU) with `AWSControlTowerBaseline` enabled. If an OU does not have `AWSControlTowerBaseline` enabled, you can activate account auto-enrollment or use the `ResetEnabledBaseline` and `ResetEnabledControl` APIs on the EnabledBaselines and EnabledControls on that OU to enroll accounts. For details about `AWSControlTowerBaseline`, see [Baseline types that apply at the OU level](types-of-baselines.md#ou-baseline-types).

You can update individual AWS Control Tower accounts in the AWS Control Tower console, or in the Service Catalog console.

To update a single account in the AWS Control Tower console, see [Update the account in the console](updating-account-factory-accounts.md#update-account-in-console).

**To update a single account in AWS Service Catalog**

1. Go to AWS Service Catalog.

1. In the left-pane navigation menu, choose **Provisioned products**.

1. On the **Provisioned products** page, select the radio button next to the provisioned product you want to update.

1. In the upper right, open the **Actions** dropdown and choose **Update**.

To learn more about updating in AWS Service Catalog, see [Update the provisioned product in Service Catalog](update-provisioned-product.md) and [Updating products](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/productmgmt-update.html) in the *Service Catalog Administrator Guide*.