


# Working with managed nodes
<a name="fleet-manager-managed-nodes"></a>

A *managed node* is any machine configured for AWS Systems Manager. You can configure the following machine types as managed nodes: 
+ Amazon Elastic Compute Cloud (Amazon EC2) instances
+ Servers on your own premises (on-premises servers)
+ AWS IoT Greengrass core devices
+ AWS IoT and non-AWS edge devices
+ Virtual machines (VMs), including VMs in other cloud environments

In the Systems Manager console, any machine prefixed with "mi-" has been configured as a managed node using a [*hybrid activation*](activations.md). Edge devices display their AWS IoT Thing name.

**Note**  
The only supported feature for macOS instances is viewing the file system.

**About Systems Manager instances tiers**  
AWS Systems Manager offers a standard-instances tier and an advanced-instances tier. Both support managed nodes in your [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment. The standard-instances tier allows you to register a maximum of 1,000 machines per AWS account per AWS Region. If you need to register more than 1,000 machines in a single account and Region, then use the advanced-instances tier. You can create as many managed nodes as you like in the advanced-instances tier. All managed nodes configured for Systems Manager are priced on a pay-per-use basis. For more information about enabling the advanced instances tier, see [Turning on the advanced-instances tier](fleet-manager-enable-advanced-instances-tier.md). For more information about pricing, see [AWS Systems Manager Pricing](https://aws.amazon.com/systems-manager/pricing/).

Note the following additional information about the standard-instances tier and advanced-instances tier:
+ Advanced instances also allow you to connect to your non-EC2 nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment by using AWS Systems Manager Session Manager. Session Manager provides interactive shell access to your instances. For more information, see [AWS Systems Manager Session Manager](session-manager.md).
+ The standard-instances quota also applies to EC2 instances that use a Systems Manager on-premises activation (which isn't a common scenario).
+ To patch applications released by Microsoft on virtual machines (VMs) and on-premises instances, activate the advanced-instances tier. There is a charge to use the advanced-instances tier. There is no additional charge to patch applications released by Microsoft on Amazon Elastic Compute Cloud (Amazon EC2) instances. For more information, see [Patching applications released by Microsoft on Windows Server](patch-manager-patching-windows-applications.md).

**Display managed nodes**  
If you don't see your managed nodes listed in the console, then do the following:

1. Verify that the console is open in the AWS Region where you created your managed nodes. You can switch Regions by using the list in the top-right corner of the console.

1. Verify that the setup steps for your managed nodes meet Systems Manager requirements. For information, see [Setting up managed nodes for AWS Systems Manager](systems-manager-setting-up-nodes.md).

1. For non-EC2 machines, verify that you completed the hybrid activation process. For more information, see [Managing nodes in hybrid and multicloud environments with Systems Manager](systems-manager-hybrid-multicloud.md).

Note the following additional information:
+ The Fleet Manager console does not display Amazon EC2 nodes that have been terminated.
+ Systems Manager requires accurate time references in order to perform operations on your machines. If the date and time aren't set correctly on your managed nodes, the machines might not match the signature date of your API requests. For more information, see [Use cases and best practices](systems-manager-best-practices.md).
+ When you create or edit tags, the system can take up to one hour to display changes in the table filter.
+ After the status of a managed node has been `Connection Lost` for at least 30 days, the node might no longer be listed in the Fleet Manager console. To restore it to the list, the issue that caused the lost connection must be resolved. For troubleshooting tips, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md).

**Verify Systems Manager support on a managed node**  
AWS Config provides AWS Managed Rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices. AWS Config Managed Rules include the [ec2-instance-managed-by-systems-manager](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html) rule. This rule checks whether the Amazon EC2 instances in your account are managed by Systems Manager. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html). 

**Increase security posture on managed nodes**  
For information about increasing your security posture against unauthorized root-level commands on your managed nodes, see [Restricting access to root-level commands through SSM Agent](ssm-agent-restrict-root-level-commands.md).

**Deregister managed nodes**  
You can deregister managed nodes at any time. For example, if you're managing multiple nodes with the same AWS Identity and Access Management (IAM) role and you notice any kind of malicious behavior, you can deregister any number of machines at any point. (In order to re-register the same machine, you must use a different hybrid Activation Code and Activation ID than previously used to register it.) For information about deregistering managed nodes, see [Deregistering managed nodes in a hybrid and multicloud environment](fleet-manager-deregister-hybrid-nodes.md).

**Topics**
+ [Configuring instance tiers](fleet-manager-configure-instance-tiers.md)
+ [Resetting passwords on managed nodes](fleet-manager-reset-password.md)
+ [Deregistering managed nodes in a hybrid and multicloud environment](fleet-manager-deregister-hybrid-nodes.md)
+ [Working with OS file systems using Fleet Manager](fleet-manager-file-system-management.md)
+ [Monitoring managed node performance](fleet-manager-monitoring-node-performance.md)
+ [Working with processes](fleet-manager-manage-processes.md)
+ [Viewing logs on managed nodes](fleet-manager-view-node-logs.md)
+ [Managing OS user accounts and groups on managed nodes using Fleet Manager](fleet-manager-manage-os-user-accounts.md)
+ [Managing the Windows registry on managed nodes](fleet-manager-manage-windows-registry.md)

# Configuring instance tiers
<a name="fleet-manager-configure-instance-tiers"></a>

This topic describes the scenarios in which you must activate the advanced-instances tier.

AWS Systems Manager offers a standard-instances tier and an advanced-instances tier for non-EC2 machines in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment. 

You can register up to 1,000 standard [hybrid-activated nodes](activations.md) per account per AWS Region at no additional cost. However, registering more than 1,000 hybrid nodes requires that you activate the advanced-instances tier. There is a charge to use the advanced-instances tier. For more information, see [AWS Systems Manager Pricing](https://aws.amazon.com/systems-manager/pricing/).

Even with fewer than 1,000 registered hybrid-activated nodes, two other scenarios require the advanced-instances tier: 
+ You want to use Session Manager to connect to non-EC2 nodes.
+ You want to patch applications (not operating systems) released by Microsoft on non-EC2 nodes.
**Note**  
There is no charge to patch applications released by Microsoft on Amazon EC2 instances.

## Advanced-instances tier detailed scenarios
<a name="systems-manager-managed-instances-tier-scenarios"></a>

The following information provides details on the three scenarios for which you must activate the advanced-instances tier.

Scenario 1: You want to register more than 1,000 hybrid-activated nodes  
Using the standard-instances tier, you can register a maximum of 1,000 non-EC2 nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment per AWS Region in a specific account without additional charge. If you need to register more than 1,000 non-EC2 nodes in a Region, you must use the advanced-instances tier. You can then activate as many machines for your hybrid and multicloud environment as you want. Charges for the advanced-instances tier are based on the number of advanced nodes activated as Systems Manager managed nodes and the hours those nodes are running.  
All Systems Manager managed nodes that use the activation process described in [Create a hybrid activation to register nodes with Systems Manager](hybrid-activation-managed-nodes.md) are then subject to charge if you exceed 1,000 on-premises nodes in a Region in a specific account.  
You can also activate existing Amazon Elastic Compute Cloud (Amazon EC2) instances using Systems Manager hybrid activations and work with them as non-EC2 instances, such as for testing. These also qualify as hybrid nodes. This isn't a common scenario.

Scenario 2: Patching Microsoft-released applications on hybrid-activated nodes  
The advanced-instances tier is also required if you want to patch Microsoft-released applications on non-EC2 nodes in a hybrid and multicloud environment. If you activate the advanced-instances tier to patch Microsoft applications on non-EC2 nodes, charges are then incurred for all on-premises nodes, even if you have fewer than 1,000.  
There is no additional charge to patch applications released by Microsoft on Amazon Elastic Compute Cloud (Amazon EC2) instances. For more information, see [Patching applications released by Microsoft on Windows Server](patch-manager-patching-windows-applications.md).

Scenario 3: Connecting to hybrid-activated nodes using Session Manager  
Session Manager provides interactive shell access to your instances. To connect to hybrid-activated managed nodes using Session Manager, you must activate the advanced-instances tier. Charges are then incurred for all hybrid-activated nodes, even if you have fewer than 1,000.

**Summary: When do I need the advanced-instances tier?**  
Use the following table to review when you must use the advanced-instances tier, and for which scenarios additional charges apply.


| Scenario | Advanced-instances tier required? | Additional charges apply? | 
| --- | --- | --- | 
|  The number of hybrid-activated nodes in my Region in a specific account is more than 1,000.  | Yes | Yes | 
|  I want to use Patch Manager to patch Microsoft-released applications on any number of hybrid-activated nodes, even fewer than 1,000.  | Yes | Yes | 
|  I want to use Session Manager to connect to any number of hybrid-activated nodes, even fewer than 1,000.  | Yes | Yes | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-configure-instance-tiers.html)  | No | No | 

**Topics**
+ [Advanced-instances tier detailed scenarios](#systems-manager-managed-instances-tier-scenarios)
+ [Turning on the advanced-instances tier](fleet-manager-enable-advanced-instances-tier.md)
+ [Reverting from the advanced-instances tier to the standard-instances tier](fleet-manager-revert-to-standard-tier.md)

# Turning on the advanced-instances tier
<a name="fleet-manager-enable-advanced-instances-tier"></a>

AWS Systems Manager offers a standard-instances tier and an advanced-instances tier for non-EC2 machines in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment. The standard-instances tier lets you register a maximum of 1,000 hybrid-activated machines per AWS account per AWS Region. The advanced-instances tier is also required to use Patch Manager to patch Microsoft-released applications on non-EC2 nodes, and to connect to non-EC2 nodes using Session Manager. For more information, see [Turning on the advanced-instances tier](#fleet-manager-enable-advanced-instances-tier).

This section describes how to configure your hybrid and multicloud environment to use the advanced-instances tier.

**Before you begin**  
Review pricing details for advanced instances. Advanced instances are available on a per-use basis. For more information, see [AWS Systems Manager Pricing](https://aws.amazon.com/systems-manager/pricing/).

## Configuring permissions to turn on the advanced-instances tier
<a name="enable-advanced-instances-tier-permissions"></a>

Verify that you have permission in AWS Identity and Access Management (IAM) to change your environment from the standard-instances tier to the advanced-instances tier. You must either have the `AdministratorAccess` IAM policy attached to your user, group, or role, or you must have permission to change the Systems Manager activation-tier service setting. The activation-tier setting uses the following API operations: 
+ [GetServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetServiceSetting.html)
+ [UpdateServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_UpdateServiceSetting.html)
+ [ResetServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ResetServiceSetting.html)

Use the following procedure to add an inline IAM policy to a user account. This policy allows a user to view the current managed-instance tier setting. This policy also allows the user to change or reset the current setting in the specified AWS account and AWS Region.

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Users**.

1. In the list, choose the name of the user to embed a policy in.

1. Choose the **Permissions** tab.

1. On the right side of the page, under **Permission policies**, choose **Add inline policy**. 

1. Choose the **JSON** tab.

1. Replace the default content with the following:

------
#### [ JSON ]


   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:GetServiceSetting"
               ],
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:ResetServiceSetting",
                   "ssm:UpdateServiceSetting"
               ],
               "Resource": "arn:aws:ssm:us-east-1:111122223333:servicesetting/ssm/managed-instance/activation-tier"
           }
       ]
   }
   ```

------

1. Choose **Review policy**.

1. On the **Review policy** page, for **Name**, enter a name for the inline policy. For example: **Managed-Instances-Tier**.

1. Choose **Create policy**.

Administrators can specify read-only permission by assigning the following inline policy to the user.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetServiceSetting"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ssm:ResetServiceSetting",
                "ssm:UpdateServiceSetting"
            ],
            "Resource": "*"
        }
    ]
}
```

------

For more information about creating and editing IAM policies, see [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.
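
The following Python code is an added example, not part of the AWS documentation. It checks whether an identity-based policy document lets a principal change the instance tier in a given account and Region, and whether it does so through a wildcard resource instead of the single activation-tier ARN. It evaluates only `Effect`, `Action` and `Resource` within one policy; the function name `audit_tier_policy` and the over-broad sample policy are constructed for illustration.

```python
import re

# Actions that change the account-level instance tier (listed on this page).
TIER_WRITE_ACTIONS = ("ssm:UpdateServiceSetting", "ssm:ResetServiceSetting")
TIER_RESOURCE = "servicesetting/ssm/managed-instance/activation-tier"

# The two policies shown on this page.
PAGE_CHANGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetServiceSetting"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:ResetServiceSetting", "ssm:UpdateServiceSetting"],
         "Resource": "arn:aws:ssm:us-east-1:111122223333:" + TIER_RESOURCE},
    ],
}
PAGE_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetServiceSetting"], "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["ssm:ResetServiceSetting", "ssm:UpdateServiceSetting"],
         "Resource": "*"},
    ],
}
# Constructed sample (not from the page): a broad grant that also covers the tier.
CONSTRUCTED_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def audit_tier_policy(policy, region, account):
    """Report which tier-changing actions the policy allows and how they are scoped."""
    tier_arn = f"arn:aws:ssm:{region}:{account}:{TIER_RESOURCE}"
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]

    manual_review, usable = [], []
    for index, st in enumerate(statements):
        # These elements are not evaluated here; report them instead of guessing.
        if any(key in st for key in ("Condition", "NotAction", "NotResource")):
            manual_review.append(index)
        else:
            usable.append(st)

    result = {"can_change_tier": [], "wildcard_grants": [], "manual_review": manual_review}
    for action in TIER_WRITE_ACTIONS:
        hits = [
            (st.get("Effect"), resource)
            for st in usable
            if any(_matches(a, action, True) for a in _as_list(st.get("Action")))
            for resource in _as_list(st.get("Resource"))
            if _matches(resource, tier_arn)
        ]
        if any(effect == "Deny" for effect, _ in hits):
            continue  # an explicit Deny overrides every Allow
        allows = [resource for effect, resource in hits if effect == "Allow"]
        if allows:
            result["can_change_tier"].append(action)
            # Any matching pattern other than the exact ARN reaches beyond this setting.
            result["wildcard_grants"] += [(action, r) for r in allows if r != tier_arn]
    return result


if __name__ == "__main__":
    for name, doc in [("change", PAGE_CHANGE_POLICY),
                      ("read-only", PAGE_READ_ONLY_POLICY),
                      ("broad", CONSTRUCTED_BROAD_POLICY)]:
        print(name, audit_tier_policy(doc, "us-east-1", "111122223333"))
```

Because the policy from this page names one Region in its resource ARN, the same check run for `us-east-2` reports no permission to change the tier there.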

## Turning on the advanced-instances tier (console)
<a name="enable-advanced-instances-tier-enabling"></a>

The following procedure shows you how to use the Systems Manager console to change *all* non-EC2 nodes that were added using managed-instance activation, in the specified AWS account and AWS Region, to use the advanced-instances tier.

**Before you begin**  
Verify that the console is open in the AWS Region where you created your managed instances. You can switch Regions by using the list in the top-right corner of the console.

Verify that you have completed the setup requirements for your Amazon Elastic Compute Cloud (Amazon EC2) instances and non-EC2 machines in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment. For information, see [Setting up managed nodes for AWS Systems Manager](systems-manager-setting-up-nodes.md).

**Important**  
The following procedure describes how to change an account-level setting. This change results in charges being billed to your account.

**To turn on the advanced-instances tier (console)**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose **Settings**, and then choose **Change instance tier settings**.

1. Review the information in the dialog box about changing account settings.

1. If you approve, choose the option to accept, and then choose **Change setting**.

The system can take several minutes to complete the process of moving all instances from the standard-instances tier to the advanced-instances tier.

**Note**  
For information about changing back to the standard-instances tier, see [Reverting from the advanced-instances tier to the standard-instances tier](fleet-manager-revert-to-standard-tier.md).

## Turning on the advanced-instances tier (AWS CLI)
<a name="enable-advanced-instances-tier-enabling-cli"></a>

The following procedure shows you how to use the AWS Command Line Interface to change *all* on-premises servers and VMs that were added using managed-instance activation, in the specified AWS account and AWS Region, to use the advanced-instances tier.

**Important**  
The following procedure describes how to change an account-level setting. This change results in charges being billed to your account.

**To turn on the advanced-instances tier using the AWS CLI**

1. Open the AWS CLI and run the following command. Replace each *example resource placeholder* with your own information.

------
#### [ Linux & macOS ]

   ```
   aws ssm update-service-setting \
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier \
       --setting-value advanced
   ```

------
#### [ Windows ]

   ```
   aws ssm update-service-setting ^
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier ^
       --setting-value advanced
   ```

------

   There is no output if the command succeeds.

1. Run the following command to view the current service settings for managed nodes in the current AWS account and AWS Region.

------
#### [ Linux & macOS ]

   ```
   aws ssm get-service-setting \
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier
   ```

------
#### [ Windows ]

   ```
   aws ssm get-service-setting ^
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier
   ```

------

   The command returns information like the following.

   ```
   {
       "ServiceSetting": {
           "SettingId": "/ssm/managed-instance/activation-tier",
           "SettingValue": "advanced",
           "LastModifiedDate": 1555603376.138,
           "LastModifiedUser": "arn:aws:sts::123456789012:assumed-role/Administrator/User_1",
           "ARN": "arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/managed-instance/activation-tier",
           "Status": "PendingUpdate"
       }
   }
   ```

## Turning on the advanced-instances tier (PowerShell)
<a name="enable-advanced-instances-tier-enabling-ps"></a>

The following procedure shows you how to use the AWS Tools for Windows PowerShell to change *all* on-premises servers and VMs that were added using managed-instance activation, in the specified AWS account and AWS Region, to use the advanced-instances tier.

**Important**  
The following procedure describes how to change an account-level setting. This change results in charges being billed to your account.

**To turn on the advanced-instances tier using PowerShell**

1. Open AWS Tools for Windows PowerShell and run the following command. Replace each *example resource placeholder* with your own information.

   ```
   Update-SSMServiceSetting `
       -SettingId "arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier" `
       -SettingValue "advanced"
   ```

   There is no output if the command succeeds.

1. Run the following command to view the current service settings for managed nodes in the current AWS account and AWS Region.

   ```
   Get-SSMServiceSetting `
       -SettingId "arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier"
   ```

   The command returns information like the following.

   ```
   ARN              : arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/managed-instance/activation-tier
   LastModifiedDate : 4/18/2019 4:02:56 PM
   LastModifiedUser : arn:aws:sts::123456789012:assumed-role/Administrator/User_1
   SettingId        : /ssm/managed-instance/activation-tier
   SettingValue     : advanced
   Status           : PendingUpdate
   ```

The system can take several minutes to complete the process of moving all nodes from the standard-instances tier to the advanced-instances tier.

**Note**  
For information about changing back to the standard-instances tier, see [Reverting from the advanced-instances tier to the standard-instances tier](fleet-manager-revert-to-standard-tier.md).

# Reverting from the advanced-instances tier to the standard-instances tier
<a name="fleet-manager-revert-to-standard-tier"></a>

This section describes how to change hybrid-activated nodes running in the advanced-instances tier back to the standard-instances tier. This configuration applies to all hybrid-activated nodes in an AWS account and a single AWS Region.

**Before you begin**  
Review the following important details.

**Note**  
+ You can't revert back to the standard-instance tier if you're running more than 1,000 hybrid-activated nodes in the account and Region. You must first deregister nodes until you have 1,000 or fewer. This also applies to Amazon Elastic Compute Cloud (Amazon EC2) instances that use a Systems Manager hybrid activation (which isn't a common scenario). For more information, see [Deregistering managed nodes in a hybrid and multicloud environment](fleet-manager-deregister-hybrid-nodes.md).
+ After you revert, you won't be able to use Session Manager, a tool in AWS Systems Manager, to interactively access your hybrid-activated nodes.
+ After you revert, you won't be able to use Patch Manager, a tool in AWS Systems Manager, to patch applications released by Microsoft on hybrid-activated nodes.
+ The process of reverting all hybrid-activated nodes back to the standard-instance tier can take 30 minutes or more to complete.

This section describes how to revert all hybrid-activated nodes in an AWS account and AWS Region from the advanced-instances tier to the standard-instances tier.

## Reverting to the standard-instances tier (console)
<a name="revert-to-standard-tier-console"></a>

The following procedure shows you how to use the Systems Manager console to change all hybrid-activated nodes in your [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment to use the standard-instances tier in the specified AWS account and AWS Region.

**To revert to the standard-instances tier (console)**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the **Account settings** dropdown and choose **Instance tier settings**.

1. Choose **Change account setting**.

1. Review the information in the pop-up about changing account settings, and then if you approve, choose the option to accept and continue.

## Reverting to the standard-instances tier (AWS CLI)
<a name="revert-to-standard-tier-cli"></a>

The following procedure shows you how to use the AWS Command Line Interface to change all hybrid-activated nodes in your [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment to use the standard-instances tier in the specified AWS account and AWS Region.

**To revert to the standard-instances tier using the AWS CLI**

1. Open the AWS CLI and run the following command. Replace each *example resource placeholder* with your own information.

------
#### [ Linux & macOS ]

   ```
   aws ssm update-service-setting \
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier \
       --setting-value standard
   ```

------
#### [ Windows ]

   ```
   aws ssm update-service-setting ^
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier ^
       --setting-value standard
   ```

------

   There is no output if the command succeeds.

1. Run the following command 30 minutes later to view the settings for managed instances in the current AWS account and AWS Region.

------
#### [ Linux & macOS ]

   ```
   aws ssm get-service-setting \
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier
   ```

------
#### [ Windows ]

   ```
   aws ssm get-service-setting ^
       --setting-id arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier
   ```

------

   The command returns information like the following.

   ```
   {
       "ServiceSetting": {
           "SettingId": "/ssm/managed-instance/activation-tier",
           "SettingValue": "standard",
           "LastModifiedDate": 1555603376.138,
           "LastModifiedUser": "System",
           "ARN": "arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/managed-instance/activation-tier",
           "Status": "Default"
       }
   }
   ```

   The status changes to *Default* after the request has been approved.
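
The following Python code is an added example, not part of the AWS documentation. It reviews saved `aws ssm get-service-setting` output for the activation-tier setting, using the two sample responses from the turn-on and revert procedures on this page. Because the setting is per account and per Region, it accepts one response per Region; the function names and the `approved_principals` allow-list are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

TIER_SETTING_ID = "/ssm/managed-instance/activation-tier"

# Responses copied from the sample output shown on this page.
AFTER_ENABLE = json.loads("""
{"ServiceSetting": {
    "SettingId": "/ssm/managed-instance/activation-tier",
    "SettingValue": "advanced",
    "LastModifiedDate": 1555603376.138,
    "LastModifiedUser": "arn:aws:sts::123456789012:assumed-role/Administrator/User_1",
    "ARN": "arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/managed-instance/activation-tier",
    "Status": "PendingUpdate"}}
""")
AFTER_REVERT = json.loads("""
{"ServiceSetting": {
    "SettingId": "/ssm/managed-instance/activation-tier",
    "SettingValue": "standard",
    "LastModifiedDate": 1555603376.138,
    "LastModifiedUser": "System",
    "ARN": "arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/managed-instance/activation-tier",
    "Status": "Default"}}
""")


def review_tier_setting(output, approved_principals=()):
    """Summarise one get-service-setting response for the activation-tier setting."""
    setting = output["ServiceSetting"]
    if setting["SettingId"] != TIER_SETTING_ID:
        raise ValueError(f"not the activation-tier setting: {setting['SettingId']}")

    # SettingId carries no location, so take Region and account from the ARN:
    # arn:partition:service:region:account:resource
    _, _, _, region, account, _ = setting["ARN"].split(":", 5)

    # LastModifiedDate is epoch seconds in the CLI's JSON output.
    modified = datetime.fromtimestamp(setting["LastModifiedDate"], tz=timezone.utc)

    findings = []
    if setting["Status"] == "PendingUpdate":
        # The requested value is shown, but the move between tiers is not finished.
        findings.append("pending")
    if setting["SettingValue"] == "advanced":
        # Per this page, the advanced tier incurs charges for hybrid-activated nodes.
        findings.append("billable")
        if setting["LastModifiedUser"] not in approved_principals:
            findings.append("unapproved-change")

    return {
        "account": account,
        "region": region,
        "tier": setting["SettingValue"],
        "status": setting["Status"],
        "modified_utc": modified.isoformat(timespec="seconds"),
        "modified_by": setting["LastModifiedUser"],
        "findings": findings,
    }


def review_all(outputs, approved_principals=()):
    """Review one response per Region and return rows sorted by account and Region."""
    rows = [review_tier_setting(o, approved_principals) for o in outputs]
    return sorted(rows, key=lambda row: (row["account"], row["region"]))


if __name__ == "__main__":
    for row in review_all([AFTER_ENABLE, AFTER_REVERT]):
        print(row)
```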

## Reverting to the standard-instances tier (PowerShell)
<a name="revert-to-standard-tier-ps"></a>

The following procedure shows you how to use AWS Tools for Windows PowerShell to change hybrid-activated nodes in your hybrid and multicloud environment to use the standard-instances tier in the specified AWS account and AWS Region.

**To revert to the standard-instances tier using PowerShell**

1. Open AWS Tools for Windows PowerShell and run the following command.

   ```
   Update-SSMServiceSetting `
       -SettingId "arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier" `
       -SettingValue "standard"
   ```

   There is no output if the command succeeds.

1. Run the following command 30 minutes later to view the settings for managed instances in the current AWS account and AWS Region.

   ```
   Get-SSMServiceSetting `
       -SettingId "arn:aws:ssm:region:aws-account-id:servicesetting/ssm/managed-instance/activation-tier"
   ```

   The command returns information like the following.

   ```
   ARN              : arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/managed-instance/activation-tier
   LastModifiedDate : 4/18/2019 4:02:56 PM
   LastModifiedUser : System
   SettingId        : /ssm/managed-instance/activation-tier
   SettingValue     : standard
   Status           : Default
   ```

   The status changes to *Default* after the request has been approved.

# Resetting passwords on managed nodes
<a name="fleet-manager-reset-password"></a>

You can reset the password for any user on a managed node. This includes Amazon Elastic Compute Cloud (Amazon EC2) instances; AWS IoT Greengrass core devices; and on-premises servers, edge devices, and virtual machines (VMs) that are managed by AWS Systems Manager. The password reset functionality is built on Session Manager, a tool in AWS Systems Manager. You can use this functionality to connect to managed nodes without opening inbound ports, maintaining bastion hosts, or managing SSH keys. 

Password reset is useful when a user has forgotten a password, or when you want to quickly update a password without making an RDP or SSH connection to a managed node. 

**Prerequisites**  
Before you can reset the password on a managed node, the following requirements must be met:
+ The managed node on which you want to change a password must be a Systems Manager managed node. Also, SSM Agent version 2.3.668.0 or later must be installed on the managed node. For information about installing or updating SSM Agent, see [Working with SSM Agent](ssm-agent.md).
+ The password reset functionality uses the Session Manager configuration that is set up for your account to connect to the managed node. Therefore, the prerequisites for using Session Manager must have been completed for your account in the current AWS Region. For more information, see [Setting up Session Manager](session-manager-getting-started.md).
**Note**  
Session Manager support for on-premises nodes is provided for the advanced-instances tier only. For more information, see [Turning on the advanced-instances tier](fleet-manager-enable-advanced-instances-tier.md).
+ The AWS user who is changing the password must have the `ssm:SendCommand` permission for the managed node. For more information, see [Restricting Run Command access based on tags](run-command-setting-up.md#tag-based-access).

**Restricting access**  
You can limit a user's ability to reset passwords to specific managed nodes. This is done by using identity-based policies for the Session Manager `ssm:StartSession` operation with the `AWS-PasswordReset` SSM document. For more information, see [Control user session access to instances](session-manager-getting-started-restrict-access.md).

**Encrypting data**  
Turn on AWS Key Management Service (AWS KMS) complete encryption for Session Manager data to use the password reset option for managed nodes. For more information, see [Turn on KMS key encryption of session data (console)](session-preferences-enable-encryption.md).

## Reset a password on a managed node
<a name="managed-instance-reset-a-password"></a>

You can reset a password on a Systems Manager managed node using the Systems Manager **Fleet Manager** console or the AWS Command Line Interface (AWS CLI).

**To change the password on a managed node (console)**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the node that needs a new password.

1. Choose **Instance actions, Reset password**.

1. For **User name**, enter the name of the user for which you're changing the password. This can be any user name that has an account on the node.

1. Choose **Submit**.

1. Follow the prompts in the **Enter new password** command window to specify the new password.
**Note**  
If the version of SSM Agent on the managed node doesn't support password resets, you're prompted to install a supported version using Run Command, a tool in AWS Systems Manager.

**To reset the password on a managed node (AWS CLI)**

1. To reset the password for a user on a managed node, run the following command. Replace each *example resource placeholder* with your own information.
**Note**  
To use the AWS CLI to reset a password, the Session Manager plugin must be installed on your local machine. For information, see [Install the Session Manager plugin for the AWS CLI](session-manager-working-with-install-plugin.md).

------
#### [ Linux & macOS ]

   ```
   aws ssm start-session \
       --target instance-id \
       --document-name "AWS-PasswordReset" \
       --parameters '{"username": ["user-name"]}'
   ```

------
#### [ Windows ]

   ```
   aws ssm start-session ^
       --target instance-id ^
       --document-name "AWS-PasswordReset" ^
       --parameters username="user-name"
   ```

------

1. Follow the prompts in the **Enter new password** command window to specify the new password.

## Troubleshoot password resets on managed nodes
<a name="password-reset-troubleshooting"></a>

Many password reset issues can be resolved by ensuring that you have completed the [password reset prerequisites](#pw-reset-prereqs). For other problems, use the following information to help you troubleshoot password reset issues.

**Topics**
+ [Managed node not available](#password-reset-troubleshooting-instances)
+ [SSM Agent not up-to-date (console)](#password-reset-troubleshooting-ssmagent-console)
+ [Password reset options aren't provided (AWS CLI)](#password-reset-troubleshooting-ssmagent-cli)
+ [No authorization to run `ssm:SendCommand`](#password-reset-troubleshooting-sendcommand)
+ [Session Manager error message](#password-reset-troubleshooting-session-manager)

### Managed node not available
<a name="password-reset-troubleshooting-instances"></a>

**Problem**: You want to reset the password for a managed node on the **Managed instances** console page, but the node isn't in the list.
+ **Solution**: The managed node you want to connect to might not be configured for Systems Manager. To use an EC2 instance with Systems Manager, an AWS Identity and Access Management (IAM) instance profile that gives Systems Manager permission to perform actions on your instances must be attached to the instance. For information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md). 

  To use a non-EC2 machine with Systems Manager, create an IAM service role that gives Systems Manager permission to perform actions on your managed nodes. For more information, see [Create the IAM service role required for Systems Manager in hybrid and multicloud environments](hybrid-multicloud-service-role.md). (Session Manager support for on-premises servers and VMs is provided for the advanced-instances tier only. For more information, see [Turning on the advanced-instances tier](fleet-manager-enable-advanced-instances-tier.md).)

### SSM Agent not up-to-date (console)
<a name="password-reset-troubleshooting-ssmagent-console"></a>

**Problem**: A message reports that the version of SSM Agent doesn't support password reset functionality.
+ **Solution**: Version 2.3.668.0 or later of SSM Agent is required to perform password resets. In the console, you can update the agent on the managed node by choosing **Update SSM Agent**. 

  An updated version of SSM Agent is released whenever new tools are added to Systems Manager or updates are made to existing tools. Failing to use the latest version of the agent can prevent your managed node from using various Systems Manager tools and features. For that reason, we recommend that you automate the process of keeping SSM Agent up to date on your machines. For information, see [Automating updates to SSM Agent](ssm-agent-automatic-updates.md). Subscribe to the [SSM Agent Release Notes](https://github.com/aws/amazon-ssm-agent/blob/mainline/RELEASENOTES.md) page on GitHub to get notifications about SSM Agent updates.

### Password reset options aren't provided (AWS CLI)
<a name="password-reset-troubleshooting-ssmagent-cli"></a>

**Problem**: You connect successfully to a managed node using the AWS CLI [start-session](https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html) command. You specified the SSM Document `AWS-PasswordReset` and provided a valid user name, but prompts to change the password aren't displayed.
+ **Solution**: The version of SSM Agent on the managed node isn't up-to-date. Version 2.3.668.0 or later is required to perform password resets. 

  An updated version of SSM Agent is released whenever new tools are added to Systems Manager or updates are made to existing tools. Failing to use the latest version of the agent can prevent your managed node from using various Systems Manager tools and features. For that reason, we recommend that you automate the process of keeping SSM Agent up to date on your machines. For information, see [Automating updates to SSM Agent](ssm-agent-automatic-updates.md). Subscribe to the [SSM Agent Release Notes](https://github.com/aws/amazon-ssm-agent/blob/mainline/RELEASENOTES.md) page on GitHub to get notifications about SSM Agent updates.
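The version requirement in the two SSM Agent troubleshooting entries above can be checked across a fleet before anyone attempts a reset. This added example (not part of the AWS documentation) reads JSON in the shape returned by `aws ssm describe-instance-information` and lists the nodes that fail the page's prerequisites; the function names, reason codes and sample inventory are constructed for illustration.

```python
import json

# From the page: SSM Agent 2.3.668.0 or later is required for password resets.
MIN_RESET_VERSION = (2, 3, 668, 0)


def parse_agent_version(text):
    """Turn '3.1.1004.0' into (3, 1, 1004, 0); return None if malformed."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except (AttributeError, ValueError):
        return None
    return parts if len(parts) == 4 and all(p >= 0 for p in parts) else None


def password_reset_blockers(inventory):
    """Map node ID -> reasons the node isn't ready for a password reset."""
    report = {}
    for node in inventory.get("InstanceInformationList", []):
        node_id = node.get("InstanceId", "<unknown>")
        reasons = []
        version = parse_agent_version(node.get("AgentVersion"))
        if version is None:
            reasons.append("AGENT_VERSION_UNKNOWN")
        elif version < MIN_RESET_VERSION:
            # Tuple comparison is numeric per field. Comparing the raw strings
            # would sort "2.3.1000.0" before "2.3.668.0" and flag a good agent.
            reasons.append("AGENT_TOO_OLD")
        if node_id.startswith("mi-"):
            # Hybrid-activated node: Session Manager, which the reset relies
            # on, is available for these in the advanced-instances tier only.
            reasons.append("CHECK_ADVANCED_TIER")
        if reasons:
            report[node_id] = reasons
    return report


# Constructed sample in the shape of `aws ssm describe-instance-information`
# output; the IDs and versions are placeholders, not real nodes.
SAMPLE_INVENTORY = json.loads("""
{
  "InstanceInformationList": [
    {"InstanceId": "i-02573cafcfEXAMPLE", "AgentVersion": "3.2.582.0"},
    {"InstanceId": "i-0471e04240EXAMPLE", "AgentVersion": "2.3.1000.0"},
    {"InstanceId": "i-07782c72faEXAMPLE", "AgentVersion": "2.3.539.0"},
    {"InstanceId": "mi-0a1b2c3d4eEXAMPLE", "AgentVersion": "3.0.1.0"},
    {"InstanceId": "i-0e1f2a3b4cEXAMPLE", "AgentVersion": ""}
  ]
}
""")

if __name__ == "__main__":
    for node_id, reasons in password_reset_blockers(SAMPLE_INVENTORY).items():
        print(node_id, ", ".join(reasons))
```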

### No authorization to run `ssm:SendCommand`
<a name="password-reset-troubleshooting-sendcommand"></a>

**Problem**: You attempt to connect to a managed node to change the password but receive an error message saying that you aren't authorized to run `ssm:SendCommand` on the managed node.
+ **Solution**: Your IAM policy must include permission to run the `ssm:SendCommand` command. For information, see [Restricting Run Command access based on tags](run-command-setting-up.md#tag-based-access).

### Session Manager error message
<a name="password-reset-troubleshooting-session-manager"></a>

**Problem**: You receive an error message related to Session Manager.
+ **Solution**: Password reset support requires that Session Manager is configured correctly. For information, see [Setting up Session Manager](session-manager-getting-started.md) and [Troubleshooting Session Manager](session-manager-troubleshooting.md).

# Deregistering managed nodes in a hybrid and multicloud environment
<a name="fleet-manager-deregister-hybrid-nodes"></a>

If you no longer want to manage an on-premises server, edge device, or virtual machine (VM) by using AWS Systems Manager, then you can deregister it. Deregistering a hybrid-activated node removes it from the list of managed nodes in Systems Manager. AWS Systems Manager Agent (SSM Agent) running on the hybrid-activated node won't be able to refresh its authorization token because it's no longer registered. SSM Agent hibernates and reduces its ping frequency to Systems Manager in the cloud to once per hour. Systems Manager stores the command history for a deregistered managed node for 30 days.

**Note**  
You can reregister an on-premises server, edge device, or VM using the same activation code and ID as long as you haven't reached the instance limit for the designated activation code and ID. You can verify the instance limit in the console by choosing **Node tools**, and then choosing **Hybrid activations**. If the value of **Registered instances** is less than **Registration limit**, you can reregister a machine using the same activation code and ID. If it's greater, you must use a different activation code and ID.

The following procedure describes how to deregister a hybrid-activated node by using the Systems Manager console. For information about how to do this by using the AWS Command Line Interface, see [deregister-managed-instance](https://docs.aws.amazon.com/cli/latest/reference/ssm/deregister-managed-instance.html).

For related information, see the following topics:
+ [Deregister and reregister a managed node (Linux)](hybrid-multicloud-ssm-agent-install-linux.md#systems-manager-install-managed-linux-deregister-reregister)
+ [Deregister and reregister a managed node (Windows Server)](hybrid-multicloud-ssm-agent-install-windows.md#systems-manager-install-managed-win-deregister-reregister)

**To deregister a hybrid-activated node (console)**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the checkbox next to the managed node that you want to deregister.

1. Choose **Node actions, Tools, Deregister this managed node**.

1. Review the information in the **Deregister this managed node** dialog box. If you approve, choose **Deregister**.

# Working with OS file systems using Fleet Manager
<a name="fleet-manager-file-system-management"></a>

You can use Fleet Manager, a tool in AWS Systems Manager, to work with the file system on your managed nodes. Using Fleet Manager, you can view information about the directory and file data stored on the volumes attached to your managed nodes. For example, you can view the name, size, extension, owner, and permissions for your directories and files. Up to 10,000 lines of file data can be previewed as text from the Fleet Manager console. You can also use this feature to `tail` files. When using `tail` to view file data, the last 10 lines of the file are displayed initially. As new lines of data are written to the file, the view is updated in real time. As a result, you can review log data from the console, which can improve the efficiency of your troubleshooting and systems administration. Additionally, you can create directories and copy, cut, paste, rename, or delete files and directories.

We recommend creating regular backups, or taking snapshots of the Amazon Elastic Block Store (Amazon EBS) volumes attached to your managed nodes. When copying, or cutting and pasting files, existing files and directories in the destination path with the same name as the new files or directories are replaced. Serious problems can occur if you replace or modify system files and directories. AWS doesn't guarantee that these problems can be solved. Modify system files at your own risk. You're responsible for all file and directory changes, and ensuring you have backups. Deleting or replacing files and directories can't be undone.

**Note**  
Fleet Manager uses Session Manager, a tool in AWS Systems Manager, to view text previews and `tail` files. For Amazon Elastic Compute Cloud (Amazon EC2) instances, the instance profile attached to your managed instances must provide permissions for Session Manager to use this feature. For more information about adding Session Manager permissions to an instance profile, see [Add Session Manager permissions to an existing IAM role](getting-started-add-permissions-to-existing-profile.md).

**Topics**
+ [Viewing the OS file system using Fleet Manager](fleet-manager-viewing-file-system.md)
+ [Previewing OS files using Fleet Manager](fleet-manager-preview-os-files.md)
+ [Tailing OS files using Fleet Manager](fleet-manager-tailing-os-files.md)
+ [Copying, cutting, and pasting OS files or directories using Fleet Manager](fleet-manager-move-files-or-directories.md)
+ [Renaming OS files and directories using Fleet Manager](fleet-manager-renaming-files-and-directories.md)
+ [Deleting OS files and directories using Fleet Manager](fleet-manager-deleting-files-and-directories.md)
+ [Creating OS directories using Fleet Manager](fleet-manager-creating-directories.md)
+ [Cutting, copying, and pasting OS directories using Fleet Manager](fleet-manager-managing-directories.md)

# Viewing the OS file system using Fleet Manager
<a name="fleet-manager-viewing-file-system"></a>

You can use Fleet Manager to view the OS file system on a Systems Manager managed node. 

**To view the OS file system using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node with the file system you want to view.

1. Choose **Tools, File system**.

# Previewing OS files using Fleet Manager
<a name="fleet-manager-preview-os-files"></a>

You can use Fleet Manager to preview text files on an OS.

**To view text previews of files using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node with the files you want to preview.

1. Choose **Tools, File system**.

1. Select the **File name** of the directory that contains the file you want to preview.

1. Choose the button next to the file whose content you want to preview.

1. Choose **Actions, Preview as text**.

# Tailing OS files using Fleet Manager
<a name="fleet-manager-tailing-os-files"></a>

You can use Fleet Manager to tail a file on a managed node.

**To tail OS files with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node with the files you want to tail.

1. Choose **Tools, File system**.

1. Select the **File name** of the directory that contains the file you want to tail.

1. Choose the button next to the file whose content you want to tail.

1. Choose **Actions, Tail file**.

# Copying, cutting, and pasting OS files or directories using Fleet Manager
<a name="fleet-manager-move-files-or-directories"></a>

You can use Fleet Manager to copy, cut, and paste OS files on a managed node.

**To copy or cut and paste files or directories using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node with the files you want to copy, or cut and paste.

1. Choose **Tools, File system**.

1. To copy or cut a file, select the **File name** of the directory that contains the file you want to copy or cut. To copy or cut a directory, choose the button next to the directory that you want to copy or cut and then proceed to step 8.

1. Choose the button next to the file you want to copy or cut.

1. In the **Actions** menu, choose **Copy** or **Cut**.

1. In the **File system** view, choose the button next to the directory you want to paste the file in.

1. In the **Actions** menu, choose **Paste**.

# Renaming OS files and directories using Fleet Manager
<a name="fleet-manager-renaming-files-and-directories"></a>

You can use Fleet Manager to rename files and directories on a managed node in your account.

**To rename files or directories with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node with the files or directories you want to rename.

1. Choose **Tools, File system**.

1. To rename a file, select the **File name** of the directory that contains the file you want to rename. To rename a directory, choose the button next to the directory that you want to rename and then proceed to step 8.

1. Choose the button next to the file you want to rename.

1. Choose **Actions, Rename**.

1. For **File name**, enter the new name for the file and select **Rename**.

# Deleting OS files and directories using Fleet Manager
<a name="fleet-manager-deleting-files-and-directories"></a>

You can use Fleet Manager to delete files and directories on a managed node in your account.

**To delete files or directories using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node with the files or directories you want to delete.

1. Choose **Tools, File system**.

1. To delete a file, select the **File name** of the directory that contains the file you want to delete. To delete a directory, choose the button next to the directory that you want to delete and then proceed to step 7.

1. Choose the button next to the file you want to delete.

1. Choose **Actions, Delete**.

# Creating OS directories using Fleet Manager
<a name="fleet-manager-creating-directories"></a>

You can use Fleet Manager to create directories on a managed node in your account.

**To create a directory using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node you want to create a directory in.

1. Choose **Tools, File system**.

1. Select the **File name** of the directory where you want to create a new directory.

1. Select **Create directory**.

1. For **Directory name**, enter the name for the new directory, and then select **Create directory**.

# Cutting, copying, and pasting OS directories using Fleet Manager
<a name="fleet-manager-managing-directories"></a>

You can use Fleet Manager to cut, copy, and paste directories on a managed node in your account.

**To copy or cut and paste directories with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node with the files you want to copy, or cut and paste.

1. Choose **Tools, File system**.

1. Choose the button next to the directory that you want to copy or cut and then proceed to step 8.

1. In the **Actions** menu, choose **Copy** or **Cut**.

1. In the **File system** view, choose the button next to the directory you want to paste the file in.

1. In the **Actions** menu, choose **Paste**.

# Monitoring managed node performance
<a name="fleet-manager-monitoring-node-performance"></a>

You can use Fleet Manager, a tool in AWS Systems Manager, to view performance data about your managed nodes in real time. The performance data is retrieved from performance counters.

The following performance counters are available in Fleet Manager:
+ CPU utilization
+ Disk input/output (I/O) utilization
+ Network traffic
+ Memory usage

**Note**  
Fleet Manager uses Session Manager, a tool in AWS Systems Manager, to retrieve performance data. For Amazon Elastic Compute Cloud (Amazon EC2) instances, the instance profile attached to your managed instances must provide permissions for Session Manager to use this feature. For more information about adding Session Manager permissions to an instance profile, see [Add Session Manager permissions to an existing IAM role](getting-started-add-permissions-to-existing-profile.md).

**To view performance data with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node whose performance you want to monitor.

1. Choose **View details**.

1. Choose **Tools, Performance counters**.

# Working with processes
<a name="fleet-manager-manage-processes"></a>

You can use Fleet Manager, a tool in AWS Systems Manager, to work with processes on your managed nodes. Using Fleet Manager, you can view information about processes. For example, you can see the CPU utilization and memory usage of processes in addition to their handles and threads. With Fleet Manager, you can start and terminate processes from the console.

**Note**  
Fleet Manager uses Session Manager, a tool in AWS Systems Manager, to retrieve process data. For Amazon Elastic Compute Cloud (Amazon EC2) instances, the instance profile attached to your managed instances must provide permissions for Session Manager to use this feature. For more information about adding Session Manager permissions to an instance profile, see [Add Session Manager permissions to an existing IAM role](getting-started-add-permissions-to-existing-profile.md).

**Topics**
+ [Viewing details about OS processes using Fleet Manager](fleet-manager-view-process-details.md)
+ [Starting an OS process on a managed node using Fleet Manager](fleet-manager-start-process.md)
+ [Terminating an OS process using Fleet Manager](fleet-manager-terminate-process.md)

# Viewing details about OS processes using Fleet Manager
<a name="fleet-manager-view-process-details"></a>

You can use Fleet Manager to view details about processes on your managed nodes.

**To view details about processes with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the node whose processes you want to view.

1. Choose **Tools, Processes**.

# Starting an OS process on a managed node using Fleet Manager
<a name="fleet-manager-start-process"></a>

You can use Fleet Manager to start a process on a managed node.

**To start a process with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node you want to start a process on.

1. Choose **Tools, Processes**.

1. Select **Start new process**.

1. For **Process name or full path**, enter the name of the process or the full path to the executable.

1. (Optional) For **Working directory**, enter the directory path where you want the process to run.

# Terminating an OS process using Fleet Manager
<a name="fleet-manager-terminate-process"></a>

**To terminate an OS process using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Select the link of the managed node you want to terminate a process on.

1. Choose **Tools, Processes**.

1. Choose the button next to the process you want to terminate.

1. Choose **Actions, Terminate process** or **Actions, Terminate process tree**. 
**Note**  
Terminating a process tree also terminates all processes and applications using that process.

# Viewing logs on managed nodes
<a name="fleet-manager-view-node-logs"></a>

You can use Fleet Manager, a tool in AWS Systems Manager, to view log data stored on your managed nodes. For Windows managed nodes, you can view Windows event logs and copy their details from the console. To help you search events, filter Windows event logs by **Event level**, **Event ID**, **Event source**, and **Time created**. You can also view other log data using the procedure to view the file system. For more information about viewing the file system with Fleet Manager, see [Working with OS file systems using Fleet Manager](fleet-manager-file-system-management.md).

**To view Windows event logs with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node whose event logs you want to view.

1. Choose **View details**.

1. Choose **Tools, Windows event logs**.

1. Choose the **Log name** that contains the events you want to view.

1. Choose the button next to the **Log name** you want to view, and then select **View events**.

1. Choose the button next to the event you want to view, and then select **View event details**.

1. (Optional) Select **Copy as JSON** to copy the event details to your clipboard.

# Managing OS user accounts and groups on managed nodes using Fleet Manager
<a name="fleet-manager-manage-os-user-accounts"></a>

You can use Fleet Manager, a tool in AWS Systems Manager, to manage operating system (OS) user accounts and groups on your managed nodes. For example, you can create and delete users and groups. Additionally, you can view details like group membership, user roles, and status.

**Important**  
Fleet Manager uses Run Command and Session Manager, tools in AWS Systems Manager, for various user management operations. As a result, a user could grant permissions to an operating system user account that they would otherwise be unable to. This is because AWS Systems Manager Agent (SSM Agent) runs on Amazon Elastic Compute Cloud (Amazon EC2) instances using root permissions (Linux) or SYSTEM permissions (Windows Server). For more information about restricting access to root-level commands through SSM Agent, see [Restricting access to root-level commands through SSM Agent](ssm-agent-restrict-root-level-commands.md). To restrict access to this feature, we recommend creating AWS Identity and Access Management (IAM) policies for your users that only allow access to the actions you define. For more information about creating IAM policies for Fleet Manager, see [Controlling access to Fleet Manager](configuring-fleet-manager-permissions.md).

**Topics**
+ [Creating an OS user or group using Fleet Manager](manage-os-user-accounts-create.md)
+ [Updating user or group membership using Fleet Manager](manage-os-user-accounts-update.md)
+ [Deleting an OS user or group using Fleet Manager](manage-os-user-accounts-delete.md)

# Creating an OS user or group using Fleet Manager
<a name="manage-os-user-accounts-create"></a>

**Note**  
Fleet Manager uses Session Manager to set passwords for new users. For Amazon EC2 instances, the instance profile attached to your managed instances must provide permissions for Session Manager to use this feature. For more information about adding Session Manager permissions to an instance profile, see [Add Session Manager permissions to an existing IAM role](getting-started-add-permissions-to-existing-profile.md).

Instead of logging on directly to a server to create a user account or group, you can use the Fleet Manager console to perform the same tasks.

**To create an OS user account using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node you want to create a new user on.

1. Choose **View details**.

1. Choose **Tools, Users and groups**.

1. Choose the **Users** tab, and then choose **Create user**.

1. Enter a value for the **Name** of the new user.

1. (Recommended) Select the check box next to **Set password**. You will be prompted to provide a password for the new user at the end of the procedure.

1. Select **Create user**. If you selected the check box to create a password for the new user, you will be prompted to enter a value for the password and select **Done**. If the password you specify doesn't meet the requirements specified by your managed node's local or domain policies, an error is returned.

**To create an OS group using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node you want to create a group in.

1. Choose **View details**.

1. Choose **Tools, Users and groups**.

1. Choose the **Groups** tab, and then choose **Create group**.

1. Enter a value for the **Name** of the new group.

1. (Optional) Enter a value for the **Description** of the new group.

1. (Optional) Select users to add to the **Group members** for the new group.

1. Select **Create group**.

# Updating user or group membership using Fleet Manager
<a name="manage-os-user-accounts-update"></a>

Instead of logging on directly to a server to update a user account or group, you can use the Fleet Manager console to perform the same tasks.

**To add an OS user account to a new group using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node where the user account exists that you want to update.

1. Choose **View details**.

1. Choose **Tools, Users and groups**.

1. Choose the **Users** tab.

1. Choose the button next to the user you want to update.

1. Choose **Actions, Add user to group**.

1. Choose the group you want to add the user to under **Add to group**.

1. Select **Add user to group**.

**To edit an OS group's membership using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node where the group exists that you want to update.

1. Choose **View details**.

1. Choose **Tools, Users and groups**.

1. Choose the **Groups** tab.

1. Choose the button next to the group you want to update.

1. Choose **Actions, Modify group**.

1. Choose the users you want to add or remove under **Group members**.

1. Select **Modify group**.

# Deleting an OS user or group using Fleet Manager
<a name="manage-os-user-accounts-delete"></a>

Instead of logging on directly to a server to delete a user account or group, you can use the Fleet Manager console to perform the same tasks.

**To delete an OS user account using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node where the user account exists that you want to delete.

1. Choose **View details**.

1. Choose **Users and groups**.

1. Choose the **Users** tab.

1. Choose the button next to the user you want to delete.

1. Choose **Actions, Delete local user**.

**To delete an OS group using Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node where the group exists that you want to delete.

1. Choose **View details**.

1. Choose **Tools, Users and groups**.

1. Choose the **Group** tab.

1. Choose the button next to the group you want to delete.

1. Choose **Actions, Delete local group**.

# Managing the Windows registry on managed nodes
<a name="fleet-manager-manage-windows-registry"></a>

You can use Fleet Manager, a tool in AWS Systems Manager, to manage the registry on your Windows Server managed nodes. From the Fleet Manager console you can create, copy, update, and delete registry entries and values.

**Important**  
We recommend creating a backup of the registry, or taking a snapshot of the root Amazon Elastic Block Store (Amazon EBS) volume attached to your managed node, before you modify the registry. Serious problems can occur if you modify the registry incorrectly. These problems might require you to reinstall the operating system, or restore the root volume of your node from a snapshot. AWS doesn't guarantee that these problems can be solved. Modify the registry at your own risk. You're responsible for all registry changes, and ensuring you have backups.

## Create a Windows registry key or entry
<a name="manage-windows-registry-create"></a>

**To create a Windows registry key with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node you want to create a registry key on.

1. Choose **View details**.

1. Choose **Tools, Windows registry**.

1. Choose the hive you want to create a new registry key in by selecting the **Registry name**.

1. Choose **Create, Create registry key**.

1. Choose the button next to the registry entry you want to create a new key in.

1. Choose **Create registry key**.

1. Enter a value for the **Name** of the new registry key, and select **Submit**.

**To create a Windows registry entry with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the instance you want to create a registry entry on.

1. Choose **View details**.

1. Choose **Tools, Windows registry**.

1. Choose the hive and subsequent registry key you want to create a new registry entry in by selecting the **Registry name**.

1. Choose **Create, Create registry entry**.

1. Enter a value for the **Name** of the new registry entry.

1. Choose the **Type** of value you want to create for the registry entry. For more information about registry value types, see [Registry value types](https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types).

1. Enter a value for the **Value** of the new registry entry.

## Update a Windows registry entry
<a name="manage-windows-registry-update"></a>

**To update a Windows registry entry with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node you want to update a registry entry on.

1. Choose **View details**.

1. Choose **Tools, Windows registry**.

1. Choose the hive and subsequent registry key you want to update by selecting the **Registry name**.

1. Choose the button next to the registry entry you want to update.

1. Choose **Actions, Update registry entry**.

1. Enter the new value for the **Value** of the registry entry.

1. Choose **Update**.

## Delete a Windows registry entry or key
<a name="manage-windows-registry-delete"></a>

**To delete a Windows registry key with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node you want to delete a registry key on.

1. Choose **Tools, Windows registry**.

1. Choose the hive and subsequent registry key you want to delete by selecting the **Registry name**.

1. Choose the button next to the registry key you want to delete.

1. Choose **Actions, Delete registry key**.

**To delete a Windows registry entry with Fleet Manager**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. Choose the button next to the managed node you want to delete a registry entry on.

1. Choose **View details**.

1. Choose **Tools, Windows registry**.

1. Choose the hive and subsequent registry key containing the entry you want to delete by selecting the **Registry name**.

1. Choose the button next to the registry entry you want to delete.

1. Choose **Actions, Delete registry entry**.