public/EC2/Update-AWSWindowsHelperAMI.ps1

function Update-AWSWindowsHelperAMI{
    Param(
        [Parameter(Mandatory=$true)]
        $Region,
        [Parameter(Mandatory=$true)]
        $InstanceID
    )
    
    $UserData = {
        $TaskName = "AMI Windows Patching"
        Start-Transcript -Path "$Env:Temp\WindowsPatching$(Get-Date -Format "yyyymmddhhmmss").log" -NoClobber
        if(-not $(Get-ScheduledTask -TaskName 'AMI Windows Patching')){
            try{
                Write-Host "Attempting to create Scheduled Task '$TaskName'"
                $STPrin = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
                $STTri1 = New-ScheduledTaskTrigger -AtStartup
                $STAct = New-ScheduledTaskAction -Execute "PowerShell.exe" `
                    -Argument $('-executionpolicy Bypass -NonInteractive -c "powershell -executionpolicy Bypass -NonInteractive -c '+$($MyInvocation.MyCommand.Definition)+' -verbose >> %TEMP%\PatchingScheduledTask.log 2>&1"')
                Register-ScheduledTask -Principal $STPrin -Trigger @($STTri1) -TaskName $TaskName -Action $STAct
                Write-Host "Successfully created Scheduled Task '$TaskName'"
            }catch{
                Write-Error $_.exception.message
            }
        }
        # Install PSWindowsUpdate using Chocolatey
        if(-not $(Get-Command choco)){
            Write-Output "Installing chocolatey"
            iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) 
        }
        choco source add -n=chocolatey -s="https://chocolatey.org/api/v2/" -y
        choco source add -n=psgallery -s="https://www.powershellgallery.com/api/v2/" -y
        choco install pswindowsupdate -y
        import-module C:\ProgramData\chocolatey\lib\PSWindowsUpdate\PSWindowsUpdate.psd1
        if(Get-WUList){
            Write-Output "Updates required, installing"
            Get-WUInstall -AcceptAll -AutoReboot | Out-File $Env:Temp\PSWindowsUpdate.log
        }else{
            Get-ScheduledTask -TaskName $TaskName | Unregister-ScheduledTask -Confirm:$false
            Write-Output "No updates needed, stopping computer"
            Stop-Computer -Force
        }
        Stop-Transcript
    }

    try{
        $SSMCommand = Send-SSMCommand -DocumentName "AWS-RunPowerShellScript" -Parameter @{commands=[string]$UserData} -InstanceId $InstanceID -Region $Region
    }catch{
        if($_.FullyQualifiedErrorId -like "*Amazon.SimpleSystemsManagement.Model.InvalidInstanceIdException*"){
            Write-Error "Invalid Instance ID, does the AMI have a version of the EC2 config service installed which is compatible with SSM?"
            return
        }

        Write-Error $_.exception.message
    }
    Write-Verbose "Executed SSM command ($($SSMCommand.CommandId)) to update Windows instance and shutdown upon completion"
}