ansible.builtin.win_updates (v2.9.27) — module

Download and install Windows updates

Added in version 2.0 of ansible.builtin

Authors: Matt Davis (@nitzmahone)

preview | supported by core

Install Ansible via pip

Install with pip install ansible==2.9.27

Description

Searches, downloads, and installs Windows updates synchronously by automating the Windows Update client.

Usage examples

- name: Install all security, critical, and rollup updates without a scheduled task
  win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups
- name: Install only security updates as a scheduled task for Server 2008
  win_updates:
    category_names: SecurityUpdates
    use_scheduled_task: yes
- name: Search-only, return list of found updates (if any), log to C:\ansible_wu.txt
  win_updates:
    category_names: SecurityUpdates
    state: searched
    log_path: C:\ansible_wu.txt
- name: Install all security updates with automatic reboots
  win_updates:
    category_names:
    - SecurityUpdates
    reboot: yes
- name: Install only particular updates based on the KB numbers
  win_updates:
    category_names:
    - SecurityUpdates
    whitelist:
    - KB4056892
    - KB4073117
- name: Exclude updates based on the update title
  win_updates:
    category_names:
    - SecurityUpdates
    - CriticalUpdates
    blacklist:
    - Windows Malicious Software Removal Tool for Windows
    - \d{4}-\d{2} Cumulative Update for Windows Server 2016
# One way to ensure the system is reliable just after a reboot is to set WinRM to a delayed startup
- name: Ensure WinRM starts when the system has settled and is ready to work reliably
  win_service:
    name: WinRM
    start_mode: delayed
# Optionally, you can increase the reboot_timeout to survive long updates during reboot
- name: Ensure we wait long enough for the updates to be applied during reboot
  win_updates:
    reboot: yes
    reboot_timeout: 3600
# Search and download Windows updates
- name: Search and download Windows updates without installing them
  win_updates:
    state: downloaded

Inputs

    
state:
    choices:
    - installed
    - searched
    - downloaded
    default: installed
    description:
    - Controls whether found updates are downloaded, installed, or listed.
    - This module also supports Ansible check mode, which has the same effect as setting
      state=searched.
    type: str

reboot:
    default: false
    description:
    - Ansible will automatically reboot the remote host if it is required and continue
      to install updates after the reboot.
    - This can be used instead of using a M(win_reboot) task after this one and ensures
      all updates for that category are installed in one go.
    - Async does not work when C(reboot=yes).
    type: bool
    version_added: '2.5'
    version_added_collection: ansible.builtin

log_path:
    description:
    - If set, C(win_updates) will append update progress to the specified file. The directory
      must already exist.
    type: path

blacklist:
    description:
    - A list of update titles or KB numbers that can be used to specify which updates
      are to be excluded from installation.
    - If an available update does match one of the entries, then it is skipped and not
      installed.
    - Each entry can either be the KB article or Update title as a regex according to
      the PowerShell regex rules.
    type: list
    version_added: '2.5'
    version_added_collection: ansible.builtin

whitelist:
    description:
    - A list of update titles or KB numbers that can be used to specify which updates
      are to be searched or installed.
    - If an available update does not match one of the entries, then it is skipped and
      not installed.
    - Each entry can either be the KB article or Update title as a regex according to
      the PowerShell regex rules.
    - The whitelist is only validated on updates that were found based on I(category_names).
      It will not force the module to install an update if it was not in the category
      specified.
    type: list
    version_added: '2.5'
    version_added_collection: ansible.builtin

category_names:
    default:
    - CriticalUpdates
    - SecurityUpdates
    - UpdateRollups
    description:
    - A scalar or list of categories to install updates from. To get the list of categories,
      run the module with C(state=searched). The category must be the full category string,
      but is case insensitive.
    - Some possible categories are Application, Connectors, Critical Updates, Definition
      Updates, Developer Kits, Feature Packs, Guidance, Security Updates, Service Packs,
      Tools, Update Rollups and Updates.
    type: list

reboot_timeout:
    default: 1200
    description:
    - The time in seconds to wait until the host is back online from a reboot.
    - This is only used if C(reboot=yes) and a reboot is required.
    version_added: '2.5'
    version_added_collection: ansible.builtin

server_selection:
    choices:
    - default
    - managed_server
    - windows_update
    default: default
    description:
    - Defines the Windows Update source catalog.
    - C(default) Use the default search source. For many systems default is set to the
      Microsoft Windows Update catalog. Systems participating in Windows Server Update
      Services (WSUS), Systems Center Configuration Manager (SCCM), or similar corporate
      update server environments may default to those managed update sources instead of
      the Windows Update catalog.
    - C(managed_server) Use a managed server catalog. For environments utilizing Windows
      Server Update Services (WSUS), Systems Center Configuration Manager (SCCM), or similar
      corporate update servers, this option selects the defined corporate update source.
    - C(windows_update) Use the Microsoft Windows Update catalog.
    type: str
    version_added: '2.8'
    version_added_collection: ansible.builtin

use_scheduled_task:
    default: false
    description:
    - Will not auto elevate the remote process with I(become) and use a scheduled task
      instead.
    - Set this to C(yes) when using this module with async on Server 2008, 2008 R2, or
      Windows 7, or on Server 2008 that is not authenticated with basic or credssp.
    - Can also be set to C(yes) on newer hosts where become does not work due to further
      privilege restrictions from the OS defaults.
    type: bool
    version_added: '2.6'
    version_added_collection: ansible.builtin

Outputs

failed_update_count:
  description: The number of updates that failed to install.
  returned: always
  sample: 0
  type: int
filtered_updates:
  contains:
    filtered_reason:
      description: The reason why this update was filtered.
      returned: always
      sample: skip_hidden
      type: str
  description: List of updates that were found but were filtered based on I(blacklist),
    I(whitelist) or I(category_names). The return value is in the same form as I(updates),
    along with I(filtered_reason).
  returned: success
  sample: see the updates return value
  type: complex
found_update_count:
  description: The number of updates found needing to be applied.
  returned: success
  sample: 3
  type: int
installed_update_count:
  description: The number of updates successfully installed or downloaded.
  returned: success
  sample: 2
  type: int
reboot_required:
  description: True when the target server requires a reboot to complete updates (no
    further updates can be installed until after a reboot).
  returned: success
  sample: true
  type: bool
updates:
  contains:
    categories:
      description: A list of category strings for this update.
      returned: always
      sample:
      - Critical Updates
      - Windows Server 2012 R2
      type: list of strings
    failure_hresult_code:
      description: The HRESULT code from a failed update.
      returned: on install failure
      sample: 2147942402
      type: bool
    id:
      description: Internal Windows Update GUID.
      returned: always
      sample: fb95c1c8-de23-4089-ae29-fd3351d55421
      type: str
    installed:
      description: Was the update successfully installed.
      returned: always
      sample: true
      type: bool
    kb:
      description: A list of KB article IDs that apply to the update.
      returned: always
      sample:
      - '3004365'
      type: list of strings
    title:
      description: Display name.
      returned: always
      sample: Security Update for Windows Server 2012 R2 (KB3004365)
      type: str
  description: List of updates that were found/installed.
  returned: success
  sample: null
  type: complex
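
Added example (not part of the module documentation): a playbook that uses the return values above to gate a patch run and re-check the host afterwards. The inventory group windows and the names required_kbs, wu_install and wu_after are assumptions; the KB numbers and log path are reused from the usage examples.

```yaml
# Added example, not from the module documentation.
- name: Patch Windows hosts and verify the outcome
  hosts: windows                  # assumption: inventory group name
  gather_facts: no
  vars:
    required_kbs:                 # KB numbers reused from the whitelist usage example
      - KB4056892
      - KB4073117
  tasks:
    - name: Log what is pending before changing anything
      win_updates:
        category_names: SecurityUpdates
        state: searched
        log_path: C:\ansible_wu.txt   # the directory must already exist

    - name: Install only the required KBs, rebooting as often as needed
      win_updates:
        category_names: SecurityUpdates
        whitelist: "{{ required_kbs }}"
        reboot: yes
        reboot_timeout: 3600
      register: wu_install

    - name: Stop if an update failed or a reboot is still outstanding
      assert:
        that:
          - wu_install.failed_update_count == 0
          - not wu_install.reboot_required
        fail_msg: >-
          {{ wu_install.failed_update_count }} update(s) failed,
          reboot_required={{ wu_install.reboot_required }}

    - name: Search again with the same filters
      win_updates:
        category_names: SecurityUpdates
        whitelist: "{{ required_kbs }}"
        state: searched
      register: wu_after

    # found_update_count == 0 means no matching update is still offered.
    # It does not prove the KBs are present: the whitelist is applied only to
    # updates found in category_names, so a KB outside that category is skipped.
    - name: Confirm nothing matching the whitelist is still pending
      assert:
        that: wu_after.found_update_count == 0
```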

See also