Windows Updates with Ansible

How to create a simple Ansible playbook for Windows Updates

I created a simple playbook to run Windows updates.

I use the win_updates module in Ansible for this.

1. Navigate to the win_updates snippet to get all the options.

2. I used the first playbook just for searching for patches, so I changed only the last line, state: searched.

- hosts: win
  tasks:
    - name: windows_updates
      win_updates:
        reboot_timeout: 1200
        # log_path, whitelist and blacklist are optional; leave them out rather than setting them to "undefined"
        category_names: [Application, Connectors, CriticalUpdates, DefinitionUpdates, DeveloperKits, FeaturePacks, Guidance, SecurityUpdates, ServicePacks, Tools, UpdateRollups]
        reboot: yes # not required. Ansible will automatically reboot the remote host if it is required and continue to install updates after the reboot.
        use_scheduled_task: no # not required
        state: searched # search only, nothing is installed yet

3. Let's test it.

I use Visual Studio Code, so I just right-click on the playbook and press "Run Ansible Playbook Remotely via ssh".

It looks like below; the IP address is the one from your hosts file (/etc/ansible/hosts).

In the meantime I log in to my Windows server and check whether the playbook works.

And it looks like everything works 🙂


The next step is to install the updates.

So you need to create a new playbook.

I created a really simple one.

After installation Ansible will reboot the server automatically.
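A fuller install playbook, added here as an example rather than the post's own: it searches first, lists what it found, installs security and critical updates with an automatic reboot, and then checks that nothing is left pending. The "win" host group comes from the post's hosts file; the two log paths are assumptions.

```yaml
# Added example (not the original post's playbook): search first, report what was found,
# then install security and critical updates and verify nothing is left pending.
# Assumes the "win" host group from the post's /etc/ansible/hosts; log paths are constructed.
- hosts: win
  tasks:
    - name: Search for pending security and critical updates (makes no changes)
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: searched
        log_path: C:\ansible_wu_search.txt
      register: wu_search

    - name: Report each pending update by KB number and title
      debug:
        msg: "{{ item.value.kb | join(',') }}: {{ item.value.title }}"
      loop: "{{ wu_search.updates | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    - name: Install the updates found above, rebooting when Windows requires it
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: yes
        reboot_timeout: 3600   # a cumulative update can keep the host busy for a long time during reboot
        log_path: C:\ansible_wu_install.txt
      register: wu_install
      when: wu_search.found_update_count | int > 0

    - name: Fail the run if any update could not be installed
      fail:
        msg: '{{ wu_install.failed_update_count }} update(s) failed, see C:\ansible_wu_install.txt on the host'
      when:
        - wu_install is not skipped
        - wu_install.failed_update_count | int > 0

    - name: Confirm that no security or critical update is still pending
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: searched
      register: wu_verify
      failed_when: wu_verify.found_update_count | int > 0
```

The final search-only task turns the playbook into a patch-compliance check: the run fails if the host still reports pending updates after the install and reboot.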



Different examples and options found on the web (they follow the examples in the win_updates module documentation):

- name: Install all security, critical, and rollup updates without a scheduled task
  win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups

- name: Install only security updates as a scheduled task for Server 2008
  win_updates:
    category_names: SecurityUpdates
    use_scheduled_task: yes

- name: Search-only, return list of found updates (if any), log to C:\ansible_instalacja.txt
  win_updates:
    category_names: SecurityUpdates
    state: searched
    log_path: C:\ansible_instalacja.txt

- name: Install all security updates with automatic reboots
  win_updates:
    category_names:
      - SecurityUpdates
    reboot: yes

- name: Install only particular updates based on the KB numbers
  win_updates:
    category_names:
      - SecurityUpdates
    whitelist: # only these KBs are installed; anything else found is skipped
      - KB4056892
      - KB4073117

- name: Exclude updates based on the update title
  win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
    blacklist: # each entry is a regular expression matched against the update title or KB
      - Windows Malicious Software Removal Tool for Windows
      - \d{4}-\d{2} Cumulative Update for Windows Server 2016

# One way to ensure the system is reliable just after a reboot, is to set WinRM to a delayed startup
- name: Ensure WinRM starts when the system has settled and is ready to work reliably
  win_service:
    name: WinRM
    start_mode: delayed

# Optionally, you can increase the reboot_timeout to survive long updates during reboot
- name: Ensure we wait long enough for the updates to be applied during reboot
  win_updates:
    reboot: yes
    reboot_timeout: 3600

# Search and download Windows updates
- name: Search and download Windows updates without installing them
  win_updates:
    state: downloaded
