From 05d402898faa406e03e2df8fd6692e38e50958fc Mon Sep 17 00:00:00 2001
From: "mhorak@totalservice.cz"
Date: Mon, 8 Sep 2025 16:04:18 +0200
Subject: [PATCH] Version 3.1

---
 patch-dc-controllers.yaml | 45 +++++++++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/patch-dc-controllers.yaml b/patch-dc-controllers.yaml
index a9c99e4..e617185 100644
--- a/patch-dc-controllers.yaml
+++ b/patch-dc-controllers.yaml
@@ -1,17 +1,40 @@
 ---
-- name: Patch Windows DCs using PowerShell via JEA
-  hosts: windows
+- name: Patch DCs via JEA (minimal allowed cmdlets)
+  hosts: domain_controllers
   gather_facts: no
+
   tasks:
-  - name: Search for updates
-    win_shell: Get-WindowsUpdate
-    register: search_output
+    - name: List available updates
+      ansible.windows.win_powershell:
+        script: |
+          Get-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot
+      register: available_updates
+      changed_when: false
-  - name: Install updates
-    win_shell: Install-WindowsUpdate -AcceptAll -AutoReboot
-    register: install_output
+    - name: Install updates (no reboot yet)
+      ansible.windows.win_powershell:
+        script: |
+          Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot -Verbose
+      register: install_result
+
+    - name: Reboot if required
+      ansible.windows.win_powershell:
+        script: |
+          if (Get-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot | Where-Object { $_.IsDownloaded -and $_.IsInstalled -eq $false }) {
+            Restart-Computer -Force
+          }
+      async: 1
+      poll: 0
+
+    - name: Check update history
+      ansible.windows.win_powershell:
+        script: |
+          Get-WUHistory | Select-Object -First 5
+      register: wu_history
+      changed_when: false
+
+    - name: Show update history
+      debug:
+        var: wu_history.stdout_lines
-  - name: Reboot the system
-    win_shell: Restart-Computer -Force
-    when: install_output.stdout | search("RebootRequired")
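Review bot: The `Reboot if required` task decides on a restart from `Where-Object { $_.IsDownloaded -and $_.IsInstalled -eq $false }`, which lists downloaded-but-uninstalled updates rather than a pending-reboot state, so a DC whose just-installed updates need a restart is never rebooted while one with a pending download is force-restarted for nothing; PSWindowsUpdate exposes the real state, e.g. `if (Get-WURebootStatus -Silent) { Restart-Computer -Force }` (assuming the JEA role capability exposes that cmdlet). Because that task is fired with `async: 1` / `poll: 0`, the following `Check update history` task runs while the host may be going down; an `ansible.builtin.wait_for_connection` with a `delay` after the reboot task keeps the history check from racing the restart. With `hosts: domain_controllers` and no `serial:` on the play, every DC in the group is patched and force-rebooted in the same run, which can take the whole domain offline; `serial: 1` on the play keeps at least one DC available throughout. Finally, `ansible.windows.win_powershell` returns its objects under `output` rather than `stdout_lines`, so the `debug` task at the end of the hunk should print `wu_history.output`.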