Version 3.1

patch-dc-controllers.yaml

@@ -1,17 +1,40 @@
 ---
-- name: Patch Windows DCs using PowerShell via JEA
-  hosts: windows
+- name: Patch DCs via JEA (minimal allowed cmdlets)
+  hosts: domain_controllers
   gather_facts: no
+
   tasks:
-    - name: Search for updates
-      win_shell: Get-WindowsUpdate
-      register: search_output
+    - name: List available updates
+      ansible.windows.win_powershell:
+        script: |
+          Get-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot
+      register: available_updates
+      changed_when: false
 
-    - name: Install updates
-      win_shell: Install-WindowsUpdate -AcceptAll -AutoReboot
-      register: install_output
+    - name: Install updates (no reboot yet)
+      ansible.windows.win_powershell:
+        script: |
+          Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot -Verbose
+      register: install_result
+
+    - name: Reboot if required
+      ansible.windows.win_powershell:
+        script: |
+          if (Get-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot | Where-Object { $_.IsDownloaded -and $_.IsInstalled -eq $false }) {
+              Restart-Computer -Force
+          }
+      async: 1
+      poll: 0
+
+    - name: Check update history
+      ansible.windows.win_powershell:
+        script: |
+          Get-WUHistory | Select-Object -First 5
+      register: wu_history
+      changed_when: false
+
+    - name: Show update history
+      debug:
+        var: wu_history.stdout_lines
 
-    - name: Reboot the system
-      win_shell: Restart-Computer -Force
-      when: install_output.stdout | search("RebootRequired")