diff --git a/patch-dc-controllers.yaml b/patch-dc-controllers.yaml
index 69ebd78..64b3e65 100644
--- a/patch-dc-controllers.yaml
+++ b/patch-dc-controllers.yaml
@@ -1,18 +1,23 @@
 ---
-- name: Patch DCs directly via JEA (no scheduled task)
+- name: Patch Domain Controllers via SYSTEM scheduled task
   hosts: domain_controllers
   gather_facts: no
   tasks:
-    - name: Install security & critical updates
-      ansible.windows.win_updates:
-        category_names:
-          - SecurityUpdates
-          - CriticalUpdates
-        reboot: yes
-        reboot_timeout: 3600
-      register: updates_result
+    - name: Start the SYSTEM patch task
+      community.windows.win_scheduled_task:
+        name: "Patching-windows-task"
+        state: started
 
-    - name: Show summary
-      ansible.builtin.debug:
-        var: updates_result
+    - name: Wait until the task finishes
+      community.windows.win_scheduled_task_stat:
+        name: "Patching-windows-task"
+      register: patch_task
+      until: patch_task.task.state in ['Ready','Disabled'] # Task finished
+      retries: 180 # check for up to 3 hours
+      delay: 60 # wait 60s between checks
+
+    - name: Reboot DC if needed (belt & suspenders)
+      ansible.windows.win_reboot:
+        reboot_timeout: 3600
+      when: patch_task.task.state == 'Ready'
\ No newline at end of file
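Review bot: The `until` condition in the "Wait until the task finishes" task treats `Ready` (and `Disabled`) as completion without ever examining the task's exit result, so a scheduled task that exits non-zero, or one that is disabled and never ran, satisfies the loop, the play reports success, and the next task reboots the domain controller regardless. As far as I recall, `community.windows.win_scheduled_task_stat` returns the run status under `state.status` with values such as `TASK_STATE_RUNNING`/`TASK_STATE_READY` and the exit code under `state.last_task_result`, which would make `patch_task.task.state` an undefined path that errors on the first evaluation — verify against the return documentation of the collection version in use. I would wait on `state.status` leaving the running state and then assert `task_exists` and `last_task_result == 0` before the reboot task, as sketched below; with that assert in place the `when` on the reboot task can stay as a guard but no longer carries the success decision. Since the old play surfaced `updates_result`, consider also printing `patch_task.state.last_run_time` and `last_task_result` in a debug task so operators keep a record of what ran as SYSTEM on the DC, which the scheduled-task indirection otherwise hides from the Ansible log.
```yaml
    - name: Wait until the task finishes
      community.windows.win_scheduled_task_stat:
        name: "Patching-windows-task"
      register: patch_task
      until: patch_task.state.status != 'TASK_STATE_RUNNING'
      retries: 180 # check for up to 3 hours
      delay: 60 # wait 60s between checks

    - name: Fail the play if the patch task did not run to success
      ansible.builtin.assert:
        that:
          - patch_task.task_exists
          - patch_task.state.last_task_result == 0
        fail_msg: "Patching-windows-task ended with result {{ patch_task.state.last_task_result }}"

    # … unchanged: reboot task …
```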