3

patch-dc-controllers.yaml

@@ -1,18 +1,23 @@
 ---
-- name: Patch DCs directly via JEA (no scheduled task)
+- name: Patch Domain Controllers via SYSTEM scheduled task
   hosts: domain_controllers
   gather_facts: no
 
   tasks:
-    - name: Install security & critical updates
+    - name: Start the SYSTEM patch task
-      ansible.windows.win_updates:
+      community.windows.win_scheduled_task:
-        category_names:
+        name: "Patching-windows-task"
-          - SecurityUpdates
+        state: started
-          - CriticalUpdates
-        reboot: yes
-        reboot_timeout: 3600
-      register: updates_result
 
-    - name: Show summary
+    - name: Wait until the task finishes
-      ansible.builtin.debug:
+      community.windows.win_scheduled_task_stat:
-        var: updates_result
+        name: "Patching-windows-task"
+      register: patch_task
+      until: patch_task.task.state in ['Ready','Disabled']   # Task finished
+      retries: 180     # check for up to 3 hours
+      delay: 60        # wait 60s between checks
+
+    - name: Reboot DC if needed (belt & suspenders)
+      ansible.windows.win_reboot:
+        reboot_timeout: 3600
+      when: patch_task.task.state == 'Ready'