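---
# Patch domain controllers through a JEA endpoint that exposes only the
# PSWindowsUpdate cmdlets used below plus Restart-Computer.
# Every Windows task uses ansible.windows.win_powershell, which returns the
# script's output objects under `output` and $Ansible.Result under `result`;
# it has no `stdout` / `stdout_lines` keys (those belong to win_shell).
- name: Patch DCs via JEA (minimal allowed cmdlets)
  hosts: domain_controllers
  gather_facts: no
  tasks:
    # Scan only: without -Download/-Install, Get-WindowsUpdate just lists.
    # -AcceptAll/-IgnoreReboot do nothing on a list call; they are kept so the
    # parameter set matches the install task (and any JEA parameter allow-list).
    - name: List available updates
      ansible.windows.win_powershell:
        script: |
          Get-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot
      register: available_updates
      changed_when: false

    # -AcceptAll installs everything the scan returned; scope it (for example
    # -KBArticleID or -NotCategory) and run inside a maintenance window before
    # pointing this at production DCs. -IgnoreReboot defers the reboot so it
    # can be sequenced explicitly below instead of happening mid-task.
    - name: Install updates (no reboot yet)
      ansible.windows.win_powershell:
        script: |
          Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot -Verbose
      register: install_result

    # Read the pending-reboot flag directly rather than re-scanning and
    # inferring it from Downloaded/Installed states. $Ansible.Changed = $false
    # keeps this a pure check; the boolean comes back as `reboot_status.result`.
    # Get-WURebootStatus must be added to the JEA role capability's VisibleCmdlets.
    - name: Check whether a reboot is pending
      ansible.windows.win_powershell:
        script: |
          $Ansible.Changed = $false
          $Ansible.Result = [bool](Get-WURebootStatus -Silent)
      register: reboot_status

    # Fire-and-forget: async 1 / poll 0 returns before the session is torn
    # down by the shutdown, so the task does not fail on a lost connection.
    - name: Reboot if required
      ansible.windows.win_powershell:
        script: |
          Restart-Computer -Force
      async: 1
      poll: 0
      when: reboot_status.result | bool

    # Without this, the history check would run while the DC is still shutting
    # down (or before it rebooted at all). Timeout is generous on purpose:
    # a DC can take several minutes to come back and accept connections.
    - name: Wait for the domain controller to return
      ansible.builtin.wait_for_connection:
        delay: 60
        timeout: 1200
      when: reboot_status.result | bool

    - name: Check update history
      ansible.windows.win_powershell:
        script: |
          Get-WUHistory | Select-Object -First 5
      register: wu_history
      changed_when: false

    # `output` holds the objects emitted by the script; `stdout_lines` is not
    # a return key of win_powershell and would print as undefined here.
    - name: Show update history
      ansible.builtin.debug:
        var: wu_history.output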