---
- name: Patch DCs directly via JEA (no scheduled task)
  hosts: domain_controllers
  gather_facts: no

  tasks:
    - name: Install security & critical updates
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: yes
        reboot_timeout: 3600
      register: updates_result

    - name: Show summary
      ansible.builtin.debug:
        var: updates_result