---
- name: Patch Domain Controllers via SYSTEM scheduled task
  hosts: domain_controllers
  gather_facts: no

  tasks:
    - name: Start the SYSTEM patch task
      community.windows.win_scheduled_task:
        name: "Patching-windows-task"
        state: started

    - name: Wait until the task finishes
      community.windows.win_scheduled_task_stat:
        name: "Patching-windows-task"
      register: patch_task
      until: patch_task.task.state in ['Ready','Disabled']   # Task finished
      retries: 180     # check for up to 3 hours
      delay: 60        # wait 60s between checks

    - name: Reboot DC if needed (belt & suspenders)
      ansible.windows.win_reboot:
        reboot_timeout: 3600
      when: patch_task.task.state == 'Ready'