Efficiently managing and applying updates on Windows servers is critical to maintaining security, performance, and compliance within an organization. Patching Windows servers manually can be time-consuming, especially in large environments. Ansible automation offers a robust solution for automating Windows patching across multiple systems with minimal downtime. In this article, we will explore various Ansible playbooks to manage Windows updates efficiently, including installing, searching, and excluding specific updates, as well as controlling reboots during the update process.
Key Ansible Playbooks for Windows Server Update Management
Let’s take a look at several Ansible playbooks that cover different aspects of Windows server patching, including installing updates, searching for updates, and controlling reboot behavior.
1. Install All Updates and Reboot as Needed
The following Ansible playbook installs all available updates on the target Windows server and automatically reboots the system as necessary to complete the installation process.
```yaml
- name: Install all updates and reboot as many times as needed
  ansible.windows.win_updates:
    category_names: '*'
    reboot: true
```
- category_names: '*': This installs all types of updates, including security, critical, and optional updates.
- reboot: true: This ensures the system will automatically reboot after each update if required.
This playbook is useful for ensuring that all updates are applied without manual intervention.
2. Set Server Alive Interval for SSH Connections During Update Stage
When updating a Windows server over SSH, especially in environments with long update durations, it is essential to ensure that the SSH connection does not time out. The following playbook sets ServerAliveInterval so that the connection remains active.
```yaml
- name: Set a server alive interval during update stage for the ssh connection plugin
  ansible.windows.win_updates:
    category_names: '*'
    reboot: true
  vars:
    ansible_ssh_args: -o ControlMaster=no -o ServerAliveInterval=30
```
- ansible_ssh_args: Sets SSH arguments, disabling ControlMaster and adjusting ServerAliveInterval to keep the connection active during long update processes.
This configuration helps prevent interruptions during updates, particularly for long-running installations.
3. Install Security, Critical, and Rollup Updates Without Scheduled Tasks
In some cases, you may want to install security, critical, and rollup updates while bypassing scheduled tasks. The following playbook installs these updates without creating any additional tasks on the server.
```yaml
- name: Install all security, critical, and rollup updates without a scheduled task
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups
  become: true
  become_method: runas
  become_user: SYSTEM
```
- become: true: Ensures the task is executed with elevated privileges.
- become_user: SYSTEM: Executes the task as the SYSTEM account, ensuring it has the necessary privileges to install updates.
This playbook ensures that crucial updates are applied without affecting the scheduled task system on the server.
4. Search and Log Found Updates
Before applying updates, you may wish to search for available updates and log the results. The following playbook searches for security updates and logs the results to a file (C:\ansible_wu.txt).
```yaml
- name: Search-only, return list of found updates (if any), log to C:\ansible_wu.txt
  ansible.windows.win_updates:
    category_names: SecurityUpdates
    state: searched
    log_path: C:\ansible_wu.txt
```
5. Install All Security Updates with Automatic Reboots
The following playbook limits the run to security updates and reboots the server whenever an update requires it.
```yaml
- name: Install all security updates with automatic reboots
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
    reboot: true
```
- category_names: SecurityUpdates: Limits updates to security-related patches.
- reboot: true: Ensures the system reboots after applying updates.
This is a straightforward playbook for ensuring critical security updates are applied and systems are rebooted as needed.
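The search-only and install tasks above can be combined into one audit-then-patch playbook, added here as an example rather than taken from the original article. It assumes a host group named windows_servers and an extra variable apply_updates, and it relies on the documented win_updates return values found_update_count, updates, failed_update_count and reboot_required.

```yaml
# Added example (not from the original article). Assumptions: host group
# "windows_servers" exists and "apply_updates" is passed as an extra var.
- name: Audit pending security updates, then install them on request
  hosts: windows_servers
  gather_facts: false
  vars:
    apply_updates: false        # run with -e apply_updates=true to actually patch
    wu_categories:
      - SecurityUpdates
      - CriticalUpdates
  tasks:
    - name: Search only; log the result on the server for later review
      ansible.windows.win_updates:
        category_names: "{{ wu_categories }}"
        state: searched
        log_path: C:\ansible_wu.txt
      register: wu_search

    - name: Report what is pending before anything is changed
      ansible.builtin.debug:
        msg: >-
          {{ wu_search.found_update_count }} update(s) pending:
          {{ wu_search.updates | dict2items | map(attribute='value.title') | list }}

    - name: Install the pending updates, rebooting as many times as needed
      ansible.windows.win_updates:
        category_names: "{{ wu_categories }}"
        reboot: true
        reboot_timeout: 3600
      register: wu_install
      when:
        - apply_updates | bool
        - wu_search.found_update_count | int > 0

    - name: Fail the host if updates failed or a reboot is still outstanding
      ansible.builtin.assert:
        that:
          - (wu_install.failed_update_count | default(0)) | int == 0
          - not (wu_install.reboot_required | default(false))
        fail_msg: 'Patching incomplete on {{ inventory_hostname }}; see C:\ansible_wu.txt'
      when: wu_install is not skipped
```

Running the playbook without apply_updates gives a dry report per host; the final assert makes a host that still needs a reboot or had a failed update show up as failed rather than silently passing.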
6. Install Specific Updates Based on KB Numbers
If you need to install specific updates based on KB numbers, you can filter the updates using the accept_list option. The following playbook installs specific updates:
```yaml
- name: Install only particular updates based on the KB numbers
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
    accept_list:
      - KB4056892
      - KB4073117
```
- accept_list: Specifies a list of updates identified by their KB (Knowledge Base) numbers that should be installed.
This playbook allows for targeted updates, useful when you need to install or exclude specific patches.
7. Exclude Updates Based on Title
If you need to exclude specific updates, such as the Windows Malicious Software Removal Tool or specific cumulative updates, you can use the reject_list option to filter them out.
```yaml
- name: Exclude updates based on the update title
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
    reject_list:
      - Windows Malicious Software Removal Tool for Windows
      - \d{4}-\d{2} Cumulative Update for Windows Server 2016
```
- reject_list: Excludes updates that match the specified titles or patterns from being installed.
This is useful for avoiding certain updates that might cause issues or are unnecessary for your environment.
8. Ensure Sufficient Reboot Timeout
In some cases, updates may require extended reboot times. The following playbook ensures the system waits long enough for updates to apply during reboot:
```yaml
- name: Ensure we wait long enough for the updates to be applied during reboot
  ansible.windows.win_updates:
    reboot: true
    reboot_timeout: 3600
```
- reboot_timeout: Extends the timeout for the reboot process, allowing more time for updates to be applied before the playbook proceeds.
This is especially helpful for long-running updates that might require extended reboots.
9. Search and Download Windows Updates Without Installing Them
Finally, if you want to download updates without installing them, use the following playbook:
```yaml
- name: Search and download Windows updates without installing them
  ansible.windows.win_updates:
    state: downloaded
```
- state: downloaded: Downloads the updates without installing them, useful for testing or caching updates for future installation.
By using Ansible playbooks, you can automate and streamline the process of patching and updating Windows servers. Whether you need to apply all updates, install specific updates, or exclude certain patches, Ansible offers flexible and efficient solutions. Automation helps maintain security, compliance, and operational efficiency, especially in large or complex environments.