96 lines
3.3 KiB
YAML
96 lines
3.3 KiB
YAML
---
|
|
- name: Check for pending reboot before patching
|
|
ansible.windows.win_reboot:
|
|
reboot_timeout: 300
|
|
pre_reboot_delay: 10
|
|
post_reboot_delay: 30
|
|
msg: "Rebooting to clear pending reboot state before patching"
|
|
when: pre_patch_reboot | bool
|
|
|
|
- name: Get installed updates before patching
|
|
ansible.windows.win_shell: |
|
|
Get-HotFix | Select-Object -Property HotFixID, Description, InstalledOn | ConvertTo-Json
|
|
register: hotfixes_before
|
|
changed_when: false
|
|
|
|
- name: Store pre-patch hotfix list
|
|
ansible.builtin.set_fact:
|
|
windows_hotfixes_before: "{{ hotfixes_before.stdout | from_json }}"
|
|
|
|
- name: Search for available updates
|
|
ansible.windows.win_updates:
|
|
category_names: "{{ windows_update_categories }}"
|
|
state: searched
|
|
register: updates_available
|
|
|
|
- name: Log available updates
|
|
ansible.builtin.debug:
|
|
msg: "{{ updates_available.found_update_count }} updates available on {{ inventory_hostname }}"
|
|
|
|
- name: Install Windows updates
|
|
ansible.windows.win_updates:
|
|
category_names: "{{ windows_update_categories }}"
|
|
state: installed
|
|
reboot: false
|
|
register: windows_update_result
|
|
when: updates_available.found_update_count > 0
|
|
|
|
- name: Get installed updates after patching
|
|
ansible.windows.win_shell: |
|
|
Get-HotFix | Select-Object -Property HotFixID, Description, InstalledOn | ConvertTo-Json
|
|
register: hotfixes_after
|
|
changed_when: false
|
|
|
|
- name: Store post-patch hotfix list
|
|
ansible.builtin.set_fact:
|
|
windows_hotfixes_after: "{{ hotfixes_after.stdout | from_json }}"
|
|
|
|
- name: Build list of newly installed KBs
|
|
ansible.builtin.set_fact:
|
|
packages_updated: >-
|
|
{%- set before_ids = windows_hotfixes_before | map(attribute='HotFixID') | list -%}
|
|
{%- set updated = [] -%}
|
|
{%- for fix in windows_hotfixes_after -%}
|
|
{%- if fix.HotFixID not in before_ids -%}
|
|
{%- set _ = updated.append({
|
|
'name': fix.HotFixID,
|
|
'version_before': 'not installed',
|
|
'version_after': fix.InstalledOn,
|
|
'type': fix.Description
|
|
}) -%}
|
|
{%- endif -%}
|
|
{%- endfor -%}
|
|
{{ updated }}
|
|
|
|
- name: Log newly installed KBs
|
|
ansible.builtin.debug:
|
|
msg: "Installed: {{ item.name }} — {{ item.type }}"
|
|
loop: "{{ packages_updated }}"
|
|
|
|
- name: Check if reboot is required
|
|
ansible.windows.win_shell: |
|
|
$rebootPending = $false
|
|
if (Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue) { $rebootPending = $true }
|
|
if (Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" -ErrorAction SilentlyContinue) { $rebootPending = $true }
|
|
Write-Output $rebootPending
|
|
register: windows_reboot_check
|
|
changed_when: false
|
|
|
|
- name: Set reboot required fact
|
|
ansible.builtin.set_fact:
|
|
host_reboot_required: "{{ windows_reboot_check.stdout | trim | bool }}"
|
|
|
|
- name: Reboot if required and auto_reboot is enabled
|
|
ansible.windows.win_reboot:
|
|
reboot_timeout: 300
|
|
pre_reboot_delay: 10
|
|
post_reboot_delay: 60
|
|
msg: "Rebooting after patch run — initiated by Ansible"
|
|
when:
|
|
- host_reboot_required | bool
|
|
- auto_reboot | bool
|
|
|
|
- name: Patching complete
|
|
ansible.builtin.debug:
|
|
msg: "Windows patching complete on {{ inventory_hostname }} — {{ packages_updated | length }} KBs installed"
|