Automating Windows Updates with Ansible
In this blog post, I will show you how to create an Ansible playbook to apply Windows updates on your systems. This playbook enables you to automate the installation of security and system updates on all your Windows clients and servers.
Introduction
Ansible is a powerful tool for automating IT processes, and with this playbook, you can ensure that your Windows systems are always up to date. The playbook makes sure necessary updates are installed and required reboots are performed.
Playbook Structure
General Structure
The playbook runs against every host in the inventory (hosts: all; in practice, Windows machines). It gathers facts first, because the uptime check needs the last boot time, then optionally reboots hosts that have been up for more than a day, and finally searches for or installs updates. Every task carries the never tag, so nothing happens unless you request the reboot, check or install tag explicitly with --tags; the combination of tags selects what a run does.
Variables and Tasks
Variable for Reboot Requirement
vars:
  initial_reboot: |-
    {{ 86400 <
    (( ((ansible_date_time.date+" "+ansible_date_time.time)|to_datetime('%Y-%m-%d %H:%M:%S')) -
    ansible_facts.lastboot|to_datetime('%Y-%m-%d %H:%M:%SZ')).total_seconds())|abs }}
This expression parses the host's current date and time and its last boot time from the gathered facts, subtracts the two and compares the difference in seconds with 86400 (one day). The abs filter keeps the comparison meaningful if the two timestamps come out in the wrong order. The result is a boolean that the reboot task below uses; because it is only templated when that task runs, gather_facts must stay enabled or both facts are undefined.
Reboot Systems with High Uptime
- name: Reboot if system uptime is high
  win_reboot:
  when: initial_reboot and not ansible_check_mode
  tags:
    - never
    - reboot
This task reboots hosts with high uptime so that a reboot left over from earlier changes cannot interfere with the update run; win_reboot waits until the host answers over WinRM again before the play continues. The task is tagged never, so it only runs when the reboot tag is passed with --tags, and it is skipped in check mode.
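As an added example (not part of the original post), the same pre-update reboot gate extended with a pending-reboot check, since a host can need a reboot long before its uptime reaches a day. It relies on the uptime_seconds fact from the Windows setup module and on two registry keys Windows creates when a reboot is outstanding; the one-day threshold and the reboot tag are the same as in the post, and the timeouts are assumed values to adjust for your servers.

```yaml
---
# Added example, not part of the original playbook: reboot when the host has
# been up longer than a day OR when Windows itself reports a pending reboot.
- name: Reboot before applying Windows updates
  hosts: all
  gather_facts: yes
  vars:
    max_uptime_seconds: 86400
    # Keys set by Component Based Servicing and by Windows Update when a
    # reboot is pending; their existence is the signal, not their content.
    pending_reboot_keys:
      - 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
      - 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
  tasks:
    - block:
        - name: Check the pending-reboot registry keys
          win_reg_stat:
            path: "{{ item }}"
          loop: "{{ pending_reboot_keys }}"
          register: reboot_keys

        - name: Decide whether to reboot
          set_fact:
            # true when uptime exceeds the threshold or any of the keys exists
            needs_reboot: >-
              {{ (ansible_facts.uptime_seconds | int) > max_uptime_seconds
                 or (reboot_keys.results | map(attribute='exists') | select | list | length) > 0 }}

        - name: Show the decision
          debug:
            msg: >-
              uptime {{ (ansible_facts.uptime_seconds | int) // 3600 }} h,
              pending reboot keys {{ reboot_keys.results | selectattr('exists') | map(attribute='item') | list }},
              reboot={{ needs_reboot }}

        - name: Reboot if uptime is high or a reboot is pending
          win_reboot:
            msg: "Rebooting before Windows updates (Ansible)"
            pre_reboot_delay: 60      # warn interactive users for a minute (assumed value)
            reboot_timeout: 1200      # give slow servers 20 minutes to come back (assumed value)
            post_reboot_delay: 30     # let services settle before the next task (assumed value)
          when: needs_reboot | bool and not ansible_check_mode
      tags:
        - never
        - reboot
```

The registry checks are read-only, so the whole block is safe under --check; only the win_reboot task is guarded by ansible_check_mode. Because the tags sit on the block, all four tasks run together when --tags reboot is requested, which avoids the undefined-variable error you would get if only the reboot task were tagged.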
Search and Install Updates
- block:
    - name: >
        {{ 'Install' if 'install' in ansible_run_tags else 'Search' }} updates
        {{ 'will automatically reboot' if 'reboot' in ansible_run_tags else 'no reboot' }}
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
          - DefinitionUpdates
          - Updates
        reboot: "{{ 'yes' if 'reboot' in ansible_run_tags else 'no' }}"
        state: "{{ 'installed' if 'install' in ansible_run_tags else 'searched' }}"
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: update_results
      tags:
        - never
        - install
        - check
This task searches the listed categories and, when the install tag is set, installs what it finds; with only the check tag it records the available updates without changing anything. With the reboot tag the module reboots whenever an update requires it and keeps installing until no update is left; without it, the run stops at the first update that needs a reboot and reports that a reboot is required. Running the module as SYSTEM through runas avoids the Windows Update API refusing to install from a network logon such as WinRM without credential delegation; current releases of the ansible.windows collection run win_updates in a scheduled task themselves, so the three become lines only matter on older Ansible versions.
Error Handling for Failed Updates
rescue:
  - name: Windows update failed?
    debug:
      msg: "Error: {{ update_results.msg }}"
    when: update_results is failed and update_results.msg is defined
    tags:
      - always
If win_updates fails, the rescue section runs and this task prints the module's error message; the registered variable then carries failed: true and a msg field.
Reboot When a Pending Reboot Blocks the Update
- name: Server had pending reboots?
  win_reboot:
  when: not ansible_check_mode and
        update_results is failed and
        update_results.msg is search('A reboot is required')
  tags:
    - never
    - reboot
win_updates refuses to install when a reboot is already pending and fails with a message containing 'A reboot is required'. This rescue task matches that message and reboots the host, but only when the reboot tag is set. The installation is not retried after that reboot; run the playbook a second time to apply the updates.
Report Results
always:
  - name: Report results
    debug:
      var: update_results
    tags:
      - never
      - install
      - check
At the end, this task dumps the complete registered result, whether the run succeeded or not: the counts of found, installed and failed updates, whether a reboot is required, and the list of updates with their titles and KB numbers.
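The raw dump is hard to read across many hosts. As an added example (not part of the original playbook), here is a search play whose always: section turns the win_updates result into a short summary, fails the play when an update could not be installed, and reboots only when the module says a reboot is required. The field names used (found_update_count, installed_update_count, failed_update_count, reboot_required, updates with title, kb and installed) are the module's documented return values; the timeouts are assumed values.

```yaml
---
# Added example, not part of the original playbook: search for updates and
# report the result in a readable form instead of dumping the variable.
- name: Search for Windows updates and report
  hosts: all
  gather_facts: no
  tasks:
    - block:
        - name: Search for security and critical updates
          win_updates:
            category_names:
              - SecurityUpdates
              - CriticalUpdates
            state: searched
          become: yes
          become_method: runas
          become_user: SYSTEM
          register: update_results

      rescue:
        - name: Show why win_updates failed
          debug:
            msg: "Error: {{ update_results.msg | default('no message returned') }}"

      always:
        - name: Summarise the result
          debug:
            msg:
              - "found:           {{ update_results.found_update_count | default(0) }}"
              - "installed:       {{ update_results.installed_update_count | default(0) }}"
              - "failed:          {{ update_results.failed_update_count | default(0) }}"
              - "reboot required: {{ update_results.reboot_required | default(false) }}"

        # updates is a dict keyed by update id; each value carries title, kb (a list) and installed
        - name: List each update with its KB numbers
          debug:
            msg: "KB {{ item.kb | default([]) | join(',') }}: {{ item.title }} (installed={{ item.installed | default(false) }})"
          loop: "{{ (update_results.updates | default({})).values() | list }}"
          loop_control:
            label: "{{ item.title }}"

        - name: Fail the play if any update could not be installed
          assert:
            that: (update_results.failed_update_count | default(0) | int) == 0
            fail_msg: "{{ update_results.failed_update_count | default(0) }} update(s) failed on {{ inventory_hostname }}"

        - name: Reboot only when the result says so
          win_reboot:
            reboot_timeout: 1200     # assumed value
            post_reboot_delay: 30    # assumed value
          when:
            - not ansible_check_mode
            - update_results.reboot_required | default(false) | bool
          tags:
            - never
            - reboot
```

Every field is read through default(), because when win_updates fails the registered variable only holds failed and msg, and the always: section must not fail a second time on an undefined key. Switching state to installed turns this into the install play; the summary and the assert then show at a glance which hosts still need attention.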
Complete Playbook
---
# DESCRIPTION
# Apply Windows updates
- name: Apply Windows updates
  hosts: all
  gather_facts: yes
  vars:
    initial_reboot: |-
      {{ 86400 <
      (( ((ansible_date_time.date+" "+ansible_date_time.time)|to_datetime('%Y-%m-%d %H:%M:%S')) -
      ansible_facts.lastboot|to_datetime('%Y-%m-%d %H:%M:%SZ')).total_seconds())|abs }}
  tasks:
    # Reboot systems with uptime longer than a day
    # this way we know the system rebooted before updates are applied
    - name: Reboot if system uptime is high
      win_reboot:
      when: initial_reboot and not ansible_check_mode
      tags:
        - never
        - reboot

    - block:
        - name: >
            {{ 'Install' if 'install' in ansible_run_tags else 'Search' }} updates
            {{ 'will automatically reboot' if 'reboot' in ansible_run_tags else 'no reboot' }}
          win_updates:
            category_names:
              - SecurityUpdates
              - CriticalUpdates
              - UpdateRollups
              - DefinitionUpdates
              - Updates
            reboot: "{{ 'yes' if 'reboot' in ansible_run_tags else 'no' }}"
            state: "{{ 'installed' if 'install' in ansible_run_tags else 'searched' }}"
          become: yes
          become_method: runas
          become_user: SYSTEM
          register: update_results
          tags:
            - never
            - install
            - check
      rescue:
        - name: Windows update failed?
          debug:
            msg: "Error: {{ update_results.msg }}"
          when: update_results is failed and update_results.msg is defined
          tags:
            - always
        - name: Server had pending reboots?
          win_reboot:
          when: not ansible_check_mode and
                update_results is failed and
                update_results.msg is search('A reboot is required')
          tags:
            - never
            - reboot
      always:
        - name: Report results
          debug:
            var: update_results
          tags:
            - never
            - install
            - check
Usage and Example Commands
To use this playbook, make sure Ansible is configured for your Windows hosts (a WinRM or PSRP connection, credentials, and the ansible.windows collection that ships with the ansible package) and that the hosts are reachable. Because the playbook targets all hosts in the inventory, add --limit to restrict a run to a group, and remember that a run without any --tags does nothing, since every task is tagged never.
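As an added example (not part of the original post), a YAML inventory that the -i hosts argument below could point at. It connects over WinRM on the HTTPS port with certificate validation switched on, which is the setting you want for anything that can reboot servers. The host names, the service account, the CA bundle path and the vault variable name are placeholders.

```yaml
# Added example, not part of the original post: inventory file "hosts" for the
# update playbook. Only the connection settings matter; host names are made up.
all:
  children:
    windows:
      hosts:
        srv-app-01.example.local:
        srv-db-01.example.local:
      vars:
        ansible_connection: winrm
        ansible_port: 5986                              # WinRM over HTTPS; keep 5985 (plain HTTP) off the network
        ansible_winrm_transport: kerberos               # domain-joined hosts; use ntlm only for workgroup hosts
        ansible_winrm_server_cert_validation: validate  # 'ignore' is for lab use only
        ansible_winrm_ca_trust_path: /etc/ansible/winrm-ca.pem   # CA that issued the WinRM listener certificates (assumed path)
        ansible_user: svc_patching@EXAMPLE.LOCAL
        ansible_password: "{{ vault_svc_patching_password }}"    # defined in a vault-encrypted group_vars file
```

Check connectivity with "ansible windows -i hosts -m win_ping" before the first run, and combine the tags below with "--limit windows" or a smaller group so that a typo in the tag list cannot reboot every host in the inventory at once.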
Check for Updates Only (No Installation)
ansible-playbook -i hosts windows_updates.yml --tags check
Searches Windows machines for available updates without installing them.
Install Updates Without Reboot
ansible-playbook -i hosts windows_updates.yml --tags install
Installs the updates found without rebooting. If an update needs a reboot, the module stops there and reports reboot_required; if a reboot was already pending before the run, win_updates fails with 'A reboot is required' and, without the reboot tag, the host is left unchanged and reported as failed.
Install Updates and Reboot if Needed
ansible-playbook -i hosts windows_updates.yml --tags install,reboot
Reboots hosts that have been up for more than a day first, then installs updates, rebooting whenever an update requires it and continuing until no more updates are found.
Reboot Only Systems with High Uptime
ansible-playbook -i hosts windows_updates.yml --tags reboot
Reboots only systems with uptime longer than a day.
Conclusion
With this playbook, your Windows systems receive security and system updates on a schedule you control. Checking, installing and rebooting are automated and selected with tags, which saves time and manual effort. Run it with the check tag first to see what would be installed, then with install, or with install and reboot, during a maintenance window.