
Ansible Windows Update Playbook

7/30/2025 3 min read

Automating Windows Updates with Ansible

In this blog post, I will show you how to create an Ansible playbook to apply Windows updates on your systems. This playbook enables you to automate the installation of security and system updates on all your Windows clients and servers.


Introduction

Ansible is a powerful tool for automating IT processes, and with this playbook, you can ensure that your Windows systems are always up to date. The playbook makes sure necessary updates are installed and required reboots are performed.


Playbook Structure

General Structure

The play targets every host in the inventory (hosts: all), so point it at a Windows-only inventory or group. It gathers facts first, then, when the reboot tag is requested, reboots hosts that have been up for more than a day, and finally searches for or installs updates depending on whether the check or install tag was given. Every task is tagged never, which means nothing runs unless its tag is selected explicitly on the command line.
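Patching every host in one pass also reboots every host in one pass. The play header below is an added example, not part of the original playbook, showing how the same tasks can be rolled out in batches with a canary first; the group name windows, the batch sizes and the failure threshold are assumptions to adapt to your estate.

```yaml
# Added example (not from the original playbook): staged rollout header.
# "windows", the batch sizes and the 10% threshold are assumptions.
- name: Apply Windows updates in batches
  hosts: windows              # a Windows-only group instead of "all"
  gather_facts: yes
  order: sorted               # deterministic batch membership between runs
  serial:                     # one canary host, then a fifth of the rest, then everything
    - 1
    - 20%
    - 100%
  max_fail_percentage: 10     # abort the remaining batches if more than 10% of a batch fails

  pre_tasks:
  # Guard against win_* modules ever being pointed at a Linux host.
  # Tagged "always" because every other task in the play is selected by --tags.
  - name: Refuse to run on anything that is not Windows
    assert:
      that: ansible_facts.os_family == "Windows"
      fail_msg: "{{ inventory_hostname }} reports os_family {{ ansible_facts.os_family }}"
    tags:
    - always

  # tasks: the reboot / win_updates block from the playbook below goes here unchanged
```

With serial set to 1 for the first batch, a single failed canary already exceeds max_fail_percentage and stops the rollout before the larger batches are touched.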


Variables and Tasks

Variable for Reboot Requirement

vars:
  initial_reboot: |-
    {{ 86400 <
        (( ((ansible_date_time.date+" "+ansible_date_time.time)|to_datetime('%Y-%m-%d %H:%M:%S')) -
            ansible_facts.lastboot|to_datetime('%Y-%m-%d %H:%M:%SZ')).total_seconds())|abs }}

The expression subtracts the last boot time (ansible_facts.lastboot) from the current time built from the date and time facts and is true when the difference exceeds 86400 seconds, i.e. one day. It renders to the string "True" or "False", which Ansible accepts as a boolean in a when: condition. The |abs filter means the check also fires if the clock and the boot record disagree by more than a day in either direction. Windows facts also expose ansible_facts.uptime_seconds, which gives the same answer without the date arithmetic. Rebooting a long-running host before patching clears any pending-reboot state that would otherwise block the installation.


Reboot Systems with High Uptime

- name: Reboot if system uptime is high
  win_reboot:
  when: initial_reboot and not ansible_check_mode
  tags:
  - never
  - reboot

The task is tagged never, so it only runs when the reboot tag is requested explicitly on the command line; without that tag the playbook never reboots a host on its own. It is also skipped in check mode (--check), because a reboot cannot be simulated. Rebooting high-uptime hosts first means the updates are applied to a freshly booted system with nothing pending.


Search and Install Updates

- block:
  - name: >
      {{ 'Install' if 'install' in ansible_run_tags else 'Search' }} updates
      {{ 'will automatically reboot' if 'reboot' in ansible_run_tags else 'no reboot' }}
    win_updates:
      category_names:
        - SecurityUpdates
        - CriticalUpdates
        - UpdateRollups
        - DefinitionUpdates
        - Updates
      reboot: "{{ 'yes' if 'reboot' in ansible_run_tags else 'no' }}"
      state: "{{ 'installed' if 'install' in ansible_run_tags else 'searched' }}"
    become: yes
    become_method: runas
    become_user: SYSTEM
    register: update_results
    tags:
    - never
    - install
    - check

Both the task name and the module parameters are derived from the tags passed on the command line (ansible_run_tags): install selects state: installed, otherwise the module only searches (state: searched); reboot sets reboot: yes, which lets win_updates reboot the host itself whenever an update requires it and carry on installing afterwards. The listed categories cover security, critical, rollup, definition (antimalware signature) and general updates; drivers and feature packs are deliberately not included. Running the module as SYSTEM through become is the established workaround for the Windows Update API refusing to run under a WinRM network logon. The module's return value is registered as update_results for the tasks that follow.


Error Handling for Failed Updates

rescue:
- name: Windows update failed?
  debug:
    msg: "Error: {{ update_results.msg }}"
  when: update_results is failed and update_results.msg is defined
  tags:
  - always

The rescue section runs only when the win_updates task fails, and this debug task prints the module's error message. It is tagged always so that tag filtering can never hide it. Be aware that a rescue which completes successfully counts as handling the failure: the host is not marked failed and ansible-playbook exits 0, so a scheduled run looks green even when nothing was installed unless you fail explicitly after inspecting update_results.


Reboot Again if Pending Updates Require It

- name: Server had pending reboots?
  win_reboot:
  when: not ansible_check_mode and
        update_results is failed and
        update_results.msg is defined and
        update_results.msg is search('A reboot is required')
  tags:
  - never
  - reboot

If win_updates failed because the host already had a reboot pending, this task reboots it. Like the uptime reboot it is tagged never/reboot, so it only runs when the reboot tag was requested, and never in check mode. The play does not run win_updates again after this reboot, so the blocked updates are installed on the next run of the playbook.


Report Results

always:
- name: Report results
  debug:
    var: update_results
  tags:
  - never
  - install
  - check

Finally the registered result is printed in full: the counts of found, installed and failed updates, whether a reboot is still required, and the per-update list with titles and KB numbers. Because the task sits in the always section it runs whether or not the installation succeeded, as long as the install or check tag selected it.
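Dumping update_results is fine for an interactive run, but a scheduled job needs a pass/fail signal, especially since the rescue section above clears the host's failed state. The always section below is an added example, not part of the original playbook, that can replace the "Report results" task. The keys it reads (found_update_count, installed_update_count, failed_update_count, reboot_required, updates, msg) are the documented return values of win_updates; the messages and task names are ours.

```yaml
# Added example (not from the original playbook): make the run fail on real problems.
# Return keys are those documented for win_updates; wording is ours.
always:
- name: Summarise the update run
  debug:
    msg:
      - "found={{ update_results.found_update_count | default(0) }} installed={{ update_results.installed_update_count | default(0) }} failed={{ update_results.failed_update_count | default(0) }}"
      - "reboot_required={{ update_results.reboot_required | default(false) }}"
      - "titles={{ update_results.updates | default({}) | dict2items | map(attribute='value.title') | list }}"
  tags:
  - never
  - install
  - check

# The rescue section swallows the module failure; without this the host finishes
# the play as "rescued" and ansible-playbook exits 0 although nothing was installed.
- name: Fail the host if win_updates itself failed
  fail:
    msg: "win_updates failed: {{ update_results.msg | default('no message returned') }}"
  when: update_results is failed
  tags:
  - never
  - install
  - check

- name: Fail the host if any update failed to install
  fail:
    msg: "{{ update_results.failed_update_count }} update(s) failed, see update_results.updates"
  when: update_results.failed_update_count | default(0) | int > 0
  tags:
  - never
  - install

# Installs done without the reboot tag leave updates pending until the next reboot.
- name: Report hosts that still need a reboot
  debug:
    msg: "{{ inventory_hostname }} has updates pending a reboot; rerun with --tags install,reboot"
  when:
    - update_results.reboot_required | default(false) | bool
    - "'reboot' not in ansible_run_tags"
  tags:
  - never
  - install
```

The default() filters matter: after a rescued failure update_results carries failed and msg but not necessarily the counters, and the summary task must not itself error out before the explicit fail tasks get to run.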


Complete Playbook

---
# DESCRIPTION
# Apply Windows updates

- name: Apply Windows updates
  hosts: all
  gather_facts: yes
  vars:
    initial_reboot: |-
      {{ 86400 <
          (( ((ansible_date_time.date+" "+ansible_date_time.time)|to_datetime('%Y-%m-%d %H:%M:%S')) -
              ansible_facts.lastboot|to_datetime('%Y-%m-%d %H:%M:%SZ')).total_seconds())|abs }}

  tasks:

  # Reboot systems with uptime longer than a day
  # this way we know the system rebooted before updates are applied
  - name: Reboot if system uptime is high
    win_reboot:
    when: initial_reboot and not ansible_check_mode
    tags:
    - never
    - reboot

  - block:
    - name: >
        {{ 'Install' if 'install' in ansible_run_tags else 'Search' }} updates
        {{ 'will automatically reboot' if 'reboot' in ansible_run_tags else 'no reboot' }}
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
          - DefinitionUpdates
          - Updates
        reboot: "{{ 'yes' if 'reboot' in ansible_run_tags else 'no' }}"
        state: "{{ 'installed' if 'install' in ansible_run_tags else 'searched' }}"
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: update_results
      tags:
      - never
      - install
      - check

    rescue:
    - name: Windows update failed?
      debug:
        msg: "Error: {{ update_results.msg }}"
      when: update_results is failed and update_results.msg is defined
      tags:
      - always

    - name: Server had pending reboots?
      win_reboot:
      when: not ansible_check_mode and
            update_results is failed and
            update_results.msg is defined and
            update_results.msg is search('A reboot is required')
      tags:
      - never
      - reboot

    always:
    - name: Report results
      debug:
        var: update_results
      tags:
      - never
      - install
      - check

Usage and Example Commands

To use this playbook, Ansible must be set up for Windows management (a WinRM or SSH connection to each host, with pywinrm installed on the control node when using WinRM) and the hosts must be listed in the inventory; ansible -i hosts all -m ansible.windows.win_ping confirms they are reachable before you start. Every task carries the never tag, so running the playbook without --tags does nothing beyond gathering facts.
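The transport you give Ansible decides how the credentials that can install software as SYSTEM travel over the network. The inventory below is an added example, not part of the original post: it pins WinRM to HTTPS with certificate validation and Kerberos authentication. The host names, realm, service account and CA path are placeholders.

```yaml
# inventory.yml - added example, not from the original post.
# Host names, realm, account and CA path are placeholders.
windows:
  hosts:
    srv01.corp.example.com:
    srv02.corp.example.com:
  vars:
    ansible_connection: winrm
    ansible_port: 5986                               # WinRM over HTTPS only, never 5985
    ansible_winrm_transport: kerberos                # no basic/NTLM; the password never crosses the wire
    ansible_winrm_server_cert_validation: validate   # "ignore" is for labs, not for a patching account
    ansible_winrm_ca_trust_path: /etc/ssl/certs/corp-ca.pem
    ansible_user: svc-ansible@CORP.EXAMPLE.COM
```

Kerberos needs the pywinrm kerberos extra (pip install "pywinrm[kerberos]") and a valid ticket on the control node (kinit svc-ansible@CORP.EXAMPLE.COM) before ansible-playbook -i inventory.yml windows_updates.yml --tags check is run. Because the playbook uses hosts: all, pass --limit windows or change the play to hosts: windows so that no non-Windows inventory entry is ever handed to win_updates.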

Check for Updates Only (No Installation)

ansible-playbook -i hosts windows_updates.yml --tags check

Searches Windows machines for available updates without installing them.


Install Updates Without Reboot

ansible-playbook -i hosts windows_updates.yml --tags install

Installs the found updates without rebooting. Updates that need a reboot stay pending (reboot_required in the result) until the host is rebooted by other means; a host that already had a reboot pending can fail the win_updates task with "A reboot is required", which the rescue section reports.


Install Updates and Reboot if Needed

ansible-playbook -i hosts windows_updates.yml --tags install,reboot

Installs updates and lets win_updates reboot the host whenever an update requires it. Because the reboot tag also enables the uptime check, hosts that have been up for more than a day are rebooted before the installation starts.


Reboot Only Systems with High Uptime

ansible-playbook -i hosts windows_updates.yml --tags reboot

Reboots only systems with uptime longer than a day; no updates are searched for or installed.


Conclusion

With this Ansible playbook, you ensure your Windows systems always receive the latest security and system updates. The entire process — checking, installing, and rebooting — is automated, saving time and manual effort. Use this playbook to keep your systems reliably updated and secure.