The Ansible control node runs on Linux, macOS or another Unix-like system, not on Windows, so you need a Linux machine or the ability to build one. I spun up a Photon OS 3.0 VM, so these instructions are tailored to that.

First install ansible

tdnf install ansible

Next install pip

tdnf install python3-pip

Then install pywinrm, the WinRM client library Ansible uses, so that the Linux machine can connect to your Windows machines

pip install pywinrm

Next, download the script from here to your Windows machines and run it. It configures WinRM on each Windows host so that Ansible can connect.

Next, create a folder to stage your Ansible files. I use /ansible.

Create a file called hosts and copy in the following, filling in an account with local Administrator rights and its password, and listing whatever hosts you wish to patch. Two caveats: the password sits in this file in plaintext, so protect it with ansible-vault (or at the very least restrict the file's permissions) rather than leaving it readable; and ansible_winrm_server_cert_validation=ignore disables TLS certificate checking, which is convenient with self-signed listener certificates but means the control node will send the Administrator credentials to anything answering on port 5986. Remove that line, or set it to validate, once the hosts carry certificates the control node trusts.

[win]
host1
host2

[win:vars]
ansible_user="Administrator"
ansible_password="password"
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
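For reference, here is an added example (not part of the original post, and not the script linked above) of what the Windows side needs for that inventory to work: an HTTPS WinRM listener on 5986 backed by a certificate, basic auth enabled for the local account but never over an unencrypted channel, a firewall rule, and a check that the listener is actually bound to a valid certificate. Run it in an elevated PowerShell session on each target. The certificate subject, its lifetime and the firewall profiles are assumptions.

```powershell
# Added example, not the post's own script: prepare a Windows host for the
# WinRM-over-HTTPS inventory above and verify the result.
# Assumptions: certificate subject = computer name, 2-year lifetime,
# firewall rule limited to the Domain and Private profiles.

$dnsName = $env:COMPUTERNAME

function New-AnsibleWinRmHttpsListener {
    # Self-signed server certificate in the machine store (assumed lifetime).
    $cert = New-SelfSignedCertificate -DnsName $dnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -NotAfter (Get-Date).AddYears(2)

    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM

    # Drop any stale HTTPS listener so the new certificate gets bound.
    Get-ChildItem -Path 'WSMan:\localhost\Listener' |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse -Force

    New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address * `
        -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

    # Basic auth is what a local Administrator account ends up using;
    # refuse it on anything but the encrypted listener.
    Set-Item -Path 'WSMan:\localhost\Service\Auth\Basic' -Value $true
    Set-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -Value $false

    New-NetFirewallRule -DisplayName 'WinRM HTTPS (Ansible)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain,Private | Out-Null

    return $cert.Thumbprint
}

function Test-AnsibleWinRmHttpsListener {
    # $true only if an HTTPS listener exists and the certificate it is bound
    # to is present in the machine store and not expired.
    $listener = Get-ChildItem -Path 'WSMan:\localhost\Listener' |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Select-Object -First 1
    if (-not $listener) { return $false }

    $thumb = (Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
        Where-Object Name -eq 'CertificateThumbprint').Value
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object Thumbprint -eq ($thumb -replace ' ', '')
    if (-not $cert) { return $false }
    return ($cert.NotAfter -gt (Get-Date))
}

$thumb = New-AnsibleWinRmHttpsListener
Write-Host "HTTPS listener bound to certificate $thumb"
if (-not (Test-AnsibleWinRmHttpsListener)) {
    throw 'WinRM HTTPS listener is not healthy'
}
```

Because the certificate is self-signed, the inventory above still needs ansible_winrm_server_cert_validation=ignore; swap in a certificate from your internal CA and you can set it to validate instead.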

Next we create the playbook that executes the patching. The first task only searches and downloads; the second installs the security, critical and rollup categories, reboots when an update asks for it, and writes a log to log_path, which has to be on a drive that exists on the target (E: here).

---
- name: update hosts
  hosts: all
  gather_facts: false
  tasks:
    - name: Search and download Windows updates without installing
      win_updates:
        state: downloaded
    - name: Install all updates without a scheduled task
      win_updates:
        server_selection: windows_update
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
        reboot: yes
        log_path: E:\Win_Template_Patch.log

If your servers pull from a WSUS server and you want to approve pending updates as part of the run, you can use the following playbook, which approves on the WSUS host first and then patches the clients. Two things to check before using it as-is: the first Get-WsusUpdate line, with -Classification All, already approves every unapproved update in every classification the server synchronizes for the "All Computers" group, so the three lines after it add nothing and the net effect is a blanket approval; and server_selection: windows_update tells win_updates to search Windows Update directly rather than the WSUS server the host is configured for, so the approvals you just made are not what drives the install. Use server_selection: managed_server if the point is to install the WSUS-approved set.

---
- name: approve wsus alerts
  hosts: wsus.kgas.local
  gather_facts: false
  tasks:
    - name: approve wsus alerts
      win_shell: |
       Get-WsusUpdate -Classification All -Approval Unapproved -Status Any | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
       Get-WsusUpdate -Classification Security -Approval Unapproved -Status Any | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
       Get-WsusUpdate -Classification Critical -Approval Unapproved -Status Any | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
       Get-WsusUpdate -Classification WSUS -Approval Unapproved -Status Any | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
- name: update hosts
  hosts: pleasework.kgas.local
  gather_facts: false
  tasks:
    - name: Search and download Windows updates without installing
      win_updates:
        state: downloaded
    - name: Install all updates without a scheduled task
      win_updates:
        server_selection: windows_update
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
        reboot: yes
        log_path: E:\Win_Template_Patch.log
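As an added example, not part of the original post, here is a narrower approval step in PowerShell that could replace the four Get-WsusUpdate lines in the win_shell task above: it approves only Security and Critical updates that at least one client reports as needed or failed, skips updates that are already superseded, supports -WhatIf so you can preview the list, writes what it approved to a log, and returns the approved titles. The target group name, the classification list and the log path are assumptions.

```powershell
# Added example, not the post's own code: approve only what clients need,
# in the Security and Critical classifications, instead of everything.
# Run on the WSUS server (the UpdateServices module ships with the role).
# Assumptions: target group 'All Computers', log at C:\wsus-approvals.log.

function Get-PendingWsusUpdate {
    # Unapproved updates in the given classifications that at least one client
    # reports as needed or failed, excluding updates already superseded.
    param([string[]]$Classifications)
    foreach ($class in $Classifications) {
        Get-WsusUpdate -Classification $class -Approval Unapproved -Status FailedOrNeeded |
            Where-Object { -not $_.Update.IsSuperseded }
    }
}

function Approve-PendingWsusUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TargetGroupName,
        [string[]]$Classifications,
        [string]$LogPath
    )
    $approved = @()
    foreach ($u in (Get-PendingWsusUpdate -Classifications $Classifications)) {
        $title = $u.Update.Title
        # With -WhatIf, ShouldProcess only reports and returns $false.
        if ($PSCmdlet.ShouldProcess($title, "Approve for install in '$TargetGroupName'")) {
            $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroupName
            $approved += $title
            "$(Get-Date -Format o) approved: $title" | Add-Content -Path $LogPath
        }
    }
    return $approved
}

# Preview first, then approve for real once the list looks right.
Approve-PendingWsusUpdate -TargetGroupName 'All Computers' `
    -Classifications 'Security', 'Critical' -LogPath 'C:\wsus-approvals.log' -WhatIf

$done = Approve-PendingWsusUpdate -TargetGroupName 'All Computers' `
    -Classifications 'Security', 'Critical' -LogPath 'C:\wsus-approvals.log'
Write-Host "Approved $($done.Count) update(s)"
```

Pair this with server_selection: managed_server in the update play so the clients install the set you just approved rather than whatever Windows Update offers.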

To execute the playbook

ansible-playbook win_updates.yml -i hosts

Sit back and wait for the playbook to complete


PLAY [approve wsus alerts] *****************************************************

TASK [approve wsus alerts] *****************************************************
changed: [wsus.kgas.local]

PLAY [update hosts] ************************************************************

TASK [Search and download Windows updates without installing] ******************
ok: [pleasework.kgas.local]

TASK [Install all updates without a schedule tasks] ****************************

The playbook will run, reboot the host, and wait for the host to be accessible before moving on to the next.

Published by mdicecca112

Systems Engineer from the Greater Boston Area
