
About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible Windows Update: Rolling Updates with win_updates Module (Guide)

By Luca Berton · Published 2024-01-01 · Category: installation

How to manage Windows Updates with Ansible win_updates module. Rolling updates, selective patching, reboot handling, and WSUS integration with playbook.


How to perform Rolling Update with Ansible on Windows-like systems?

Every System Administrator knows how important it is to keep an up-to-date fleet in a consistent state. I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton and welcome to today's episode of Ansible Pilot.


Ansible Rolling Update Windows-like systems

ansible.windows.win_updates • Download and install Windows updates

Today we're talking about the Ansible module win_updates. The full name is ansible.windows.win_updates, which means it is part of the collection of modules specialized for interacting with Windows target hosts. It is a stable module that has been available for years. It works on Windows and Windows Server operating systems and downloads and installs Windows updates. For Linux targets use the yum module for RedHat-like systems, apt for Debian-like, and zypper for SUSE-like.

Parameters

• category_names _string_ - CriticalUpdates, DefinitionUpdates, DeveloperKits, FeaturePacks, SecurityUpdates, ServicePacks, UpdateRollups
• state _string_ - searched / downloaded / installed
• reboot _boolean_ / reboot_timeout - no / yes
• log_path _path_ - append log file
• accept_list / reject_list _list_ - titles or KB numbers to whitelist or blacklist

The parameter list is pretty wide, but today we focus only on the ones relevant to our use case. The most important is "category_names". There are many options here. The default enables only "CriticalUpdates", "SecurityUpdates" and "UpdateRollups", but you can add or remove categories. The "state" parameter specifies whether updates are only "searched", "downloaded" or "installed". If you prefer to only download the updates now and perform the actual installation in a second run, select the "downloaded" option. With the "reboot" option Ansible automatically reboots the remote host if required and continues installing updates after the reboot. The default timeout to wait for the host to come back online after a reboot is 1200 seconds; you can increase it with the "reboot_timeout" option. Some System Administrators prefer to keep a record of the update operation: the "log_path" option saves a log file of the performed operations on the target disk. You can specify a list of update titles or KB numbers that restricts which updates are searched or installed using the "accept_list" parameter, and a list of exclusions in the "reject_list" parameter.


Links

ansible.windows.win_updates
Using Ansible and Windows

## Playbook

How to install a rolling update on Windows-like systems, save the log in "C:\ansible.txt" and reboot if necessary with an Ansible Playbook.

code

---
- name: windows rolling update
  hosts: all
  tasks:
    - name: Install all critical and security updates
      ansible.windows.win_updates:
        category_names:
          - CriticalUpdates
          - SecurityUpdates
        state: installed
        reboot: true
        log_path: C:\ansible.txt

execution

ansible-pilot $ ansible-playbook -i virtualmachines/win/inventory windows/update.yml
PLAY [windows rolling update] *********************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [WindowsServer]
TASK [Install all critical and security updates] **************************************************
ok: [WindowsServer]
PLAY RECAP ****************************************************************************************
WindowsServer              : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

idempotency

ansible-pilot $ ansible-playbook -i virtualmachines/win/inventory windows/update.yml
PLAY [windows rolling update] *********************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [WindowsServer]
TASK [Install all critical and security updates] **************************************************
ok: [WindowsServer]
PLAY RECAP ****************************************************************************************
WindowsServer              : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $


Conclusion

Now you know how to perform rolling updates on Windows-like systems.


Install All Available Updates

- name: Install all Windows updates
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups
    state: installed
    reboot: true
  register: update_result
  become: true
  become_method: runas
  become_user: SYSTEM

Rolling Update Strategy

---
- name: Rolling Windows updates
  hosts: windows_servers
  serial: 1  # One server at a time
  tasks:
    - name: Remove from load balancer
      # Runs on the controller (delegate_to: localhost), so use the uri module
      # instead of win_shell, which only works on a Windows host
      ansible.builtin.uri:
        url: "http://lb/api/disable/{{ inventory_hostname }}"
        method: POST
      delegate_to: localhost

    - name: Install updates
      ansible.windows.win_updates:
        category_names: [SecurityUpdates, CriticalUpdates]
        state: installed
        reboot: true
        reboot_timeout: 1800
      register: updates

    - name: Verify server is healthy
      ansible.windows.win_shell: |
        (Invoke-WebRequest -Uri "http://localhost/health").StatusCode
      register: health
      retries: 10
      delay: 30
      until: health.stdout | trim == "200"

    - name: Re-enable in load balancer
      ansible.builtin.uri:
        url: "http://lb/api/enable/{{ inventory_hostname }}"
        method: POST
      delegate_to: localhost

Category Names

| Category | Description |
|----------|-------------|
| SecurityUpdates | Security patches |
| CriticalUpdates | Critical fixes |
| UpdateRollups | Monthly rollups |
| Updates | General updates |
| DefinitionUpdates | Defender definitions |
| FeaturePacks | Feature updates |
| ServicePacks | Service packs |
| Drivers | Driver updates |

Selective Updates

# Only specific KB
- ansible.windows.win_updates:
    accept_list:
      - KB5001234
      - KB5005678
    state: installed

# Exclude specific updates
- ansible.windows.win_updates:
    reject_list:
      - KB5009999  # Known problematic update
    state: installed

Check for Updates (No Install)

- ansible.windows.win_updates:
    state: searched
    category_names: [SecurityUpdates, CriticalUpdates]
  register: available

- ansible.builtin.debug:
    msg: "{{ available.found_update_count }} updates available"

WSUS Configuration

- name: Configure WSUS server
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    name: WUServer
    data: http://wsus.corp.com:8530
    type: string

- name: Tell the Windows Update agent to use the WSUS server
  # Without UseWUServer=1 the WUServer value above is ignored
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    name: UseWUServer
    data: 1
    type: dword

- name: Install from WSUS
  ansible.windows.win_updates:
    server_selection: managed_server
    state: installed
    reboot: true

Handle Reboots

- ansible.windows.win_updates:
    state: installed
    reboot: false  # Don't auto-reboot
  register: updates

- name: Reboot during maintenance window
  ansible.windows.win_reboot:
    reboot_timeout: 1800
    post_reboot_delay: 60
  when: updates.reboot_required

FAQ

How long do Windows updates take?

Varies widely. Set generous timeouts: reboot_timeout: 3600 (1 hour) for cumulative updates.

Can I schedule updates for a maintenance window?

Ansible doesn't have built-in scheduling. Use AWX/AAP job schedules, or trigger the playbook from a cron job / scheduled task.

Why do some updates fail silently?

Check update_result.updates dict for per-update status. Some updates require prerequisites or specific order.
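To make that per-update check concrete, here is an added example (not code from the original article) that summarises a registered win_updates result after it has been saved as JSON, for instance with `ansible.builtin.copy: content: "{{ update_result | to_json }}"`. The sample result is constructed, and the return keys used (`found_update_count`, `failed_update_count`, `reboot_required`, `updates` keyed by update id with `title`, `kb`, `installed`, `failure_hresult_code`, `failure_msg`) are assumed to match the module's documented return values.

```python
"""Summarise an ansible.windows.win_updates result saved as JSON.

Flags updates that were not installed (with their HRESULT), KBs from an
accept list that never got installed, and whether a reboot is pending.
"""
import json

# Constructed sample, as if saved with copy: content: "{{ update_result | to_json }}".
# KB numbers reuse the placeholders from the article; the failed entry carries
# a signed HRESULT as the module reports it (assumption).
SAMPLE_RESULT = json.dumps({
    "found_update_count": 2,
    "installed_update_count": 1,
    "failed_update_count": 1,
    "reboot_required": True,
    "updates": {
        "a1b2": {"title": "Sample Security Update", "kb": ["5001234"],
                 "categories": ["Security Updates"], "installed": True},
        "c3d4": {"title": "Sample Servicing Stack Update", "kb": ["5005678"],
                 "categories": ["Security Updates"], "installed": False,
                 "failure_hresult_code": -2145124329,
                 "failure_msg": "constructed failure message"},
    },
})


def norm_kb(kb):
    """Return the KB in the 'KB1234567' form used by accept_list."""
    return "KB" + str(kb).upper().removeprefix("KB")


def summarize(result_json, expected_kbs=()):
    """Return failed updates, missing expected KBs and reboot state."""
    r = json.loads(result_json)
    failed, installed = [], set()
    for uid, u in r.get("updates", {}).items():
        kbs = [norm_kb(k) for k in u.get("kb", [])]
        if u.get("installed"):
            installed.update(kbs)
            continue
        code = u.get("failure_hresult_code")
        failed.append({
            "id": uid, "title": u.get("title", ""), "kb": kbs,
            # Windows reports HRESULTs as signed 32-bit ints; show the usual hex form
            "hresult": f"0x{code & 0xFFFFFFFF:08X}" if code is not None else None,
            "msg": u.get("failure_msg", ""),
        })
    missing = [norm_kb(k) for k in expected_kbs if norm_kb(k) not in installed]
    return {"failed": failed, "missing": missing,
            "reboot_required": bool(r.get("reboot_required")),
            "count_matches": r.get("failed_update_count") == len(failed),
            "ok": not failed and not missing}
```

Feed the summary into an `ansible.builtin.assert` task (or a monitoring check) so a silently failed KB stops the rolling run before the next host.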


Watch the video: Ansible Windows Update: Rolling Updates with win_updates Module (Guide) — Video Tutorial
