Ansible playbook is not working on the target host but shows in play recap - OK

Nothing changed on the target host, it was not even rebooted, but I am able to ping it and can do a handshake.
Playbook -

PLAY [windows] *************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************
ok: [MQN-CKMH5E31UM7.corp.medqia.com]

TASK [Install all security, critical, and rollup updates without a scheduled task] *****************************************************************************************
ok: [MQN-CKMH5E31UM7.corp.medqia.com]

TASK [Install only security updates as a scheduled task for window machines] ***********************************************************************************************
ok: [MQN-CKMH5E31UM7.corp.medqia.com]

TASK [Install only particular updates based on the KB numbers] *************************************************************************************************************
ok: [MQN-CKMH5E31UM7.corp.medqia.com]

TASK [Install all security updates with automatic reboots] *****************************************************************************************************************
ok: [MQN-CKMH5E31UM7.corp.medqia.com]

TASK [Ensure WinRM starts when the system has settled and is ready to work reliably] ***************************************************************************************
ok: [MQN-CKMH5E31UM7.corp.medqia.com]

PLAY RECAP *****************************************************************************************************************************************************************
MQN-CKMH5E31UM7.corp.medqia.com : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Playbook contents:

```yaml
---
- hosts: windows
  vars:
    ansible_connection: winrm
    ansible_ssh_port: 5986
    ansible_winrm_transport: kerberos
    ansible_winrm_server_cert_validation: ignore
    validate_certs: false
    ansible_winrm_scheme: https
    ansible_winrm_read_timeout_sec: 120
  tasks:
    - name: Install all security, critical, and rollup updates without a scheduled task
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups

    - name: Install only security updates as a scheduled task for window machines
      win_updates:
        category_names: SecurityUpdates
        use_scheduled_task: yes

    - name: Install only particular updates based on the KB numbers
      win_updates:
        category_names:
          - SecurityUpdates
        whitelist:
          - KB4528760
          - KB890830
          - KB4534271
          - KB22677602

    - name: Install all security updates with automatic reboots
      win_updates:
        category_names:
          - SecurityUpdates
        reboot: yes

    - name: Ensure WinRM starts when the system has settled and is ready to work reliably
      win_service:
        name: WinRM
        start_mode: delayed
```

It’s showing OK because the state was already achieved. Ansible is running and the modules you are running just have nothing to do.

But the target host has not achieved the desired result, like it’s not updating/upgrading the OS based on the KB number provided and is not rebooting. Any ideas?

That’s probably because win_updates runs on various filters, you can’t just specify the KB, you also need to specify the category the update applies to. If you run with -vvv you can see all the updates that have been filtered (skipped) and the categories they apply to. If the update is not in that filtered list then the Windows Update Agent can’t see it as an applicable update and Ansible can’t do anything about that.

Can you give me an example of how to specify the category the KB update applies to?
Here is the output:

ansible-playbook windows.yml -vvv
ansible-playbook 2.9.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u’/root/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’]
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.12 (default, Oct 8 2019, 14:14:10) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin

PLAYBOOK: windows.yml ******************************************************************************************************************************************************
1 plays in windows.yml

PLAY [windows] *************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************
task path: /etc/ansible/windows-playbook/windows.yml:2
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
ok: [MQN-CKMH5E31UM7.corp.medqia.com]
META: ran handlers

TASK [Install all security, critical, and rollup updates without a scheduled task] *****************************************************************************************
task path: /etc/ansible/windows-playbook/windows.yml:12
win_updates: running win_updates module
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_updates.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
“changed”: false,
“filtered_updates”: {
“20668013-76d9-43ec-a6f2-f76fb4271642”: {
“categories”: [
“Definition Updates”,
“Windows Defender”
],
“filtered_reason”: “category_names”,
“id”: “20668013-76d9-43ec-a6f2-f76fb4271642”,
“installed”: false,
“kb”: [
“2267602”
],
“title”: “Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2832.0)”
},
“5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”: {
“categories”: [
“Updates”,
“Windows 10”
],
“filtered_reason”: “category_names”,
“id”: “5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”,
“installed”: false,
“kb”: [
“4494452”
],
“title”: “2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)”
},
“65ecc208-c6b1-4fce-b892-fc2c93917d76”: {
“categories”: [
“Drivers”
],
“filtered_reason”: “category_names”,
“id”: “65ecc208-c6b1-4fce-b892-fc2c93917d76”,
“installed”: false,
“kb”: ,
“title”: “Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0”
},
“79bfbb87-ae9d-480d-9f6f-5c82361e015d”: {
“categories”: [
“Upgrades”
],
“filtered_reason”: “category_names”,
“id”: “79bfbb87-ae9d-480d-9f6f-5c82361e015d”,
“installed”: false,
“kb”: [
“4530684”
],
“title”: “Feature update to Windows 10, version 1909”
}
},
“found_update_count”: 0,
“installed_update_count”: 0,
“reboot_required”: false,
“updates”: {}
}

TASK [Install only security updates as a scheduled task for window machines] ***********************************************************************************************
task path: /etc/ansible/windows-playbook/windows.yml:19
win_updates: running win_updates module
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_updates.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
“changed”: false,
“filtered_updates”: {
“20668013-76d9-43ec-a6f2-f76fb4271642”: {
“categories”: [
“Definition Updates”,
“Windows Defender”
],
“filtered_reason”: “category_names”,
“id”: “20668013-76d9-43ec-a6f2-f76fb4271642”,
“installed”: false,
“kb”: [
“2267602”
],
“title”: “Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2832.0)”
},
“5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”: {
“categories”: [
“Updates”,
“Windows 10”
],
“filtered_reason”: “category_names”,
“id”: “5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”,
“installed”: false,
“kb”: [
“4494452”
],
“title”: “2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)”
},
“65ecc208-c6b1-4fce-b892-fc2c93917d76”: {
“categories”: [
“Drivers”
],
“filtered_reason”: “category_names”,
“id”: “65ecc208-c6b1-4fce-b892-fc2c93917d76”,
“installed”: false,
“kb”: {
“Count”: 0,
“ReadOnly”: true,
“_NewEnum”: “System.__ComObject”
},
“title”: “Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0”
},
“79bfbb87-ae9d-480d-9f6f-5c82361e015d”: {
“categories”: [
“Upgrades”
],
“filtered_reason”: “category_names”,
“id”: “79bfbb87-ae9d-480d-9f6f-5c82361e015d”,
“installed”: false,
“kb”: [
“4530684”
],
“title”: “Feature update to Windows 10, version 1909”
}
},
“found_update_count”: 0,
“installed_update_count”: 0,
“reboot_required”: false,
“updates”: {}
}

TASK [Install only particular updates based on the KB numbers] *************************************************************************************************************
task path: /etc/ansible/windows-playbook/windows.yml:24
win_updates: running win_updates module
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_updates.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
“changed”: false,
“filtered_updates”: {
“20668013-76d9-43ec-a6f2-f76fb4271642”: {
“categories”: [
“Definition Updates”,
“Windows Defender”
],
“filtered_reason”: “whitelist”,
“id”: “20668013-76d9-43ec-a6f2-f76fb4271642”,
“installed”: false,
“kb”: [
“2267602”
],
“title”: “Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2832.0)”
},
“5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”: {
“categories”: [
“Updates”,
“Windows 10”
],
“filtered_reason”: “whitelist”,
“id”: “5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”,
“installed”: false,
“kb”: [
“4494452”
],
“title”: “2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)”
},
“65ecc208-c6b1-4fce-b892-fc2c93917d76”: {
“categories”: [
“Drivers”
],
“filtered_reason”: “whitelist”,
“id”: “65ecc208-c6b1-4fce-b892-fc2c93917d76”,
“installed”: false,
“kb”: ,
“title”: “Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0”
},
“79bfbb87-ae9d-480d-9f6f-5c82361e015d”: {
“categories”: [
“Upgrades”
],
“filtered_reason”: “whitelist”,
“id”: “79bfbb87-ae9d-480d-9f6f-5c82361e015d”,
“installed”: false,
“kb”: [
“4530684”
],
“title”: “Feature update to Windows 10, version 1909”
}
},
“found_update_count”: 0,
“installed_update_count”: 0,
“reboot_required”: false,
“updates”: {}
}

TASK [Install all security updates with automatic reboots] *****************************************************************************************************************
task path: /etc/ansible/windows-playbook/windows.yml:34
win_updates: running win_updates module
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_updates.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
“changed”: false,
“filtered_updates”: {
“20668013-76d9-43ec-a6f2-f76fb4271642”: {
“categories”: [
“Definition Updates”,
“Windows Defender”
],
“filtered_reason”: “category_names”,
“id”: “20668013-76d9-43ec-a6f2-f76fb4271642”,
“installed”: false,
“kb”: [
“2267602”
],
“title”: “Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2832.0)”
},
“5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”: {
“categories”: [
“Updates”,
“Windows 10”
],
“filtered_reason”: “category_names”,
“id”: “5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”,
“installed”: false,
“kb”: [
“4494452”
],
“title”: “2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)”
},
“65ecc208-c6b1-4fce-b892-fc2c93917d76”: {
“categories”: [
“Drivers”
],
“filtered_reason”: “category_names”,
“id”: “65ecc208-c6b1-4fce-b892-fc2c93917d76”,
“installed”: false,
“kb”: ,
“title”: “Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0”
},
“79bfbb87-ae9d-480d-9f6f-5c82361e015d”: {
“categories”: [
“Upgrades”
],
“filtered_reason”: “category_names”,
“id”: “79bfbb87-ae9d-480d-9f6f-5c82361e015d”,
“installed”: false,
“kb”: [
“4530684”
],
“title”: “Feature update to Windows 10, version 1909”
}
},
“found_update_count”: 0,
“installed_update_count”: 0,
“reboot_required”: false,
“updates”: {}
}

TASK [Ensure WinRM starts when the system has settled and is ready to work reliably] ***************************************************************************************
task path: /etc/ansible/windows-playbook/windows.yml:40
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_service.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
“can_pause_and_continue”: false,
“changed”: false,
“depended_by”: ,
“dependencies”: [
“RPCSS”,
“HTTP”
],
“description”: “Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.”,
“desktop_interact”: false,
“display_name”: “Windows Remote Management (WS-Management)”,
“exists”: true,
“name”: “WinRM”,
“path”: “C:\WINDOWS\System32\svchost.exe -k NetworkService -p”,
“start_mode”: “delayed”,
“state”: “running”,
“username”: “NT AUTHORITY\NetworkService”
}
META: ran handlers
META: ran handlers

PLAY RECAP *****************************************************************************************************************************************************************
MQN-CKMH5E31UM7.corp.medqia.com : ok=6 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Have a look through your output: the “filtered_updates” key shows all the updates that the Windows Update Agent can find and also displays why they have been filtered in the win_updates task. So there’s nothing the win_updates module is set to do because Windows is reporting no updates are available that match the criteria you are wanting.

You should see the exact same thing if you were to log onto the computer manually and search for updates; Ansible isn’t doing anything special here.

Attached is the target host and it shows that it needs to be updated. I have provided the update by KB number but it’s not working, and it’s not rebooting either.

So read your filtered updates list, you can see both updates are in there

ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
“changed”: false,
“filtered_updates”: {
“20668013-76d9-43ec-a6f2-f76fb4271642”: {
“categories”: [
“Definition Updates”,
“Windows Defender”
],
“filtered_reason”: “category_names”,
“id”: “20668013-76d9-43ec-a6f2-f76fb4271642”,
“installed”: false,
“kb”: [
“2267602”
],
“title”: “Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2832.0)”
},
“5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”: {
“categories”: [
“Updates”,
“Windows 10”
],
“filtered_reason”: “category_names”,
“id”: “5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”,
“installed”: false,
“kb”: [
“4494452”
],
“title”: “2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)”
},
“65ecc208-c6b1-4fce-b892-fc2c93917d76”: {
“categories”: [
“Drivers”
],
“filtered_reason”: “category_names”,
“id”: “65ecc208-c6b1-4fce-b892-fc2c93917d76”,
“installed”: false,
“kb”: ,
“title”: “Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0”
},
“79bfbb87-ae9d-480d-9f6f-5c82361e015d”: {
“categories”: [
“Upgrades”
],
“filtered_reason”: “category_names”,
“id”: “79bfbb87-ae9d-480d-9f6f-5c82361e015d”,
“installed”: false,
“kb”: [
“4530684”
],
“title”: “Feature update to Windows 10, version 1909”
}
},
“found_update_count”: 0,
“installed_update_count”: 0,
“reboot_required”: false,
“updates”: {}
}

The win_updates module has 2 filters that are applied to available updates:

  1. It first filters the updates based on the categories that are set. By default Critical Updates, Security Updates, and Update Rollups are applied and any others are filtered.
  2. From there, if you have a whitelist or blacklist, these filters are applied to the list.

We can see that both the defender update and the feature update have been filtered due to the category name not matching from the input. If you want them to be applied you will have to add the ‘Upgrades’ category for the feature upgrade and the ‘Windows Defender’ or ‘Definition Updates’ for the defender update. Say you wanted to make sure that only the feature update to Windows 10, version 1909 is installed you can do

```yaml
- name: ensure Windows 10 has 1909 feature upgrade installed
  win_updates:
    category_names:
      - Upgrades
    whitelist:
      - KB4530684
    reboot: yes
```

If you didn’t care about the actual KB and want all Upgrades installed then just remove the whitelist.
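
The two-stage filtering described in the answer above can be checked mechanically, which matters for patch compliance because a green `ok` recap can hide a run that installed nothing. The following is an added example, not part of the original thread and not Ansible's own code: it reads a win_updates result and reports, for each requested KB, whether it was selected, filtered (and by which filter), or never offered by the Windows Update Agent. The sample result is constructed from the output shown earlier in the thread; the function names and the space- and case-insensitive category comparison are assumptions made for the example.

```python
import json

# Constructed sample: the fields and entries of the win_updates result shown
# in the thread's -vvv output, trimmed to what the triage needs. The driver
# entry keeps the non-list "kb" form that appears in one of the task results.
SAMPLE_RESULT = json.loads("""
{
  "changed": false,
  "filtered_updates": {
    "20668013-76d9-43ec-a6f2-f76fb4271642": {
      "categories": ["Definition Updates", "Windows Defender"],
      "filtered_reason": "category_names",
      "kb": ["2267602"],
      "title": "Security Intelligence Update for Windows Defender Antivirus - KB2267602"
    },
    "65ecc208-c6b1-4fce-b892-fc2c93917d76": {
      "categories": ["Drivers"],
      "filtered_reason": "category_names",
      "kb": {"Count": 0, "ReadOnly": true},
      "title": "Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0"
    },
    "79bfbb87-ae9d-480d-9f6f-5c82361e015d": {
      "categories": ["Upgrades"],
      "filtered_reason": "category_names",
      "kb": ["4530684"],
      "title": "Feature update to Windows 10, version 1909"
    }
  },
  "found_update_count": 0,
  "installed_update_count": 0,
  "reboot_required": false,
  "updates": {}
}
""")


def norm_kb(value):
    """Make 'KB4530684', 'kb4530684' and '4530684' compare equal."""
    text = str(value).strip().upper()
    return text[2:] if text.startswith("KB") else text


def kb_list(entry):
    """Return the entry's KB numbers; tolerate a missing or non-list 'kb'."""
    kb = entry.get("kb")
    return [norm_kb(k) for k in kb] if isinstance(kb, list) else []


def norm_cat(name):
    # Assumption of this example: compare categories ignoring spaces and case,
    # so 'SecurityUpdates' and 'Security Updates' are treated as the same.
    return name.replace(" ", "").lower()


def triage(result, wanted_kbs, category_names):
    """Explain, per requested KB, what the win_updates run did with it."""
    configured = {norm_cat(c) for c in category_names}
    report = {}
    for wanted in wanted_kbs:
        key = norm_kb(wanted)
        # Default: the Windows Update Agent did not list it at all
        # (already installed, superseded, or not applicable to this host).
        report[wanted] = {"status": "not_offered"}
        for entry in result.get("updates", {}).values():
            if key in kb_list(entry):
                report[wanted] = {"status": "selected", "title": entry.get("title")}
        for entry in result.get("filtered_updates", {}).values():
            if key not in kb_list(entry):
                continue
            reason = entry.get("filtered_reason")
            info = {"status": "filtered", "reason": reason, "title": entry.get("title")}
            if reason == "category_names":
                # Per the answer above, adding any one of the update's own
                # categories to category_names lets it past the first filter.
                info["add_one_of"] = [c for c in entry.get("categories", [])
                                      if norm_cat(c) not in configured]
            report[wanted] = info
    return report


def offered_but_all_filtered(result):
    """True for an 'ok' run where updates were offered but none were installed."""
    return (not result.get("changed")
            and result.get("installed_update_count", 0) == 0
            and bool(result.get("filtered_updates")))


if __name__ == "__main__":
    wanted = ["KB4528760", "KB2267602", "KB4530684"]
    for kb, info in triage(SAMPLE_RESULT, wanted, ["SecurityUpdates"]).items():
        print(kb, info)
    print("ok-but-nothing-installed:", offered_but_all_filtered(SAMPLE_RESULT))
```
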

I ran into an error.
Here is the playbook:

root@ip-10-0-2-209:/etc/ansible/windows-playbook# ansible-playbook upgrades.yml -vvv
ansible-playbook 2.9.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u’/root/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’]
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.12 (default, Oct 8 2019, 14:14:10) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin

PLAYBOOK: upgrades.yml *****************************************************************************************************************************************************
1 plays in upgrades.yml

PLAY [windows] *************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************
task path: /etc/ansible/windows-playbook/upgrades.yml:2
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
ok: [MQN-CKMH5E31UM7.corp.medqia.com]
META: ran handlers

TASK [Install all security, critical, and rollup updates without a scheduled task] *****************************************************************************************
task path: /etc/ansible/windows-playbook/upgrades.yml:12
win_updates: running win_updates module
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_updates.ps1
Pipelining is enabled.
<MQN-CKMH5E31UM7.corp.medqia.com> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO MQN-CKMH5E31UM7.corp.medqia.com
EXEC (via pipeline wrapper)
fatal: [MQN-CKMH5E31UM7.corp.medqia.com]: FAILED! => {
“changed”: false,
“filtered_updates”: {
“48715a8c-3c38-4dfb-86e7-077be8b8663e”: {
“categories”: [
“Definition Updates”,
“Windows Defender”
],
“filtered_reason”: “category_names”,
“id”: “48715a8c-3c38-4dfb-86e7-077be8b8663e”,
“installed”: false,
“kb”: [
“2267602”
],
“title”: “Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2839.0)”
},
“5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”: {
“categories”: [
“Updates”,
“Windows 10”
],
“filtered_reason”: “category_names”,
“id”: “5bb32ece-7c8c-4f07-ace1-7ba1d36736a1”,
“installed”: false,
“kb”: [
“4494452”
],
“title”: “2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)”
},
“65ecc208-c6b1-4fce-b892-fc2c93917d76”: {
“categories”: [
“Drivers”
],
“filtered_reason”: “category_names”,
“id”: “65ecc208-c6b1-4fce-b892-fc2c93917d76”,
“installed”: false,
“kb”: ,
“title”: “Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0”
}
},
“found_update_count”: 1,
“installed_update_count”: 0,
“msg”: “Failed to install update from Update Collection: Exception from HRESULT: 0x80240016”,
“reboot_required”: false,
“updates”: {
“79bfbb87-ae9d-480d-9f6f-5c82361e015d”: {
“categories”: [
“Upgrades”
],
“id”: “79bfbb87-ae9d-480d-9f6f-5c82361e015d”,
“installed”: false,
“kb”: [
“4530684”
],
“title”: “Feature update to Windows 10, version 1909”
}
}
}

PLAY RECAP *****************************************************************************************************************************************************************
MQN-CKMH5E31UM7.corp.medqia.com : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

According to https://docs.microsoft.com/en-us/previous-versions/windows/desktop/hh968413(v=vs.85), the HRESULT value 0x80240016 corresponds to WU_E_INSTALL_NOT_ALLOWED

Operation tried to install while another installation was in progress or the system was pending a mandatory restart.

Sounds like you either have some other installer working in the background or a reboot is pending

  1. Well, we provided reboot: yes. Isn’t it supposed to make the mandatory reboot by itself?
  2. I used the same playbook on a different instance. For some reason, it filtered out the required information but didn’t install.
    root@ip-10-0-2-209:/etc/ansible/windows-playbook# ansible-playbook upgrades.yml -vvv
    ansible-playbook 2.9.2
    config file = /etc/ansible/ansible.cfg
    configured module search path = [u’/root/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’]
    ansible python module location = /usr/lib/python2.7/dist-packages/ansible
    executable location = /usr/bin/ansible-playbook
    python version = 2.7.12 (default, Oct 8 2019, 14:14:10) [GCC 5.4.0 20160609]
    Using /etc/ansible/ansible.cfg as config file
    host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
    script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
    auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
    Parsed /etc/ansible/hosts inventory source with ini plugin

PLAYBOOK: upgrades.yml *****************************************************************************************************************************************************
1 plays in upgrades.yml

PLAY [windows] *************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************
task path: /etc/ansible/windows-playbook/upgrades.yml:2
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM
EXEC (via pipeline wrapper)
ok: [EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM]
META: ran handlers

TASK [Install all security, critical, and rollup updates without a scheduled task] *****************************************************************************************
task path: /etc/ansible/windows-playbook/upgrades.yml:12
win_updates: running win_updates module
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_updates.ps1
Pipelining is enabled.
<EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM
EXEC (via pipeline wrapper)
ok: [EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM] => {
“changed”: false,
“filtered_updates”: {
“68d313ad-b2ef-4722-a437-a8f4b8260ce7”: {
“categories”: [
“Definition Updates”,
“Windows Defender”
],
“filtered_reason”: “category_names”,
“id”: “68d313ad-b2ef-4722-a437-a8f4b8260ce7”,
“installed”: false,
“kb”: [
“2267602”
],
“title”: “Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2841.0)”
}
},
“found_update_count”: 0,
“installed_update_count”: 0,
“reboot_required”: false,
“updates”: {}
}
META: ran handlers
META: ran handlers

PLAY RECAP *****************************************************************************************************************************************************************
EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

After I installed the update manually on the server for "Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2841.0)", the prompt went away. Why didn’t it update?
root@ip-10-0-2-209:/etc/ansible/windows-playbook# ansible-playbook upgrades.yml -vvv
ansible-playbook 2.9.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u’/root/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’]
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.12 (default, Oct 8 2019, 14:14:10) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin

PLAYBOOK: upgrades.yml *****************************************************************************************************************************************************
1 plays in upgrades.yml

PLAY [windows] *************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************
task path: /etc/ansible/windows-playbook/upgrades.yml:2
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM
EXEC (via pipeline wrapper)
ok: [EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM]
META: ran handlers

TASK [Install all security, critical, and rollup updates without a scheduled task] *****************************************************************************************
task path: /etc/ansible/windows-playbook/upgrades.yml:12
win_updates: running win_updates module
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_updates.ps1
Pipelining is enabled.
<EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM> ESTABLISH WINRM CONNECTION FOR USER: None on PORT 5986 TO EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM
EXEC (via pipeline wrapper)
ok: [EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM] => {
“changed”: false,
“filtered_updates”: {},
“found_update_count”: 0,
“installed_update_count”: 0,
“reboot_required”: false,
“updates”: {}
}
META: ran handlers
META: ran handlers

PLAY RECAP *****************************************************************************************************************************************************************
EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Why did it filter this time? I don’t understand…

Please read through the doc for win_updates again https://docs.ansible.com/ansible/latest/modules/win_updates_module.html. I’ve told you multiple times why updates can be filtered and in your case it’s because the categories you specify don’t match up with the updates that are available. Even the filtered updates entries tell you what categories they apply to and the reason why they have been filtered.

  1. Well, we provided reboot: yes. Isn’t it supposed to make the mandatory reboot by itself?

In a perfect world yes but right now reboot: yes only applies to reboots that need to happen post installation, the win_updates module does not have reboots that need to occur before an update is installed. There’s no reason why this isn’t possible it’s just not implemented.

  2. I used the same playbook on a different instance. For some reason, it filtered out the required information but didn’t install.

See my first comment, there’s a reason why updates are filtered, it’s because they are for categories you never specified.

After I installed the update manually on the server for "Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2841.0)", the prompt went away. Why didn’t it update?

Because the update is installed it won’t appear in the list anymore and once again, if the categories for an update do not match up with what you specify it will be filtered.

Hi Jordan, thanks for explaining. My question was in reference to the playbook that you gave me, as it says Upgrades. I thought if we run this it is automatically going to upgrade everything on the Windows host, but it didn’t.

```yaml
tasks:
  - name: Install all security, critical, and rollup updates without a scheduled task
    win_updates:
      category_names:
        - Upgrades
      reboot: yes
```

Hello, I am wondering if this ever got resolved. I am also running a playbook to upgrade a Windows 10 box to 1909. The playbook seems to run fine: it says there were changes and the Windows 10 box reboots several times, but at the end it is not upgraded. I tried the play from this post, which was:

```yaml
- name: ensure Windows 10 has 1909 feature upgrade installed
  win_updates:
    category_names:
      - Upgrades
    whitelist:
    reboot: yes
```

without the KB, and it ran for hours, but the Windows 10 box was never updated. I also run a playbook to find what updates are needed and it keeps finding these:

{ "updates": { "ac2b20ab-6186-4267-8d55-4b3ca35197d1": { "categories": [ "Upgrades" ], "title": "Feature update to Windows 10, version 1909", "id": "ac2b20ab-6186-4267-8d55-4b3ca35197d1", "installed": false, "kb": [ "4560960" ] } }, "found_update_count": 1, "changed": false, "reboot_required": false, "installed_update_count": 0, "filtered_updates": { "f9d81e60-32f2-41f3-b553-2261ff953ee8": { "id": "f9d81e60-32f2-41f3-b553-2261ff953ee8", "filtered_reason": "category_names", "title": "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.319.975.0)", "categories": [ "Definition Updates", "Microsoft Defender Antivirus" ], "kb": [ "2267602" ], "installed": false }

If you were able to resolve this and get the system upgraded to 1909, I would love to know how. I also started a topic on this here that shows the playbook I was using; I have changed it several times to see if I can get it working, to no avail: https://groups.google.com/forum/#!searchin/ansible-project/windows$2010$20upgrades|sort:date/ansible-project/GhF7VndaQWU/_F9eVDaIBQAJ