Ansible has the functionality to be used for configuration management but it seems the win_update module takes a considerable amount of time to run.
Are there plans to improve the performance of the module? I would ideally like to be able to use it to force immediate installation of updates across servers or stagger them.
Ansible isn’t doing anything magic around Windows Updates (other than synchronous application) - we’re just using the Windows Update client API, so it should take about the same amount of time via Ansible as it would to do it interactively. If you’re doing something like booting a 2008R2 RTM image and hitting it with win_updates, it may possibly take hours and numerous reboots…
Running from a local WSUS server instead of public Windows Update servers can shave a HUGE amount of time off the process as well - public WU servers have extremely variable performance. In my testing when building win_updates, during peak times, just doing an update check on a fully-patched host against public WU could take upwards of 10min, where using WSUS would be 15-30sec.
Do you have any other specific asks about win_updates around perf (besides “make it faster”, as we’re pretty much at Microsoft’s mercy on that one)? The only one we’ve gotten a few times (that I’ll probably try to do something about in 2.3) is to allow idempotent application of a list of specific updates (e.g., emergency vulnerability mitigation).
-Matt
Hi Matt,
Thanks for the quick reply. Well, in our scenario we have 100+ servers we’re looking at patching using the simple combo of WSUS and Ansible. Our policies set the servers to download the updates from WSUS prior to us doing the Ansible side. This way the updates are literally waiting to be installed when we run our playbook. The issue seems to be that although the playbook works, it takes longer than if I manually log on to each server and run updates. Given that we have a set window for updates, not being able to tell how long or even estimate with the automation makes it difficult to put forward the playbook as a solution. Is there anything going forward with regards to possible integration of PowerShell on Linux for the Windows modules?
Could you have a ‘canary’ group that you apply the updates to and get timings for that, before rolling out to your other hosts?
How would PowerShell on Linux help?
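
The canary approach suggested above could look like the following playbook, which is an added example and not code posted by anyone in this thread. The inventory group names `canary` and `windows`, the batch size and the failure threshold are assumptions; timing is taken on the control node and includes any reboot.

```yaml
# Added example. "canary" and "windows" are hypothetical inventory groups.
- name: Patch canary hosts first and time the run
  hosts: canary
  any_errors_fatal: true        # a canary failure stops the wider rollout
  tasks:
    - name: Record start time on the control node
      set_fact:
        patch_start: "{{ lookup('pipe', 'date +%s') }}"

    - name: Install updates already downloaded from WSUS
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: installed
      register: canary_updates

    - name: Reboot if the update run requires it
      win_reboot:
      when: canary_updates.reboot_required

    - name: Report duration and counts for maintenance-window planning
      debug:
        msg: >-
          {{ inventory_hostname }}: installed
          {{ canary_updates.installed_update_count }} update(s),
          failed {{ canary_updates.failed_update_count }}, in
          {{ (lookup('pipe', 'date +%s') | int) - (patch_start | int) }} seconds

- name: Patch the remaining hosts in staggered batches
  hosts: "windows:!canary"
  serial: 10                    # assumed batch size
  max_fail_percentage: 20       # assumed threshold for aborting the rollout
  tasks:
    - name: Install the same update categories
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: installed
      register: batch_updates

    - name: Reboot if the update run requires it
      win_reboot:
      when: batch_updates.reboot_required
```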