Patching Windows servers through Ansible

As we are all aware, patching a Linux or Unix server through Ansible is a piece of cake for administrators. When it comes to Windows patching, we use Windows-native products such as SCCM or WSUS. So what is the uniform way of patching for an enterprise using a single solution? Yes, the answer is Ansible.

Let’s have a look at how to configure Ansible for a Windows server.

Configuring Ansible for patching Windows Server updates is fairly straightforward. It involves the following steps:

  1. Setting up an Ansible server
  2. Configuring Ansible authentication to communicate with Windows servers: configuring Windows Remote Management (WinRM) and setting up authentication so that Ansible can connect to the servers listed in the inventory file
  3. Creating playbooks containing Windows Server update directives: the actual playbook with the code snippets that perform the Windows updates

Setting up Ansible Server

Configuring an Ansible server is as simple as installing a supported Linux distribution such as Ubuntu, Red Hat or SUSE (Ansible can be installed only on a Linux distribution as of now, and we follow Ubuntu here).

Once Ubuntu is installed, Python is mandatory for Ansible, so let’s install Python and the two packages below: ansible and pywinrm.

What is pywinrm?

The pywinrm package is what allows Ansible to communicate with Windows servers via WinRM instead of Secure Shell (SSH).

Make sure to update the Ubuntu Linux distribution:

Also, to make Python package installation easier and more robust, let’s install pip.

What is pip?

It’s a package management system used to install and manage software packages written in Python. To install pip, run the following:

Now we can use pip to install both the pywinrm package and Ansible itself using the following two commands:

We can verify that Ansible installed successfully by querying the Ansible version with the following:

Configuring Ansible authentication

An extremely important part of Ansible configuration is configuring its authentication to communicate properly with the target Windows Servers.

The best and recommended authentication method is domain-based authentication, which uses Kerberos authentication supported by Microsoft Active Directory Services. It allows a greater level of trust for the WinRM connections as well as a centralized repository for credentials.

Configuring the WinRM connections required to connect Ansible to the Windows servers involves a few tweaks to the WinRM configuration settings on the target servers. Please refer to the Ansible docs below:

https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html

ConfigureRemotingForAnsible.ps1 script: an easy way to set up communication between Ansible and Windows hosts

This community-driven script enables WinRM properly so that it can communicate with the Ansible server. The script also enables the required Windows Firewall rules as well as PowerShell remoting, and it is an easy way to make all the necessary changes for Ansible communication at once.
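Once WinRM is enabled on the hosts, the Ansible side of the authentication setup lives in the inventory. The following is an added example, not code from the original post: a YAML inventory for a group of Windows hosts that connect over WinRM HTTPS with the Kerberos transport the post recommends. The host names, domain, realm and service account are constructed placeholders. Note that ConfigureRemotingForAnsible.ps1 also enables Basic authentication and creates a self-signed HTTPS listener, which is convenient for a lab; in production keep the Kerberos transport below and certificate validation switched on.

```yaml
# Added example (not from the original post): inventory.yml for Windows hosts
# reached over WinRM with Kerberos. Host names, domain, realm and the service
# account are constructed placeholders; replace them with your own.
all:
  children:
    windows:
      hosts:
        srv-app-01.corp.example.com:
        srv-app-02.corp.example.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5986                                 # WinRM HTTPS listener
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos                  # domain auth, no password on the wire
        ansible_winrm_server_cert_validation: validate     # 'ignore' only for a self-signed lab cert
        ansible_user: svc-ansible@CORP.EXAMPLE.COM         # domain account; realm in upper case
```

Kerberos support in pywinrm is an optional extra, so install it as `pip install "pywinrm[kerberos]"` on the control node. Obtain a ticket for the service account with `kinit svc-ansible@CORP.EXAMPLE.COM` (or set ansible_password in a vault to let pywinrm request one), then confirm connectivity with `ansible windows -i inventory.yml -m win_ping` before running any patching play.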

Automate Windows updates with Ansible

Ansible includes powerful modules “out of the box” that provide the mechanisms to install Windows updates on your Windows servers. These modules allow administrators to control downloading and installing Windows updates on their servers. They download Windows updates from the location configured on the server (either Microsoft or WSUS) and then install them as directed by Ansible. The win_updates module automates the various aspects of installing Windows updates. Let’s look at a few examples.

win_updates: download and install Windows updates

More information is available at https://docs.ansible.com/ansible/latest/modules/win_updates_module.html

Below are a few playbook examples for Windows updates.

If you want to install Windows updates by category, you can specify the category in the win_updates directive of the Ansible playbook.

In that case the category_names directive specifies the type of updates to download and apply.

If you want to install only specific updates, selected by KB number within a category, you can list those updates via the whitelist directive in the YAML code.

If you simply want to check for missing updates, you can run the following:

What if you want to install the updates and reboot when the result records that a reboot is necessary?
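The snippets above each show one directive in isolation. The play below is an added example, not code from the original post, that ties them together into the sequence a patch window actually needs: search first without changing anything, report the count, install only when something is missing, let the module reboot as required, and fail the host if a reboot is still pending afterwards. The group name windows, the batch size, the log path and the timeout are assumptions; the return fields found_update_count and reboot_required are what win_updates actually returns.

```yaml
# Added example (not from the original post): a controlled Windows patch play.
# Group name, serial size, log path and reboot_timeout are assumptions.
# Short module names match the post; in current Ansible they live in the
# ansible.windows collection (ansible.windows.win_updates).
- name: Patch Windows servers in controlled batches
  hosts: windows
  serial: 2                      # patch two hosts at a time, keep the rest serving
  max_fail_percentage: 0         # stop the rollout as soon as one host fails
  tasks:
    - name: Search for missing security and critical updates (no changes yet)
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: searched
        log_path: C:\ansible_wu.txt
      register: wu_search

    - name: Report what would be installed on each host
      debug:
        msg: "{{ inventory_hostname }}: {{ wu_search.found_update_count }} update(s) missing"

    - name: Install the updates and reboot if Windows reports one is needed
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        log_path: C:\ansible_wu.txt
        reboot: yes
        reboot_timeout: 1800     # seconds to wait for the host to come back
      register: wu_install
      when: wu_search.found_update_count | int > 0

    - name: Fail the host if a reboot is still pending after installation
      fail:
        msg: "{{ inventory_hostname }} still requires a reboot; investigate before the next batch"
      when: wu_install is not skipped and wu_install.reboot_required
```

Run it with `ansible-playbook -i inventory.yml patch_windows.yml --limit windows`. Because serial and max_fail_percentage are set, a host that fails to install or to come back from its reboot stops the rollout before the remaining batches are touched, and the per-host log at C:\ansible_wu.txt records exactly which KBs were applied.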

A few other examples from the Ansible documentation:

- name: Install all security, critical, and rollup updates
  win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups

- name: Install only security updates
  win_updates:
    category_names: SecurityUpdates

- name: Search-only, return list of found updates (if any), log to c:\ansible_wu.txt
  win_updates:
    category_names: SecurityUpdates
    state: searched
    log_path: c:\ansible_wu.txt

- name: Install all security updates with automatic reboots
  win_updates:
    category_names:
      - SecurityUpdates
    reboot: yes

- name: Install only particular updates based on the KB numbers
  win_updates:
    category_names:
      - SecurityUpdates
    whitelist:
      - KB4056892
      - KB4073117

- name: Exclude updates based on the update title
  win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
    blacklist:
      - Windows Malicious Software Removal Tool for Windows
      - \d{4}-\d{2} Cumulative Update for Windows Server 2016

# Note: async works on Windows Server 2012 or newer; become must be explicitly set on the task for this to work
- name: Search for Windows updates asynchronously
  win_updates:
    category_names:
      - SecurityUpdates
    state: searched
  async: 180
  poll: 10
  register: updates_to_install
  become: yes
  become_method: runas
  become_user: SYSTEM

# Async can also be run in the background in a fire-and-forget fashion
- name: Search for Windows updates asynchronously (poll and forget)
  win_updates:
    category_names:
      - SecurityUpdates
    state: searched
  async: 180
  poll: 0
  register: updates_to_install_async

- name: Get status of Windows Update async job
  async_status:
    jid: '{{ updates_to_install_async.ansible_job_id }}'
  register: updates_to_install_result
  become: yes
  become_method: runas
  become_user: SYSTEM