skolo/win/ansible/windows-update.yml

---
# Install all available updates from Windows Update. See "Windows new bot setup" doc for full
# instructions.
# Requires Ansible 2.5.
- hosts: all
  tasks:
  - name: Disable deferring feature updates
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
      name: "DeferFeatureUpdates"
      data: 0
      type: dword
  - name: Disable deferring quality updates
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
      name: "DeferQualityUpdates"
      data: 0
      type: dword
  - name: Set deferral period for feature updates to 0 in UpdatePolicy
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
      name: "FeatureUpdatesDeferralInDays"
      data: 0
      type: dword
  - name: Set deferral period for feature updates to 0 in UX Settings
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
      name: "DeferFeatureUpdatesPeriodInDays"
      data: 0
      type: dword
  - name: Set deferral period for quality updates to 0 in UpdatePolicy
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
      name: "QualityUpdatesDeferralInDays"
      data: 0
      type: dword
  - name: Set deferral period for quality updates to 0 in UX Settings
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
      name: "DeferQualityUpdatesPeriodInDays"
      data: 0
      type: dword
  - name: Enable Windows Update
    win_service:
      name: wuauserv
      start_mode: manual
  # Based on example at https://docs.ansible.com/ansible/latest/modules/win_updates_module.html
  - name: Ensure WinRM starts only after the system is ready to work reliably
    win_service:
      name: WinRM
      start_mode: delayed
  # Sometimes Windows has updates already pending and the win_updates module doesn't work until
  # after a reboot.
  - name: Reboot before running Windows Update
    win_reboot:
  - name: Install updates and reboot
    win_updates:
      category_names:
        # All categories.
        - Application
        - Connectors
        - CriticalUpdates
        - DefinitionUpdates
        - DeveloperKits
        - FeaturePacks
        - Guidance
        - SecurityUpdates
        - ServicePacks
        - Tools
        - UpdateRollups
        - Updates
      reboot: yes
    register: result
    # Note that Ansible will say “FAILED - RETRYING: Install updates and reboot,” even though we're
    # just checking for additional updates.
    until: result.found_update_count == 0
    retries: 4
  - debug:
      msg: "Result of win_updates:\n{{ result }}"
  - name: Enable deferring feature updates
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
      name: "DeferFeatureUpdates"
      data: 1
      type: dword
  - name: Set deferral period for feature updates to 365 in UpdatePolicy
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
      name: "FeatureUpdatesDeferralInDays"
      data: 365
      type: dword
  - name: Set deferral period for feature updates to 365 in UX Settings
    win_regedit:
      path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
      name: "DeferFeatureUpdatesPeriodInDays"
      data: 365
      type: dword
  # We do not defer quality updates because they rarely cause problems.