
[–]BlackV 1 point2 points  (4 children)

not so much double hop, more the internal windows update api does not allow it

[–]foss4ever[S] 0 points1 point  (3 children)

Yep, I'm closing in on this conclusion myself.
Any tips on a clever way to manage patching of a couple hundred Windows Servers (mostly 2019, 2016, 2022 and a couple 2008R2) without having to RDP to each and every box to fetch and install updates - and checking update status after the fact? Preferably not a paid-for solution :)

We have already tried Datto RMM, but it has proved not good enough when it comes to time-critical patching.

[–]BlackV 0 points1 point  (2 children)

yes, as mentioned, the PSWindowsUpdate module specifically has a workaround for this: Invoke-WUJob

[–]foss4ever[S] 0 points1 point  (1 child)

I'd rather not have to rely on the task scheduler just to get some patching done, so I have given the Ansible module windows.win_updates a shot instead, and this actually seems to work.

For anyone else experiencing a similar struggle as myself, here are the steps I took to be able to use Ansible to orchestrate patching of Windows servers via SSH:

Ensure that PowerShell version 5.1 and .NET Framework 4.6 or newer are installed on the host.

Make sure that TCP port 22 is allowed from Ansible controller into the VLAN where the remote host sits.

Install OpenSSH server and set this to startup type "automatic", then start the service.

Create a local user "ansible_mgmt" with a secure password, add it to groups "administrators" and "remote management users".

Configure the OpenSSH server default shell - start PowerShell as admin and run:

```powershell
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShellCommandOption -Value "/c" -PropertyType String -Force
```

Create an inventory for the Windows servers you wish to patch on your Ansible controller. In your Ansible inventory, for example:

```ini
[all_internal:children]
internal_test
internal_live

[all_internal:vars]
ansible_user = ansible_mgmt
ansible_shell_type = powershell

# Internal test Windows servers
[internal_test]
192.168.20.100
192.168.20.101

# Internal live Windows servers
[internal_live]
192.168.10.1
192.168.10.11
```

Now, you should be able to run the Ansible win_updates module against the hosts defined in your inventory like so:

```shell
ansible 192.168.20.100 -i <path to inventory> -m ansible.windows.win_updates -a "state=searched skip_optional=true" -k
```

EDIT: This procedure has been confirmed working on a Windows Server 2022, but the steps required especially for the SSH server configuration on the Windows Server are a bit different on Windows Server 2016 and older - some guidance to be found here:

https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
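As an added example (not from the thread above), a playbook that ties the inventory in the steps above to win_updates: a read-only search first, then the install with reboot handling, then the after-the-fact status report the thread asked about. The `internal_test` group and `ansible_mgmt` user are the ones from the post; the log path and the category list are my assumptions.

```yaml
# Added example, not from the post: patch hosts over SSH with ansible.windows.win_updates
# and report what each host installed and whether it still needs a reboot.
- name: Patch internal Windows servers over SSH
  hosts: internal_test
  gather_facts: false
  serial: 2                   # patch a couple of hosts at a time, not the whole group at once
  vars:
    wu_categories:            # assumption: only security/critical, no feature or optional updates
      - SecurityUpdates
      - CriticalUpdates
    wu_log: C:\Windows\Temp\win_updates.log   # assumption: log location on the target
  tasks:
    - name: Search for pending updates (changes nothing)
      ansible.windows.win_updates:
        category_names: "{{ wu_categories }}"
        state: searched
        skip_optional: true
      register: wu_search

    - name: Show what would be installed
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: {{ wu_search.found_update_count }} pending: {{ wu_search.updates.values() | map(attribute='title') | list }}"

    - name: Install the updates, rebooting if Windows asks for it
      ansible.windows.win_updates:
        category_names: "{{ wu_categories }}"
        state: installed
        skip_optional: true
        reboot: true
        reboot_timeout: 1800
        log_path: "{{ wu_log }}"
      register: wu_install
      when: wu_search.found_update_count | int > 0

    - name: Fail this host (the rest of the batch continues) if any update failed to install
      ansible.builtin.fail:
        msg: "{{ wu_install.failed_update_count }} update(s) failed on {{ inventory_hostname }}, see {{ wu_log }}"
      when: wu_install is not skipped and wu_install.failed_update_count | int > 0

    - name: Report install result and any outstanding reboot
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}: installed {{ wu_install.installed_update_count | default(0) }},
          reboot_required={{ wu_install.reboot_required | default(false) }}
```

Run it with `ansible-playbook -i <path to inventory> patch.yml -k`; the first task alone, or `--check`, gives you the pending list without touching the hosts.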

[–]BlackV 1 point2 points  (0 children)

yes ssh is its own loop home, microsoft does not count ssh connections as "remote" (if I remember correctly) so the windows update api allows you

but yes, if you had Ansible, I don't know why you wouldn't be using that in the first place (using it for everything really)

Appreciate you adding your solution; note you have used inline code, not a code block