ansible-collections / ansible.windows

Windows core collection for Ansible
https://galaxy.ansible.com/ansible/windows
GNU General Public License v3.0

ansible.windows.win_updates not applying cumulative updates correctly #180

Closed dpower1985 closed 3 years ago

dpower1985 commented 3 years ago
SUMMARY

When running the ansible.windows.win_updates module Cumulative security updates for Windows Server 2019 are not being correctly installed on target hosts. During a first run of the module the cumulative update shows as being installed successfully, however on subsequent runs of the module it detects that the same update is still outstanding installation and so attempts to install it again.

Opening the Control Panel in the OS shows the update as installed, but on opening the built in Windows Updater the update is detected as not installed and then once again installed via Windows. After the first pass the subsequent installations by both the windows_updates module and the built in Windows Updater are extremely quick, so it appears the first pass is actually performing the installation but not then marking it as correctly installed.

This is coming from a fresh vanilla installation of Windows Server 2019 being built in Packer with Packer invoking the ansible playbooks. The only configuration carried out prior to Ansible playbook is configuration of WinRM and creation of additional local administrator account, performed in autounattend.xml

Other updates appear to install correctly, but not the larger cumulative update.

ISSUE TYPE
COMPONENT NAME

ansible.windows.windows_updates

ANSIBLE VERSION
ansible 2.10.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.17 (default, Sep 30 2020, 13:38:04) [GCC 7.5.0]
CONFIGURATION
No output
OS / ENVIRONMENT

Target OS is Windows Server 2019

STEPS TO REPRODUCE
- name: Configure WinRM for updates
  ansible.windows.win_service:
    name: WinRM
    start_mode: delayed

- name: Pre Update Check
  ansible.windows.win_updates:
    category_names:
      - Application
      - Connectors
      - CriticalUpdates
      - DefinitionUpdates
      - DeveloperKits
      - FeaturePacks
      - Guidance
      - SecurityUpdates
      - ServicePacks
      - Tools
      - UpdateRollups
      - Updates
    state: searched
    log_path: C:\Windows\Temp\Pre-AllUpdatesFound.txt

- name: First update run
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups
      - Updates
    reboot: no
    state: installed
    blacklist:
      - Windows Malicious Software Removal Tool
    log_path: C:\Windows\Temp\ansible_updates_first_run.txt

- name: First update run reboot
  win_reboot:
    reboot_timeout: 3600

- name: Second update run
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups
      - Updates
    reboot: no
    state: installed
    blacklist:
      - Windows Malicious Software Removal Tool
    log_path: C:\Windows\Temp\ansible_updates_second_run.txt

- name: Second update run reboot
  win_reboot:
    reboot_timeout: 3600

- name: Third update run
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
      - CriticalUpdates
      - UpdateRollups
      - Updates
    reboot: no
    state: installed
    blacklist:
      - Windows Malicious Software Removal Tool
    log_path: C:\Windows\Temp\ansible_updates_third_run.txt

- name: Third update run reboot
  win_reboot:
    reboot_timeout: 3600

- name: Post Update Check
  ansible.windows.win_updates:
    category_names:
      - Application
      - Connectors
      - CriticalUpdates
      - DefinitionUpdates
      - DeveloperKits
      - FeaturePacks
      - Guidance
      - SecurityUpdates
      - ServicePacks
      - Tools
      - UpdateRollups
      - Updates
    state: searched
    log_path: C:\Windows\Temp\Post-AllUpdatesFound.txt

- name: Set WinRM back to standard settings
  ansible.windows.win_service:
    name: WinRM
    start_mode: auto

EXPECTED RESULTS

Installation of updates to complete successfully

ACTUAL RESULTS

As can be seen in the log below the same update, 2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345) is picked up as requiring installation in all three runs, then shows as not being present in the post-update search run.

First run update log

2021-02-12 07:43:28Z Adding update 1abb2377-20ef-43ff-aabc-0de4711ab205 - 2020-10 Security Update for Adobe Flash Player for Windows Server 2019 for x64-based Systems (KB4580325)
2021-02-12 07:43:28Z Skipping update 7fc75501-1b97-4df1-932e-55c7451a14aa - Windows Malicious Software Removal Tool x64 - v5.86 (KB890830) as it was found in the blacklist
2021-02-12 07:43:28Z Adding update 3c114126-d4ec-42c6-b563-fd11b8c15b46 - 2021-02 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows Server 2019 for x64 (KB4601887)
2021-02-12 07:43:28Z Skipping update 9f19993c-d2de-4ebe-a8ab-9c9edfff44a0 - Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.331.789.0) as it was not found in the category names filter
2021-02-12 07:43:28Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e - 2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)

2021-02-12 07:44:21Z Adding update 1abb2377-20ef-43ff-aabc-0de4711ab205
2021-02-12 07:44:21Z Adding update 3c114126-d4ec-42c6-b563-fd11b8c15b46
2021-02-12 07:44:21Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e
2021-02-12 08:03:13Z Update (1 of 3) 1abb2377-20ef-43ff-aabc-0de4711ab205 succeeded
2021-02-12 08:03:13Z Update (2 of 3) 3c114126-d4ec-42c6-b563-fd11b8c15b46 succeeded
2021-02-12 08:03:13Z Update (3 of 3) bcd58b64-3cef-42da-b169-a66060ae195e succeeded

"bcd58b64-3cef-42da-b169-a66060ae195e":  {
                                                                 "id":  "bcd58b64-3cef-42da-b169-a66060ae195e",
                                                                 "title":  "2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)",
                                                                 "categories":  [
                                                                                    "Security Updates"
                                                                                ],
                                                                 "kb":  [
                                                                            "4601345"
                                                                        ],
                                                                 "installed":  true
                                                             }

Second update log

2021-02-12 08:15:08Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e - 2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)

2021-02-12 08:15:09Z Update (2 of 2) bcd58b64-3cef-42da-b169-a66060ae195e already downloaded, skipping...
2021-02-12 08:15:09Z Installing updates...
2021-02-12 08:15:09Z Creating installer object...
2021-02-12 08:15:09Z Creating install collection...
2021-02-12 08:15:09Z Adding update 33a64099-ba99-4e7f-a2d7-cf7d7fc4029f
2021-02-12 08:15:09Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e
2021-02-12 08:15:13Z Update (1 of 2) 33a64099-ba99-4e7f-a2d7-cf7d7fc4029f succeeded
2021-02-12 08:15:13Z Update (2 of 2) bcd58b64-3cef-42da-b169-a66060ae195e succeeded

"bcd58b64-3cef-42da-b169-a66060ae195e":  {
                                                                 "id":  "bcd58b64-3cef-42da-b169-a66060ae195e",
                                                                 "title":  "2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)",
                                                                 "categories":  [
                                                                                    "Security Updates"
                                                                                ],
                                                                 "kb":  [
                                                                            "4601345"
                                                                        ],
                                                                 "installed":  true
                                                             }

Third update log

2021-02-12 08:18:26Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e - 2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)

2021-02-12 08:18:26Z Update (1 of 1) bcd58b64-3cef-42da-b169-a66060ae195e already downloaded, skipping...
2021-02-12 08:18:26Z Installing updates...
2021-02-12 08:18:26Z Creating installer object...
2021-02-12 08:18:26Z Creating install collection...
2021-02-12 08:18:26Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e
2021-02-12 08:18:27Z Update (1 of 1) bcd58b64-3cef-42da-b169-a66060ae195e succeeded

"bcd58b64-3cef-42da-b169-a66060ae195e":  {
                                                                 "id":  "bcd58b64-3cef-42da-b169-a66060ae195e",
                                                                 "title":  "2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)",
                                                                 "categories":  [
                                                                                    "Security Updates"
                                                                                ],
                                                                 "kb":  [
                                                                            "4601345"
                                                                        ],
                                                                 "installed":  true
                                                             }

After all update runs are complete a search pass of the module shows the same update as not installed,

"bcd58b64-3cef-42da-b169-a66060ae195e":  {
                                                                 "categories":  [
                                                                                    "Security Updates"
                                                                                ],
                                                                 "title":  "2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)",
                                                                 "id":  "bcd58b64-3cef-42da-b169-a66060ae195e",
                                                                 "installed":  false,
                                                                 "kb":  [
                                                                            "4601345"
                                                                        ]
                                                             },

jborean93 commented 3 years ago

Sorry for not getting back to you earlier on this, I've tried to replicate this problem but cannot. I ran the following playbook twice on a Server 2019 host

- hosts: '2019'
  gather_facts: no
  tasks:
  - win_updates:
      category_names:
      - Security Updates
      state: installed
      log_path: C:\temp\wua.log
    register: res

  - win_reboot:
    when: res.reboot_required

The log produced the following output

2021-03-08 12:38:00Z WUA is available in current logon process, running natively
2021-03-08 12:38:00Z Creating Windows Update session...
2021-03-08 12:38:00Z Create Windows Update searcher...
2021-03-08 12:38:00Z Setting the Windows Update Agent source catalog...
2021-03-08 12:38:00Z Requested search source is 'default'
2021-03-08 12:38:00Z Search source set to 'default' (ServerSelection = 0)
2021-03-08 12:38:00Z Searching for updates to install
2021-03-08 12:38:04Z Found 1 updates
2021-03-08 12:38:04Z Creating update collection...
2021-03-08 12:38:04Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e - 2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)
2021-03-08 12:38:04Z Calculating pre-install reboot requirement...
2021-03-08 12:38:04Z No reboot is pending...
2021-03-08 12:38:04Z Downloading updates...
2021-03-08 12:38:04Z Creating downloader object...
2021-03-08 12:38:04Z Creating download collection...
2021-03-08 12:38:04Z Adding update (1 of 1) bcd58b64-3cef-42da-b169-a66060ae195e
2021-03-08 12:38:04Z Downloading (1 of 1) bcd58b64-3cef-42da-b169-a66060ae195e
2021-03-08 12:39:15Z Download result code for (1 of 1) bcd58b64-3cef-42da-b169-a66060ae195e = 2
2021-03-08 12:39:15Z Installing updates...
2021-03-08 12:39:15Z Creating installer object...
2021-03-08 12:39:15Z Creating install collection...
2021-03-08 12:39:15Z Adding update bcd58b64-3cef-42da-b169-a66060ae195e
2021-03-08 12:50:57Z Update (1 of 1) bcd58b64-3cef-42da-b169-a66060ae195e succeeded
2021-03-08 12:50:57Z Performing post-install reboot requirement check...
2021-03-08 12:50:57Z Return value:
{
    "updates":  {
                    "bcd58b64-3cef-42da-b169-a66060ae195e":  {
                                                                 "id":  "bcd58b64-3cef-42da-b169-a66060ae195e",
                                                                 "title":  "2021-02 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4601345)",
                                                                 "categories":  [
                                                                                    "Security Updates"
                                                                                ],
                                                                 "kb":  [
                                                                            "4601345"
                                                                        ],
                                                                 "installed":  true
                                                             }
                },
    "failed_update_count":  0,
    "found_update_count":  1,
    "changed":  true,
    "reboot_required":  true,
    "installed_update_count":  1,
    "filtered_updates":  {

                         }
}
2021-03-08 12:50:57Z Native job completed with output:
Name                           Value
----                           -----
updates                        {bcd58b64-3cef-42da-b169-a66060ae195e}
failed_update_count            0
found_update_count             1
changed                        True
reboot_required                True
installed_update_count         1
filtered_updates               {}

On the 2nd run

2021-03-08 12:54:52Z WUA is available in current logon process, running natively
2021-03-08 12:54:52Z Creating Windows Update session...
2021-03-08 12:54:52Z Create Windows Update searcher...
2021-03-08 12:54:52Z Setting the Windows Update Agent source catalog...
2021-03-08 12:54:52Z Requested search source is 'default'
2021-03-08 12:54:53Z Search source set to 'default' (ServerSelection = 0)
2021-03-08 12:54:53Z Searching for updates to install
2021-03-08 12:55:00Z Found 1 updates
2021-03-08 12:55:00Z Creating update collection...
2021-03-08 12:55:00Z Skipping update f71124b3-83b4-4dd4-918d-09490a61f861 - Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.331.2638.0) as it was not found in the category names filter
2021-03-08 12:55:00Z Calculating pre-install reboot requirement...
2021-03-08 12:55:00Z Native job completed with output:
Name                           Value
----                           -----
updates                        {}
found_update_count             0
changed                        False
reboot_required                False
installed_update_count         0
filtered_updates               {f71124b3-83b4-4dd4-918d-09490a61f861}

It goes to show that the update was installed and the subsequent run didn't detect it still needed to be installed. I'm not sure what else it could be, all these results are based on what the Windows Update API returns, we aren't actually checking if these updates are installed, just asking WUA to get the list and telling it what ones to install.

If you do come across it again you can use the following PowerShell code to try and get some more information about the update itself. It might contain some helpful info that could indicate what is going wrong.

$session = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searchResult = $searcher.Search("IsInstalled = 0")

$searchResult.Updates | ForEach-Object -Process {
    [PSCustomObject]@{
        Title = $_.Title
        AutoSelectOnWebSites = $_.AutoSelectOnWebSites
        CanRequireSource = $_.CanRequireSource
        Categories = $_.Categories | ForEach-Object -Process {
            [PSCustomObject]@{
                Name = $_.Name
                CategoryID = $_.CategoryID
                Description = $_.Description
                Type = $_.Type
            }
        }
        Deadline = $_.Deadline
        DeltaCompressedContentAvailable = $_.DeltaCompressedContentAvailable
        DeltaCompressedContentPreferred = $_.DeltaCompressedContentPreferred
        Description = $_.Description
        EulaAccepted = $_.EulaAccepted
        EulaText = $_.EulaText
        HandlerID = $_.HandlerID
        Image = $_.Image
        InstallationBehavior = [PSCustomObject]@{
            CanRequestUserInput = $_.InstallationBehavior.CanRequestUserInput
            Impact = switch ($_.InstallationBehavior.Impact) {
                0 { 'Normal' }
                1 { 'Minor' }
                2 { 'RequiresExclusiveHandling' }
                default { $_ }
            }
            RebootBehavour = switch ($_.InstallationBehavior.RebootBehavior) {
                0 { 'NeverReboots' }
                1 { 'AlwaysRequiresReboot' }
                2 { 'CanRequestReboot' }
                default { $_ }
            }
            RequiresNetworkConnectivity = $_.InstallationBehavior.RequiresNetworkConnectivity
        }
        IsBeta = $_.IsBeta
        IsDownloaded = $_.IsDownloaded
        IsHidden = $_.IsHidden
        IsInstalled = $_.IsInstalled
        IsMandatory = $_.IsMandatory
        IsUninstallable = $_.IsUninstallable
        LastDeploymentChangeTime = $_.LastDeploymentChangeTime
        MaxDownloadSize = $_.MaxDownloadSize
        MinDownloadSize = $_.MinDownloadSize
        MsrcSeverity = $_.MsrcSeverity
        RecommendedCpuSpeed = $_.RecommendedCpuSpeed
        RecommendedHardDiskSpace = $_.RecommendedHardDiskSpace
        RecommendedMemory = $_.RecommendedMemory
        ReleaseNotes = $_.ReleaseNotes
        SupportUrl = $_.SupportUrl
        Type = switch ($_.Type) {
            1 { 'Software' }
            2 { 'Driver' }
            default { $_ }
        }
        UninstallationNotes = $_.UninstallationNotes
        UninstallationBehavior = [PSCustomObject]@{
            CanRequestUserInput = $_.UninstallationBehavior.CanRequestUserInput
            Impact = switch ($_.UninstallationBehavior.Impact) {
                0 { 'Normal' }
                1 { 'Minor' }
                2 { 'RequiresExclusiveHandling' }
                default { $_ }
            }
            RebootBehavour = switch ($_.UninstallationBehavior.RebootBehavior) {
                0 { 'NeverReboots' }
                1 { 'AlwaysRequiresReboot' }
                2 { 'CanRequestReboot' }
                default { $_ }
            }
            RequiresNetworkConnectivity = $_.UninstallationBehavior.RequiresNetworkConnectivity
        }
        KBArticleIDs = $null
        DeploymentAction = switch ($_.DeploymentAction) {
            0 { 'None' }
            1 { 'Installation' }
            2 { 'Uninstallation' }
            3 { 'Detection' }
            default { $_ }
        }
        DownloadPriority = switch ($_.DownloadPriority) {
            0 { 'Low' }
            1 { 'Normal' }
            2 { 'High' }
            3 { 'ExtraHigh' }
            default { $_ }
        }
        RebootRequired = $_.RebootRequired
        IsPresent = $_.IsPresent
        BrowseOwnly = $_.BrowseOnly  # the WUA property is BrowseOnly; label kept as posted so it matches the output shown later
        PerUser = $_.PerUser
        AutoSelection = switch ($_.AutoSelection) {
            0 { 'LetWindowsUpdateDecide' }
            1 { 'AutoSelectIfDownloaded' }
            2 { 'NeverAutoSelect' }
            3 { 'AlwaysAutoSelect' }
            default { $_ }
        }
        AutoDownload = switch ($_.AutoDownload) {
            0 { 'LetWindowsUpdateDecide' }
            1 { 'NeverAutoDownload' }
            2 { 'AlwaysAutoDownload' }
            default { $_ }
        }
    }
}

dpower1985 commented 3 years ago

Thanks for getting back to me!

Very strange, I was still seeing the issue on every host I was building (And seeing the same issue on Windows Server 2016). I'm not currently at work but will be back next week and will do some more testing, along with trying out that Powershell code you've suggested. I'll put it into a script and set it to run prior to and after the update tasks to compare.

jborean93 commented 3 years ago

Just an FYI, if you are running it through Packer/WinRM you are going to have to "elevate" it somehow. For Ansible we have become; there's also the option of psexec or running it in a scheduled task.

dpower1985 commented 3 years ago

So I've tried again but I'm still seeing the same issues. I've tried the following methods for installing the updates,

- name: First update run
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
    reboot: no
    state: installed
    log_path: C:\Windows\Temp\ansible_updates_first_run.txt

- name: First update run reboot
  win_reboot:
    reboot_timeout: 3600

- name: First update run
  ansible.windows.win_updates:
    category_names:
      - SecurityUpdates
    state: installed
    log_path: C:\Windows\Temp\ansible_updates_first_run.txt
  vars:
    ansible_become: yes
    ansible_become_user: packer
    ansible_become_method: runas
  register: res

- name: First update run reboot
  win_reboot:
    reboot_timeout: 3600
  when: res.reboot_required

(The ansible_become_password is passed in as part of the actual packer ansible call using a secured variable)

But I'm still seeing the same issue in that the 2021-03 Cumulative update continues to be flagged in my subsequent passes as needing to be installed.

I've run the powershell script provided and this is the output for that particular update (This was run after the Ansible update runs)

Title                           : 2021-03 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB5000822)
AutoSelectOnWebSites            : True
CanRequireSource                : False
Categories                      : @{Name=Security Updates; CategoryID=0fa1201d-4330-4fa8-8ae9-b877473b6441; Description=; Type=UpdateClassification}
Deadline                        :
DeltaCompressedContentAvailable : True
DeltaCompressedContentPreferred : True
Description                     : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated
                                  Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
EulaAccepted                    : True
EulaText                        :
HandlerID                       : http://schemas.microsoft.com/msus/2016/01/UpdateHandlers/OSInstaller
Image                           :
InstallationBehavior            : @{CanRequestUserInput=False; Impact=Normal; RebootBehavour=CanRequestReboot; RequiresNetworkConnectivity=False}
IsBeta                          : False
IsDownloaded                    : True
IsHidden                        : False
IsInstalled                     : False
IsMandatory                     : False
IsUninstallable                 : False
LastDeploymentChangeTime        : 09/03/2021 00:00:00
MaxDownloadSize                 : 16588080866
MinDownloadSize                 : 0
MsrcSeverity                    :
RecommendedCpuSpeed             : 0
RecommendedHardDiskSpace        : 0
RecommendedMemory               : 0
ReleaseNotes                    :
SupportUrl                      : https://support.microsoft.com/help/5000822
Type                            : Software
UninstallationNotes             :
UninstallationBehavior          : @{CanRequestUserInput=; Impact=; RebootBehavour=; RequiresNetworkConnectivity=}
KBArticleIDs                    :
DeploymentAction                : Installation
DownloadPriority                : High
RebootRequired                  : False
IsPresent                       : False
BrowseOwnly                     :
PerUser                         : False
AutoSelection                   : AutoSelectIfDownloaded
AutoDownload                    : AlwaysAutoDownload

As can be seen the IsInstalled field shows as False, even though my Ansible logs show it as having been successfully installed and the system rebooted several times since.

dpower1985 commented 3 years ago

So it gets weirder.

Running through again the output log from Ansible still reports that KB5000822 isn't installed when I run a search, after it runs 3 sweeps of installations. The Powershell script also reports False for it being installed.

BUT if I go into the Control Panel and open Programs and Features, then use "View Installed Updates"....

It's right there saying it's installed.

Run a manual check for updates though and it gets picked up as not installed and still outstanding.

jborean93 commented 3 years ago

At this point it sounds like the cache was invalid or some other internal logic in the Windows Update API wasn't handling this properly. We are ultimately at the mercy of what the Windows Update API tells us. If it tells us the update is not installed then the module will attempt to install it. If that install was meant to have succeeded then that's what the module will report.

I can confirm that I'm still unable to replicate this problem and I've even recently built a new set of images from the RTM iso and things seem to be fine. There's a tiny possibility that the update did fail and there was a bug in the logic when it went to detect that but my logs didn't indicate this was a problem on my side. The only other possibility is that the update was rolled back on the reboot due to some problem that is outside the control of the module.

I am going to close the issue for a few reasons

If this is still a problem for you I would start looking at the Windows Update logs and see if it gives you any indication of a failure or just more info for this particular update. You can use Get-WindowsUpdateLog to generate this log file for further analysis.
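
An added example, not part of the comment above and not code from the ansible.windows project: before digging through the Windows Update logs, the conflicting views reported in this thread (WUA still offering a KB that "View Installed Updates" lists) can be collected in one pass. The function name `Get-UpdateInstallEvidence` and the verdict labels are hypothetical; the KB number in the usage line is the one quoted in the thread.

```powershell
# Added example. Cross-checks independent sources for one KB so that an
# install reported as "succeeded" but offered again can be classified.
# Run elevated on the target host (see the note on become/psexec above).
function Get-UpdateInstallEvidence {
    [CmdletBinding()]
    param(
        # KB number without the "KB" prefix
        [Parameter(Mandatory)]
        [ValidatePattern('^\d+$')]
        [string]$KB
    )

    # OperationResultCode values used by the Windows Update Agent API
    $resultCodes = @{
        0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
        3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
    }
    # Update titles carry the KB in the form "(KB5000822)"
    $pattern = "\bKB$KB\b"

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # 1. What WUA says now: is the KB still offered as not installed?
    #    A search failure (no update source reachable) is left to propagate.
    $pending = @($searcher.Search('IsInstalled = 0').Updates |
        Where-Object { $_.Title -match $pattern })
    $isPending = $pending.Count -gt 0

    # 2. What WUA recorded: every install/uninstall attempt for the KB,
    #    newest first, with the result code and HRESULT of each attempt.
    $history = @()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) {
        $history = @($searcher.QueryHistory(0, $total) |
            Where-Object { $_.Title -match $pattern } |
            Sort-Object -Property Date -Descending |
            ForEach-Object {
                [PSCustomObject]@{
                    Date      = $_.Date
                    Operation = if ($_.Operation -eq 1) { 'Installation' } else { 'Uninstallation' }
                    Result    = $resultCodes[[int]$_.ResultCode]
                    HResult   = '0x{0:X8}' -f $_.HResult
                }
            })
    }

    # 3. What servicing says: Get-HotFix reads Win32_QuickFixEngineering.
    $hotfix = Get-HotFix -Id "KB$KB" -ErrorAction SilentlyContinue

    # 4. Is a reboot still outstanding? An install is not final until then.
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $rebootPending = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired -or
        (Test-Path -Path $cbsKey)

    # Classify. 'Conflict' is the state described in this thread.
    $verdict = if (-not $isPending -and $hotfix) { 'Installed' }
    elseif (-not $isPending) { 'NotOfferedAndNotListed' }
    elseif ($rebootPending)  { 'RebootOutstanding' }
    elseif ($hotfix)         { 'Conflict' }
    else                     { 'NotInstalled' }

    [PSCustomObject]@{
        KB              = "KB$KB"
        OfferedByWua    = $isPending
        IsDownloaded    = if ($isPending) { $pending[0].IsDownloaded } else { $null }
        ListedByHotFix  = [bool]$hotfix
        HotFixInstalled = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        RebootPending   = [bool]$rebootPending
        WuaHistory      = $history
        Verdict         = $verdict
    }
}

# Usage: Get-UpdateInstallEvidence -KB 5000822 | Format-List
```

A `Conflict` verdict that survives a reboot is the point at which the `Get-WindowsUpdateLog` output is worth reading, starting from the timestamps in `WuaHistory`.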

larkoie commented 3 years ago

@dpower1985 I'm running into the exact same thing

Did you find a solution to your problem by any chance? If yes, would you have the kindness to share it?

thank you

dpower1985 commented 3 years ago

Unfortunately I never did find a solution using the ansible win_updates module. In the end I had to just use the PSWindowsUpdate PowerShell module invoked through win_shell. I haven't really gone back and taken another look since then.


larkoie commented 3 years ago

Thank you for your quick feedback. I could not find any solution either and it's happening on both win2016 and win2019 images so I really don't understand why we are facing this behavior while the majority of people seem to be good. @jborean93 did you ever face this since this issue was closed, by any chance? I'm going to explore PSWindowsUpdate with win_shell as suggested by dpower1985 but I'd rather use the "native" win_update module if I could.

vijainimmala commented 3 years ago

I am also facing the same issue as reported by dpower1985. The playbook to update win 2019 says it successfully installed the updates, but when I look at the built-in Windows Updater the update is detected as not installed. Has this issue been resolved? Looking for some help here.

agibson2 commented 3 years ago

I saw the same thing on a bunch of 2012 R2 or 2016 or 2019 (can't remember... I will pay more attention this month) with a version of Ansible that is on CentOS 7 (will have to verify version later 2.9.x). The next time the server checks for updates on some interval, it figures out that it was applied and shows as no updates to perform. You can't force a check through the GUI right away because it checked recently or something. It eventually does another check with WU and corrects itself. You can't trust the GUI right away it seems after doing the update through Ansible. This is assuming your issue is the same as mine of course.

a-stoyanov commented 2 years ago

Thought I might add a "solution" to clear the Windows update agent cache for Server 2016/19/22 for anyone who is interested.

- name: "[{{ inventory_hostname }}] Run Update Session Orchestrator check to clear GUI cached results"
  win_shell: |
    UsoClient RefreshSettings
    UsoClient ScanInstallWait

This will force the agent to refresh and correctly display the state of available updates. It still doesn't update/display updates installed via win_updates under "View Update History" gui.

agibson2 commented 2 years ago

Thanks for that info. I wonder if win_updates could run that (maybe as an option) after it reboots the system just to make sure the GUI is showing updated info (assuming it is safe to do and low overhead and actually helps)? I haven't detected this problem lately but maybe I just happened to log in to the system after it had checked. I will try to remember to test this next updates day.

dannykorpan commented 1 year ago

Hi, any updates? Having also the problem, that cumulative updates are not installing.