ansible-collections / ansible.windows

Windows core collection for Ansible
https://galaxy.ansible.com/ansible/windows
GNU General Public License v3.0

Error Installing Windows Server Updates with Ansible #589

Closed auxbit closed 3 months ago

auxbit commented 9 months ago
SUMMARY

Hi everyone,

I'm trying to automate Windows Updates on my servers using Ansible. I created a dedicated Administrator user on the machine to run updates with Ansible.

The updates start, but they don't install. I always get an error. I've tried on multiple installations, but the result is always an update error. However, I haven't seen this issue with Windows 11, for example, only with the Server version.

If I start these updates manually through Windows Update, they install without problems.

ISSUE TYPE

COMPONENT NAME

win.update

ANSIBLE VERSION

ansible 2.10.8 config file = None configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python3/dist-packages/ansible executable location = /usr/bin/ansible python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]

COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT

Windows Server 2022

STEPS TO REPRODUCE

EXPECTED RESULTS
ACTUAL RESULTS

TASK [Install all security updates with automatic reboots] ***** An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Invoke-WithPipeOutput, : line 1005 fatal: [dc2.auxbit.it]: FAILED! => {"changed": true, "failed_update_count": 1, "filtered_updates": {"ea67cabb-aaf1-4482-a9aa-d6048b7bc15f": {"categories": ["Definition Updates", "Microsoft Defender Antivirus"], "downloaded": false, "filtered_reason": "category_names", "filtered_reasons": ["category_names"], "id": "ea67cabb-aaf1-4482-a9aa-d6048b7bc15f", "installed": false, "kb": ["2267602"], "title": "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.802.0) - Current Channel (Broad)"}}, "found_update_count": 1, "installed_update_count": 0, "msg": "Failed to install all updates - see updates for more information", "reboot_required": false, "rebooted": false, "updates": {"a8a2d6e3-c6dc-4eb8-bcfb-8c8c7d947899": {"categories": ["Microsoft Server operating system-21H2", "Security Updates"], "downloaded": false, "failure_hresult_code": 2147944003, "failure_msg": "Unknown WUA HRESULT 2147944003 (UNKNOWN 0x80070643)", "id": "a8a2d6e3-c6dc-4eb8-bcfb-8c8c7d947899", "installed": false, "kb": ["5034439"], "title": "2024-01 Security Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5034439)"}}}

Windows Event Viewer also logs this: Installation Failure: Windows failed to install the following update with error 0x8024200B: 2024-01 Security Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5034439).

jborean93 commented 9 months ago

KB2267602 is a very problematic update: I've found Microsoft releases a new patch roughly every hour, and about 1 in 3 of them is extremely problematic to install. The following code was recently added with https://github.com/ansible-collections/ansible.windows/commit/9bb5483a6f8821d16a849245303652af2f5d3e81 and is part of the ansible.windows 2.1.0 release.

https://github.com/ansible-collections/ansible.windows/blob/c207ed49ddf73f152f56817787824a2c4ba93226/plugins/modules/win_updates.ps1#L1937-L1958

What the code does is detect whether the Windows Update API failed to install that specific KB and, if so, use a workaround that runs MpCmdRun.exe to update the definitions, which I've found is able to handle that 1-in-3 problematic update. Please update your ansible.windows version to at least 2.1.0 (which also means updating your Ansible version) and try again.
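As an added illustration of the fallback described above (this is example code, not the win_updates.ps1 implementation or any other code from the ansible.windows project), the script below takes the `updates` dictionary that win_updates returns, lists the entries that failed with an HRESULT, and, only when the failed entry is the Defender definitions update KB2267602, refreshes the signatures with `MpCmdRun.exe -SignatureUpdate` and reports the signature version before and after. The sample result dictionary is constructed for the example: it reuses the KB5034439 entry from the issue and adds a hypothetical failed KB2267602 entry in the same shape; the function names are this example's own.

```powershell
# Added example (not ansible.windows code): triage a win_updates 'updates' result and
# apply the MpCmdRun.exe fallback for the Defender definitions KB only.
$DefenderDefinitionsKb = '2267602'   # KB named in the issue

function Get-FailedUpdate {
    # Returns one object per update that is not installed and carries a failure HRESULT.
    param([Parameter(Mandatory)][hashtable]$Result)
    foreach ($id in $Result.Keys) {
        $u = $Result[$id]
        if (-not $u.installed -and $u.failure_hresult_code) {
            [pscustomobject]@{
                Id      = $id
                Kb      = ($u.kb -join ',')
                Title   = $u.title
                # Decimal HRESULT from the module output shown as the familiar 0x... form
                Hresult = ('0x{0:X8}' -f [uint32]$u.failure_hresult_code)
            }
        }
    }
}

function Invoke-DefenderSignatureFallback {
    # Runs MpCmdRun.exe -SignatureUpdate when KB2267602 is among the failed updates.
    # Returns $true if the fallback ran, $false if nothing needed doing.
    param([Parameter(Mandatory)][object[]]$Failed)
    $needsFallback = $Failed | Where-Object { $_.Kb -split ',' -contains $DefenderDefinitionsKb }
    if (-not $needsFallback) { return $false }

    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path -LiteralPath $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

    $before = (Get-MpComputerStatus).AntivirusSignatureVersion
    & $mpCmdRun -SignatureUpdate | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun.exe -SignatureUpdate exited with code $LASTEXITCODE" }
    $after = (Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Defender signature version: $before -> $after"
    return $true
}

# Constructed sample in the shape of the module's 'updates' output. The first entry is the
# KB5034439 failure from the issue; the second is a hypothetical failed KB2267602 entry.
$sample = @{
    'a8a2d6e3-c6dc-4eb8-bcfb-8c8c7d947899' = @{
        installed = $false; failure_hresult_code = 2147944003
        kb = @('5034439'); title = 'KB5034439 entry from the issue (constructed sample)'
    }
    'constructed-defender-entry' = @{
        installed = $false; failure_hresult_code = 2147944003
        kb = @('2267602'); title = 'KB2267602 entry (constructed sample)'
    }
}

$failed = @(Get-FailedUpdate -Result $sample)
$failed | Format-Table Kb, Hresult, Title -AutoSize
Invoke-DefenderSignatureFallback -Failed $failed
```

Run it in an elevated PowerShell session on the managed Windows host; KB5034439 is deliberately left alone by the fallback, since only the definitions update is known to succeed through MpCmdRun.exe.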

mtcoffee commented 7 months ago

If you are on Server Core, there is a fix from Microsoft: https://learn.microsoft.com/en-gb/answers/questions/1568326/update-kb5034439-should-not-appear-as-pending-in-a

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /f /v WinREVersion /t REG_SZ /d "10.0.20348.2201"

If you are on full Server you need to increase the size of the WinRE partition from the default size: https://support.microsoft.com/en-gb/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8
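To tell which of the two workarounds above applies before changing anything, the following added read-only check (example code, not from the page's authors or from ansible.windows) reads `InstallationType` and `WinREVersion` from the `CurrentVersion` key named in the reg add command, finds the recovery partition by its Windows RE GPT type GUID, and reports its size. The expected `WinREVersion` value is the one from the linked Microsoft answer; the `$MinimumRecoveryMB` threshold is an assumed placeholder for this example, not a figure from Microsoft, so adjust it to the size KB5034441 requires for your system.

```powershell
# Added example: report whether the Server Core or full-Server KB5034439 workaround applies.
$CurrentVersionKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ServerCoreWinREVersion = '10.0.20348.2201'  # value from the linked Microsoft answer
$RecoveryGptType        = '{de94bba4-06d2-4d8d-b9d9-a1c9c5f7bb8a}'  # Windows RE partition type
$MinimumRecoveryMB      = 1024  # ASSUMED placeholder threshold for this example

function Get-WinReReadiness {
    $props        = Get-ItemProperty -Path $CurrentVersionKey
    $isServerCore = $props.InstallationType -eq 'Server Core'
    $winReVersion = $props.WinREVersion      # $null when the value has never been set
    $recovery     = Get-Partition |
        Where-Object { $_.GptType -eq $RecoveryGptType } |
        Select-Object -First 1
    $recoveryMB   = if ($recovery) { [math]::Round($recovery.Size / 1MB) } else { $null }

    $advice = if ($isServerCore) {
        if ($winReVersion -eq $ServerCoreWinREVersion) {
            'Server Core: WinREVersion already set; no action needed'
        } else {
            "Server Core: set WinREVersion to $ServerCoreWinREVersion (see the linked answer)"
        }
    } elseif (-not $recovery) {
        'Full Server: no Windows RE partition found; review KB5034441 before installing'
    } elseif ($recoveryMB -lt $MinimumRecoveryMB) {
        "Full Server: recovery partition is ${recoveryMB} MB; enlarge it per KB5034441"
    } else {
        "Full Server: recovery partition is ${recoveryMB} MB, above the assumed threshold"
    }

    [pscustomobject]@{
        InstallationType    = $props.InstallationType
        WinREVersion        = $winReVersion
        RecoveryPartitionMB = $recoveryMB
        Advice              = $advice
    }
}

Get-WinReReadiness | Format-List
```

The script only reads registry values and partition metadata, so it is safe to run through win_shell on every host before deciding where the registry workaround or the partition resize is needed.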

jborean93 commented 3 months ago

Closing as per the above, thanks for the info.