Playbook is unable to install specified KB number updates but shows OK in playbook recap

Work Email

Jan 23, 2020, 12:46:15 PM
to Ansible Project
KB number upgrades/ security patches are not installing?
Playbook
  tasks:
   - name: Install all security, critical, and rollup updates without a scheduled task
     win_updates:
       category_names:
       - Upgrades
       - SecurityUpdates
       whitelist:
       - KB4494452
       - KB2267602
       - KB4494452
       state: installed
       register: update_result
       win_reboot: yes

For one of my servers, it's still filtering out. I have provided KB2267602. Why is it not installing?
    "changed": false,
    "filtered_updates": {
        "1b20f24b-2b80-43cb-8511-4677f3915843": {
            "categories": [
                "Definition Updates",
                "Windows Defender"
            ],
            "filtered_reason": "category_names",
            "id": "1b20f24b-2b80-43cb-8511-4677f3915843",
            "installed": false,
            "kb": [
                "2267602"
            ],
            "title": "Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2889.0)"
        }
    },
PLAY RECAP ***************************************************************************************************************************************
EC2AMAZ-3FFNIJH.CORP.MEDQIA.COM : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
MQN-CKMH5E31UM7.corp.medqia.com : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
jimmy.corp.medqia.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
mqn-huddlermpc.corp.medqia.com : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Dick Visser

Jan 23, 2020, 2:52:50 PM
to ansible...@googlegroups.com
Since it works for other hosts, the problem is related to that specific host, not Ansible.
There may be many reasons why it doesn't work.
Since Ansible is just an automation tool, it's best to try and troubleshoot things manually on that host.



Work Email

Jan 23, 2020, 3:00:01 PM
to Ansible Project
I have tried multiple machines to download the updates but it's not working. 
Playbook
  tasks:
   - name: Search and download Windows updates without installing them
     win_updates:
      state: downloaded
      win_reboot: true

Throwing error - 
fatal: [EC2AMAZ-5TQR7L8.corp.medqia.com]: FAILED! => {"changed": false, "filtered_updates": {"ca3bb521-a8ea-4e26-a563-2ad6e3108b9a": {"categories": ["Feature Packs", "Silverlight"], "filtered_reason": "category_names", "id": "ca3bb521-a8ea-4e26-a563-2ad6e3108b9a", "installed": false, "kb": ["4481252"], "title": "Microsoft Silverlight (KB4481252)"}}, "found_update_count": 2, "installed_update_count": 0, "msg": "A reboot is required before more updates can be installed", "reboot_required": true, "updates": {"46de78a6-89c2-4adc-a827-d55e913ca853": {"categories": ["Security Updates", "Windows Server 2016"], "id": "46de78a6-89c2-4adc-a827-d55e913ca853", "installed": false, "kb": ["4534271"], "title": "2020-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4534271)"}, "a4816cdf-d87e-4555-afa3-b839655fc564": {"categories": ["Update Rollups", "Windows Server 2016"], "id": "a4816cdf-d87e-4555-afa3-b839655fc564", "installed": false, "kb": ["890830"], "title": "Windows Malicious Software Removal Tool x64 - January 2020 (KB890830)"}}}

I have already enabled the command to reboot. Why is it not rebooting? I can't download or install anything through Ansible... kinda sucks.




Nick Schendel

Jan 23, 2020, 3:09:06 PM
to Ansible Project
Based on that message it appears that a reboot is required before you can install the patches. The win_updates module is not going to reboot the host after changes if it doesn't make any changes. Reboot the host manually, then try running again and I bet it goes. Otherwise you could probably put in a separate task to reboot the host first, then patch and reboot after if needed.

Jordan Borean

Jan 23, 2020, 3:20:45 PM
to Ansible Project
The filtered message says it's filtered due to category_names, here are the categories you've applied in one of your tasks
  • Upgrades
  • Security Updates
When you omit the category_names here are the categories it uses by default (as per the docs)
  • CriticalUpdates (same as "Critical Updates")
  • SecurityUpdates (same as "Security Updates")
  • UpdateRollups (same as "Update Rollups")
Here are the categories for KB2267602
  • Definition Updates
  • Windows Defender
You can see that none of the categories for KB2267602 are matching up in either of your tasks so they are being filtered out, hence the "filtered_reason": "category_names" entry in the filtered list.

For an update to not be filtered you MUST specify at least one of the categories it belongs to; you have not done this. The whitelist/blacklist is only applied to updates that have already matched the categories, as per the documentation:

The whitelist is only validated on updates that were found based on category_names. It will not force the module to install an update if it was not in the category specified.

You cannot just specify a whitelist of categories and expect them to be matched, they MUST first be part of the categories you have specified.

Jordan Borean

Jan 23, 2020, 3:24:04 PM
to Ansible Project
Then finally for your last message, I've already told you in https://groups.google.com/forum/#!topic/ansible-project/ME6fY1n7SCA why it's failing the reboot check.

Firstly
  1. The reboot option in win_updates is 'reboot: yes', not 'win_reboot: yes'; you would know that if you had read the docs and understood how the options work. The win_reboot module is a completely separate module
  2. I've said in your original post that the win_updates module only handles reboots post installation, if a reboot is required before the install it won't do that
Arguably 2 is something that we can do but it's just not something that is available right now. Feel free to submit a PR to add that functionality if you desire it.
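
A corrected version of the playbook along the lines of the replies above, as an added example that is not part of the original thread or of the Ansible docs. The host group `windows`, the `wanted_kbs` variable and the final assert task are assumptions for illustration; the assert turns a silently filtered KB into a failure instead of an "ok" in the recap.

```yaml
# Added example (not from the thread). "windows" and "wanted_kbs" are hypothetical names.
- hosts: windows
  gather_facts: no
  vars:
    wanted_kbs:
      - KB4494452
      - KB2267602
  tasks:
    # win_updates only reboots after an install, so clear a pending reboot first.
    - name: Reboot before patching so a pending reboot does not block the install
      win_reboot:

    - name: Install the requested KBs
      win_updates:
        # An update is only considered if it belongs to one of these categories;
        # the whitelist is applied afterwards and cannot pull in other categories.
        category_names:
          - Upgrades
          - SecurityUpdates
          - Definition Updates   # category reported for KB2267602 in filtered_updates
        whitelist: "{{ wanted_kbs }}"
        state: installed
        reboot: yes              # option of win_updates; win_reboot is a separate module
      register: update_result    # task keyword, so it sits at the same level as win_updates

    - name: Show which updates were filtered and why
      debug:
        var: update_result.filtered_updates

    # filtered_updates lists KB numbers without the "KB" prefix, e.g. "2267602".
    - name: Fail if a requested KB was filtered out rather than installed
      assert:
        that:
          - >-
            update_result.filtered_updates.values() | map(attribute='kb') | list
            | flatten
            | intersect(wanted_kbs | map('regex_replace', '^KB', '') | list)
            | length == 0
        fail_msg: "A requested KB was filtered; check category_names against its categories"
```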

Work-Hard

Jan 23, 2020, 8:45:51 PM
to Ansible Project

Thank you, it worked