win_feature : possibility to bypass WSUS server #575

Open
LaurentLienhard opened this issue Aug 1, 2024 · 2 comments

@LaurentLienhard

SUMMARY

In some cases, when WSUS is present, the installation of Windows features may fail.

ISSUE TYPE

Adding a boolean variable "bypass_wsus" (true/false) and if the variable is true change the parameter in the registry HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer

COMPONENT NAME

win_feature

ADDITIONAL INFORMATION

My example playbook

---
- name: Install windows feature in test
  hosts: rdsgtw:&test
  gather_facts: true
  collections:
    - laurentlienhard.managedwindowsserver
  tasks:
    - name: Install RDS Gateway
      ansible.builtin.import_role:
        name: install_windowsfeature
      vars:
        bypass_wsus: true 
        include_management_tools: true
        include_sub_features: false
        state: present
        win_feature: 
          - RDS-Gateway

I made an example in a test collection

My task

- name: Allow access to Microsoft Update
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    name: UseWUServer
    data: 0
    type: dword
    state: present
  register: data_changed
  when: (bypass_wsus == true)

- name: Reboot WSUS service
  ansible.windows.win_service:
    name: wuauserv
    state: restarted
  when: (data_changed.changed == true)

- name: Install Windows Feature 
  become: true
  ansible.windows.win_feature:
    name: '{{ item }}'
    include_management_tools: "{{ include_management_tools }}"
    include_sub_features: "{{ include_sub_features }}"
    state: '{{ state }}'
  loop: '{{ win_feature }}'
  register: result

- name: Deny access to Microsoft Update
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    name: UseWUServer
    data: 1
    type: dword
    state: present
  when: (data_changed.changed == true)

- name: Reboot WSUS service
  ansible.windows.win_service:
    name: wuauserv
    state: restarted
  when: (data_changed.changed == true)

@hiyokotaisa
Contributor

This could be problematic if the win_feature or win_updates modules modify the registry on the Windows node directly. When the update task fails, the registry will not be set back to the original value, and that is an unwanted change. So I think it is better to achieve this with a separate task, like you did in the playbook.
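
The separate-task approach discussed above, written so that the registry value is also put back when the feature install fails. This is an added example, not part of the issue thread or of the ansible.windows collection; it assumes the variables from the issue's playbook, and `wu_policy` and `wsus_forced` are names chosen here.

```yaml
# Added example: role tasks file. bypass_wsus, win_feature, state and the
# include_* variables come from the issue's playbook; other names are assumed.
- name: Record the current UseWUServer policy value
  ansible.windows.win_reg_stat:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    name: UseWUServer
  register: wu_policy

- name: Install features, bypassing WSUS only for the duration of the install
  vars:
    # True only when a bypass was requested and the policy currently forces WSUS.
    wsus_forced: >-
      {{ (bypass_wsus | bool) and wu_policy.exists and
      (wu_policy.value | int) != 0 }}
  block:
    - name: Allow access to Microsoft Update
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
        name: UseWUServer
        data: 0
        type: dword
      when: wsus_forced | bool

    - name: Restart the Windows Update service
      ansible.windows.win_service:
        name: wuauserv
        state: restarted
      when: wsus_forced | bool

    - name: Install Windows features
      ansible.windows.win_feature:
        name: "{{ win_feature }}"
        include_management_tools: "{{ include_management_tools }}"
        include_sub_features: "{{ include_sub_features }}"
        state: "{{ state }}"
  always:
    # Runs whether the install succeeded or failed.
    - name: Restore the recorded UseWUServer value
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
        name: UseWUServer
        data: "{{ wu_policy.value }}"
        type: dword
      when: wsus_forced | bool

    - name: Restart the Windows Update service after the restore
      ansible.windows.win_service:
        name: wuauserv
        state: restarted
      when: wsus_forced | bool
```

The `always` section runs even when the feature install fails, and the play still reports that failure afterwards, so the host does not stay pointed away from WSUS unnoticed.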
