Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

win_update not showing stable .net update when suppressing Preview updates #407

Open
agibson2 opened this issue Sep 5, 2022 · 3 comments

Comments

@agibson2
Copy link
Contributor

agibson2 commented Sep 5, 2022

SUMMARY

The goal that I have is to suppress Preview updates but in doing so, It hides stable version of the same update.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_update

ANSIBLE VERSION
ansible [core 2.12.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/testuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/testuser/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.10 (main, Feb  9 2022, 00:00:00) [GCC 11.2.1 20220127 (Red Hat 11.2.1-9)]
  jinja version = 2.11.3
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.general 4.5.0
CONFIGURATION
The output is empty
OS / ENVIRONMENT

Rocky Linux 9.0 (RHEL 9) fully updated as of 2022-09-05
Using OS provided packages for Ansible with a pip installed pywinrm (not available from the OS as RPM).

STEPS TO REPRODUCE
  1. Set windows 10 system to automatically download but not install updates.
  2. Don't update a windows 10 system until near the end of the month until Microsoft releases preview updates for .net. This will allow there to be a stable version of .net cumulative update (non-security) available and a newer preview update available for .net.
  3. Go to the GUI and it will show that there is a cumulative .net update pending install but also near the bottom an optional preview update available to update.
  4. Set a reject_list of ' Preview ' for your win_updates task
    reject_list:
    • ' Preview '
  5. Perform a check and you will see that that the stable version of the .net update is not offered. It only shows that the preview is filtered.
EXPECTED RESULTS

Filtering of the Preview should allow the stable .net version to be offered for update.

ACTUAL RESULTS

Output from -vvv for win_update showing that only the Preview is seen (but correctly filtered). Not offering the stable update that is also needed though.

changed: [win10-test] => {
    "changed": true,
    "failed_update_count": 0,
    "filtered_updates": {
        "03922492-75c6-4fe8-adfc-5e6af373ffb5": {
            "categories": [
                "Definition Updates",
                "Microsoft Defender Antivirus"
            ],
            "downloaded": false,
            "filtered_reason": "category_names",
            "filtered_reasons": [
                "category_names"
            ],
            "id": "03922492-75c6-4fe8-adfc-5e6af373ffb5",
            "installed": false,
            "kb": [
                "2267602"
            ],
            "title": "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.373.1583.0)"
        },
        "710baea7-9c56-4782-9200-5d92c9bdb221": {
            "categories": [
                "Updates",
                "Windows 10 LTSB",
                "Windows 10, version 1903 and later"
            ],
            "downloaded": false,
            "filtered_reason": "blacklist",
            "filtered_reasons": [
                "reject_list"
            ],
            "id": "710baea7-9c56-4782-9200-5d92c9bdb221",
            "installed": false,
            "kb": [
                "5016592"
            ],
            "title": "2022-08 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 (KB5016592)"
        },
        "e47c958d-abea-4414-bb8e-0ef43e9832e2": {
            "categories": [
                "Drivers"
            ],
            "downloaded": false,
            "filtered_reason": "category_names",
            "filtered_reasons": [
                "category_names"
            ],
            "id": "e47c958d-abea-4414-bb8e-0ef43e9832e2",
            "installed": false,
            "kb": [],
            "title": "Hewlett-Packard  - Other hardware, Printer - Null Print - HP Officejet Pro 8620"
        }
    },
    "found_update_count": 3,
    "installed_update_count": 0,
    "invocation": {
        "module_args": {
            "accept_list": null,
            "category_names": [
                "CriticalUpdates",
                "SecurityUpdates",
                "Updates",
                "Update Rollups",
                "FeaturePacks"
            ],
            "log_path": "C:\\Support\\Ansible\\windowsupdates.log",
            "reboot": true,
            "reboot_timeout": 1200,
            "reject_list": [
                " Preview "
            ],
            "server_selection": "default",
            "skip_optional": true,
            "state": "installed",
            "use_scheduled_task": false
        }
    },
    "reboot_required": false,
    "updates": {
        "01f7dc80-5870-4a79-bb59-fe9071e01405": {
            "categories": [
                "Security Updates",
                "Windows 10 LTSB",
                "Windows 10, version 1903 and later"
            ],
            "downloaded": false,
            "id": "01f7dc80-5870-4a79-bb59-fe9071e01405",
            "installed": false,
            "kb": [
                "5012170"
            ],
            "title": "2022-08 Security Update for Windows 10 Version 21H2 for x64-based Systems (KB5012170)"
        },
        "8f56c3fa-2d4f-44e9-a392-76b839cdb970": {
            "categories": [
                "Security Updates"
            ],
            "downloaded": false,
            "id": "8f56c3fa-2d4f-44e9-a392-76b839cdb970",
            "installed": false,
            "kb": [
                "5016616"
            ],
            "title": "2022-08 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5016616)"
        },
        "b5292e9e-d174-4ae1-be7f-10092f940b10": {
            "categories": [
                "Update Rollups",
                "Windows 10",
                "Windows 10 LTSB",
                "Windows 10, version 1903 and later",
                "Windows 11"
            ],
            "downloaded": false,
            "id": "b5292e9e-d174-4ae1-be7f-10092f940b10",
            "installed": false,
            "kb": [
                "890830"
            ],
            "title": "Windows Malicious Software Removal Tool x64 - v5.104 (KB890830)"
        }
    }
}

Output from the Windows GUI is in the attached screenshot.
windowsupdate-win10

I am pretty sure I understand why this is happening. The Preview is a newer update so Ansible doesn't get the stable version of the update from the windows update api. I am hoping there is a solution so that the reject_list can be given to the windows update api so that any stable version of updates can still be offered. Maybe provide that as an optional thing because it might cause the reject_list'd updates to not be seen as filtered. That might be ok for things like Preview stuff though so maybe it wouldn't be a big deal. The current way it works though, you can miss some updates using reject_list if there is a preview update that supersedes a stable update.

@agibson2 agibson2 changed the title win_update not showing stable .net update when surpressing Preview updates win_update not showing stable .net update when suppressing Preview updates Sep 5, 2022
@jborean93
Copy link
Collaborator

I'll have to try to create a reproducer to see if it's possible to search again if an update was filtered. Right now we just do 1 search pass and then filter it based on the results. Trying to then see if more updates are available if certain ones are filtered should be possible but not something I've tried before so might take some time before I get around to it sorry.

@jborean93
Copy link
Collaborator

Do you happen to know of a good way to force Windows to scan for updates and display them in the GUI but not install them. I've configured the local policy to notify for download and install and then tried running things like:

wuauclt /startscan
usoclient StartScan

(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

$session = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.Search("IsInstalled = 0")

While the last one does give updates it doesn't get reflected in the settings UI which still say no updates are available at this time. I'm going to keep this VM turned on for a few hours and hopefully it does the detection during this period but knowing how to kick if off in an adhoc fashion will definitely help.

@agibson2
Copy link
Contributor Author

agibson2 commented Sep 20, 2022

I have not figured out how to do that either. Sometimes when installing updates with Ansible i see similar but oposite behavior. Updates are installed but after all reboots are done with Ansible, The GUI still thinks the updates need to be applied. I don't recall if history in the GUI shows them installed or not. If you were to then install those updates through the GUI, the system realizes they are already installed and doesn't seem to install them and removes them from the list and does show them as updated in the history.
I usually just play the wait game and then eventually they will show installed. I haven't figured out yet if that is all the time, only on some windows versions, or what.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants