Add SCCM support to win_updates module

[jeffcpullen]

Summary

I am trying to patch Windows systems that are managed by SCCM. Currently, the win_updates module does not include the necessary logic to do this.

The process now for patching SCCM managed systems can only be accomplished with powershell scripts.

In a previous issue #194 it was mentioned that the win_updates module could be updated to support this use case.

It would of course be possible to have it support SCCM as well, but then a lot of logic would have to go into the backend of the windows updates module in Ansible: does a machine have SCCM client installed? No, then use WUA API. Does it have the SCCM client installed? And it also is set to have updates being managed via SCCM (because you could have the client installed yet still deliver updates in the "normal way") then use the SCCM WMI API.

But bottom line, it's not a bug.

Originally posted by @FaustoNascimento in #194 (comment)

For the use cases I've seen, automatic determination of the source of updates (WSUS vs SCCM) is not a requirement of this feature. This is information is already known or can gathered in prior steps.

Design question:

1. Would it be acceptable to leave the current logic as the default and add a parameter to use the SCCM method rather than trying to determine the method on execution?
2. Is this functionality something that needs to go in its own module?

Issue Type

Feature Idea

Component Name

ansible.windows/plugins/modules/win_updates.ps1

Additional Information

Example ansible code

- name: Exclude updates based on the update title
  ansible.windows.win_updates:
    category_name:
    - SecurityUpdates
    - CriticalUpdates
    server_selection: sccm
    reboot: yes

Example Powershell to get available updates

function SCCMUpdateList{
    param (
        [string]$Namespace 
    )
    $availableUpdates=Get-WmiObject -ComputerName "localhost" -Namespace "root\CCM\ClientSDK" -ClassName CCM_SoftwareUpdate -ErrorAction Stop -Filter ComplianceState=0

    foreach ($update in $availableUpdates)
    {
        Write-Host $update.Name
    }
    
}

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[jborean93]

Unfortunately I do not have much experience with SCCM but I am aware of how convuluted the WMI/CIM API can be for it. I've also heard rumours that it only works with the old WMI based cmdlets and it might have problems with the new CIM cmdlets. I'm unsure if this is actually true but if it is, I would be very reluctant to add it in a module when the WMI cmdlets are going away in the future.

Currently the win_updates module is very complex, it's around 17K lines and that doesn't include the action plugin side. I would be very reluctant to add even more functionality to this module and would definitely favour a dedicated module specifically for SCCM. Unfortunately at this point in time we are not planning on adding such functionality ourselves to this module. If something is wanting to write such a thing they are more than welcome to distribute it in their own collection. If it proves to be popular and shown that it works reliably through Ansible we can look at potentially migrating it into ansible.windows but that would be further down the line.