From b508ec4b3e8e1303fb70cca42dff2a93b08dcf69 Mon Sep 17 00:00:00 2001
From: X9 Dev <dev@x9.cz>
Date: Thu, 16 Apr 2026 14:22:36 +0200
Subject: [PATCH] feat: add Windows Update step (12) via PSWindowsUpdate module

Installs NuGet provider + PSWindowsUpdate from PSGallery, then runs
Install-WindowsUpdate -AcceptAll -IgnoreReboot. No auto-reboot -
operator restarts manually after all steps complete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 internal/config/config.go     |  1 +
 internal/runner/runner.go     |  1 +
 scripts/12-windows-update.ps1 | 88 +++++++++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 scripts/12-windows-update.ps1

diff --git a/internal/config/config.go b/internal/config/config.go
index 8800eb9..988fbea 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -77,6 +77,7 @@ func DefaultConfig() Config {
 			"backinfo":        true,
 			"activation":      true,
 			"dellUpdate":      true,
+			"windowsUpdate":   true,
 			"network":         true,
 			"pcIdentity":      true,
 		},
diff --git a/internal/runner/runner.go b/internal/runner/runner.go
index e073ce3..a85b55b 100644
--- a/internal/runner/runner.go
+++ b/internal/runner/runner.go
@@ -36,6 +36,7 @@ func AllSteps() []Step {
 		{ID: "backinfo",        Num: "07", Name: "BackInfo",                  ScriptName: "07-backinfo.ps1"},
 		{ID: "activation",      Num: "08", Name: "Windows aktivace",          ScriptName: "08-activation.ps1"},
 		{ID: "dellUpdate",      Num: "11", Name: "Dell Command | Update",      ScriptName: "11-dell-update.ps1"},
+		{ID: "windowsUpdate",   Num: "12", Name: "Windows Update",            ScriptName: "12-windows-update.ps1"},
 		{ID: "network",         Num: "09", Name: "Network discovery",         ScriptName: "10-network.ps1"},
 		{ID: "pcIdentity",      Num: "10", Name: "PC identita",               ScriptName: "09-pc-identity.ps1"},
 	}
diff --git a/scripts/12-windows-update.ps1 b/scripts/12-windows-update.ps1
new file mode 100644
index 0000000..b091e41
--- /dev/null
+++ b/scripts/12-windows-update.ps1
@@ -0,0 +1,88 @@
+<#
+.SYNOPSIS
+    Installs all available Windows Updates via PSWindowsUpdate module.
+
+.DESCRIPTION
+    Installs the PSWindowsUpdate module from PSGallery and runs a full
+    Windows Update pass. Does not auto-reboot - the operator restarts
+    manually after all deployment steps complete. Skips drivers (handled
+    by step 11 Dell Command Update or Windows Update for Business).
+
+.ITEMS
+    nainstalovat-pswindowsupdate-modul: Installs NuGet provider and PSWindowsUpdate module from PSGallery. Required only on first run - subsequent runs reuse the cached module.
+    spustit-windows-update-vsechny-aktualizace: Calls Install-WindowsUpdate -AcceptAll -IgnoreReboot. Installs all Quality, Security and Feature updates. Skips reboot - operator restarts manually after deployment completes.
+#>
+param(
+    [object]$Config,
+    [string]$LogFile
+)
+
+$ErrorActionPreference = "Continue"
+
+function Write-Log {
+    param([string]$Message, [string]$Level = "INFO")
+    $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
+    $null = New-Item -ItemType Directory -Force -Path (Split-Path $LogFile -Parent) -ErrorAction SilentlyContinue
+    Add-Content -Path $LogFile -Value $line -Encoding UTF8
+    Write-Output $line
+}
+
+Write-Log "=== Step 12 - Windows Update ===" -Level STEP
+
+# -----------------------------------------------------------------------
+# 1. NuGet provider (required for Install-Module from PSGallery)
+# -----------------------------------------------------------------------
+Write-Log "Installing NuGet provider..." -Level INFO
+try {
+    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope AllUsers | Out-Null
+    Write-Log "  NuGet provider ready" -Level OK
+} catch {
+    Write-Log "  NuGet provider install failed: $_" -Level WARN
+}
+
+# -----------------------------------------------------------------------
+# 2. PSWindowsUpdate module
+# -----------------------------------------------------------------------
+Write-Log "Installing PSWindowsUpdate module..." -Level INFO
+try {
+    $existing = Get-Module -ListAvailable -Name PSWindowsUpdate | Select-Object -First 1
+    if ($existing) {
+        Write-Log "  PSWindowsUpdate $($existing.Version) already installed" -Level INFO
+    } else {
+        Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers -AllowClobber | Out-Null
+        Write-Log "  PSWindowsUpdate installed" -Level OK
+    }
+    Import-Module PSWindowsUpdate -Force
+} catch {
+    Write-Log "  PSWindowsUpdate module setup failed: $_" -Level ERROR
+    Write-Log "  Skipping Windows Update step" -Level WARN
+    exit 1
+}
+
+# -----------------------------------------------------------------------
+# 3. Run Windows Update
+# -----------------------------------------------------------------------
+Write-Log "Checking for available updates..." -Level INFO
+
+try {
+    $updates = Get-WindowsUpdate -AcceptAll -IgnoreReboot 2>&1
+    if (-not $updates) {
+        Write-Log "  No updates available - system is up to date" -Level OK
+    } else {
+        $count = ($updates | Measure-Object).Count
+        Write-Log "  Found $count update(s) - installing..." -Level INFO
+
+        Install-WindowsUpdate -AcceptAll -IgnoreReboot -Verbose 2>&1 | ForEach-Object {
+            if ($_ -match '\S') {
+                Write-Log "  $_" -Level INFO
+            }
+        }
+
+        Write-Log "  Windows Update complete ($count updates processed)" -Level OK
+    }
+} catch {
+    Write-Log "  Windows Update failed: $_" -Level ERROR
+    exit 1
+}
+
+Write-Log "Step 12 - Windows Update complete" -Level OK