Skip to content

Configure Your Windows Host to be Managed by Ansible

|

I was talking to my friend about Ansible automation and how we are implementing automated solutions for cloud and on-premise infrastructure. Then he told me that, his team is looking for such tools to automate their Windows servers and Desktops. When I suggested Ansible, he didn’t believe me as he thought Ansible cannot do anything with Windows machines ! Oh.. then I realized that there are some misunderstanding about Ansible and it’s supported platforms as most of them thought Ansible is only available for Linux (or Unix); yes that is true (Ansible is not natively available for Windows yet) but you know, you can use Ansible to manage your Windows machines as well (and network devices, firewall devices, cloud, containers and more)

(Cover: Photo by Charles Parker from Pexels)

Also Read : Automation with Ansible Guides

Watch video for demo

Do you know, you have more than 100 Windows modules already available to use from Ansible Community.

Read: Installing Ansible

But like Linux managed nodes, you need to configure some setups on your Windows machine as well, so that Ansible can talk to your Windows machine and execute automated tasks. And this guide is for you, if you are struggling for configuring your Windows machine to manage by Ansible.

Supported Windows Operating Systems

  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2008
  • Windows Server2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Ansible Control Node Prerequisites

There is no special requirement on Ansible Engine or Ansible Controlnode, except winrm library. You need to install python winrm library for your python environment.

$ pip install "pywinrm>=0.2.2"
## or 
$ python3 -m pip install --user --ignore-installed pywinrm

Make sure, you have installed the winrm library on the exact python environment Ansible is using. (Check ansible --version and see which python version is using)

Windows Host Prerequisites for Ansible

Your Windows machine should meet below requirements.

  • PowerShell 3.0 or newer
  • .NET 4.0 to be installed
  • A WinRM listener should be created and activated

Check PowerShell Version

Open a PowerShell console and verify PowerShell version.

PS C:\Users\Administrator> (Get-Host).Version

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      14393  693

Configure WinRM

You need to configure listener and the service on the Windows machine as part of WinRM setup. You have to execute few steps in PowerShell for this, but fortunately, there is a readymade PowerShell script available in Ansible repository called – ConfigureRemotingForAnsible.ps1. You can just download and execute the same on the Windows machine as below.

PS C:\Users\Administrator> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\Users\Administrator> powershell.exe -ExecutionPolicy ByPass -File $file
Self-signed SSL certificate generated; thumbprint: DD2BFCC45E7503BC9C05BA9174326B593614C733


wxf                 : http://schemas.xmlsoap.org/ws/2004/09/transfer
a                   : http://schemas.xmlsoap.org/ws/2004/08/addressing
w                   : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang                : en-US
Address             : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters

Ok.


PS C:\Users\Administrator>

If you are facing any SSL/TLS issues while downloading files, please check the TLS version you have configured. You can also use TLS1.2 explicitly as below.

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

Note : If you have concern on executing this readymade script (like the authentication it is using, the access policies etc), you can manually configure WinRM listener and the service by following WinRM setup documentation.

Ensure WinRM Ports are Open

Also make sure, ports 5985 and 5986 are open in firewall (both OS as well as network side).

Read How to open WinRM ports in the Windows firewall.

That’s it, now you can access your Windows machine over WinRM and Ansible will be able to execute playbook and tasks on your Windows machine.

Let us test Ansible to Windows Access

As you know, the first thing is you need to add your new machine in inventory; something like below. I have added my new Windows machine under host group called windows2016.

[windows2016]
vm-win2016-dev ansible_host=10.1.10.101

Also need to configure other parameters like ansible_connection, ansible_port, user credential etc. Either you can put it in same inventory or under host_vars or group_vars. For this demo, I have put everything under group_vars/windows2016.

$ cat group_vars/windows2016.yml 
---
ansible_user: "Administrator"
ansible_password: "MyWindowsPassword2020"
ansible_port: "5986"
ansible_connection: "winrm"
ansible_winrm_transport: "basic"
ansible_winrm_server_cert_validation: ignore

Note: For production, you need to use password encrypted using Ansible Vault or keep credentials in Ansible Tower. Also, you may need to create different user rather than Administrator.

Let’s run a very basic Ansible adhoc command with win_ping module.

$ ansible vm-win2016-dev -m win_ping
vm-win2016-dev | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Yes, Ansible can reach our Windows machine and able to communicate. (Please note, the ping is not simple network ping, but Ansible will login to machine and verify the access)

Fine, what about writing a playbook to create a new user in Windows machine ? Here see the very basic playbook and let’s test it.

---

- name: "Create New user on Windows Machine"

  hosts: "{{ NODES }}"

  tasks:

    - name: "Check Windows machines access using win_ping"

      win_ping:

      when: ansible_os_family == 'Windows'

    

    - name: Create a new User 

      win_user:

        name: john

        password: MyP4ssw0rd

        state: present

        groups:

          - Users
      when: ansible_os_family == 'Windows'

Execute the playbook using ansible-playbook command. Please note the NODES variable as I don’t usually hardcode the hosts inside playbook; instead I pass the hosts list while running ansible-playbook command as show below.

$ ansible-playbook test-access.yaml -e "NODES=windows"

PLAY [Testing Basic Connection to Managed Nodes] ***********************************************************

TASK [Gathering Facts] *************************************************************************************
ok: [10.6.1.216]
ok: [vm-win2016-dev]

TASK [Test Windows machines using win_ping] ****************************************************************
ok: [10.6.1.216]
ok: [vm-win2016-dev]

TASK [Create a new User] ***********************************************************************************
changed: [vm-win2016-dev]
changed: [10.6.1.216]

PLAY RECAP *************************************************************************************************
10.6.1.216                 : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
vm-win2016-dev             : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Yes, its working and Ansible already completed all tasks successfully. Let’s go and check the Windows machine for new user.

New user john already created on Windows machine !

Hope, you learned how to configure on a Windows machine to manage by Ansible.

Gineesh has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform). (aka Gini Gangadharan - iamgini.com)

Gineesh has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform). (aka Gini Gangadharan - iamgini.com)

Comments

3 Responses

  1. […] You might already knew that, Ansible can manage Windows servers as well. And this is a supporting article for Configure Your Windows Host to be Managed by Ansible. […]

  2. […] Windows machines using Ansible is pretty straightforward and simple as in the document. You need to configure and enable WinRM on your Windows machine and then open WinRM ports 5985 and 5986(HTTPS) in the Windows Firewall […]

  3. […] Configure Your Windows Host to be Managed by Ansible […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: