Ansible Automation for Windows
-
Gineesh Madapparambath
- Infrastructre & hardware, Ansible, Ansible doc
- January 6, 2022
Ansible’s reputation as a Linux automation powerhouse is well-deserved. But a common misconception lingers: is Ansible strictly for Linux environments? The answer? Absolutely not!
While Ansible itself doesn’t run natively on Windows, its magic lies in its ability to orchestrate tasks across a wide range of platforms. That includes your Windows servers and desktops, alongside network devices, firewalls, cloud infrastructure, containers, and more. This opens the door to managing your entire IT landscape with a single, powerful tool, streamlining processes, boosting efficiency, and minimizing human error. So, if you’re looking to automate Windows management or explore Ansible’s broader capabilities, keep reading – you might be surprised!
This is a collection of articles and references about Windows automation using Ansible, published in techbeatly and other platforms.
- Guides for Configuring Windows Machine
- Ansible talks to Windows
- What is
ansible_winrm_transport? - Authentication Options Overview
- Transport vs Account Type vs Encryption — Full Matrix
- Certificate Requirements per Auth Type
- HTTP vs HTTPS Safety Summary
- Python Library Requirements (Ansible Controller Side)
- Windows-Side Setup Required per Auth Type
- What is Credential Delegation?
- NTLM vs Basic — Key Difference
- Appendix
Do you know, you have more than 80 Windows modules available from the Ansible Community?
Guides for Configuring Windows Machine
The first step is to configure your Windows machine to be managed by Ansible. Follow below guides to configure the Windows system with and without SSL methods.
- Configure Your Windows Host to be Managed by Ansible
- How to open WinRM ports in the Windows firewall
- Ansible Windows Management using HTTPS and SSL
Ansible talks to Windows
Unlike SSH for Linux machines, Ansible uses Windows PowerShell remoting to automate Windows. Ansible uses the WinRM (Windows Remote Management) protocol which is Microsoft’s built-in HTTP-based remote management technology.
Refer to Windows Remote Management to learn more.
What is ansible_winrm_transport?
ansible_winrm_transport defines the authentication method Ansible uses when connecting to a Windows host over WinRM. It is not the same as transport-layer encryption (HTTP vs HTTPS) — it controls how credentials are verified.
Authentication Options Overview
The following matrix is a high level overview of the authentication options:
| Option | Local Accounts | Active Directory Accounts | Credential Delegation | HTTP Encryption |
|---|---|---|---|---|
| Basic | Yes | No | No | No |
| Certificate | Yes | No | No | No |
| Kerberos | No | Yes | Yes | Yes |
| NTLM | Yes | Yes | No | Yes |
| CredSSP | Yes | Yes | Yes | Yes |
Transport vs Account Type vs Encryption — Full Matrix
| Transport | Connection Plugin | Local Account | AD/Domain Account | HTTP (5985) | HTTPS (5986) | Credential Delegation | Extra Setup Required |
|---|---|---|---|---|---|---|---|
basic |
winrm |
✅ | ❌ | ⚠️ unsafe | ✅ safe | ❌ | Enable Basic auth on Windows |
basic |
psrp |
✅ | ❌ | ⚠️ unsafe | ✅ safe | ❌ | Enable Basic auth on Windows |
ntlm |
winrm |
✅ | ✅ | ✅ msg-encrypt | ✅ | ❌ | None (enabled by default) |
negotiate |
psrp |
✅ | ✅ | ✅ msg-encrypt | ✅ | ❌ (✅ if Kerberos) | None — tries Kerberos first, falls back to NTLM |
kerberos |
winrm |
❌ | ✅ | ✅ msg-encrypt | ✅ | ✅ | krb5 libs + /etc/krb5.conf + kinit |
kerberos |
psrp |
❌ | ✅ | ✅ msg-encrypt | ✅ | ✅ | Same as above |
credssp |
winrm |
✅ | ✅ | ✅ msg-encrypt | ✅ | ✅ | Enable CredSSP on Windows + extra pip libs |
credssp |
psrp |
✅ | ✅ | ✅ msg-encrypt | ✅ | ✅ | Enable CredSSP on Windows + extra pip libs |
certificate |
winrm |
✅ | ❌ | ❌ | ✅ required | ❌ | Client cert + mapped to local user |
certificate |
psrp |
✅ | ❌ | ❌ | ✅ required | ❌ | Client cert + mapped to local user |
Certificate Requirements per Auth Type
| Transport | Listener Certificate (Server) | Client Certificate | Certificate Authority |
|---|---|---|---|
basic |
Optional (needed for HTTPS) | ❌ not needed | Self-signed OK |
ntlm |
Optional (needed for HTTPS) | ❌ not needed | Self-signed OK |
kerberos |
Optional (needed for HTTPS) | ❌ not needed | AD CS recommended for domain |
credssp |
Optional for HTTPS listener; CredSSP auto-generates its own TLS cert | ❌ not needed | Self-signed OK (no validation on CredSSP cert) |
certificate |
Required (HTTPS mandatory) | Required — mapped to local user | Self-signed OK, or AD CS |
HTTP vs HTTPS Safety Summary
| Transport | HTTP (5985) safe? | HTTPS (5986) safe? | Why |
|---|---|---|---|
basic |
❌ No | ✅ Yes | Password is only Base64 encoded — TLS is the only protection |
ntlm |
⚠️ Acceptable | ✅ Yes | Has message-level encryption; official docs warn against HTTP use |
kerberos |
✅ Yes | ✅ Yes | Message-level encryption built in |
credssp |
✅ Yes | ✅ Yes | Message-level encryption built in; but sends credentials to host |
certificate |
❌ Never | ✅ Yes | Requires HTTPS by design |
Python Library Requirements (Ansible Controller Side)
| Transport | winrm plugin |
psrp plugin |
|---|---|---|
| basic / ntlm / certificate | pywinrm>=0.4.0 |
pypsrp<=1.0.0 |
| kerberos (additional) | pywinrm[kerberos] |
pypsrp[kerberos] |
| credssp (additional) | pywinrm[credssp] |
pypsrp[credssp] |
Install with pip:
pip3 install "pywinrm>=0.4.0" # winrm basic/ntlm
pip3 install "pywinrm[kerberos]" # winrm kerberos
pip3 install "pywinrm[credssp]" # winrm credssp
pip3 install "pypsrp<=1.0.0" # psrp basic/ntlm
pip3 install "pypsrp[credssp]<=1.0.0" # psrp credssp
Windows-Side Setup Required per Auth Type
Basic Auth
Not enabled by default. Enable with PowerShell:
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
NTLM
Enabled by default on WinRM — no setup required.
Kerberos
No extra setup on the Windows host. Requires setup on the Ansible controller:
- Install
krb5system libraries - Configure
/etc/krb5.confwith your domain - Run
kinit [email protected]to get a ticket
CredSSP
Not enabled by default. Enable with PowerShell:
Enable-WSManCredSSP -Role Server -Force
Certificate
Requires HTTPS listener + a client certificate mapped to a local Windows user account. See: WinRM Certificate Authentication
Do you want to learn more about Ansible practical use cases? Check the latest book from the author as follows. Available on Packt and Amazon .
What is Credential Delegation?
Credential delegation means the Windows host can pass your credentials further to a third resource on your behalf — solving the classic double-hop problem.
Ansible Controller → Windows Host → SQL Server / File Share / Another Server
- Without delegation (Basic, NTLM, Certificate): credentials stop at the Windows host
- With delegation (Kerberos, CredSSP): credentials can be forwarded to a second hop
CredSSP should only be used when absolutely necessary as it can be a security risk due to its use of unconstrained delegation. — Ansible Docs
NTLM vs Basic — Key Difference
| Basic | NTLM | |
|---|---|---|
| How it works | Sends username + password (Base64) | Challenge-response — password never sent |
| HTTP (5985) | ❌ Plaintext credentials | ⚠️ Message-encrypted but not recommended |
| HTTPS (5986) | ✅ TLS wraps credentials | ✅ TLS + message encryption |
| Credential exposure | Depends entirely on TLS | Password never travels the wire |
Appendix
- Windows Remote Management
- Automating Microsoft Windows with Ansible (Red Hat)
- Ansible and Windows (Ansible)
- 10 ways to automate Microsoft Windows with Red Hat Ansible Automation Platform (Ansible eBook)
- Automate Windows Environments with Ansible (Slides from Boston Event)
- Using Ansible and Windows (Ansible documentation)
- Setting up a Windows Host (Ansible documentation)
- Automating mixed Red Hat Enterprise Linux and Windows Environments (Ansible blog)
- Windows Package Management (Ansible Blog)
- Making the double hop on Windows with Red Hat Ansible Automation Platform
- The Windows enterprise in an Ansible galaxy
- Using Kerberos for Windows in Ansible Automation Platform 2
- User Authentication with Kerberos
Gineesh Madapparambath
Gineesh Madapparambath is the founder of techbeatly. He is the co-author of The Kubernetes Bible, Second Edition and the author of Ansible for Real Life Automation. He has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform). (Read more: iamgini.com)
Note
Disclaimer: The views expressed and the content shared in all published articles on this website are solely those of the respective authors, and they do not necessarily reflect the views of the author’s employer or the platform. We strive to ensure the accuracy and validity of the content published on our website. However, we cannot guarantee the absolute correctness or completeness of the information provided. It is the responsibility of the readers and users of this website to verify the accuracy and appropriateness of any information or opinions expressed within the articles. If you come across any content that you believe to be incorrect or invalid, please contact us immediately so that we can address the issue promptly.
