I was talking to my friend about Ansible automation and how we are implementing automated solutions for cloud and on-premise infrastructure. Then he told me that, his team is looking for such tools to automate their Windows servers and Desktops. When I suggested Ansible, he didn’t believe me as he thought Ansible cannot do anything with Windows machines ! Oh.. then I realized that there are some misunderstanding about Ansible and it’s supported platforms as most of them thought Ansible is only available for Linux (or Unix); yes that is true (Ansible is not natively available for Windows yet) but you know, you can use Ansible to manage your Windows machines as well (and network devices, firewall devices, cloud, containers and more)
See other articles to learn how to manage windows using Ansible
- Configure Your Windows Host to be Managed by Ansible
- How to open WinRM ports in the Windows firewall
- Ansible Windows Management using HTTPS and SSL
(Cover: Photo by Charles Parker from Pexels)
Also Read : Automation with Ansible Guides
Watch video for demo
Do you know, you have more than 100 Windows modules already available to use from Ansible Community.
Read: Installing Ansible
But like Linux managed nodes, you need to configure some setups on your Windows machine as well, so that Ansible can talk to your Windows machine and execute automated tasks. And this guide is for you, if you are struggling for configuring your Windows machine to manage by Ansible.
Supported Windows Operating Systems
- Windows 7
- Windows 8.1
- Windows 10
- Windows Server 2008
- Windows Server2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Ansible Control Node Prerequisites
There is no special requirement on Ansible Engine or Ansible Controlnode, except winrm
library. You need to install python winrm library for your python environment.
$ pip install "pywinrm>=0.2.2"
## or
$ python3 -m pip install --user --ignore-installed pywinrm
Make sure, you have installed the winrm
library on the exact python environment Ansible is using. (Check ansible --version
and see which python version is using)
Windows Host Prerequisites for Ansible
Your Windows machine should meet below requirements.
- PowerShell 3.0 or newer
- .NET 4.0 to be installed
- A WinRM listener should be created and activated
Check PowerShell Version
Open a PowerShell console and verify PowerShell version.
PS C:\Users\Administrator> (Get-Host).Version
Major Minor Build Revision
----- ----- ----- --------
5 1 14393 693
Configure WinRM
You need to configure listener
and the service
on the Windows machine as part of WinRM setup. You have to execute few steps in PowerShell for this, but fortunately, there is a readymade PowerShell script available in Ansible repository called – ConfigureRemotingForAnsible.ps1. You can just download and execute the same on the Windows machine as below.
PS C:\Users\Administrator> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\Users\Administrator> powershell.exe -ExecutionPolicy ByPass -File $file
Self-signed SSL certificate generated; thumbprint: DD2BFCC45E7503BC9C05BA9174326B593614C733
wxf : http://schemas.xmlsoap.org/ws/2004/09/transfer
a : http://schemas.xmlsoap.org/ws/2004/08/addressing
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang : en-US
Address : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters
Ok.
PS C:\Users\Administrator>
If you are facing any SSL/TLS issues while downloading files, please check the TLS version you have configured. You can also use TLS1.2
explicitly as below.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Note : If you have concern on executing this readymade script (like the authentication it is using, the access policies etc), you can manually configure WinRM listener
and the service
by following WinRM setup documentation.
Ensure WinRM Ports are Open
Also make sure, ports 5985 and 5986 are open in firewall (both OS as well as network side).
Read How to open WinRM ports in the Windows firewall.
That’s it, now you can access your Windows machine over WinRM and Ansible will be able to execute playbook and tasks on your Windows machine.
Let us test Ansible to Windows Access
As you know, the first thing is you need to add your new machine in inventory; something like below. I have added my new Windows machine under host group called windows2016
.
[windows2016]
vm-win2016-dev ansible_host=10.1.10.101
Also need to configure other parameters like ansible_connection
, ansible_port
, user credential etc. Either you can put it in same inventory or under host_vars
or group_vars
. For this demo, I have put everything under group_vars/windows2016
.
$ cat group_vars/windows2016.yml
---
ansible_user: "Administrator"
ansible_password: "MyWindowsPassword2020"
ansible_port: "5986"
ansible_connection: "winrm"
ansible_winrm_transport: "basic"
ansible_winrm_server_cert_validation: ignore
Note: For production, you need to use password encrypted using Ansible Vault or keep credentials in Ansible Tower. Also, you may need to create different user rather than Administrator.
Let’s run a very basic Ansible adhoc command with win_ping
module.
$ ansible vm-win2016-dev -m win_ping
vm-win2016-dev | SUCCESS => {
"changed": false,
"ping": "pong"
}
Yes, Ansible can reach our Windows machine and able to communicate. (Please note, the ping is not simple network ping, but Ansible will login to machine and verify the access)
Fine, what about writing a playbook to create a new user in Windows machine ? Here see the very basic playbook and let’s test it.
---
- name: "Create New user on Windows Machine"
hosts: "{{ NODES }}"
tasks:
- name: "Check Windows machines access using win_ping"
win_ping:
when: ansible_os_family == 'Windows'
- name: Create a new User
win_user:
name: john
password: MyP4ssw0rd
state: present
groups:
- Users
when: ansible_os_family == 'Windows'
Execute the playbook using ansible-playbook
command. Please note the NODES
variable as I don’t usually hardcode the hosts inside playbook; instead I pass the hosts list while running ansible-playbook
command as show below.
$ ansible-playbook test-access.yaml -e "NODES=windows"
PLAY [Testing Basic Connection to Managed Nodes] ***********************************************************
TASK [Gathering Facts] *************************************************************************************
ok: [10.6.1.216]
ok: [vm-win2016-dev]
TASK [Test Windows machines using win_ping] ****************************************************************
ok: [10.6.1.216]
ok: [vm-win2016-dev]
TASK [Create a new User] ***********************************************************************************
changed: [vm-win2016-dev]
changed: [10.6.1.216]
PLAY RECAP *************************************************************************************************
10.6.1.216 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
vm-win2016-dev : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Yes, its working and Ansible already completed all tasks successfully. Let’s go and check the Windows machine for new user.
Hope, you learned how to configure on a Windows machine to manage by Ansible.