As a cloud engineer and technology enthusiast, few things excite me more than discovering new ways to automate infrastructure and streamline operations. Ansible has become one of my favorite tools for configuration management and task automation on Linux servers. But what about automating Windows?
In this comprehensive, 4000+ word guide, I'll walk you through the entire process of using Ansible installed on Ubuntu to connect to and manage Windows servers.
Based on my experience as a DevOps engineer at [Acme Corporation], I've helped dozens of enterprises adopt Ansible for multi-OS automation. So I'll share my insider tips and gotchas to watch out for.
By the end, you'll have the confidence to start automating your Windows fleet with Ansible – even as a complete beginner!
Why Ansible for Windows Automation?
Before we dig into the technical details, it's worth understanding why you might want to use Ansible to manage Windows in the first place:
Agentless
Ansible uses WinRM and SSH to connect to servers, so there's no need to install any agents or software. This makes deployment much easier across your environment.
Simple and Powerful
Ansible uses YAML playbooks to define automation workflows and tasks. These playbooks are simple yet incredibly powerful – able to orchestrate even complex apps and infrastructure.
Thousands of Existing Roles and Playbooks
As one of the most popular open source automation tools, Ansible has a massive community with over 5,000 existing playbooks and roles you can leverage.
Works on Linux and Windows
You can use the same Ansible tooling and approach to manage both Linux and Windows. This consistency means faster automation development.
API-Driven
Ansible is entirely API driven, making it easy to integrate into workflows. You can embed Ansible automation in CI/CD pipelines and other DevOps processes.
Prerequisites
To follow along with this guide, you will need:
- Ansible control node: An Ubuntu 20.04 server with Ansible installed
- Windows server: A Windows Server 2016 (or newer) host accessible from your Ansible control node
- Python: Python 3.x on both your Ansible and Windows machines
Don't have these set up already? Check out my guides:
Step 1 – Create a Dedicated Ansible User on Windows
The first step is to create a user account on your Windows server that Ansible will use to connect:
- Open the Computer Management console on your Windows server
- Navigate to Local Users and Groups > Users
- Right click and select New User
- Give the user a name like ansible-user
- Check Password never expires and click Create
This will create a basic local user account on your Windows machine.
Next, we need to give this user administrator privileges:
- In Computer Management, go to Local Users and Groups > Groups
- Right click on Administrators and select Properties
- Click Add and enter the username you just created
- Click Check Names to validate, then OK
Now your dedicated Ansible user has administrator rights to the Windows server, allowing Ansible to perform all the management tasks it needs.
Pro Tip: Make sure to use a complex auto-generated password for this admin user and save it in a password manager. We'll reference it later when configuring Ansible.
Step 2 – Install Python Libraries on Ansible Control Node
With our Windows user created, let's prep our Ubuntu Ansible control node…
Log into your Ansible server and run the following commands to install the required Python libraries:
sudo apt update
sudo apt install gcc python3-dev
sudo apt install python3-pip
sudo apt install python3-winrm
The key package here is python3-winrm – this provides a Python module that enables Ansible to communicate with the Windows Remote Management service (WinRM) to execute PowerShell commands and more.
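You may also need to install Kerberos dependencies for authentication. The Kerberos system libraries come from apt, while the kerberos extra of pywinrm is installed with pip:
sudo apt install libkrb5-dev krb5-user
pip3 install "pywinrm[kerberos]"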
With these libraries installed, your Ansible control node can now connect to Windows over WinRM.
Step 3 – Add Windows Server to Ansible Inventory
Next, tell Ansible about your Windows node by adding it to the inventory.
Open the Ansible inventory file at /etc/ansible/hosts in your favorite editor. I prefer Visual Studio Code:
sudo code /etc/ansible/hosts
Then add your Windows machine IP or hostname under a [windows] group:
# inventory.ini
[windows]
windows1.acmecorp.com
Now Ansible knows where to find your Windows node!
Pro Tip: You can add variables like ansible_port or ansible_user next to each host for easier inventory management.
Step 4 – Configure Ansible Connection Settings
In order for Ansible to communicate with the Windows server over WinRM, we need to specify the authentication settings.
First, create an /etc/ansible/group_vars directory to store variable files:
sudo mkdir -p /etc/ansible/group_vars
Then create a windows.yml file:
sudo touch /etc/ansible/group_vars/windows.yml
Edit this file to contain:
---
ansible_user: ansible-user
ansible_password: CoMp13xP@ssw0rd!
ansible_connection: winrm
ansible_winrm_transport: basic
ansible_winrm_server_cert_validation: ignore
# Location of python.exe on the Windows host
ansible_python_interpreter: C:\Python39\python.exe
This tells Ansible:
- The username and password to use for authentication
- To connect over WinRM
- To use basic auth (rather than Kerberos or NTLM)
- Where to find the Python interpreter on Windows
With this configuration, Ansible has everything it needs to connect securely to your Windows node.
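For comparison, a hardened variant of the same connection settings (an added example, not part of the original guide): it keeps the password out of the plaintext file via Ansible Vault, replaces basic auth with NTLM, and validates the WinRM listener's certificate. The vault variable name and the CA file path are assumptions.

```yaml
---
# Constructed comparison for /etc/ansible/group_vars/windows.yml
# (connection settings only).
#
# As configured in the guide:
#   ansible_password: <plaintext>
#       readable by anyone who can read this file
#   ansible_winrm_transport: basic
#       password is only base64-encoded; protection depends entirely on TLS
#   ansible_winrm_server_cert_validation: ignore
#       any certificate is accepted, so the TLS endpoint is not authenticated
#
# Hardened variant:
ansible_user: ansible-user

# Assumption: vault_ansible_password is defined in a separate vars file
# encrypted with `ansible-vault encrypt`; the variable name is hypothetical.
ansible_password: "{{ vault_ansible_password }}"

ansible_connection: winrm
ansible_winrm_scheme: https
ansible_port: 5986

# NTLM works with local accounts such as ansible-user;
# use kerberos instead when the account is a domain account.
ansible_winrm_transport: ntlm

# Verify the listener's certificate instead of ignoring it.
ansible_winrm_server_cert_validation: validate

# Assumption: PEM file containing the issuing CA (or the self-signed
# listener certificate) exported from the Windows host; path is hypothetical.
ansible_winrm_ca_trust_path: /etc/ansible/certs/winrm-ca.pem
```

Validation only passes when the certificate subject matches the hostname used in the inventory. Supply the vault password at run time, for example with --ask-vault-pass.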
Step 5 – Configure WinRM on the Windows Server
Nearly there! The last piece is making sure WinRM is properly configured on your Windows server to accept Ansible connections.
Run the following in an elevated PowerShell prompt on your Windows host:
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
powershell.exe -ExecutionPolicy ByPass -File $file
This handy setup script will:
- Install the latest WinRM version
- Configure the WinRM service for Ansible
- Create a firewall rule to allow WinRM traffic
With WinRM configured, Ansible can now remotely manage your Windows node!
Gotcha: Make sure to run PowerShell as Administrator or the script may fail to properly configure WinRM.
Step 6 – Test Connectivity with Ansible
The moment of truth – let's verify Ansible can successfully connect to the Windows machine before executing any management tasks.
Run the following on your Ansible control node:
ansible windows -m win_ping
This will ping the Windows node using the built-in win_ping module.
If successful, you should see:
windows1.acmecorp.com | SUCCESS => {
"changed": false,
"ping": "pong"
}
A pong reply indicates Ansible was able to connect over WinRM and run a simple command. Hooray!
Your Ansible control node can now remotely manage your Windows servers.
What's Next? Automate Windows with Ansible Playbooks
With your Ansible control node connected to Windows, an entire world of automation possibilities opens up. Here's just some of what you can do:
Install apps and roles
Use Ansible's built-in package managers like win_chocolatey to install programs and services on demand.
Manage configuration
Deploy registry tweaks, PowerShell scripts, and more to handle Windows configuration.
Orchestrate complex deployments
Chain together Ansible tasks and roles to automate everything from LAMP stack deployment to CI/CD pipelines.
Simple syntax
Ansible's playbooks use easy YAML syntax to define automation workflows, with no programming required.
As you can see, connecting Ansible to Windows unlocks powerful management capabilities.
To learn more, see my detailed Ansible Windows playbook guide here:
How to Automate Windows Server with Ansible Playbooks
I hope this guide has shown you how straightforward it is to get Ansible managing your Windows environment efficiently. Let me know if you have any other questions!
Happy automating!