Ansible has been gaining a lot of popularity during the past years and it has become a permanent resident in many organisations' and individuals' DevOps tooling, mainly due to its simplicity and a reasonable learning curve. Getting Ansible set up is a matter of minutes, and getting something concrete done is extremely fast once you've captured the basics of the technology.

Ansible is well known amongst folks in the Linux space and is gaining more and more traction in the network automation space, but on the Windows side it is not as widely used as it could be. There are of course reasons for this: for example, Microsoft has been providing tooling for automating Windows estates and other Microsoft technologies for ages, so there has not been an urgent need or the willingness to look elsewhere.

Now imagine if there were a single technology that did all of that.

Many organisations are streamlining their IT and building DevOps teams and tooling, therefore a technology that could cover the whole estate regardless of the platform is of interest. Whether it's a Linux box, a Windows server, the AWS cloud or an F5 load balancer, with Ansible you are able to manage and automate them.

Often, when we talk about automation in the bigger picture, there are other things that come into play. Whether it's change management processes, existing tools and platforms or CMDBs that we need to touch with our automation, Ansible is capable of handling the whole chain. This is what makes Ansible so popular and powerful.

That said, although Ansible gets very close, silver bullets don't exist.

Ansible can do a lot, but you also have to keep in mind that you should choose the right tool for the job. Having the right tool is imperative to successful completion of the task at hand. In addition, the right tools allow individuals to complete their tasks efficiently, which opens up opportunities to expand their range of capabilities.

Now to the point: how do you get your Windows environment set up so that Ansible can connect to it and start doing things?


To be able to connect to Windows endpoints, Ansible utilises the WinRM protocol, which ships out of the box with the Windows OS.
There is also the possibility to use SSH, which now ships with Windows Server 2019, but on the Ansible side it is still an experimental feature and is best used with discretion.

Ansible also requires PowerShell 3.0+ and .NET 4.0+ to be installed on the managed system. These requirements are met by default on Windows Server 2012 and upwards.

If and when these requirements are met, you have to configure Windows to accept connections: configuring the Windows firewall, enabling WinRM, etc.
This can be achieved by using the script provided by the Ansible community. This script checks the current WinRM configuration and makes the necessary changes to allow Ansible to connect, authenticate and execute PowerShell commands on the given host.
Details on how to run the script can be found in the Ansible documentation.

Disclaimer: if using the script in production, you should modify it to meet your organisation's security baseline. The script enables some insecure settings that you likely don't want and/or are not allowed to use on production systems.

Another option is to enable all of this by hand with winrm quickconfig for HTTP or winrm quickconfig -transport:https for HTTPS. Running winrm quickconfig sets up the Windows firewall rule as well.

WinRM over HTTPS requires a Server Authentication certificate in the local computer store whose CN matches the hostname and which is not expired, revoked or self-signed.

To install or view certificates for the local computer:

  
1. Select Start and then select Run.
2. Type MMC and then press Enter.
3. Select File from menu options and then select Add or Remove Snap-ins.
4. Select Certificates and select Add.
5. Go through the wizard selecting Computer account.
6. Install or view the certificates under Certificates (Local computer) > Personal > Certificates.
  

A third option is to configure WinRM via Group Policy, and finally it can be done with PowerShell commands:

  
$hostname = $env:COMPUTERNAME
# Create a certificate for this host in the local machine store. A self-signed
# certificate is fine for a lab; see the certificate requirements above for production.
$cert = New-SelfSignedCertificate -DnsName $hostname -CertStoreLocation Cert:\LocalMachine\My

# Hashtable entries must be separated by newlines or semicolons
$selectorset = @{
    Address   = "*"
    Transport = "HTTPS"
}
$valueset = @{
    Hostname              = $hostname
    CertificateThumbprint = $cert.Thumbprint
}
# Register the HTTPS listener (port 5986) bound to the certificate
New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset

If you now list the configuration by running:

winrm enumerate winrm/config/listener

You should see a configured HTTPS Listener.

Once the listener has been created, the last thing to do is to open the Windows firewall port for the newly created listener:

netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
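Since the community script and winrm quickconfig can leave settings open that the disclaimer above warns about, here is an added hardening and verification step for the managed host (example code, not from the original post or the Ansible project). It assumes an elevated session, that the HTTPS listener from the steps above exists, and that on the Ansible side the authentication method is then switched from basic to Kerberos as the post recommends for real environments.

```powershell
# Added example: tighten the WinRM service after the HTTPS listener exists and
# verify that the listener's certificate meets the requirements stated above.
# Run in an elevated PowerShell session on the managed Windows host.

function Set-WinRmHardening {
    # Reject unencrypted payloads and the weaker authentication methods.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $false
    Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP     -Value $false
    # Kerberos/Negotiate stay on; a domain-joined Ansible control node should use these.
    Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos    -Value $true
    Set-Item -Path WSMan:\localhost\Service\Auth\Negotiate   -Value $true

    # Remove any plain-HTTP listener left behind by 'winrm quickconfig' or the script.
    Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        ForEach-Object { Remove-Item -Path $_.PSPath -Recurse }
}

function Test-WinRmHttpsListener {
    # One object per remaining listener with the certificate checks from the post:
    # certificate present, CN matches the hostname, not expired, not self-signed.
    $hostname = $env:COMPUTERNAME
    Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $listener  = $_
        $transport = ($listener.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
        # WSMan may render the thumbprint with spaces; strip them before matching the store
        $thumb = (Get-Item -Path "$($listener.PSPath)\CertificateThumbprint").Value -replace '\s', ''
        $cert  = if ($thumb) { Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb }
        [pscustomobject]@{
            Listener      = $listener.Name
            Transport     = $transport
            Thumbprint    = $thumb
            CertFound     = [bool]$cert
            CnMatchesHost = [bool]($cert -and $cert.Subject -match "CN=$([regex]::Escape($hostname))(,|$)")
            NotExpired    = [bool]($cert -and $cert.NotAfter -gt (Get-Date))
            SelfSigned    = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        }
    }
}

Set-WinRmHardening
Test-WinRmHttpsListener | Format-Table -AutoSize
```

A healthy result is a single HTTPS listener with CertFound and CnMatchesHost true, NotExpired true and SelfSigned false; the self-signed lab certificate from the steps above will show SelfSigned true.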

Now that all is set up on the Windows side, we are a few steps away from establishing a connection to the remote servers with Ansible.


To connect to Windows, you need to set some connection parameters so that Ansible knows how to connect: credentials, ports, type of connection, etc.
Ansible uses connection plugins to determine how to connect to the target system. For Windows you can choose between WinRM and PSRP (SSH is experimental). This configuration should be either in the inventory that Ansible uses or in a group_vars file.

  
ansible_user: ansible_user
ansible_password: your_password_here
ansible_port: 5986
ansible_connection: psrp
ansible_psrp_transport: basic
ansible_psrp_cert_validation: ignore
  

As you see from the example, I tend to default to the PSRP connection for many reasons I will not list here. If you are interested in knowing more about WinRM and PSRP and their differences, read this blog post.

The ansible_psrp_transport variable defines which authentication protocol to use; an exhaustive list with their capabilities can be found here. In any real environment you'd likely use Kerberos as the chosen authentication method.
The ansible_psrp_cert_validation variable makes Ansible ignore my self-signed certificate; in production environments proper certificates should be in place and this variable can then be removed.

Example inventory:

  
[win]
10.1.1.100

; INI-format inventory: variables in a :vars section use key=value, not key: value
[win:vars]
ansible_user=ansible_user
ansible_password=your_password_here
ansible_port=5986
ansible_connection=psrp
ansible_psrp_transport=basic
ansible_psrp_cert_validation=ignore
  

Keep in mind that in order for the Windows connection plugins to work, you have to install the required Python libraries on the Ansible control node. Those can be installed by running $ pip install pywinrm for WinRM and $ pip install pypsrp for PSRP.

Once all that is set up, you can finally test the connection with Ansible by running:

$ ansible win -m win_ping

If all is set up correctly, you should get a reply:

  
$ ansible win -m win_ping
10.1.1.100 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}