Automate Windows Server 2019 & Windows 10 Administration with Ansible


Ansible is a simple, yet powerful IT automation engine that thousands of companies are using to drive complexity out of their environments and accelerate DevOps initiatives.

Be it the deployment of applications, routine maintenance of your servers, Configuration Management, Continuous Delivery, Orchestration or any repetitive work that you can describe, Ansible can handle it for you.

To see its top-tier features in action, we are going to use it to automate Windows Server administration. This is going to be an adventurous ride, so buckle up as we begin the voyage.

“Don’t wait. The time will never be just right.”
–Napoleon Hill


Before we delve into the woods, a Windows host requires a few things before it will “agree” to be managed by Ansible. The list below suffices:

  • PowerShell version 3.0 or higher
  • .NET Framework 4.0 or higher
  • Windows Remote Management Listener or SSH (cygwin)
  • Windows 7+, and server OSs including Windows Server 2008+
  • Chocolatey
  • WSUS for updating OS packages and patching
  • Ansible or AWX

Step 1: Install Chocolatey and WSUS

Windows is the most widely used operating system on personal computers, and its users can benefit a lot from a tool like Chocolatey to install and manage their software. It makes it easy to install applications from the Command Prompt or PowerShell. WSUS, on the other hand, makes it a breeze to deliver operating system updates and patches.

To get Chocolatey installed, follow the detailed guide “Setup and manage Windows Applications from Command Prompt with Chocolatey”. After you are done, you can proceed to install WSUS using the guide “How to install Windows Service Update Services on Windows Server 2019”.

Step 2: Install Ansible AWX

We are going to use Ansible AWX in this guide to manage the Windows host(s) due to its ease of use and a friendly web management space that most people will love. You can install Ansible AWX using the “Install and Configure Ansible AWX on CentOS 8” guide.

One thing to add to your AWX server is pywinrm. Ansible uses the pywinrm package to communicate with Windows servers over WinRM. It is not installed by default with the Ansible package, but can be installed by running the following:

sudo pip3 install "pywinrm>=0.2.2"

After installing AWX and pywinrm, set up the following in AWX as described in the guide:

  • A user with the requisite permissions and an optional team
  • An organization or you can use the default one
  • Credentials to connect with the Windows host
  • Inventory containing a list of your hosts (Add variables as shared below)
  • Set up a Project – You can use a GitHub repository having the playbooks
  • Set up a template that has everything ready for launch

You will need to make a few changes to the inventory to include special variables that match WinRM features. The following are the variables you should add under “inventories”; a screenshot is shared for the same.

ansible_connection: winrm
ansible_winrm_transport: basic
ansible_winrm_server_cert_validation: ignore
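
The three variables above select Basic authentication and turn off server certificate validation, so the account password is protected only by a TLS session whose peer is never verified. The check below is an added example (not part of the original guide or of Ansible): it audits a flat set of inventory variables and contrasts the page's values with a constructed hardened set. The function names and the CA bundle path are assumptions.

```python
# Added example; both variable sets are constructed, the CA path is a placeholder.
PAGE_VARS = """\
ansible_connection: winrm
ansible_winrm_transport: basic
ansible_winrm_server_cert_validation: ignore
"""

HARDENED_VARS = """\
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_scheme: https
ansible_port: 5986
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /etc/ssl/certs/example-internal-ca.pem
"""

def parse_flat_vars(text):
    """Parse flat 'key: value' lines, ignoring blanks and '#' comments."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            result[key.strip()] = value.strip().strip("'\"")
    return result

def audit_winrm_vars(text):
    """Return (variable, finding) tuples for risky WinRM connection settings."""
    v = parse_flat_vars(text)
    if v.get("ansible_connection") != "winrm":
        return []
    # The winrm plugin defaults to port 5986 and to https unless the port is 5985.
    port = v.get("ansible_port", "5986")
    scheme = v.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
    transports = [t.strip() for t in v.get("ansible_winrm_transport", "").split(",")]
    findings = []
    if "basic" in transports:
        findings.append(("ansible_winrm_transport",
                         "basic: password is only base64-encoded, TLS is the sole protection"))
    if scheme == "https" and v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append(("ansible_winrm_server_cert_validation",
                         "ignore: host certificate is unchecked, interception goes unnoticed"))
    if scheme == "http" and "basic" in transports:
        findings.append(("ansible_winrm_scheme",
                         "http with basic: credentials cross the network unencrypted"))
    return findings

if __name__ == "__main__":
    print(audit_winrm_vars(PAGE_VARS))
```
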


Step 3: Configure Windows Remote Management for Ansible

Since Ansible uses no agents on the servers being managed, it takes advantage of what the operating system provides for communication. In Windows 2019, Secure Shell (SSH) was introduced, but if you have Server versions below 2019, you will have to settle on Windows Remote Management (WinRM), because it is available in those versions as well.

There are two main components of the WinRM service that govern how Ansible can interface with the Windows host: the listener and the service configuration settings. The WinRM service listens for requests on one or more ports. Each of these ports must have a listener created and configured.

We shall use the ConfigureRemotingForAnsible.ps1 script to set up the basics. This script sets up both HTTP and HTTPS listeners with a self-signed certificate and enables the Basic authentication option on the service. More on this can be found in the Ansible Docs.

To use this script, run the following in PowerShell (as Administrator):

$url = ""
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
powershell.exe -ExecutionPolicy ByPass -File $file

A screenshot is shared below for the same.


WinRM Listener

The WinRM service listens for requests on one or more ports. Each of these ports must have a listener created and configured. To view the current listeners that are running on the WinRM service, run the following command:

winrm enumerate winrm/config/Listener

Another screenshot is shared below for the same.
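
To turn that listing into a repeatable check, the added example below (not from the original guide) parses the command's text output and reports every enabled listener, marking HTTP listeners and surfacing the HTTPS certificate thumbprint for comparison with the certificate you expect. The sample output, hostname and thumbprint are constructed, and the function names are hypothetical.

```python
# Added example; SAMPLE_OUTPUT is constructed (hostname, thumbprint, addresses made up).
SAMPLE_OUTPUT = """\
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.0.2.10

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = WIN2019-EXAMPLE
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 00112233445566778899AABBCCDDEEFF00112233
    ListeningOn = 127.0.0.1, 192.0.2.10
"""


def parse_listeners(text):
    """Split the command output into one dict per 'Listener' block."""
    listeners = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Listener":
            listeners.append({})
        elif stripped and listeners:
            # Keys without a value (e.g. a bare 'Hostname') map to "".
            key, _, value = stripped.partition("=")
            listeners[-1][key.strip()] = value.strip()
    return listeners


def review_listeners(text):
    """Return (port, transport, note) for every enabled listener."""
    report = []
    for item in parse_listeners(text):
        if item.get("Enabled", "").lower() != "true":
            continue
        transport = item.get("Transport", "").upper()
        if transport == "HTTP":
            note = "no TLS: anything sent with Basic auth is readable on the wire"
        else:
            note = "TLS certificate thumbprint " + (item.get("CertificateThumbprint") or "missing")
        report.append((int(item.get("Port", "0")), transport, note))
    return report
```
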


Step 4: Execute Ansible Playbook in Windows

Once WinRM has been set up, it is time to manage the host using Ansible installed on your Linux server of choice. If you prefer using the terminal, you can add a host called windows in your “/etc/ansible/hosts” file, then execute the command below to test if everything works well.

ansible windows -i /etc/ansible/hosts -m win_ping -e ansible_connection=winrm \
-e ansible_user=<username> -e ansible_password=<password> \
-e ansible_winrm_transport=basic \
-e ansible_winrm_server_cert_validation=ignore

You should see a message like the one below if everything is okay:

<host> | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Once the test has been done and it is successful, we can go back to our AWX web interface and execute playbooks. Depending on where you decided to place your Playbook (Git or in the server), it is time to create a template and then launch it. We are assuming you have already created credentials, user, organization, project, inventory and now a template.

I used a project with a playbook within the server (Manual SCM), as shown in the screenshot below.


I created a directory called “test” within “/var/lib/awx/projects” then created a sample playbook named “main.yaml” with the following contents:

- hosts: all
  gather_facts: true
  tasks:
    # Install Git on the Windows host through Chocolatey
    - name: Install Git
      win_chocolatey:
        name: git
        state: present

It is a simple task to install “Git” on the Windows Server 2019 host that we have prepared above.

Once that is done, we can go ahead and create a “Template” that glues everything together and executes the playbook. A screenshot is shared below with the settings filled in.


Save it then Launch.


If everything goes well, the playbook will start running and a success message will be presented. An illustration is shown below.


Step 5: Confirm Git was installed

After the play is done, we can log in to our Windows Server to confirm that Git was indeed installed by Ansible using Chocolatey. Hit the “Start” icon and you should see “Git” as a new application as shown below.


And we are good to go!!

Final Thoughts

AWX and Ansible in general are the way to go, especially if you have a lot of servers to manage. Set everything up once, then relax as you add your playbooks to configure your infrastructure. If you have not ventured into the colorful world of Ansible and automation, then board the next ship to that amazing land. Finally, thank you for your awesome support; we hope the guide was helpful.

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.