How to start using Ansible for Windows management

Ansible is a configuration management offering that runs on Linux but controls Windows systems with PowerShell. Find out how to get the tool running in your data center.

As more enterprises mix Linux and Windows machines into the IT stack, it makes sense to find a tool that manages both platforms.

There are several tools designed for this purpose, but Ansible is making great strides to establish itself as the leader in this space. Ansible manages Linux and Windows systems. It has PowerShell support, so Windows admins can use their scripts once they learn Ansible's management structure. The Ansible stack needs to run on Red Hat, Debian, CentOS, macOS or a similarly architected OS server or virtual machine.

Ansible doesn't use the typical server/client architecture of other remote management tools, so the setup work might be foreign to some administrators. Ansible manages Windows systems via PowerShell remoting or Windows Remote Management (WinRM).

It only takes a few steps to set up the control machine, configure a Windows Server, execute individual commands on the configured machine and use custom scripts on Ansible for Windows management. Being able to copy and run your current PowerShell scripts is a quick way to get started with the Ansible console before learning how to dive deep into the Ansible playbook management approach.

Set up the control machine

To configure the Ansible control machine to manage hosts, enable PowerShell remoting on the host and give the appropriate credentials to Ansible for Windows administration, usually with a Secure Socket Shell key.

Make sure the Ansible control machine runs on a valid version of Python with an updated version of pip, then run the following command to install the pywinrm module:

$ pip install "pywinrm>=0.2.2"

Use the following code to add the Windows machine you want to control to the /etc/ansible/hosts file so Ansible registers the Windows machine:


Next, add the following configuration to Ansible in the /etc/ansible/group_vars/groupname.yaml file for basic authentication:

ansible_user: 'YourHostsUsername'
ansible_password: 'YourHostsPassword'
ansible_connection: 'winrm'
ansible_winrm_transport: basic
ansible_port: '5986'
ansible_winrm_server_cert_validation: ignore
validate_certs: false
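
The settings above pair basic authentication with a password stored in the vars file and certificate validation turned off. The following check is an added example, not code from the original article or from the Ansible project; it flags those settings in a flat group_vars file, and the function names and finding labels are hypothetical.

```python
import re

# Constructed sample: the tutorial's group_vars/groupname.yaml settings.
TUTORIAL_VARS = """\
ansible_user: 'YourHostsUsername'
ansible_password: 'YourHostsPassword'
ansible_connection: 'winrm'
ansible_winrm_transport: basic
ansible_port: '5986'
ansible_winrm_server_cert_validation: ignore
validate_certs: false
"""


def parse_flat_vars(text):
    """Parse top-level `key: value` lines (enough for a flat group_vars file)."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*$", line)
        if m:
            result[m.group(1)] = m.group(2).strip("'\"")
    return result


def audit_winrm_vars(text):
    """Return a sorted list of finding labels for WinRM settings to review."""
    v = parse_flat_vars(text)
    findings = set()
    # Basic auth sends the account password itself; only TLS protects it.
    if v.get("ansible_winrm_transport", "").lower() == "basic":
        findings.add("basic-auth")
    # With validation ignored, the control machine accepts any certificate.
    if v.get("ansible_winrm_server_cert_validation", "").lower() == "ignore":
        findings.add("cert-validation-off")
    # 5985 is the WinRM HTTP port; 5986 is HTTPS.
    if v.get("ansible_port") == "5985" or v.get("ansible_winrm_scheme", "").lower() == "http":
        findings.add("http-listener")
    # Accept ansible-vault values and Jinja references; flag literal passwords.
    password = v.get("ansible_password", "")
    if password and not password.startswith(("!vault", "{{")):
        findings.add("plaintext-password")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_winrm_vars(TUTORIAL_VARS):
        print("review:", finding)
```

A vars file that uses an `!vault` or `{{ ... }}` password, a transport such as ntlm or kerberos, and `ansible_winrm_server_cert_validation: validate` returns no findings.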

Set up the host

Be sure the Windows machine you want to manage is on a supported version of Windows -- version 7 or later for desktops and 2008 or later for Windows Server -- and PowerShell 3.0 or later.

Next, enable PSRemoting with this command:

Enable-PSRemoting -force

Then, set up the WinRM service -- required to use PowerShell remoting -- to start automatically.

Set-Service WinRM -StartMode Automatic

On the local machine, confirm you've started the WinRM service with the following cmdlet:

Test-WSMan

From a remote computer, add the -ComputerName parameter:

Test-WSMan -ComputerName "server123"

Next, set up a WinRM listener with the PowerShell script below from Ansible. It sets up an HTTP and an HTTPS listener and configures basic authentication on the host. It might require some adjustments to use in a production environment.

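$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
# Local path where the downloaded script is saved
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"

# Download the script to $file
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

# Run the downloaded script
powershell.exe -ExecutionPolicy ByPass -File $file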

For this tutorial, we use basic authentication, which you enable with the following command:

Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

Lastly, complete the host configuration for Ansible by creating the WinRM listener.

winrm quickconfig

This Ansible for Windows tutorial is tailored for managing an individual server. To deploy this configuration on many machines, create a group policy and deploy that to the Windows servers. The group policy should set the WinRM service to start automatically, run the configuration script and configure the WinRM listeners.

How to work with Ansible for Windows machine management

After finalizing the configuration from the Ansible server to the remote managed machine, you can run tasks remotely from the Ansible server.

First, test connectivity with a ping from the Ansible host.

$ ansible groupname -m win_ping
<hostname> | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

To run ad hoc commands on Windows from Ansible, you can easily create one-liners by calling the win_shell module. A simple example is stopping a service remotely for a group of machines from the Ansible console:

$ ansible groupname -m win_shell -a "Get-Service -Name servicename | Stop-Service"

You also have access to the win_command module to run executables remotely.

$ ansible groupname -m win_command -a whoami.exe

How to run an Ansible for Windows script

Another example of Ansible management of remote Windows servers is to copy a local PowerShell script to the remote managed machine.

$ ansible groupname -m win_copy -a "src=/path/to/script.ps1 dest=C:\temp\script.ps1"

You can then run the script with the win_command module.

$ ansible groupname -m win_command -a "powershell.exe -ExecutionPolicy ByPass -File C:\temp\script.ps1"

Ansible opens the door to advanced management capabilities

Ansible is worth learning due to its cross-platform capabilities that scale to manage a large number of devices. Once you've learned the basics, you can perform more in-depth tasks, such as using PowerShell Desired State Configuration with Ansible and working with custom modules.
