Connecting Ansible on Linux to Manage Windows Servers

Are you looking to simplify management of your Windows servers? Do you want to leverage your existing Ansible skills and tooling to standardize Windows and Linux automation?

If so, you've come to the right guide! Below I'll walk you through, step by step, how to connect Ansible running on Linux to Windows servers for centralized and consistent cross-platform management.

The Rise of Ansible for Hybrid Infrastructure

First, let's start with some background on why connecting Ansible to Windows is becoming so popular…

Ansible has quickly become one of the most widely used automation and configuration management tools. According to Red Hat, there are over 5 million Ansible downloads per year – a number that's growing 30% year over year.

And Ansible isn't just for Linux anymore…

Over the last several years, Ansible has focused heavily on expanding support for non-Linux platforms like Windows. There are now over 280 dedicated Ansible modules for Windows, allowing the same level of automation as on Linux.

Why does this matter? Hybrid and multi-OS environments are becoming the norm. Even Linux-centric organizations are likely running at least some Windows servers these days as well.

According to various surveys, 70-80% of enterprise organizations have hybrid infrastructure spanning Linux, Windows, on-prem servers, and public cloud VMs. That number is only increasing with digital transformation and cloud adoption initiatives.

This creates a major need to unite management of this hybrid environment under a common automation toolchain. Ansible delivers here – providing modules and native functionality supporting Linux, Windows, networking gear, public clouds, and more.

No wonder Ansible's dominance in the configuration management space just continues to climb.

So in today's world, chances are you need to automate and manage Windows right alongside Linux. Connecting Ansible to your Windows environment allows you to do just that.

Now let's get into how to connect Ansible running on Linux to your Windows servers…

How Ansible Communicates with Windows

Before jumping into the hands-on walkthrough, it's useful to understand at a high level how Ansible connects to and manages Windows machines:

  • Ansible is installed on a control node (typically Linux)
  • Windows servers act as managed nodes
  • The control node connects to Windows over WinRM on port 5985 (HTTP) or 5986 (HTTPS)
  • Modules like win_package or playbooks execute over this connection

So WinRM acts as the communication channel for Ansible to execute tasks, fetch status, and return output from Windows servers.

Capabilities Once Connected

What can you actually do once Ansible is hooked up to Windows? Here are some examples:

Configuration Management & Deployment

  • Install packages like IIS, SQL Server, etc.
  • Manage Windows features and roles
  • Deploy applications and services
  • Manage local users, groups, policies
  • Configure registry settings

Operational Tasks

  • Start/stop services
  • Query event logs
  • Run PowerShell commands and scripts
  • Fetch system facts and inventory

Security Hardening

  • Manage firewall rules
  • Enforce GPOs
  • Disable unnecessary features/ports
  • Set up auditing rules

These are just a small sampling – Ansible has over 280 modules specifically for automating Windows management at scale across your environment.

Okay, ready to get hands-on? Let's walk through connecting Ansible running on Linux to Windows…

Prerequisites

Before getting started, here is what you need:

Ansible Control Node:

  • Ubuntu 20.04 Server
  • Ansible installed via apt or pip
  • Python 3.x

Windows Server:

  • Windows Server 2016+
  • PowerShell 5.0+
  • .NET Framework 4.0+
  • WinRM enabled

I have guides on installing Ansible on Ubuntu and setting up Ansible on Windows if you need them.

With those fulfilled, let's move on to the steps…

Step 1 – Create a Dedicated Windows Ansible User

First, we should create a user that Ansible will use for connectivity and privilege escalation:

  1. Open Computer Management > Local Users and Groups
  2. Right click Users > New User
  3. Enter username like ansible
  4. Enable password to Never Expire
  5. Go to Administrators group > Add ansible user

Creating a dedicated Ansible admin account is a best practice for a few reasons:

  • Avoid using the default Administrator account
  • Ensures the account doesn't get locked out
  • Can dial back permissions later if needed

Okay, with a user created, let's prep the Ansible control node…

Step 2 – Install Python Modules on Ansible Control Node

On your Ubuntu Ansible server, run:

sudo apt update
sudo apt install python3 python3-pip
sudo pip3 install pywinrm

Specifically, we installed:

  • Python 3 – Needed for Ansible on Linux
  • Python pip – To install modules
  • pywinrm – WinRM client for Ansible connectivity

With the Python packages installed, let's shift to the Windows side…

Step 3 – Configure WinRM for Ansible Management

For Ansible to communicate with Windows, the WinRM service needs to be installed and configured properly.

Rather than adjust settings manually, we can use a PowerShell script to do this automatically:

$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file

This PowerShell script handles several important items:

  • Ensure WinRM is installed
  • Open firewall port 5986 for WinRM traffic
  • Create WinRM listener to allow remote connections
  • Enable basic authentication

You should now see WinRM is correctly enabled:

winrm enumerate winrm/config/listener

With WinRM communication opened up, Ansible will be able to connect.

Step 4 – Define Windows Hosts in Ansible Inventory

Let's now tell Ansible about our Windows server by editing /etc/ansible/hosts:

[windows]
winserver1.mydomain.com
winserver2.mydomain.com

[windows:vars]
ansible_port=5986
ansible_connection=winrm

Defining hosts under a [windows] group means we can refer to them easily later in playbooks and ad-hoc commands.

The ansible_connection=winrm line tells Ansible to connect over WinRM instead of the default SSH method.

Step 5 – Create Group Variables File

We should also create a group variables file at /etc/ansible/group_vars/windows.yml:

ansible_user: ansible
ansible_password: P@ssw0rd!
ansible_winrm_server_cert_validation: ignore

Here we provide the credentials and, for a simpler initial setup, tell Ansible to skip validating the WinRM listener's TLS certificate (the WinRM equivalent of disabling strict host-key checking). That is fine for a lab, but it means the control node will accept any certificate the endpoint presents, so it should not stay that way in production.

Storing credentials securely is crucial! Consider using Ansible vault to encrypt passwords.

Additionally, once connectivity is working, switch the WinRM listener to use HTTPS for increased security.
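As an added example (not part of the original guide), here is a hardened version of the group_vars file above that applies the two points just made: the password is a vault-encrypted string and certificate validation stays on. The CA bundle path, the vault id "prod" and the ciphertext are placeholders.

```yaml
# /etc/ansible/group_vars/windows.yml, hardened variant (added example)
# Assumes the WinRM HTTPS listener's certificate chains to the CA bundle below
# (placeholder path) and that a vault id named "prod" exists on the control node.
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_scheme: https
ansible_winrm_transport: ntlm            # not basic: NTLM never sends the password itself and adds message signing/sealing
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /etc/ansible/certs/winrm-ca.pem   # placeholder path
ansible_user: ansible
# Produced by (reads the secret from stdin, so it never lands in shell history):
#   ansible-vault encrypt_string --vault-id prod@prompt --stdin-name ansible_password
ansible_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  PLACEHOLDER_CIPHERTEXT_FROM_ANSIBLE_VAULT
# Password-less alternative for the "Secure WinRM" tip later in this guide: client-certificate auth.
# The certificate must first be mapped to the ansible user on the Windows side.
# ansible_winrm_transport: certificate
# ansible_winrm_cert_pem: /etc/ansible/certs/ansible-user.pem       # placeholder
# ansible_winrm_cert_key_pem: /etc/ansible/certs/ansible-user.key   # placeholder
```

Run the playbook with the matching vault id (for example `--vault-id prod@prompt`) so the encrypted password can be decrypted.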

Step 6 – Test Connectivity

With all the pieces in place, let's validate everything works!

On our Ansible control node, run:

ansible windows -m win_ping -u ansible

This performs a simple ping using the Ansible user to test connectivity. If all is well, you will see pong come back from the Windows node!

Success – Ansible can now connect to Windows and start automating away.

Automating Windows Configuration with Ansible Playbooks

Now that you have basic connectivity validated, you can begin automating Windows management via Ansible playbooks and roles…

Let's walk through a simple playbook example – installing IIS on a Windows host:

---
- name: Install IIS
  hosts: windows
  vars:
    # Feature names as reported by Get-WindowsFeature: the ASP, ASP.NET 4.5 and
    # Application Initialization features are Web-ASP, Web-Asp-Net45 and Web-AppInit.
    iis_features:
      - Web-Server
      - Web-Mgmt-Tools
      - Web-Mgmt-Console
      - Web-Mgmt-Compat
      - Web-Metabase
      - Web-AppInit
      - Web-ASP
      - Web-Asp-Net45

  tasks:
    - name: Install IIS role
      win_feature:
        name: "{{ item }}"
        state: present
      loop: "{{ iis_features }}"

The above playbook leverages the win_feature Ansible module for Windows to install all the component pieces needed to enable IIS.

You could enhance this further to also:

  • Deploy an actual web application
  • Set up an IIS site and binding
  • Tweak config like application pools

Ansible makes Windows automation simple by handling these types of multi-step workflows in an easy, repeatable way.
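As an added example (not from the original guide), the playbook below carries the three enhancements just listed through: an application pool, an IIS site with an HTTPS binding, and a deployed page, with a reboot only when the feature install asks for one. It assumes the community.windows collection is installed on the control node; the site, pool and path names are constructed and the certificate thumbprint is a placeholder.

```yaml
---
# Added example, not from the original guide. Assumes the community.windows
# collection is installed; names are constructed and the thumbprint is a placeholder.
- name: Deploy a web application on IIS
  hosts: windows
  vars:
    site_name: demo-site
    site_root: C:\inetpub\demo-site
    pool_name: demo-pool
    cert_thumbprint: REPLACE_WITH_THUMBPRINT  # placeholder: thumbprint of the server cert in Cert:\LocalMachine\My
  tasks:
    - name: Install IIS with the pieces the site needs
      ansible.windows.win_feature:
        name: [Web-Server, Web-Mgmt-Console, Web-Asp-Net45]
        state: present
      register: iis
    - name: Reboot only when the feature install requires it
      ansible.windows.win_reboot:
      when: iis.reboot_required
    - name: Run the site under its own low-privilege pool identity
      community.windows.win_iis_webapppool:
        name: "{{ pool_name }}"
        state: started
        attributes:
          managedRuntimeVersion: v4.0
          processModel.identityType: ApplicationPoolIdentity
    - name: Create the site root
      ansible.windows.win_file:
        path: "{{ site_root }}"
        state: directory
    - name: Deploy a constructed landing page
      ansible.windows.win_copy:
        dest: "{{ site_root }}\\index.html"
        content: "<h1>{{ site_name }} deployed by Ansible</h1>"
    - name: Create the site on its pool with an HTTPS binding only
      community.windows.win_iis_website:
        name: "{{ site_name }}"
        state: started
        physical_path: "{{ site_root }}"
        application_pool: "{{ pool_name }}"
        port: 443
        ssl: true
    - name: Attach the server certificate to the HTTPS binding
      community.windows.win_iis_webbinding:
        name: "{{ site_name }}"
        protocol: https
        port: 443
        certificate_hash: "{{ cert_thumbprint }}"
        state: present
```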

Additional Best Practices and Considerations

Here are some additional tips for production Ansible on Windows deployments:

Secure WinRM – Configure certificate-based authentication over an HTTPS listener instead of basic auth

Organize Content – Use a windows role for all Windows automation content

Credential Management – Leverage Ansible vault to encrypt credentials

Hybrid Cloud Automation – Manage Windows VMs in public clouds alongside traditional Windows servers

Troubleshooting – Validate WinRM connectivity manually with winrs when issues arise

And much more! The key point is that Ansible provides a unified framework to automate Windows right alongside Linux.

Closing Thoughts

In closing, connecting Ansible running on Linux to manage Windows servers provides compelling benefits:

Pros

  • Unified automation for hybrid infrastructure
  • Leverage powerful Ansible capabilities
  • Eliminate need for separate PowerShell skills

Cons

  • Additional components like WinRM to troubleshoot
  • Typically slower performance than native PowerShell

So while it does introduce some incremental complexity, the simplicity and power of being able to use a single Ansible playbook or role to configure Windows, Linux, on-prem servers, cloud servers, networking gear and more is huge!

I hope you found this guide helpful for getting started. Feel free to reach out if you have any other questions!