Information for Ansible prep and config on a Windows host

Host Requirements

• Ansible’s supported Windows versions generally match
those under current and extended support from Microsoft.
Supported desktop OSs include Windows 7, 8.1, and 10, and
supported server OSs are Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016.

• Ansible requires PowerShell 3.0 or newer and at least .NET 4.0 to be installed on the Windows host.

• A WinRM listener (HTTP or HTTPS) with one of the supported auth methods enabled: Basic, NTLM, Kerberos, CredSSP, or certificate

Things to do (broad strokes)

• Get Execution Policy Current Value
• Set Execution Policy Unrestricted

• Check OS Version

• Check currently installed PS and .NET versions
Update PS and .NET to the required versions
Install the PS3 WinRM memory hotfix if necessary (only PowerShell 3.0 hosts need it)

• Configure Windows for the selected auth method (Basic, NTLM, Kerberos, CredSSP, or certificate)
CredSSP – enable the CredSSP server role on the Windows host (only needed when a task must reach a second host with the same credentials, the double hop)

• Remove the autologon registry values (the upgrade script sets them to survive its reboots; they hold the account password in clear text)

• Configure WinRM listener(s)

• Set Execution Policy to Original Value

• Logging
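The checklist above, turned into a read-only audit that reports each item as OK / WARN / FAIL. This is an added example, not part of the original notes and not one of Ansible's own scripts. It sticks to cmdlets available in PowerShell 2.0 so it can run before the upgrade step; KB2842230 is the WinRM memory hotfix the Ansible docs call for on PowerShell 3.0 hosts, and 'Allow WinRM HTTPS' is the firewall rule name ConfigureRemotingForAnsible.ps1 creates. Run it from an elevated prompt.

```powershell
# Added example: read-only preflight audit of a Windows host for Ansible/WinRM.
# Not from the original notes and not one of Ansible's scripts. Run elevated.
$findings = New-Object System.Collections.ArrayList
function Note($level, $text) { [void]$findings.Add(('[{0,-4}] {1}' -f $level, $text)) }

# Execution policy (record it so it can be restored at the end of the prep)
Note 'INFO' ("Execution policy: {0}" -f (Get-ExecutionPolicy))

# OS version
$os = Get-WmiObject Win32_OperatingSystem
Note 'INFO' ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

# PowerShell 3.0+; a 3.x host also needs the WinRM memory hotfix (KB2842230 per the Ansible docs)
$ps = $PSVersionTable.PSVersion
if ($ps -lt [Version]'3.0') { Note 'FAIL' "PowerShell $ps; Ansible needs 3.0 or newer" }
else { Note 'OK' "PowerShell $ps" }
if ($ps.Major -eq 3 -and -not (Get-HotFix -Id KB2842230 -ErrorAction SilentlyContinue)) {
    Note 'FAIL' 'PowerShell 3.0 without WinRM memory hotfix KB2842230'
}

# .NET Framework 4.x (Ansible needs at least 4.0; the Release value only exists from 4.5 onward)
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
if (Test-Path $ndp) {
    $p = Get-ItemProperty $ndp
    Note 'OK' (".NET Framework {0} (Release={1})" -f $p.Version, $p.Release)
} else { Note 'FAIL' '.NET Framework 4.0 or newer is not installed' }

# WinRM service, listeners, auth methods (the WSMan: drive needs the service running)
$svc = Get-Service WinRM
if ($svc.Status -ne 'Running') { Note 'FAIL' "WinRM service is $($svc.Status)" }
else {
    Note 'OK' 'WinRM service running'
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    if ($listeners.Count -eq 0) { Note 'FAIL' 'No WinRM listeners configured' }
    foreach ($l in $listeners) {
        $prop = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" | ForEach-Object { $prop[$_.Name] = $_.Value }
        if ($prop['Transport'] -eq 'HTTP') {
            Note 'WARN' ("HTTP listener on port {0}: payload is plaintext unless the auth transport encrypts it" -f $prop['Port'])
        } else {
            $cert = Get-Item ("Cert:\LocalMachine\My\{0}" -f $prop['CertificateThumbprint']) -ErrorAction SilentlyContinue
            if (-not $cert)                        { Note 'FAIL' 'HTTPS listener whose certificate is not in LocalMachine\My' }
            elseif ($cert.NotAfter -lt (Get-Date)) { Note 'FAIL' ("HTTPS listener certificate expired {0}" -f $cert.NotAfter) }
            else { Note 'OK' ("HTTPS listener on port {0}, cert {1} valid until {2}" -f $prop['Port'], $cert.Subject, $cert.NotAfter) }
        }
    }
    # Auth methods are string leaves ('true'/'false'); Basic over HTTP is only ever stopped by AllowUnencrypted=false
    $auth = @{}
    Get-ChildItem WSMan:\localhost\Service\Auth | ForEach-Object { $auth[$_.Name] = $_.Value }
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $enabled = @($auth.Keys | Where-Object { $auth[$_] -eq 'true' }) -join ', '
    Note 'INFO' ("Auth enabled: {0}; AllowUnencrypted={1}" -f $enabled, $unenc)
    if ($auth['Basic'] -eq 'true' -and $unenc -eq 'true') {
        Note 'FAIL' 'Basic auth with AllowUnencrypted=true: passwords would cross HTTP base64-encoded, not encrypted'
    }
    if ($auth['CredSSP'] -eq 'true') { Note 'WARN' 'CredSSP server enabled: callers delegate their full credentials to this host' }
}

# Firewall rule for 5986 (the netsh output matched here is the English one)
$fw = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
if ($fw -match 'Rule Name') { Note 'OK' "Firewall rule 'Allow WinRM HTTPS' present" }
else { Note 'WARN' "No 'Allow WinRM HTTPS' firewall rule; 5986 may be blocked" }

# Autologon leftovers (the upgrade script keeps the password here, in clear text, between reboots)
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AutoAdminLogon -eq '1' -or $wl.DefaultPassword) { Note 'FAIL' 'Autologon values (AutoAdminLogon/DefaultPassword) still present in Winlogon' }
else { Note 'OK' 'No autologon values in Winlogon' }

$findings
Write-Host ("{0} finding(s) marked FAIL" -f @($findings | Where-Object { $_ -match '^\[FAIL' }).Count)
```

Run it once before the upgrade script (expect FAILs on PS/.NET on older hosts) and again after ConfigureRemotingForAnsible.ps1, when the only things left to look at should be the WARN lines for the HTTP listener and CredSSP.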

To Do List
• Currently needs a user in the Administrators group on the Windows host;
figure out the minimum group membership requirements

Current Installation Steps

Set-ExecutionPolicy Unrestricted -Force


Use Upgrade-PowerShell.ps1 to update PS (and .NET) to the specified levels

On a fully patched Windows Server 2016 host (which already ships with PowerShell 5.1, so the script should find nothing to upgrade; the upgrade matters on 2008/2008 R2/2012/2012 R2 and Windows 7/8.1):
powershell.exe -ExecutionPolicy ByPass -File Upgrade-PowerShell.ps1 -version 5.1 -verbose

Things it “does”
• Sets the execution policy (so the Set-ExecutionPolicy command above is not needed)
• Checks the OS version
• Checks the current PowerShell version and updates it to the specified version
• Checks the .NET version and updates it to the version the requested PowerShell needs
• Removes the autologon registry values it set for its own reboots


On a Windows Server 2016 host:

powershell.exe -ExecutionPolicy ByPass -File ConfigureRemotingForAnsible.ps1 -Verbose -EnableCredSSP
#@nick – read through the comments in the script itself.
You will want -SkipNetworkProfileCheck to enable WinRM on a host whose network profile is PUBLIC,
e.g. IIS servers 😉
That switch is passed through to Enable-PSRemoting and only affects the HTTP rule it creates (limited to the local subnet on a public profile); the script opens 5986 on every profile regardless.

to view winrm listeners

winrm enumerate winrm/config/Listener

to delete HTTP listener

Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object { $_.Keys -contains "Transport=HTTP" } | Remove-Item -Recurse -Force

to delete HTTPS listener

Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object { $_.Keys -contains "Transport=HTTPS" } | Remove-Item -Recurse -Force

Things it “does”
• Runs with execution policy Bypass (from the -ExecutionPolicy switch on the command line)
• Adds HTTP and HTTPS listeners for WinRM
HTTPS – generates a self-signed certificate (an ADCS-issued certificate can be bound to the listener instead for domain cert auth)
HTTP – plaintext
– only usable with an auth transport that encrypts the payload (NTLM, Kerberos, CredSSP), since AllowUnencrypted stays false; Basic over HTTP would send the password base64-encoded, not encrypted
• Enables Basic auth unless -DisableBasicAuth is given
• Enables the CredSSP server role if -EnableCredSSP is given
• Adds a firewall rule for 5986 on all profiles; 5985 relies on the rule Enable-PSRemoting creates unless -GlobalHttpFirewallAccess is given
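Once the script has run, the host has more exposed than most inventories need: a plaintext listener on 5985, Basic auth switched on, and (with -EnableCredSSP) credential delegation. The following is an added example, not part of the original notes and not one of Ansible's scripts, that trims it back to the HTTPS listener and NTLM/Kerberos. It assumes the inventory uses ansible_port=5986 with ansible_winrm_transport ntlm or kerberos (pass -KeepCredSSP if it uses credssp for the double hop); the 'Windows Remote Management (HTTP-In)' rule name is the one Enable-PSRemoting creates. Run it from an elevated prompt.

```powershell
# Added example: tighten what ConfigureRemotingForAnsible.ps1 leaves behind.
# Not from the original notes and not one of Ansible's scripts. Run elevated.
# Assumes the Ansible side connects to 5986 with ntlm/kerberos (or credssp with -KeepCredSSP).
param([switch]$KeepCredSSP)

$ErrorActionPreference = 'Stop'

# 1. Drop the plaintext HTTP listener (port 5985); the HTTPS listener is untouched.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force

# 2. Basic auth puts the password, base64-encoded, in every request, and the script
#    enables it unless it was run with -DisableBasicAuth. Turn it off, and keep WinRM
#    refusing payloads that are not protected by TLS or by NTLM/Kerberos/CredSSP
#    message-level encryption.
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 3. CredSSP hands the host the caller's full credentials; it is only needed for the
#    double hop (a task on this host reaching another host as the same user).
if (-not $KeepCredSSP) {
    Set-Item WSMan:\localhost\Service\Auth\CredSSP -Value $false
}

# 4. With no HTTP listener left, the HTTP firewall rules from Enable-PSRemoting can go.
#    'Allow WinRM HTTPS' (5986, all profiles), which the script added, stays.
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=no

# 5. Show the result: expect exactly one listener (Transport = HTTPS) and
#    Basic/CredSSP = false. Kerberos and Negotiate (NTLM) stay at their defaults (true).
winrm enumerate winrm/config/Listener
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
```

Any host var still set to ansible_winrm_transport=basic or ansible_port=5985 will stop working after this, which is the point: the inventory should say 5986 and ntlm/kerberos, and win_ping is the quickest way to confirm it still does.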

Once done with these scripts, see the Ansible inventory (hosts file) config for connecting

Linux host requirements

Python Packages

pip install "pywinrm>=0.3.0"
# required for Ansible to communicate over WinRM

pip install ipaddress
# optional – only needed when IPv6 addresses are used in the hosts file

pip install "pywinrm[credssp]"
# required when using ansible_winrm_transport=credssp

pip install "pywinrm[kerberos]"
# required when using ansible_winrm_transport=kerberos (plus a lot of extra setup on the control node: krb5 client libraries, a krb5.conf for the realm, and a valid ticket)


Ansible uses a dedicated set of win_ modules for Windows hosts (e.g. win_copy vs copy, win_ping vs ping).
Using the Linux module against a Windows host will fail, and the error does not always say why.
Use win_ping to test your configuration – any parsing issues with the hosts file or connection issues will be returned.
If authentication keeps failing, check the Security log in Event Viewer on the Windows host; the failed logons show up there with the account and logon type used.

ansible -m win_ping windows-servers

Should return, per host:

host | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

If successful, try win_updates to confirm that a module can query Windows Update through WinRM (the ad hoc call below only searches; it does not install anything):

ansible -m win_updates windows-servers

host | SUCCESS => {
    "changed": false,
    "filtered_updates": {},
    "found_update_count": 0,
    "installed_update_count": 0,
    "reboot_required": false,
    "updates": {}
}

Author: Nathan Emslander