ansible to manage windows hosts

Using Ansible to manage Windows hosts

In this article I will guide you through what’s needed to configure Ansible so it can be used to manage Windows hosts. Using Ansible to manage Windows hosts gives you great benefits such as installing updates, installing software, joining domains and a whole lot more all using infrastructure as code. We’re going to be using Kerberos to authenticate with our Windows hosts so you’re going to need a server running Active Directory Domain Services and then a Windows host joined to that domain, Ansible is going to be running on an Ubuntu host so that will also need joining to the domain (if you need assistance with that check out this article).

Let’s start by configuring our Windows host to allow Ansible to connect to it, simply run the following Powershell script on your Windows host.

$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"

(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file

Now that’s done let’s SSH into our Ubuntu machine, this is going to be our Ansible controller (or control-node as Ansible like to call it) and install everything we need.

sudo apt install software-properties-common
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt update
sudo apt install ansible
sudo apt-get install python-dev libkrb5-dev krb5-user
sudo apt-get install python-pip
pip install pywinrm
pip install pywinrm[kerberos]

Now that Ansible is installed we can get to configuring everything. Let’s add our Windows hosts to the /etc/ansible/hosts file

sudo nano /etc/ansible/hosts

Let’s declare a group called windows and add our hosts to it, make sure to use the full FQDN of the Windows machine you want to manage (in this case s2019 is the name of my Windows host and lab.local is the domain)

[win]
s2019.lab.local

Below this we need to add some configuration to let Ansible know how to communicate with our Windows hosts. I’ve created an domain Anisble user that I’m going to use but you can use any domain account. Ideally we wouldn’t set our credentials here but this is fine just for an example, in production I’d pass these credentials in as part of a CI/CD pipeline.

[win:vars]
[email protected]
ansible_password=password
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation=ignore

Save and exit (Ctrl + O, Enter, Ctrl + X)

Now that the configuration is done let’s write a basic playbook. A playbook is a collection of tasks that Ansible will execute against the hosts.

sudo nano updates.yml
- name: Windows Updates
  hosts: win

  tasks:
    - name: Install updates
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: yes

This playbook will install security and critical Windows updates and reboot if necessary. Let’s Save and Exit again.

Now we can run the playbook.

ansible-playbook updates.yml

If all has gone to plan Ansible should connect to your Windows hosts and install the updates we told it to before rebooting if required.

This is a fairly basic example and like I said earlier; we ideally want to be doing this from a CI/CD pipeline – look for an article about that in the future. If you have any questions or comments then please leave a comment or contact me on Twitter. Thanks.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.