Ansible has become the de facto standard for IT infrastructure automation due to its simplicity, ease-of-use and broad capabilities across operating systems and platforms. While Ansible was born in the Linux world, support and capabilities for managing Windows environments have improved significantly.
In this comprehensive guide, we will walk through the entire process of getting Ansible up and running on Windows Subsystem for Linux (WSL) and using it to automate common administrative tasks on Windows servers.
Why Ansible for Windows Automation?
Before we jump into the installation steps, let's briefly go over why Ansible is a great choice for automating Windows:
- No agents required – Ansible uses SSH, WinRM or PowerShell Remoting to connect to Windows hosts without needing any agent software installed. This makes deployment much easier.
- Improved idempotence – Tasks are coded in easy YAML playbooks so they can be run repeatedly with the same outcome.
- Simpler Windows tasks – Ansible modules abstract away complexity for many common management tasks on Windows.
- Cross-platform capabilities – Ansible can automate Linux, Windows and networking gear from a single control node.
- Thriving community – As an open source tool, Ansible benefits from a vast set of pre-built modules and plugins.
Now that we've seen the major advantages of Ansible for Windows, let's get Ansible installed and configured.
Step 1 – Enable and Set Up Windows Subsystem for Linux
Since Ansible itself runs from a Linux control machine, we need to enable Windows Subsystem for Linux (WSL) to provide an Ubuntu environment on Windows for installing and running Ansible.
Here are the steps to enable WSL:
- Open PowerShell as Administrator and run:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
- Restart your computer when prompted.
- Open the Microsoft Store application and search for "Ubuntu". Install the latest Ubuntu version available.
- Complete the initial user setup when Ubuntu first launches.
Once complete, you will have an Ubuntu terminal environment running natively within Windows that we can use for Ansible.
Step 2 – Install Ansible Dependencies
With the WSL Ubuntu shell open, we can now install the packages needed by Ansible:
sudo apt update
sudo apt install software-properties-common
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt install ansible
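The key packages involved:
- python – Ansible is written in Python; apt installs it as a dependency of the ansible package
- python-pip – Used to install Ansible dependencies; the commands above do not install it, so add it separately if you need it
- software-properties-common – Allows apt-add-repository command
- ansible – The latest Ansible release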
Verify Ansible is installed properly:
ansible --version
This will display the version number of Ansible if the installation was successful.
Step 3 – Configure Ansible Inventory and Hosts
Ansible uses an inventory file (ansible hosts) to specify which Windows machines to connect to and manage with Ansible playbooks.
Let's create an inventory file and set up key-based SSH authentication for passwordless connections:
- Create a .ansible.cfg file in your home directory:
[defaults]
interpreter_python=auto_silent
host_key_checking = False
This sets some convenient defaults for Ansible on Windows. Note that host_key_checking = False turns off SSH host key verification, so the control node will not notice if a different machine answers at a host's address. Keep that setting for lab use and leave checking enabled, with the hosts' keys in known_hosts, everywhere else.
- Create the inventory file at /etc/ansible/hosts:
[windows]
windows_host_1 ansible_host=x.x.x.x ansible_user=username ansible_password=password
windows_host_2 ansible_host=y.y.y.y ansible_user=username ansible_password=password
Replace the IP addresses, usernames and passwords with your real Windows server names, IPs and credentials.
- Run a quick ping test:
ansible windows -m win_ping
You should see pong responses from your Windows hosts.
We now have the inventory set up, but currently we have to store passwords in plaintext. Let's set up key authentication as a more secure option:
- Run the following on your Linux control node:
ssh-keygen
Accept the defaults to generate a keypair in /home/username/.ssh/id_rsa
- Copy the public key to your Windows host (the path after the colon is relative to the user's profile directory on the Windows host):
scp /home/username/.ssh/id_rsa.pub username@windows_host_1:id_rsa.pub
- Remote into windows_host_1 and append the public key to authorized_keys in the .ssh folder of that user's profile (for accounts in the Administrators group, the default Windows OpenSSH configuration reads C:\ProgramData\ssh\administrators_authorized_keys instead)
- Update your inventory to use key auth instead of password:
windows_host_1 ansible_host=x.x.x.x ansible_user=username ansible_ssh_private_key_file=/home/username/.ssh/id_rsa
This will connect to your Windows hosts without needing to store your password in plaintext.
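An added example (not from the original guide) of the same inventory in YAML form, with the connection type made explicit and no plaintext password: windows_host_1 uses the SSH key created above, windows_host_2 uses WinRM over HTTPS with its password referenced from an ansible-vault encrypted file. The file name group_vars/windows/vault.yml and the variable vault_windows_password are assumptions, and the WinRM host needs pywinrm installed on the control node.

```yaml
# inventory.yml: constructed example; addresses, user and file names are placeholders.
all:
  children:
    windows:
      vars:
        ansible_user: username
      hosts:
        # Key-based SSH to the Windows OpenSSH server: no password stored anywhere.
        windows_host_1:
          ansible_host: x.x.x.x
          ansible_connection: ssh
          # Windows modules need a cmd or powershell shell type over SSH.
          ansible_shell_type: powershell
          ansible_ssh_private_key_file: /home/username/.ssh/id_rsa

        # WinRM over HTTPS, with the server certificate validated.
        windows_host_2:
          ansible_host: y.y.y.y
          ansible_connection: winrm
          ansible_port: 5986
          ansible_winrm_transport: ntlm
          ansible_winrm_server_cert_validation: validate
          # vault_windows_password (hypothetical name) is defined in
          # group_vars/windows/vault.yml next to this inventory, and that file
          # is encrypted with `ansible-vault encrypt`.
          ansible_password: "{{ vault_windows_password }}"
```

Test it with ansible -i inventory.yml windows -m win_ping --ask-vault-pass, which prompts for the vault password instead of reading a credential from the inventory.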
Step 4 – Run Ad-Hoc Commands on Windows
Now that we have Ansible installed and can connect to our Windows servers, let's start running some basic ad-hoc commands to test things out.
Ad-hoc commands let you run quick one-off tasks without having to write a full Ansible playbook. They are useful for simple administration tasks.
Let's run some commands against our Windows hosts:
Ping servers
ansible windows -m win_ping
Gather facts
ansible windows -m setup
Fetch a file
ansible windows -m win_get_url -a "url=https://files.com/installme.exe dest=c:\temp\installme.exe"
Create a user
ansible windows -m win_user -a "name=test12345 password=Pass1234!"
As you can see, ad-hoc commands let you quickly run Ansible modules without any of the ceremony or boilerplate of writing playbooks.
Now let's move on to writing Ansible playbooks for Windows automation…
Step 5 – Write Ansible Playbooks for Windows Tasks
Ad-hoc commands are great, but Ansible really shines when you write playbooks – files that codify complex multi-tier automation tasks in easy-to-read YAML format.
Let's walk through some sample playbooks for common Windows automation tasks.
Playbook to Install IIS Web Server Role
Many applications rely on IIS for hosting web applications on Windows. Here is an Ansible playbook to ensure IIS is installed on our hosts:
---
- name: Install IIS Web Server on Windows
  hosts: windows
  tasks:
    - name: Install IIS Role
      win_feature:
        name: Web-Server
        state: present
        include_management_tools: yes
    - name: Start IIS Service
      win_service:
        name: W3Svc
        state: started
To run this playbook:
ansible-playbook iis_install.yml
This will connect to your Windows hosts and install the IIS role with management tools enabled and start the IIS service – all in an automated, repeatable way.
Let's explore some other playbooks…
Playbook to Manage Windows Services
Controlling services is a key part of Windows administration. Here is an example for stopping and disabling services:
---
- name: Stop and disable unwanted Windows services
  hosts: windows
  tasks:
    - name: Stop print spooler service
      win_service:
        name: Spooler
        state: stopped
    - name: Disable print spooler service
      win_service:
        name: Spooler
        state: stopped
        start_mode: disabled
We can also restart services after updates or configuration changes:
- name: Restart server after updates
  win_reboot:
- name: Wait for server to restart
  wait_for_connection:
    delay: 60
    sleep: 30
    timeout: 300
- name: Start services
  win_service:
    name: "{{ item }}"
    state: started
  loop:
    - W3SVC
    - someservice
This playbook does a reboot, waits for the server to come back up, and then restarts the listed services.
As you can see, Ansible makes managing Windows services much simpler.
Playbook to Copy Files to Windows Hosts
Copying files or deploying applications is very common. Here is an Ansible playbook template for that:
---
- name: Copy application to Windows servers
  hosts: windows
  tasks:
    - name: Create destination directory
      win_file:
        path: C:\app
        state: directory
    - name: Copy application file
      win_copy:
        src: files/installer.exe
        dest: C:\app\
    - name: Install application
      win_command: C:\app\installer.exe /S
This creates the folder C:\app, copies over the installer.exe file to that location, and then executes the silent installation.
Ansible's copy and command modules make application deployment consistent and repeatable.
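An added example (not from the original guide) that reworks the Step 4 download and user-creation commands as a playbook, so the installer is hash-checked before it runs and the password stays out of shell history and task output. The hash value and the variable vault_test_user_password are placeholders to be supplied by you, the latter from an ansible-vault encrypted vars file.

```yaml
---
# Added example. The URL is the one used in the Step 4 ad-hoc command; the hash
# and the vault_* variable name are placeholders/assumptions.
- name: Download, verify and install an application
  hosts: windows
  vars:
    installer_url: https://files.com/installme.exe
    installer_sha256: "<sha256 published by the vendor>"
    installer_path: C:\app\installme.exe
  tasks:
    - name: Create destination directory
      win_file:
        path: C:\app
        state: directory

    - name: Download installer; the task fails if the hash does not match
      win_get_url:
        url: "{{ installer_url }}"
        dest: "{{ installer_path }}"
        checksum: "{{ installer_sha256 }}"
        checksum_algorithm: sha256

    # The same check works when the file arrived via win_copy instead.
    - name: Hash the file that is actually on disk
      win_stat:
        path: "{{ installer_path }}"
        get_checksum: yes
        checksum_algorithm: sha256
      register: installer

    - name: Refuse to continue on a mismatch
      assert:
        that:
          - installer.stat.exists
          - installer.stat.checksum | lower == installer_sha256 | lower
        fail_msg: Installer hash mismatch, not executing it

    - name: Install application
      win_command: "{{ installer_path }} /S"

    - name: Create a user with the password kept out of logs and shell history
      win_user:
        name: test12345
        password: "{{ vault_test_user_password }}"
        state: present
      no_log: true
```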
Step 6 – Troubleshooting Ansible Issues on Windows
When getting started with Ansible and Windows, there are some common issues that may come up. Here are a few troubleshooting tips for problems you might run into:
Connection Issues
If Ansible playbooks fail with authentication or connection issues, some things to check:
- Make sure WinRM is enabled with Enable-PSRemoting
- Confirm PowerShell remoting is allowed in the firewall
- Check that the SSH server is enabled and configured properly
- Verify the Linux node has SSH access to reach the hosts
Privilege Escalation Problems
Many Ansible modules require Administrator level access. If you get access denied errors, use become:
- name: Manage something that requires admin access
  win_module:
    ....
  become: yes
  become_method: runas
Playbook Debugging
- Use the -vvv flag to enable verbose output for debugging
- Check Windows event logs for errors
- Capture logs with the debug module to see output
Check the Ansible troubleshooting guide for more detailed information on common issues.
Step 7 – Optimizing Performance with Ansible on Windows
When managing larger Windows environments, performance tuning is important for playbook runtimes.
Here are some best practices to optimize Ansible speed on Windows:
Increase Parallelism
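Ansible runs each task on several hosts at once, up to the forks setting (5 by default), so raising forks is the main way to increase parallelism across hosts. Items in a loop run one after another on each host, and loop_control has no option to run them in parallel:
- name: Install IIS sites
  win_iis_website:
    ....
  loop:
    - { name: site1...}
    - { name: site2...}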
Use Async Batching
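For long-running tasks, async runs the task in the background on the host and polls for the result, so a slow install is not tied to a single open connection. With poll set to a non-zero value Ansible still waits for each item to finish before starting the next one:
- name: Install many applications
  win_package:
    ....
  loop:
    - { name: app1, src: files/app1.msi }
    - { name: app2, src: files/app2.msi }
  async: 600
  poll: 10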
Tune Windows for Ansible
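- Disable PowerShell transcription on endpoints
- Exclude C:\Windows\Temp\ from antivirus real-time scans
- Reduce group policy background refresh frequency
The first two items trade security visibility for speed: transcription is a record of what ran in PowerShell on the host, and a directory-wide antivirus exclusion applies to every file written there, not just Ansible's. Apply them only where that trade-off has been accepted.
There are many other optimizations covered in Ansible's performance tuning guide.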
For extra large environments (10k+ hosts), Ansible Tower provides additional scale-out capabilities.
Alternative Installation Methods
So far we have used WSL and Ubuntu to install and run Ansible on Windows. There are some other options available as well:
Installing from Source
You can install Ansible directly on Windows by:
- Enabling Windows Subsystem for Linux
- Installing Python and pip
- Cloning the Ansible source code from GitHub
- Running pip install -r requirements.txt from the Ansible project directory
This avoids needing the Ubuntu layer, but does require compiling some components from source code.
Deploying Ansible via Containers
Another option is running Ansible in Docker containers. By packaging Ansible images into containers, you can maintain standardized images across teams.
Some options for containerized Ansible:
- Official Ansible container images
- Third party images with Ansible pre-installed
- Custom images with Ansible and playbooks baked in
Running in containers adds some operational overhead, but provides consistency and portability across environments.
Summary
In this detailed guide, we went through the full steps for getting Ansible working smoothly on Windows:
- Enabled and set up Windows Subsystem for Linux (WSL)
- Installed Ansible and its dependencies using APT
- Configured Ansible inventory and SSH key auth for Windows hosts
- Ran ad-hoc commands to test things out
- Wrote playbooks to automate Windows server configuration
- Troubleshot issues like privilege escalation
- Optimized performance for large Windows environments
- Covered alternative installation options
We've really just scratched the surface of what's possible with Ansible and Windows.
Ansible provides modules for nearly any Windows administration task like IIS configuration, SQL server DB administration, Office 365 management and much more.
Hopefully this provided a good starting point for leveraging Ansible automation to simplify your Windows server infrastructure and deployments.