Complete Guide to Installing and Using Ansible on Windows

Ansible has become the de facto standard for IT infrastructure automation due to its simplicity, ease-of-use and broad capabilities across operating systems and platforms. While Ansible was born in the Linux world, support and capabilities for managing Windows environments have improved significantly.

In this comprehensive guide, we will walk through the entire process of getting Ansible up and running on Windows Subsystem for Linux (WSL) and using it to automate common administrative tasks on Windows servers.

Why Ansible for Windows Automation?

Before we jump into the installation steps, let‘s briefly go over why Ansible is a great choice for automating Windows:

No agents required – Ansible uses SSH, WinRM or Powershell Remoting to connect to Windows hosts without needing any agent software installed. This makes deployment much easier.
Improved idempotence – Tasks are coded in easy YAML playbooks so they can be run repeatedly with the same outcome.
Simpler Windows tasks – Ansible modules abstract away complexity for many common management tasks on Windows.
Cross-platform capabilities – Ansible can automate Linux, Windows and networking gear from a single control node.
Thriving community – As an open source tool, Ansible benefits from a vast set of pre-built modules and plugins.

Now that we‘ve seen the major advantages of Ansible for Windows, let‘s get Ansible installed and configured.

Step 1 – Enable and Set Up Windows Subsystem for Linux

Since Ansible itself runs from a Linux control machine, we need to enable Windows Subsystem for Linux (WSL) to provide an Ubuntu environment on Windows for installing and running Ansible.

Here are the steps to enable WSL:

Open PowerShell as Administrator and run:

 Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Restart your computer when prompted.
Open the Microsoft Store application and search for "Ubuntu". Install the latest Ubuntu version available.
Complete the initial user setup when Ubuntu first launches.

Once complete, you will have an Ubuntu terminal environment running natively within Windows that we can use for Ansible.

Step 2 – Install Ansible Dependencies

With the WSL Ubuntu shell open, we can now install the packages needed by Ansible:

sudo apt update
sudo apt install software-properties-common
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt install ansible

The key packages we installed:

python – Ansible is written in Python
python-pip – Used to install Ansible dependencies
software-properties-common – Allows apt-add-repository command
ansible – The latest Ansible release

Verify Ansible is installed properly:

ansible --version

This will display the version number of Ansible if the installation was successful.

Step 3 – Configure Ansible Inventory and Hosts

Ansible uses an inventory file (ansible hosts) to specify which Windows machines to connect to and manage with Ansible playbooks.

Let‘s create an inventory file and set up key-based SSH authentication for passwordless connections:

Create a .ansible.cfg file in your home directory:
```
 [defaults]
 interpreter_python=auto_silent
 host_key_checking = False
```
This will set some sane defaults for Ansible on Windows.

Create an ansible_hosts file in /etc/ansible/hosts:

 [windows]
 windows_host_1 ansible_host=x.x.x.x ansible_user=username ansible_password=password
 windows_host_2 ansible_host=y.y.y.y ansible_user=username ansible_password=password

Replace the IP addresses, usernames and passwords with your real Windows server names, IPs and credentials.

Run a quick ping test:
```
 ansible windows -m win_ping
```
You should see pong responses from your Windows hosts.

We now have inventory setup, but currently we have to store passwords in plaintext. Let‘s set up key authentication as a more secure option:

Run the following on your Linux control node:
```
 ssh-keygen
```
Accept defaults to generate a keypair in /home/username/.ssh/id_rsa

Copy the public key to your Windows host:

 scp /home/username/.ssh/id_rsa.pub username@windows_host_1:/home/username/

Remote into windows_host_1 and append public key to authorized_keys

Update your inventory to use key auth instead of password:

 windows_host_1 ansible_host=x.x.x.x ansible_user=username ansible_ssh_private_key_file=/home/username/.ssh/id_rsa

This will connect to your Windows hosts without needing to store your password in plaintext.

Step 4 – Run Ad-Hoc Commands on Windows

Now that we have Ansible installed and can connect to our Windows servers, let‘s start running some basic ad-hoc commands to test things out.

Ad-hoc commands let you run quick one-off tasks without having to write a full Ansible playbook. They are useful for simple administration tasks.

Let‘s run some commands against our Windows hosts:

Ping servers

ansible windows -m win_ping

Gather facts

ansible windows -m setup

Fetch a file

ansible windows -m win_get_url -a "url=https://files.com/installme.exe dest=c:\temp\installme.exe"

Create a user

ansible windows -m win_user -a "name=test12345 password=Pass1234!"

As you can see ad-hoc commands let you quickly run Ansible modules without any of the ceremony or boilerplate of writing playbooks.

Now let‘s move on to writing Ansible playbooks for Windows automation…

Step 5 – Write Ansible Playbooks for Windows Tasks

Ad-hoc commands are great, but Ansible really shines when you write playbooks – files that codify complex multi-tier automation tasks in easy to read YAML format.

Let‘s walk through some sample playbooks for common Windows automation tasks.

Playbook to Install IIS Web Server Role

Many applications rely on IIS for hosting web applications on Windows. Here is an Ansible playbook to ensure IIS is installed on our hosts:

---
- name: Install IIS Web Server on Windows
  hosts: windows

  tasks:
    - name: Install IIS Role 
      win_feature:
        name: Web-Server
        state: present
        include_management_tools: yes

    - name: Start IIS Service
      win_service:
        name: W3Svc
        state: started

To run this playbook:

ansible-playbook iis_install.yml

This will connect to your Windows hosts and install the IIS role with management tools enabled and start the IIS service – all in an automated, repeatable way.

Let‘s explore some other playbooks…

Playbook to Manage Windows Services

Controlling services is a key part of Windows administration. Here is an example for stopping and disabling services:

---
- name: Stop and disable unwanted Windows services
  hosts: windows
  tasks:
    - name: Stop print spooler service
      win_service:
        name: Spooler
        state: stopped

    - name: Disable print spooler service
      win_service:
        name: Spooler
        state: stopped
        start_mode: disabled

We can also restart services after updates or configuration changes:

- name: Restart server after updates
  win_reboot:

- name: Wait for server to restart
  wait_for_connection:
    delay: 60
    sleep: 30 
    timeout: 300

- name: Start services 
  win_service:
    name: "{{ item }}"
    state: started
  loop:
     - W3SVC
     - someservice

This playbook does a reboot, waits for the server to come back up, and then restarts the listed services.

As you can see, Ansible makes managing Windows services much simpler.

Playbook to Copy Files to Windows Hosts

Copying files or deploying applications is very common. Here is an Ansible playbook template for that:

---
- name: Copy application to Windows servers
  hosts: windows

  tasks:
    - name: Create destination directory
      win_file:
        path: C:\app
        state: directory

    - name: Copy application file 
      win_copy:
        src: files/installer.exe
        dest: C:\app\

    - name: Install application 
      win_command: C:\app\installer.exe /S

This creates the folder C:\app, copies over the installer.exe file to that location, and then executes the silent installation.

Ansible‘s copy and command modules make application deployment consistent and repeatable.

Step 6 – Troubleshooting Ansible Issues on Windows

When getting started with Ansible and Windows, there are some common issues that may come up. Here are a few troubleshooting tips for problems you might run into:

Connection Issues

If Ansible playbooks fail with authentication or connection issues, some things to check:

Make sure WinRM is enabled with Enable-PSRemoting
Confirm PowerShell remoting allowed in firewall
Check SSH server enabled and configured properly
Verify Linux node has SSH access to reach hosts

Privilege Escalation Problems

Many Ansible modules require Administrator level access. If you get access denied errors, use become:

- name: Manage something that requires admin access  
  win_module:
     .... 
  become: yes
  become_method: runas

Playbook Debugging

Use -vvv flag to enable verbose output for debugging
Check Windows event logs for errors
Capture logs with debug module to see output

Check the Ansible troubleshooting guide for more detailed information on common issues.

Step 7 – Optimizing Performance with Ansible on Windows

When managing larger Windows environments, performance tuning is important for playbook runtimes.

Here are some best practices to optimize Ansible speed on Windows:

Increase Parallelism

Take advantage of Ansible‘s built-in parallelization by targeting tasks where possible:

- name: Install IIS sites
  win_iis_website:
    ....
  loop: 
    - { name: site1...}
    - { name: site2...}
  loop_control:
    parallelism: 10

Use Async Batching

For long running tasks, dequeuing with async can drastically improve runtime:

- name: Install many applications
  win_package:
    ....
  loop: 
   - { name: app1, src: files/app1.msi }
   - { name: app2, src: files/app2.msi }
  loop_control:
    parallelism: 10
  async: 600
  poll: 10

Tune Windows for Ansible

Disable PowerShell transcription on endpoints
Exclude C:\Windows\Temp\ from antivirus real-time scans
Reduce group policy background refresh frequency

There are many other optimizations covered in Ansible‘s performance tuning guide.

For extra large environments (10k+ hosts), Ansible Tower provides additional scale-out capabilities.

Alternative Installation Methods

So far we have used WSL and Ubuntu to install and run Ansible on Windows. There are some other options available as well:

Installing from Source

You can install Ansible directly on Windows by:

Enabling Windows Subsystem for Linux
Installing Python and pip
Cloning the Ansible source code from GitHub
Running pip install -r requirements.txt from the Ansible project directory

This avoids needing the Ubuntu layer, but does require compiling some components from source code.

Deploying Ansible via Containers

Another option is running Ansible in Docker containers. By packaging Ansible images into containers, you can maintain standardized images across teams.

Some options for containerized Ansible:

Official Ansible container images
Third party images with Ansible pre-installed
Custom images with Ansible and playbooks baked in

Running in containers adds some operational overhead, but provides consistency and portability across environments.

Summary

In this detailed guide, we went through the full steps for getting Ansible working smoothly on Windows:

Enabled and set up Windows Subsystem for Linux (WSL)
Installed Ansible and its dependencies using APT
Configured Ansible inventory and SSH key auth for Windows hosts
Ran ad-hoc commands to test things out
Wrote playbooks to automate Windows server configuration
Troubleshot issues like privilege escalation
Optimized performance for large Windows environments
Covered alternative installation options

We‘ve really just scratched the surface of what‘s possible with Ansible and Windows.

Ansible provides modules for nearly any Windows administration task like IIS configuration, SQL server DB administration, Office 365 management and much more.

Hopefully this provided a good starting point for leverage Ansible automation to simplify your Windows server infrastructure and deployments.