Windows client node configuration
As well as Linux hosts, Ansible is capable of remotely managing Microsoft Windows hosts. This includes Windows Desktop 7, 8, and 10, and Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016.
The Windows clients require you to have some specific versions of the following applications installed:
- PowerShell 3.0 or higher
- .NET 4.0
Those two requirements are met on most Windows releases, except for Windows 7 and Windows Server 2008.
An Ansible-made PowerShell script that automatically installs the missing requirements is available at the following link: https://github.com/PacktPublishing/Ansible-QuickStart-Guide/blob/master/Chapter2/Upgrade_Powershell.ps1.
To be able to execute this script, or any other third-party script, we need to change the execution policy from restricted to unrestricted, run our script, and then turn the policy back to restricted. Using Windows PowerShell, run the following using local or domain administrator credentials:
```powershell
$link = "https://raw.githubusercontent.com/jborean93/ansible-windows/master/scripts/Upgrade-PowerShell.ps1"
$script = "$env:temp\Upgrade-PowerShell.ps1"
# Account the upgrade script uses to log back on automatically after each reboot
$username = "Admin"
$password = "secure_password"

# Download the script, relax the execution policy, and run the upgrade
(New-Object -TypeName System.Net.WebClient).DownloadFile($link, $script)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
&$script -Version 5.1 -Username $username -Password $password -Verbose

# Turn the execution policy back to restricted
Set-ExecutionPolicy -ExecutionPolicy Restricted -Force

# Disable auto logon and remove the plain-text credentials the script stored in the registry
$reg_winlogon_path = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $reg_winlogon_path -Name AutoAdminLogon -Value 0
Remove-ItemProperty -Path $reg_winlogon_path -Name DefaultUserName -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $reg_winlogon_path -Name DefaultPassword -ErrorAction SilentlyContinue
```
Then, on all the Windows systems, a second script is needed to enable WinRM and configure it to listen for Ansible commands. This script can be downloaded from the following link: https://github.com/PacktPublishing/Ansible-QuickStart-Guide/blob/master/Chapter2/ConfigureRemotingForAnsible.ps1.
Similarly, this script requires privileged access and an unrestricted execution policy, which the following code supplies for that one PowerShell process through -ExecutionPolicy ByPass. Run the following code:
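```powershell
$link = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$script = "$env:temp\ConfigureRemotingForAnsible.ps1"
# Download the WinRM configuration script to the temp directory
(New-Object -TypeName System.Net.WebClient).DownloadFile($link, $script)
# Run it in a child process whose execution policy is bypassed; the machine policy is not changed
powershell.exe -ExecutionPolicy ByPass -File $script
```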
If no errors appear, Ansible should now be able to manage these machines.
The same applies for the Windows hosts. We may need to create a local or domain administrator that is only used by Ansible to execute commands freely. Its credentials can be configured in the host inventory group as well. This can be secured using Ansible Vault to prevent having passwords written in plain text.