AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible infra.windows_ops Collection: DISA STIG and CIS Benchmark Drift Remediation

By Luca Berton · Published 2024-01-01 · Category: windows-automation

How the new infra.windows_ops collection for AAP 2.7 automates DISA STIG and CIS benchmark drift remediation on Windows fleets.

Keeping Windows servers aligned with DISA STIG and CIS benchmarks is one of those compliance chores that never actually finishes — a patch lands, a GPO gets overridden, an admin flips a registry key during an incident, and suddenly a "compliant" fleet has quietly drifted. At Red Hat Tech Day Netherlands 2026 (3 June 2026, Bunnik), the Ansible team addressed exactly this problem when it unveiled 12 new content collections for Ansible Automation Platform (AAP) 2.7. Among them, infra.windows_ops stands out as the collection purpose-built for Windows security baseline enforcement, DISA STIG alignment, CIS benchmark checks, and continuous drift remediation.

This article looks specifically at what infra.windows_ops is for, how it fits into the broader AAP 2.7 collection lineup, and how teams can start structuring compliance-as-code playbooks around it.

Why Windows Compliance Needs Its Own Collection

Linux configuration management has had mature, standardized compliance tooling (OpenSCAP, compliance-as-code content, ansible.posix) for years. Windows environments, by contrast, have historically relied on a patchwork of Group Policy Objects, PowerShell DSC scripts, and manual STIG checklists that are hard to version, hard to audit, and easy to drift out of alignment silently.

infra.windows_ops closes that gap by giving Windows fleets the same "automate the audit, automate the fix" model that Linux teams already expect: scan a host against a benchmark, produce a structured compliance report, and — where policy allows — automatically remediate the finding in place.

See also: AAP 2.7 EE Builder Step 1: Choosing a Base Image

What the Collection Covers

Based on its announced scope, infra.windows_ops is built around three pillars:

  • Security baseline enforcement — applying and validating DISA STIG and CIS Benchmark controls (registry settings, local security policy, audit policy, service states, and account policies) across Windows Server and desktop targets.
  • Drift detection — periodic or on-demand scans that compare live host state against the target baseline and flag deviations before they become audit findings.
  • Remediation workflows — idempotent tasks that bring non-compliant settings back into line, with reporting suitable for feeding into governance dashboards or Event-Driven Ansible (EDA) pipelines for closed-loop response.
This positions infra.windows_ops alongside the other "infra." validated content announced at the same event — such as infra.mecm_ops, which layers higher-level validated roles (emergency patching, health reports) on top of the new microsoft.mecm collection. The pattern across both is consistent: a foundational collection provides granular modules, while the "infra" layer packages them into opinionated, ready-to-run roles.

Example: A Drift Remediation Playbook

Because infra.windows_ops was announced as part of the AAP 2.7 wave rather than shipped with full public API documentation at the time of the event, the task names below are illustrative of how this kind of compliance-as-code playbook is typically structured — the shape will be familiar to anyone who has written STIG or CIS remediation content before.

---
- name: Enforce CIS Level 1 baseline and remediate drift on Windows Server fleet
  hosts: windows_servers
  gather_facts: true
  vars:
    baseline_profile: cis_level1_server2022
    remediate_on_drift: true

  tasks:
    - name: Scan host against CIS Level 1 benchmark
      infra.windows_ops.baseline_scan:
        profile: "{{ baseline_profile }}"
      register: scan_result

    - name: Report detected drift findings
      ansible.builtin.debug:
        msg: "{{ scan_result.findings | length }} findings out of compliance"

    - name: Remediate non-compliant controls
      infra.windows_ops.baseline_remediate:
        profile: "{{ baseline_profile }}"
        findings: "{{ scan_result.findings }}"
      when:
        - remediate_on_drift | bool
        - scan_result.findings | length > 0
      register: remediation_result

    - name: Generate compliance report artifact
      infra.windows_ops.compliance_report:
        scan_data: "{{ scan_result }}"
        remediation_data: "{{ remediation_result | default(omit) }}"
        output_format: json
      register: compliance_report

    - name: Save compliance report for audit trail
      ansible.builtin.copy:
        content: "{{ compliance_report.report | to_nice_json }}"
        dest: "/var/log/ansible/compliance/{{ inventory_hostname }}-{{ baseline_profile }}.json"
      delegate_to: localhost

The key structural idea is the separation of scan → remediate → report into distinct, auditable steps. That separation matters for governance: security teams often want visibility into what would* change before automation is allowed to change it, especially on production Windows infrastructure.

See also: AAP 2.7 EE Builder Step 2: Adding Collections from Private Automation Hub

Comparing Baseline Options

Baseline typeTypical use caseChange toleranceReporting need
DISA STIGGovernment, defense, regulated federal workloadsLow — strict pass/fail per controlHigh — formal audit artifacts (SCAP-style)
CIS Benchmark Level 1General-purpose hardening, broad server fleetsModerate — practical security without breaking appsModerate — periodic compliance scoring
CIS Benchmark Level 2High-security environments, sensitive data tiersLow — assumes stricter operational constraintsHigh — detailed control-by-control evidence
Custom org baselineInternal policy layered on top of CIS/STIGFlexible — org-definedDepends on internal governance requirements
Teams adopting infra.windows_ops will typically pick a starting profile (CIS or STIG) and then layer organization-specific exceptions on top, rather than trying to hand-roll a baseline from scratch.

Fitting Into the AAP 2.7 Governance Story

infra.windows_ops doesn't exist in isolation. It's one of 12 collections announced together at Red Hat Tech Day Netherlands 2026 under the themes of Efficiency, Resilience, Governance, and Scale — alongside collections like ansible.platform (configuration-as-code and RBAC refactoring for AAP itself) and hashicorp.vault (secrets and dynamic credentials). In practice, that means a mature compliance workflow can combine:

  • ansible.platform to manage the job templates and RBAC controlling who can run remediation against which inventory.
  • hashicorp.vault to supply dynamic, short-lived credentials for the Windows accounts executing baseline changes.
  • infra.windows_ops to perform the actual scan-and-remediate work.
That combination is a concrete example of the "Governance" pillar Red Hat emphasized at the event: compliance automation that is not just technically capable, but also auditable and access-controlled end to end.

See also: AAP 2.7 EE Builder Step 3: Destination, Build, and Publish to Git

Key Takeaways

  • infra.windows_ops is one of 12 new collections announced for AAP 2.7 at Red Hat Tech Day Netherlands 2026, focused specifically on Windows security baseline enforcement, DISA STIG alignment, CIS benchmark checks, and drift remediation.
  • The collection follows a scan → remediate → report pattern, letting teams separate detection from automated fixing for better governance control.
  • It complements infra.mecm_ops (patch orchestration) and pairs naturally with ansible.platform and hashicorp.vault for a fully governed, credentialed compliance pipeline.
  • Organizations should pick a baseline (DISA STIG for regulated environments, CIS Level 1/2 for general hardening) and layer custom policy on top rather than building compliance content from zero.
  • As infra.windows_ops matures beyond its announcement, expect the module and role surface to expand — treat early playbooks as a starting framework, not a finished implementation.

Category: windows-automation

Browse all Ansible tutorials · AnsiblePilot Home