Ansible on Windows 10 22H2 Automation: Legacy Workstation Migration, Hardening, ESU Complete Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Automate Windows 10 22H2 (NT 10.0.19045) endpoints with Ansible. Inventory, hardening, software rollout, ESU enrollment, and migration prep to Windows 11.
Windows 10 reached end of mainstream support on October 14, 2025. Most enterprises in 2026 are running 22H2 (NT build 10.0.19045) under the Extended Security Updates (ESU) program through October 2028. Ansible's main job on Windows 10 in 2026 is therefore not net-new automation but rather inventory, hardening, software rollout, ESU enrollment, decommissioning, and migration prep to Windows 11 24H2/25H2. This guide focuses on those operational use cases.
Windows 10 release facts
| Item | Value |
|---|---|
| Last feature release | 22H2 |
| NT build | 10.0.19045 |
| Mainstream end | 2025-10-14 |
| ESU end (consumer) | 2026-10-13 |
| ESU end (commercial, year 3) | 2028-10-10 |
| PowerShell shipped | 5.1 (7.x optional) |
Ansible-core compatibility
Use ansible-core 2.18 LTS with ansible.windows >= 2.6 and chocolatey.chocolatey >= 1.5. Newer collections (ansible.windows >= 3.0) still work on Win10 22H2 but their docs target Win11/Server 2025.
Enable WinRM HTTPS
$ErrorActionPreference = 'Stop'
Enable-PSRemoting -SkipNetworkProfileCheck -Force
# Self-signed listener certificate; clients cannot validate it, so swap in a CA-issued
# certificate (same thumbprint step) before trusting this in production
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
    "@{Hostname=`"$env:COMPUTERNAME`";CertificateThumbprint=`"$($cert.Thumbprint)`"}"
# Open 5986 only; leave the HTTP listener on 5985 disabled
New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound `
    -LocalPort 5986 -Protocol TCP -Action Allow
Inventory
[w10]
desk-001.lab.example.com
desk-002.lab.example.com

[w10:vars]
ansible_connection=winrm
ansible_port=5986
# CredSSP delegates the full credential to the endpoint; it is what allows the
# migration play below to write to \\fileserver (second hop). Use kerberos
# wherever no second hop is required.
ansible_winrm_transport=credssp
ansible_user=ansible_svc@LAB.EXAMPLE.COM
ansible_password='{{ vault_winrm_password }}'
# Required while the listener uses the self-signed certificate created above;
# remove once a CA-issued certificate is installed.
ansible_winrm_server_cert_validation=ignore
Inventory and hardware audit playbook
---
- name: Windows 10 22H2 inventory and audit
  hosts: w10
  gather_facts: true
  tasks:
    - name: Collect hardware facts
      ansible.windows.win_shell: |
        Get-CimInstance Win32_ComputerSystem | Select-Object Name, Manufacturer, Model, TotalPhysicalMemory | ConvertTo-Json
      register: hw
      changed_when: false

    - name: Collect TPM and Secure Boot facts (Win11 readiness)
      ansible.windows.win_shell: |
        $tpm = (Get-Tpm).TpmReady
        # Confirm-SecureBootUEFI errors on legacy BIOS; suppressing it leaves $sb as $null (JSON null)
        $sb = Confirm-SecureBootUEFI -ErrorAction SilentlyContinue
        $cpu = (Get-CimInstance Win32_Processor).Name
        @{ tpm_ready = $tpm; secure_boot = $sb; cpu = $cpu } | ConvertTo-Json
      register: w11_ready
      changed_when: false

    - name: Ensure local report directory exists
      ansible.builtin.file:
        path: ./reports
        state: directory
      delegate_to: localhost
      run_once: true

    - name: Save report
      ansible.builtin.copy:
        # Re-serialise to single-line JSON: the pretty-printed ConvertTo-Json output
        # spans several lines and would otherwise break the YAML report
        content: |
          host: {{ inventory_hostname }}
          hardware: {{ hw.stdout | from_json | to_json }}
          win11_ready: {{ w11_ready.stdout | from_json | to_json }}
        dest: "./reports/{{ inventory_hostname }}.yml"
      delegate_to: localhost
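To turn the per-host facts this playbook registers into a migration decision, here is an added Python example (not part of the original post) that evaluates the two ConvertTo-Json strings captured as hw.stdout and w11_ready.stdout against the Windows 11 minimums the best-practices list names (TPM ready, Secure Boot, 4 GiB RAM) and sorts hosts into an upgrade wave and an ESU-hold list. The supported-CPU check against a caller-supplied substring list, the `migration_waves` helper and the sample hosts are assumptions; a null Secure Boot value (legacy BIOS) is treated as a failure, not a pass.

```python
import json

MIN_RAM_BYTES = 4 * 1024 ** 3  # Windows 11 minimum RAM


def evaluate_win11_readiness(hw_json, ready_json, supported_cpu_patterns=()):
    """Evaluate one host from the two ConvertTo-Json strings the audit playbook
    registers as hw.stdout and w11_ready.stdout. A null secure_boot (legacy BIOS,
    where Confirm-SecureBootUEFI fails) counts as not ready, not as a pass."""
    hw = json.loads(hw_json)
    ready = json.loads(ready_json)
    reasons = []
    ram_ok = int(hw.get("TotalPhysicalMemory") or 0) >= MIN_RAM_BYTES
    if not ram_ok:
        reasons.append("less than 4 GiB RAM")
    tpm_ok = ready.get("tpm_ready") is True
    if not tpm_ok:
        reasons.append("TPM not ready")
    sb = ready.get("secure_boot")
    sb_ok = sb is True
    if sb is None:
        reasons.append("Secure Boot state unknown (legacy BIOS or query failed)")
    elif not sb_ok:
        reasons.append("Secure Boot disabled")
    # Assumption: caller supplies substrings taken from Microsoft's supported-CPU list
    cpu = ready.get("cpu") or ""
    cpu_ok = any(p.lower() in cpu.lower() for p in supported_cpu_patterns)
    if not cpu_ok:
        reasons.append("CPU not on the supplied support list")
    return {
        "host": hw.get("Name"),
        "ram_ok": ram_ok, "tpm_ok": tpm_ok, "secure_boot_ok": sb_ok, "cpu_ok": cpu_ok,
        "ready": ram_ok and tpm_ok and sb_ok and cpu_ok,
        "reasons": reasons,
    }


def migration_waves(results):
    """Split evaluated hosts into upgrade candidates and hosts that stay on ESU."""
    upgrade = sorted(r["host"] for r in results if r["ready"])
    blocked = {r["host"]: r["reasons"] for r in results if not r["ready"]}
    return upgrade, blocked

# Constructed sample input in the shape ConvertTo-Json emits (not captured from real hosts)
SAMPLE_HW = '{"Name": "DESK-001", "Manufacturer": "Dell Inc.", "Model": "OptiPlex 7080", "TotalPhysicalMemory": 17042178048}'
SAMPLE_READY = '{"tpm_ready": true, "secure_boot": true, "cpu": "Intel(R) Core(TM) i5-10500 CPU @ 3.10GHz"}'
# Legacy-BIOS host: Confirm-SecureBootUEFI failed, so secure_boot came back null
SAMPLE_HW_LEGACY = '{"Name": "DESK-002", "Manufacturer": "Dell Inc.", "Model": "OptiPlex 3020", "TotalPhysicalMemory": 4294967296}'
SAMPLE_READY_LEGACY = '{"tpm_ready": false, "secure_boot": null, "cpu": "Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz"}'
```

Feed it each report's `hardware` and `win11_ready` strings; the `reasons` list is what goes into the ticket for hosts that stay on ESU.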
Hardening baseline
---
- name: Windows 10 22H2 hardening
  hosts: w10
  tasks:
    - name: Disable SMBv1
      # Removing the feature can set reboot_required in the result; schedule a reboot in the maintenance window
      ansible.windows.win_optional_feature:
        name: SMB1Protocol
        state: absent

    - name: Enable SmartScreen
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
        name: EnableSmartScreen
        data: 1
        type: dword

    - name: Disable LLMNR
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
        name: EnableMulticast
        data: 0
        type: dword

    - name: Enforce TLS 1.2+
      # SchUseStrongCrypto makes .NET Framework 4.x clients negotiate TLS 1.2; it does not
      # disable TLS 1.0/1.1 in SCHANNEL for other applications, and 32-bit .NET apps read
      # the same value under HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
        name: SchUseStrongCrypto
        data: 1
        type: dword
ESU enrollment helper
---
- name: Enroll Win10 22H2 in ESU
  hosts: w10
  tasks:
    - name: Install ESU MAK key
      ansible.windows.win_shell: |
        cscript //nologo C:\Windows\System32\slmgr.vbs /ipk {{ esu_mak_key }}
        cscript //nologo C:\Windows\System32\slmgr.vbs /ato
      register: slmgr
      # slmgr reports "... installed product key ... successfully" on success
      changed_when: "'successfully' in slmgr.stdout | lower"
      # The MAK key is a licence secret: keep esu_mak_key in vault and out of the task log
      no_log: true
Software rollout
---
- name: Deploy operator tools to Win10
  hosts: w10
  tasks:
    - name: Install Chocolatey
      chocolatey.chocolatey.win_chocolatey:
        name: chocolatey
        state: present

    - name: Install baseline apps
      chocolatey.chocolatey.win_chocolatey:
        name:
          - googlechrome
          - 7zip
          - vlc
          - sysinternals
        state: present
Migration prep to Windows 11
Before in-place upgrade, capture user state and verify hardware:
---
- name: Pre-migration capture
  hosts: w10
  tasks:
    - name: Backup user profile to file share
      # win_robocopy ships in community.windows, not ansible.windows
      community.windows.win_robocopy:
        src: "C:\\Users\\{{ target_user }}"
        dest: "\\\\fileserver\\backups\\{{ inventory_hostname }}\\{{ target_user }}"
        flags: "/MIR /R:2 /W:5 /XJ"

    - name: Ensure staging directory exists
      ansible.windows.win_file:
        path: C:\Setup
        state: directory

    - name: Stage Windows 11 installer
      ansible.windows.win_get_url:
        url: "{{ win11_iso_url }}"
        dest: C:\Setup\Win11_24H2.iso
        # win_get_url takes the bare digest plus checksum_algorithm; the "sha256:<hash>"
        # prefix form belongs to the Linux get_url module and would never match
        checksum: "{{ win11_iso_sha256 }}"
        checksum_algorithm: sha256
Decommissioning
---
- name: Decommission Windows 10 host
  hosts: w10_retiring
  tasks:
    - name: Disable AD account
      microsoft.ad.computer:
        name: "{{ ansible_hostname }}"
        enabled: false
      delegate_to: dc01.lab.example.com

    - name: Overwrite free space with cipher /w
      # cipher /w only scrubs deallocated space; delete profiles and data first,
      # and expect this to run for a long time on large volumes
      ansible.windows.win_shell: cipher /w:C:\
Best practices
• Treat Windows 10 fleets as transition assets — the priority is migration, not new feature work.
• Use Ansible to report on Win11 readiness (TPM 2.0, Secure Boot, supported CPU) before MDM rollouts.
• Pin all Choco packages and avoid state: latest to prevent drift on legacy endpoints.
• Schedule playbooks during maintenance windows; Win10 reboots are slower than Win11.
Conclusion
Even in 2026 Windows 10 22H2 is a meaningful Ansible target for inventory, hardening, ESU enrollment, software rollout, and migration prep. Use ansible.windows and chocolatey.chocolatey to keep these endpoints compliant until they are upgraded to Windows 11 24H2 or 25H2.