
About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible on Windows 11 24H2/25H2 Automation: Workstation, MDM, Security Baseline Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate Windows 11 24H2 (NT 10.0.26100) and 25H2 workstations with Ansible. Configure WinRM/SSH, deploy software with Chocolatey/Winget, enforce baselines, manage updates.

Windows 11 is Microsoft's enterprise desktop platform for 2026. The two LTS-class consumer/enterprise releases in active service are 24H2 (NT build 10.0.26100, GA October 1 2024) and 25H2 (NT build 10.0.26200, GA October 2025). Although Ansible's primary strength is server automation, it is increasingly used to provision developer laptops, kiosk endpoints, lab VMs, and CI runner workstations. This guide covers the full Windows 11 workstation lifecycle: enabling WinRM/OpenSSH, deploying software with Chocolatey and Winget, applying CIS-aligned security baselines, managing local users and certificates, and orchestrating Windows Update for Business.

Windows 11 release facts

| Release | NT build | GA | End of servicing (Enterprise/Education) |
|---|---|---|---|
| 21H2 | 10.0.22000 | 2021-10-04 | 2024-10-08 |
| 22H2 | 10.0.22621 | 2022-09-20 | 2025-10-14 |
| 23H2 | 10.0.22631 | 2023-10-31 | 2026-11-10 |
| 24H2 | 10.0.26100 | 2024-10-01 | 2027-10-12 |
| 25H2 | 10.0.26200 | 2025-10-14 | 2028-10-10 |

24H2 is the kernel base shared with Windows Server 2025, and it is required for Copilot+ PC features, the new TPM 2.0 attestation flow, and sudo for Windows.

See also: Ansible Windows Server 2025 Automation: WinRM, PSRP, Active Directory, IIS, Hyper-V Complete Guide

Ansible-core compatibility

Use ansible-core 2.18 LTS with ansible.windows >= 3.0, chocolatey.chocolatey >= 1.5, and community.windows >= 2.4 for Windows 11 24H2/25H2.

Enable Ansible transport on Windows 11

Two options work well: classic WinRM HTTPS and modern OpenSSH. SSH is increasingly preferred on workstations because port 22 is easier to allow than 5986.

Option A: WinRM HTTPS

# Enable PowerShell remoting and add an HTTPS listener backed by a
# self-signed certificate (use a certificate from your enterprise CA in production).
$ErrorActionPreference = 'Stop'
Enable-PSRemoting -SkipNetworkProfileCheck -Force

$cert = New-SelfSignedCertificate `
    -DnsName $env:COMPUTERNAME `
    -CertStoreLocation Cert:\LocalMachine\My
$thumb = $cert.Thumbprint

# Bind the listener to the certificate thumbprint and open TCP 5986 inbound.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
    "@{Hostname=`"$env:COMPUTERNAME`";CertificateThumbprint=`"$thumb`"}"
New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound `
    -LocalPort 5986 -Protocol TCP -Action Allow

Option B: OpenSSH server

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic
New-NetFirewallRule -DisplayName 'OpenSSH-Server-In' -Direction Inbound `
    -Protocol TCP -LocalPort 22 -Action Allow

For SSH, set the default shell to PowerShell:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell `
    -Value "C:\Program Files\PowerShell\7\pwsh.exe" -PropertyType String -Force
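Once either transport is in place, it is worth confirming from the endpoint that nothing weaker was left behind: a plaintext HTTP WinRM listener, AllowUnencrypted or Basic auth switched on, or an sshd that still accepts passwords for the automation account. The following PowerShell audit script is an added example and not part of the original article; Test-AnsibleTransport, the settings it treats as expected, and the wording of its findings are this example's own choices. Run it elevated on the Windows 11 host.

```powershell
# Added example (not from the AnsiblePilot article): read-only audit of the
# Ansible transport configuration on a Windows 11 host after Option A or B.
# Test-AnsibleTransport and its "expected" settings are this example's own
# assumptions; the function only reads configuration and never changes it.
function Test-AnsibleTransport {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # --- WinRM: inspect listeners and service-level auth settings via the WSMan drive
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($winrm -and $winrm.Status -eq 'Running') {
        foreach ($l in Get-ChildItem -Path WSMan:\localhost\Listener) {
            $props     = Get-ChildItem -Path $l.PSPath
            $transport = ($props | Where-Object Name -eq 'Transport').Value
            $thumb     = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
            if ($transport -eq 'HTTP') {
                $findings.Add("WinRM: plaintext HTTP listener present ($($l.Name)); remove it if only HTTPS is intended")
            }
            if ($transport -eq 'HTTPS' -and [string]::IsNullOrWhiteSpace($thumb)) {
                $findings.Add("WinRM: HTTPS listener $($l.Name) has no certificate thumbprint bound")
            }
        }
        # These weaken the transport regardless of which listener is used.
        if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
            $findings.Add('WinRM: AllowUnencrypted is true; set it to false')
        }
        if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
            $findings.Add('WinRM: Basic auth is enabled; disable it unless a specific client needs it')
        }
    }

    # --- OpenSSH: default shell and sshd_config hardening
    $sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if ($sshd -and $sshd.Status -eq 'Running') {
        $shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
        if (-not $shell -or $shell -notmatch 'pwsh\.exe$|powershell\.exe$') {
            $findings.Add("SSH: DefaultShell is '$shell'; ansible_shell_type=powershell expects a PowerShell binary")
        }
        $cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
        if (Test-Path $cfg) {
            $lines = @(Get-Content $cfg | Where-Object { $_ -notmatch '^\s*#' })
            # A key-only service account should not be reachable by password.
            if (-not ($lines | Where-Object { $_ -match '^\s*PasswordAuthentication\s+no\b' })) {
                $findings.Add('SSH: PasswordAuthentication is not explicitly set to no in sshd_config')
            }
            if (-not ($lines | Where-Object { $_ -match '^\s*PubkeyAuthentication\s+yes\b' })) {
                $findings.Add('SSH: PubkeyAuthentication yes is not explicitly set in sshd_config')
            }
        }
    }

    $winrmState = if ($winrm) { $winrm.Status } else { 'NotInstalled' }
    $sshdState  = if ($sshd)  { $sshd.Status }  else { 'NotInstalled' }
    if ($winrmState -ne 'Running' -and $sshdState -ne 'Running') {
        $findings.Add('Neither WinRM nor sshd is running; Ansible has no transport to this host')
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        WinRM     = $winrmState
        SSHD      = $sshdState
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

Test-AnsibleTransport | Format-List
```

The WSMan checks need an elevated session because the WSMan: drive is only populated when the WinRM service is running and the caller is an administrator; the sshd_config checks are deliberately strict and flag settings that are merely left at their defaults, so that the hardened values are explicit in the file.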

See also: Ansible on Windows 10 22H2 Automation: Legacy Workstation Migration, Hardening, ESU Complete Guide

Inventory

[w11]
laptop-01.lab.example.com
laptop-02.lab.example.com

[w11:vars]
ansible_connection=ssh
ansible_shell_type=powershell
ansible_user=ansible_svc
ansible_ssh_private_key_file=~/.ssh/id_ed25519_w11

Test connectivity:

ansible -i inventory/w11.ini w11 -m ansible.windows.win_ping

Baseline workstation playbook

---
- name: Windows 11 24H2/25H2 workstation baseline
  hosts: w11
  gather_facts: true
  tasks:
    - name: Assert build is 26100 or 26200
      ansible.builtin.assert:
        that:
          - ansible_facts['kernel'] is search('10.0.2610[0-9]|10.0.2620[0-9]')

    - name: Set time zone
      ansible.windows.win_timezone:
        timezone: UTC

    - name: Disable consumer features (Start menu suggestions)
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent
        name: DisableWindowsConsumerFeatures
        data: 1
        type: dword

    - name: Enforce SmartScreen
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
        name: EnableSmartScreen
        data: 1
        type: dword

    - name: Apply security updates
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: true
        reboot_timeout: 1800

See also: Ansible on Windows Server 2022 Automation: WinRM, Active Directory, IIS, Hyper-V Complete Guide

Software deployment with Winget and Chocolatey

- name: Deploy developer toolchain
  hosts: w11
  tasks:
    - name: Install Chocolatey
      chocolatey.chocolatey.win_chocolatey:
        name: chocolatey
        state: present

    - name: Install developer tools via Choco
      chocolatey.chocolatey.win_chocolatey:
        name:
          - git
          - vscode
          - powershell-core
          - python313
          - nodejs-lts
          - docker-desktop
        state: present

    - name: Install Microsoft Store apps via Winget
      ansible.windows.win_shell: |
        winget install --id Microsoft.WindowsTerminal -e --accept-source-agreements --accept-package-agreements
        winget install --id Microsoft.PowerToys -e --accept-source-agreements --accept-package-agreements
      register: winget_out
      changed_when: "'Successfully installed' in winget_out.stdout"
      failed_when: winget_out.rc not in [0, -1978335189]
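The win_shell task above depends on two facts about winget: it refuses to run non-interactively unless both --accept-* flags are present, and it exits with -1978335189 (0x8A15002B) when the package is already installed and no upgrade applies. The helper below, an added example that is not code from the article, turns that into an idempotent function you can call from win_shell one package at a time; Install-WingetPackage, its parameter names and the JSON result shape are this example's own assumptions.

```powershell
# Added example (not from the AnsiblePilot article): idempotent winget install
# helper for use from ansible.windows.win_shell. Install-WingetPackage is this
# example's own function name; the exit-code handling mirrors the playbook task
# (0 = installed, -1978335189 / 0x8A15002B = already installed, nothing to do).
function Install-WingetPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Id,
        [string] $Source = 'winget'
    )

    # Selection flags shared by "list" and "install"; -e forces an exact id match.
    $select = @('--id', $Id, '-e', '--source', $Source, '--accept-source-agreements')

    # Query first so a no-op run reports Changed = $false without parsing install output.
    $null = & winget list @select 2>&1
    if ($LASTEXITCODE -eq 0) {
        return [pscustomobject]@{ Id = $Id; Changed = $false; ExitCode = 0; Status = 'present' }
    }

    $out = & winget install @select '--accept-package-agreements' '--silent' 2>&1 | Out-String
    $rc  = $LASTEXITCODE

    if ($rc -eq 0) {
        $status = 'installed'; $changed = $true
    }
    elseif ($rc -eq -1978335189) {
        $status = 'present'; $changed = $false
    }
    else {
        # Any other exit code is a real failure; surface winget's output for the log.
        throw "winget install $Id failed with exit code $rc`n$out"
    }

    [pscustomobject]@{ Id = $Id; Changed = $changed; ExitCode = $rc; Status = $status }
}

# Usage from win_shell: emit one JSON object that Ansible can read back.
$result = Install-WingetPackage -Id 'Microsoft.WindowsTerminal'
$result | ConvertTo-Json -Compress
```

Registering the task and setting changed_when to the parsed Changed field (for example `(winget_out.stdout | from_json).Changed`, which is also this example's assumption about how the result is consumed) carries the function's idempotence into Ansible's changed state instead of string-matching stdout.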

Local user and BitLocker management

- name: Manage local users and BitLocker on Windows 11
  hosts: w11
  tasks:
    - name: Create local admin
      ansible.windows.win_user:
        name: localadmin
        password: '{{ vault_localadmin_password }}'
        groups:
          - Administrators
        password_never_expires: false
        state: present

    - name: Enable BitLocker on C:
      community.windows.win_bitlocker:
        drive: C:
        state: enabled
        method: xts_aes_256
        password_protector: true
        recovery_password_protector: true

Windows Update for Business orchestration

- name: Configure WUfB deferral
  hosts: w11
  tasks:
    - name: Defer feature updates 30 days
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
        name: DeferFeatureUpdatesPeriodInDays
        data: 30
        type: dword

    - name: Defer quality updates 7 days
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
        name: DeferQualityUpdatesPeriodInDays
        data: 7
        type: dword
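Writing policy values is only half of a baseline; the other half is detecting drift when a user, an installer, or another management tool changes them back. The script below is an added example and not part of the original article: it reads back the registry values written by the baseline and WUfB playbooks above, repeats the build gate from the assert task, and checks BitLocker protection on C:. Test-WorkstationBaseline and the $Expected table are this example's own assumptions; the paths, value names and numbers are taken from the playbooks.

```powershell
# Added example (not from the AnsiblePilot article): verify from the endpoint
# that the baseline and WUfB policy values are still in place. The function
# name and the $Expected table are this example's own; the registry paths and
# values are the ones the playbooks write.
function Test-WorkstationBaseline {
    [CmdletBinding()]
    param()

    $Expected = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent';  Name = 'DisableWindowsConsumerFeatures'; Value = 1  }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';        Name = 'EnableSmartScreen';              Value = 1  }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DeferFeatureUpdatesPeriodInDays'; Value = 30 }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DeferQualityUpdatesPeriodInDays'; Value = 7  }
    )

    # One row per expected DWORD; a missing key or value counts as a failure.
    $results = @(foreach ($e in $Expected) {
        $actual = $null
        if (Test-Path $e.Path) {
            $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            Check    = "$($e.Path)\$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            Pass     = ($null -ne $actual -and [int]$actual -eq $e.Value)
        }
    })

    # Same gate as the playbook's assert task, evaluated locally via CIM.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $results += [pscustomobject]@{
        Check    = 'OS build is 26100 (24H2) or 26200 (25H2)'
        Expected = '26100 or 26200'
        Actual   = $build
        Pass     = ($build -in 26100, 26200)
    }

    # BitLocker on the system drive; the cmdlet needs the BitLocker module and elevation.
    $bl = $null
    try { $bl = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction Stop } catch { $bl = $null }
    $results += [pscustomobject]@{
        Check    = 'BitLocker protection on C:'
        Expected = 'On'
        Actual   = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unknown' }
        Pass     = ($null -ne $bl -and [string]$bl.ProtectionStatus -eq 'On')
    }

    $results
}

$report = Test-WorkstationBaseline
$report | Format-Table -AutoSize
# A non-zero exit lets a CI runner or a win_shell task treat drift as a failure.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Because the check reads the Policies hive rather than the user-facing settings, it reports what the playbooks enforce; it will not catch a value that was set only in HKCU, which is the reason the baseline uses machine policy keys in the first place.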

Best practices

• Prefer OpenSSH over WinRM on remote endpoints behind firewalls.
• Manage Microsoft Entra–joined devices with MDM (Intune) for compliance, then layer Ansible for software and developer tooling.
• Pin Chocolatey package versions for reproducibility (version: 1.2.3).
• Use Windows Update for Business policies, not direct win_updates, on user laptops to respect active hours.
• For Copilot+ PCs (ARM64) confirm package architectures before rollout.

Troubleshooting

| Symptom | Fix |
|---|---|
| winget fails non-interactively | Use --accept-source-agreements --accept-package-agreements and run as system context |
| SSH login lands in cmd.exe | Set DefaultShell registry to PowerShell 7 |
| win_updates reboots take too long | Tune reboot_timeout and use category_names to scope |

Conclusion

Ansible on Windows 11 24H2/25H2 turns laptop provisioning into reproducible code. Combine WinRM or OpenSSH transport, Chocolatey + Winget for software, and ansible.windows/community.windows for system configuration to ship a CIS-aligned, ready-to-use developer workstation in minutes rather than hours.
