Ansible on Windows Server 2022 Automation: WinRM, Active Directory, IIS, Hyper-V Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate Windows Server 2022 (NT 10.0.20348) with Ansible. Configure WinRM/PSRP, Active Directory, IIS, Hyper-V, Failover Clustering, updates, and security baselines.

Windows Server 2022 (code name Iron, NT build 10.0.20348) is the Long-Term Servicing Channel (LTSC) release that became GA on August 18, 2021. It remains in mainstream support through October 13, 2026 and Extended Security Updates through October 14, 2031. For most enterprises in 2026 it is still the dominant Windows Server platform alongside the newer Server 2025. This guide shows how to bring Server 2022 under Ansible control end-to-end: WinRM/PSRP transports, Active Directory automation, IIS, Hyper-V, Failover Clustering, Group Policy, Windows Update orchestration, and Chocolatey software delivery.

Windows Server 2022 release facts

| Item | Value |
|---|---|
| Code name | Iron |
| NT build | 10.0.20348 |
| GA | 2021-08-18 |
| Mainstream end | 2026-10-13 |
| ESU end | 2031-10-14 |
| PowerShell shipped | 5.1 (7.x optional) |
| OpenSSH server | Optional feature |
| Default WinRM | 3.0 over HTTPS (5986) |

Ansible-core compatibility matrix

| ansible-core | Status (May 2026) | Control node Python | Server 2022 supported |
|---|---|---|---|
| 2.16 | EOL | 3.10–3.12 | Yes (legacy) |
| 2.17 | EOL | 3.10–3.12 | Yes |
| 2.18 | Maintenance LTS | 3.11–3.13 | Recommended |
| 2.19 | Stable | 3.11–3.13 | Yes |
| 2.20 | Latest | 3.12–3.14 | Yes |

Pair with ansible.windows >= 2.6, microsoft.ad >= 1.6, and chocolatey.chocolatey >= 1.5.

Enable WinRM HTTPS on Server 2022

Run the following as Administrator on each managed node:

$ErrorActionPreference = 'Stop'
Enable-PSRemoting -SkipNetworkProfileCheck -Force

$cert = New-SelfSignedCertificate `
  -DnsName $env:COMPUTERNAME `
  -CertStoreLocation Cert:\LocalMachine\My `
  -NotAfter (Get-Date).AddYears(5)

$thumb = $cert.Thumbprint
winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
  "@{Hostname=`"$env:COMPUTERNAME`";CertificateThumbprint=`"$thumb`"}"

New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' `
  -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow

Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Restart-Service WinRM

Replace the self-signed certificate with one issued by your enterprise PKI for production.
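
To confirm that the settings from the script above are in place and have not drifted, a read-only audit play can check them across the fleet. This is an added example, not part of the original guide; it assumes the ws2022 inventory group used on this page, and the variable name winrm_state and the result keys are chosen for illustration.

```yaml
---
# Added example (not from the original guide): audit the WinRM settings
# that the hardening script above is expected to leave in place.
- name: Verify WinRM hardening on Server 2022
  hosts: ws2022
  gather_facts: false
  tasks:
    - name: Read WinRM auth settings and listener transports
      ansible.windows.win_powershell:
        script: |
          $Ansible.Changed = $false   # read-only check
          $transports = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
              (Get-ChildItem $_.PSPath | Where-Object Name -eq 'Transport').Value
          })
          $Ansible.Result = @{
              basic             = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
              allow_unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
              transports        = $transports
          }
      register: winrm_state

    - name: Fail the host if a weak WinRM setting is present
      ansible.builtin.assert:
        that:
          - not (winrm_state.result.basic | bool)
          - not (winrm_state.result.allow_unencrypted | bool)
          - "'HTTPS' in winrm_state.result.transports"
        fail_msg: "WinRM hardening drifted on {{ inventory_hostname }}"
        quiet: true

    # Enable-PSRemoting also creates an HTTP listener (5985); report it so it
    # can be removed or firewalled where only 5986 should be reachable.
    - name: Report hosts that still expose an HTTP listener
      ansible.builtin.debug:
        msg: "HTTP listener present on {{ inventory_hostname }}"
      when: "'HTTP' in winrm_state.result.transports"
```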

Inventory

# inventory/windows.ini
[ws2022]
ws2022-01.lab.example.com
ws2022-02.lab.example.com

[ws2022:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=credssp
ansible_winrm_server_cert_validation=validate
ansible_user=ansible_svc@LAB.EXAMPLE.COM
ansible_password='{{ vault_winrm_password }}'

Verify connectivity:

ansible -i inventory/windows.ini ws2022 -m ansible.windows.win_ping

Baseline playbook

---
- name: Windows Server 2022 baseline
  hosts: ws2022
  gather_facts: true
  tasks:
    - name: Assert build is 20348
      ansible.builtin.assert:
        that:
          - ansible_facts['kernel'] is search('10.0.20348')

    - name: Set time zone
      ansible.windows.win_timezone:
        timezone: UTC

    - name: Install OpenSSH Server
      ansible.windows.win_optional_feature:
        name: OpenSSH.Server~~~~0.0.1.0
        state: present
        include_parent: true

    - name: Start sshd
      ansible.windows.win_service:
        name: sshd
        start_mode: auto
        state: started

    - name: Apply security and critical updates
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
        reboot: true
        reboot_timeout: 1800

Active Directory with microsoft.ad

- name: Promote Server 2022 to first DC
  hosts: ws2022-dc-01
  tasks:
    - name: Install AD DS role
      ansible.windows.win_feature:
        name:
          - AD-Domain-Services
          - RSAT-AD-Tools
        state: present

    - name: Promote new forest
      microsoft.ad.domain:
        dns_domain_name: lab.example.com
        domain_netbios_name: LAB
        safe_mode_password: '{{ vault_dsrm_password }}'
        forest_mode: WinThreshold
        domain_mode: WinThreshold
        reboot: true

IIS web server automation

- name: Configure IIS site on Server 2022
  hosts: ws2022_web
  tasks:
    - name: Install Web-Server role
      ansible.windows.win_feature:
        name:
          - Web-Server
          - Web-Mgmt-Tools
          - Web-Asp-Net45
        state: present
        include_management_tools: true

    - name: Create app pool
      community.windows.win_iis_webapppool:
        name: AppPool01
        state: started
        attributes:
          managedRuntimeVersion: v4.0

    - name: Create site
      community.windows.win_iis_website:
        name: corp-site
        state: started
        physical_path: C:\inetpub\corp-site
        application_pool: AppPool01
        port: 443
        ssl: true

Hyper-V virtualization

- name: Provision Hyper-V VM on Server 2022
  hosts: ws2022_hv
  tasks:
    - name: Install Hyper-V role
      ansible.windows.win_feature:
        name: Hyper-V
        state: present
        include_management_tools: true
      register: hv

    - name: Reboot if needed
      ansible.windows.win_reboot:
      when: hv.reboot_required

    - name: Create virtual switch
      ansible.windows.win_shell: |
        if (-not (Get-VMSwitch -Name 'vSwitch-Ext' -ErrorAction SilentlyContinue)) {
          New-VMSwitch -Name 'vSwitch-Ext' -NetAdapterName 'Ethernet0' -AllowManagementOS $true
        }

Software delivery with Chocolatey

- name: Deploy baseline tools
  hosts: ws2022
  tasks:
    - name: Install Chocolatey
      chocolatey.chocolatey.win_chocolatey:
        name: chocolatey
        state: present

    - name: Install operator tools
      chocolatey.chocolatey.win_chocolatey:
        name:
          - 7zip
          - sysinternals
          - notepadplusplus
          - powershell-core
        state: present

Best practices for Server 2022

• Use PSRP instead of classic WinRM for multi-step playbooks (~50% latency reduction).
• Replace win_domain* modules with the microsoft.ad collection.
• Enable OpenSSH server as a fallback transport on isolated networks.
• Use become: true with become_method: runas only for tasks that require interactive elevation.
• Always pin collection versions in requirements.yml to keep playbooks reproducible.
• Roll out cumulative updates in batches with serial: and max_fail_percentage:.
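
The PSRP and batched-rollout recommendations above can be combined in one patching play. This is an added example, not part of the original guide; the Kerberos authentication setting assumes domain-joined hosts, and the batch sizes, failure threshold and the variable name patch are illustrative choices.

```yaml
---
# Added example (not from the original guide): staged patch rollout.
- name: Patch Server 2022 in batches over PSRP
  hosts: ws2022
  gather_facts: false
  serial:
    - 1        # canary host first
    - "25%"    # then a quarter of the group per batch
  max_fail_percentage: 10   # abort remaining batches if more than 10% of a batch fails
  vars:
    # Assumed connection settings; play vars override the WinRM inventory vars.
    ansible_connection: psrp
    ansible_psrp_protocol: https
    ansible_port: 5986
    ansible_psrp_auth: kerberos          # assumption: domain-joined hosts
    ansible_psrp_cert_validation: validate
  tasks:
    - name: Apply security and critical updates
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
        reboot: true
        reboot_timeout: 1800
      register: patch

    # A host that kept running with failed updates would otherwise count as OK
    # and never trip max_fail_percentage.
    - name: Count a host as failed if any update did not install
      ansible.builtin.assert:
        that:
          - patch.failed_update_count == 0
          - not patch.reboot_required
        fail_msg: "{{ patch.failed_update_count }} update(s) failed on {{ inventory_hostname }}"
```

Because the first batch is a single host, any failure there exceeds the threshold and stops the rollout before the rest of the group is touched.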

Troubleshooting

| Symptom | Likely cause | Fix |
|---|---|---|
| winrm: HTTPSConnectionPool ... certificate verify failed | Self-signed cert | Use enterprise PKI or set ansible_winrm_server_cert_validation=ignore in lab |
| Tasks hang on win_updates | Pending reboot | Add ansible.windows.win_reboot before update tasks |
| Kerberos auth fails | Clock skew | Sync time with w32tm /resync and AD DC |
| pypsrp not found | Missing pip package | python -m pip install "pypsrp[credssp,kerberos]>=0.10" |

Conclusion

Windows Server 2022 remains the workhorse Windows platform in 2026. With ansible-core 2.18 LTS and the modern ansible.windows and microsoft.ad collections, you can automate the full lifecycle: WinRM hardening, AD DS promotion, IIS hosting, Hyper-V provisioning, Group Policy, patching, and Chocolatey software delivery. Use this guide as the baseline for your Server 2022 fleet and migrate the same playbooks to Server 2025 when ready.
