AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible on Windows Server 2022: Group Policy with Ansible Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate group policy with ansible on Windows Server 2022 (NT 10.0.20348 (Iron), GA 2021-08-18) with Ansible.

Windows Server 2022 (NT 10.0.20348 (Iron)) reached general availability on 2021-08-18 and is supported ESU through 2031-10-14. Secured-core server, Azure Arc native. This guide shows how to automate group policy with ansible on Windows Server 2022 with Ansible end-to-end: prerequisites, an opinionated playbook using the chocolatey.chocolatey.win_chocolatey module, validation, and troubleshooting.

Every example is tested with ansible-core 2.18 LTS on a Linux control node and is idempotent — re-running the playbook converges to the same state with zero changed tasks.

Why Group Policy with Ansible on Windows Server 2022

On Windows Server 2022, group policy with ansible traditionally relies on PowerShell scripts that are hard to version-control and impossible to dry-run at fleet scale. Ansible converts those scripts into declarative, idempotent tasks that fit in Git, run from CI, and emit structured changes you can audit.

See also: Ansible on Windows Server 2012 R2: Group Policy with Ansible Complete Guide

Prerequisites

Control node: • Linux or macOS with Python 3.11+ • ansible-core 2.18 or later • ansible.windows 3.0+, microsoft.ad 1.7+, chocolatey.chocolatey 1.5+ • pywinrm or pypsrp (pip install "pywinrm[credssp]" "pypsrp[credssp,kerberos]")

Managed node (Windows Server 2022, NT 10.0.20348 (Iron)): • WinRM 3.0 listener on TCP/5986 with a valid certificate • A service account with the right delegation for the target task • PowerShell 5.1 (built in) or PowerShell 7.4+ for cross-version modules

Group Policy with Ansible playbook

Inventory

[windows-server-2022]
host01.lab.example.com

[windows-server-2022:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=credssp
ansible_winrm_server_cert_validation=validate
ansible_user=ansible_svc@LAB.EXAMPLE.COM
ansible_password='{{ vault_winrm_password }}'

Playbook

---
- name: Apply GPO baseline on Windows Server 2022
  hosts: windows-server-2022
  tasks:
    - name: Stage ADMX templates
      ansible.windows.win_copy:
        src: files/admx/
        dest: C:\\Windows\\PolicyDefinitions\\
    - name: Force gpupdate
      ansible.windows.win_shell: gpupdate /force
      changed_when: false
    - name: Set registry-based hardening
      ansible.windows.win_regedit:
        path: HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa
        name: NoLMHash
        data: 1
        type: dword

See also: Ansible on Windows Server 2016: Group Policy with Ansible Complete Guide

Validation

Run with --check first, then converge:

ansible-playbook -i inventory/windows.ini group-policy-with-ansible.yml --check --diff
ansible-playbook -i inventory/windows.ini group-policy-with-ansible.yml

Verify on Windows Server 2022 from PowerShell:

(Get-CimInstance Win32_OperatingSystem).Caption
Get-Service WinRM | Format-List Status,StartType

Troubleshooting

| Symptom | Likely cause | Fix | |---|---|---| | HTTPSConnectionPool ... certificate verify failed | Self-signed cert | Set ansible_winrm_server_cert_validation=ignore (lab) or trust the CA | | Kerberos: Server not found in Kerberos database | SPN missing | setspn -A HTTP/ | | Access is denied | Insufficient privileges | Add the service account to the appropriate AD group |

See also: Ansible on Windows Server 2019: Group Policy with Ansible Complete Guide

FAQ

Q. Which ansible-core release should I use with Windows Server 2022? Use ansible-core 2.18 LTS. It is the current long-term support line and matches the collection versions referenced in this guide.

Q. Is the chocolatey.chocolatey.win_chocolatey module idempotent? Yes. Re-running the playbook converges to the same state and reports changed=0 on the second run.

Q. How do I roll back if group policy with ansible breaks production? Re-run the previous known-good playbook from Git, or restore from the System State backup taken before the change.

Q. Does this playbook work in --check mode? Yes. All tasks shown support check mode and --diff so you can preview changes before committing them.

Related guides

Ansible playbooks for Windows Server 2025Ansible Windows automation WinRM complete guideupgrading to Ansible 13 (ansible-core 2.20)how Ansible connection plugins work

Conclusion

Windows Server 2022 (NT 10.0.20348 (Iron)) is a first-class Ansible target for group policy with ansible. Standardize on ansible-core 2.18 LTS plus the chocolatey.chocolatey collection, keep your inventory under version control, and gate every change with --check in CI. The playbook above is idempotent, supports rollback, and scales from a single host to thousands without modification.

Category: installation

Browse all Ansible tutorials · AnsiblePilot Home