Ansible on Windows: Complete Guide to Windows Automation (2026)
By Luca Berton · Published 2024-01-01 · Category: installation
Complete guide to using Ansible with Windows. Configure WinRM, run PowerShell, manage Windows services, registry, and users with Ansible modules and examples.
Ansible is a versatile automation tool that works seamlessly across Linux, macOS, and Windows systems. This article explores how Ansible can automate tasks on Windows, its requirements, and common use cases.
Can Ansible Work on Windows?
Yes, Ansible can manage and automate Windows systems. While Ansible traditionally targets Linux systems, its support for Windows has grown significantly. Using WinRM (Windows Remote Management) or SSH, Ansible communicates with Windows machines to perform various administrative tasks.
See also: Can Ansible Manage Windows? Complete Windows Automation Guide
Setting Up Ansible for Windows
To manage Windows with Ansible, follow these steps:
1. Configure the Windows Host
Enable WinRM on the Windows machine. This allows Ansible to communicate with the system.Steps to Enable WinRM:
- Open PowerShell as Administrator.
- Run the following command to enable basic authentication:
winrm quickconfig
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'- Add the Ansible control node's IP to the trusted hosts:
Set-Item wsman:\localhost\Client\TrustedHosts -Value "<Ansible_Control_Node_IP>"2. Install Required Modules
Ensure the pywinrm Python library is installed on the Ansible control node:pip install pywinrm3. Update the Inventory
Define the Windows host in the Ansible inventory file:[windows]
windows_host ansible_host=192.168.1.10 ansible_user=Administrator ansible_password=your_password ansible_connection=winrmAnsible Modules for Windows
Ansible provides a rich set of modules specifically for Windows automation:
Common Windows Modules
- win_service: Manage Windows services.
- name: Ensure IIS service is running
win_service:
name: W3SVC
state: started
- win_package: Install or uninstall Windows packages.
- name: Install Google Chrome
win_package:
path: "https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise.msi"
- win_user: Manage Windows user accounts.
- name: Create a new user
win_user:
name: ansible_user
password: StrongPassword123!
state: present
- win_file: Manage file and directory properties.
- name: Ensure a directory exists
win_file:
path: C:\Temp
state: directory
- win_shell: Run shell commands on Windows.
- name: Run a PowerShell command
win_shell: Get-Service
See also: Can Ansible Automate Windows? Complete WinRM + SSH Setup Guide (2026)
Use Cases for Ansible on Windows
- Software Installation and Updates:
- Service Management:
- User and Group Management:
- File and Directory Management:
- Security and Compliance:
Best Practices for Windows Automation with Ansible
- Secure Credentials:
- Use Roles:
- Test on Non-Production Systems:
See also: Can Ansible Be Used to Manage Windows Systems?
Conclusion
Ansible's support for Windows makes it a powerful tool for cross-platform automation. By leveraging Ansible's modules and playbooks, you can automate Windows systems just as easily as Linux, simplifying infrastructure management.
Learn More About Managing Windows with Ansible
How Ansible Manages Windows
Ansible connects to Windows via WinRM (Windows Remote Management) or SSH (OpenSSH on Windows):
# inventory.yml
windows:
hosts:
win-server1:
ansible_host: 192.168.1.50
ansible_user: Administrator
ansible_password: "{{ vault_win_password }}"
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignoreEnable WinRM on Windows
# Run on Windows host (as Administrator)
winrm quickconfig
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
# Or use the Ansible setup script
Invoke-WebRequest -Uri https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile configure.ps1
.\configure.ps1Windows Modules
# Install software
- ansible.windows.win_package:
path: https://example.com/installer.msi
product_id: '{12345-ABCDE}'
state: present
# Manage services
- ansible.windows.win_service:
name: W3SVC
state: started
start_mode: auto
# Copy files
- ansible.windows.win_copy:
src: files/config.xml
dest: C:\MyApp\config.xml
# Run PowerShell
- ansible.windows.win_shell: |
Get-Process | Where-Object { $_.CPU -gt 100 }
register: procs
# Manage registry
- ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\MyApp
name: InstallPath
data: C:\MyApp
type: string
# Windows features
- ansible.windows.win_feature:
name: Web-Server
state: present
include_management_tools: trueKey Windows Collections
| Collection | Modules |
|---|---|
ansible.windows | Core Windows modules |
community.windows | Extended Windows modules |
microsoft.ad | Active Directory |
chocolatey.chocolatey | Package management |
Windows vs Linux Module Mapping
| Linux | Windows |
|---|---|
copy | win_copy |
file | win_file |
command | win_command |
shell | win_shell |
service | win_service |
user | win_user |
stat | win_stat |
package | win_package |
template | win_template |
FAQ
Can I run Ansible FROM Windows?
Ansible controller must run on Linux/macOS. On Windows, use WSL2 (Windows Subsystem for Linux).
WinRM vs SSH — which should I use?
WinRM is the standard and supports all Windows modules. SSH (via OpenSSH) works but has limitations. Use WinRM for production.
Does Ansible need an agent on Windows?
No — Ansible is agentless. It connects over WinRM/SSH and runs PowerShell remotely.
How Ansible Connects to Windows
Ansible uses WinRM (Windows Remote Management) instead of SSH to manage Windows hosts.
# inventory.yml
windows:
hosts:
win1:
ansible_host: 192.168.1.20
vars:
ansible_connection: winrm
ansible_user: Administrator
ansible_password: "{{ vault_win_password }}"
ansible_winrm_transport: ntlm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignoreEnable WinRM on Windows
# Run as Administrator on Windows host
Enable-PSRemoting -Force
winrm quickconfig -q
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
# For HTTPS (recommended for production)
$cert = New-SelfSignedCertificate -DnsName "hostname" -CertStoreLocation "cert:\LocalMachine\My"
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"hostname`";CertificateThumbprint=`"$($cert.Thumbprint)`"}"Install pywinrm on Controller
pip install pywinrm
# Verify
ansible win1 -m win_pingCommon Windows Modules
# Install software
- ansible.windows.win_package:
path: https://example.com/installer.msi
state: present
# Manage services
- ansible.windows.win_service:
name: nginx
state: started
start_mode: auto
# Registry
- ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\MyApp
name: Version
data: "2.0"
type: string
# Copy files
- ansible.windows.win_copy:
src: files/config.xml
dest: C:\MyApp\config.xml
# Run PowerShell
- ansible.windows.win_powershell:
script: |
Get-Process | Where-Object { $_.CPU -gt 100 }
register: ps_result
# Manage users
- ansible.windows.win_user:
name: deploy
password: "{{ vault_deploy_pass }}"
groups: Administrators
state: present
# Windows features
- ansible.windows.win_feature:
name: Web-Server
state: present
include_sub_features: trueChocolatey Packages
- ansible.windows.win_chocolatey:
name:
- git
- vscode
- python3
state: presentWindows Update
- ansible.windows.win_updates:
category_names:
- SecurityUpdates
- CriticalUpdates
reboot: true
register: update_resultFile Management
# Create directory
- ansible.windows.win_file:
path: C:\MyApp\logs
state: directory
# Template
- ansible.windows.win_template:
src: web.config.j2
dest: C:\MyApp\web.config
# Permissions
- ansible.windows.win_acl:
path: C:\MyApp
user: deploy
rights: FullControl
type: allowKey Windows Collections
| Collection | Purpose |
|---|---|
ansible.windows | Core Windows modules |
community.windows | Extended Windows modules |
chocolatey.chocolatey | Chocolatey package management |
microsoft.ad | Active Directory |
Ansible on Windows as Controller?
Ansible control node does not run natively on Windows. Options:
- WSL2 (Windows Subsystem for Linux) — recommended
- Docker container
- Linux VM
FAQ
Can I use SSH instead of WinRM?
Yes — Windows 10+ has OpenSSH. Set ansible_connection: ssh and ansible_shell_type: powershell. WinRM is still more mature for Windows automation.
Does Ansible support Active Directory?
Yes — the microsoft.ad collection manages AD users, groups, OUs, GPOs, and domain joins.
Can I manage IIS with Ansible?
Yes — use win_feature to install IIS and win_iis_* modules from community.windows to manage sites and app pools.
Related Articles
Category: installation