AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

microsoft.mecm and microsoft.scom: New Certified Ansible Collections for Windows Automation in AAP 2.7

By Luca Berton · Published 2026-06-30 · Category: installation

Automate Windows patching, client management, and SCOM alerting with the new microsoft.mecm and microsoft.scom certified collections in AAP 2.7.

Ansible Automation Platform 2.7 introduces two brand-new Red Hat Certified Collections for Microsoft infrastructure: microsoft.mecm (v1.0.0) and microsoft.scom (v1.0.1). These collections bring Ansible-native automation to Microsoft Endpoint Configuration Manager (formerly SCCM) and System Center Operations Manager, closing a long-standing gap for teams managing Windows estates alongside Linux infrastructure.

microsoft.mecm: Automating MECM/SCCM

The microsoft.mecm collection ships with 26 modules that act as a bridge between Ansible Automation Platform and Microsoft Endpoint Configuration Manager. The collection targets the three areas where MECM automation has the highest operational impact: patch management, client actions, and health monitoring.

Patch Management

The collection's flagship capability is zero-downtime Windows Server patching using granular deployment control:

- name: Deploy approved security patches to web tier
  hosts: localhost
  connection: local
  tasks:
    - name: Create software update group for June patches
      microsoft.mecm.software_update_group:
        name: "2026-06-Security-Patches"
        description: "June 2026 security update bundle"
        updates:
          - kb: "KB5040434"
          - kb: "KB5040435"
        state: present

    - name: Deploy update group to web servers collection
      microsoft.mecm.software_update_deployment:
        name: "June-2026-Web-Tier"
        software_update_group: "2026-06-Security-Patches"
        collection: "Web Servers Production"
        schedule:
          start: "2026-06-30T22:00:00"
          duration_hours: 4
        reboot: required
        state: present

The install_updates module triggers immediate installation on targeted devices, bypassing MECM's standard polling cycle for urgent patches:

    - name: Force immediate patch install on critical server
      microsoft.mecm.install_updates:
        device_name: "web-prod-07"
        software_update_group: "2026-06-Security-Patches"
        wait: true
        timeout: 3600

Client Management

The client_action module triggers immediate policy retrieval and actions on managed clients without waiting for the standard 60-minute polling interval:

    - name: Force machine policy retrieval on new servers
      microsoft.mecm.client_action:
        device_collection: "New Servers"
        action: MachinePolicy
        wait: true

Supported actions include MachinePolicy, DiscoveryData, ComplianceEvaluation, AppDeployment, HardwareInventory, and SoftwareInventory.

Health Status Monitoring

Before kicking off large-scale deployments, validate that MECM infrastructure is ready using the info modules:

    - name: Verify WSUS sync is current before patching
      microsoft.mecm.wsus_sync_status_info:
      register: wsus_status

    - name: Abort if WSUS sync is stale
      ansible.builtin.fail:
        msg: "WSUS last synced {{ wsus_status.last_sync_time }} — too old for deployment"
      when: wsus_status.hours_since_sync | int > 24

    - name: Check distribution point health
      microsoft.mecm.dp_status_info:
        site_server: "mecm-primary.corp.example.com"
      register: dp_status

    - name: Show DP health summary
      ansible.builtin.debug:
        msg: "{{ dp_status.distribution_points | selectattr('status', 'eq', 'healthy') | list | length }} of {{ dp_status.distribution_points | length }} DPs healthy"

Event-Driven Ansible Integration

MECM compliance events can trigger EDA rulebooks. For example, detect non-compliant devices and auto-remediate:

# rulebook: mecm-compliance-remediation.yml
- name: MECM compliance event handler
  hosts: all
  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5001

  rules:
    - name: Remediate non-compliant device
      condition: event.payload.compliance_state == "NonCompliant"
      action:
        run_job_template:
          name: "MECM Force Compliance"
          organization: "IT Operations"
          extra_vars:
            device_name: "{{ event.payload.device_name }}"
            update_group: "{{ event.payload.update_group }}"

See also: Ansible Patch Management: Automated OS Patching Across Linux and Windows Enterprise Fleets

microsoft.scom: Automating System Center Operations Manager

The microsoft.scom collection (v1.0.1) is a newly certified collection for automating Microsoft System Center Operations Manager infrastructure and routing SCOM alerts into Event-Driven Ansible for automated Windows Server remediations.

Infrastructure Automation

- name: Configure SCOM monitoring for new web servers
  hosts: localhost
  connection: local
  tasks:
    - name: Add new servers to SCOM monitoring group
      microsoft.scom.agent:
        management_server: "scom-mgmt.corp.example.com"
        device_name: "web-prod-08"
        management_group: "CORP-MGMT-GROUP"
        state: present

    - name: Apply Windows Server baseline monitoring template
      microsoft.scom.monitoring_template:
        name: "Windows Server Baseline"
        targets:
          - "web-prod-08"
        state: applied

Alert Routing to Event-Driven Ansible

The collection is designed for bidirectional integration: SCOM raises alerts, EDA receives them via webhook or polling, and Ansible remediates the root cause automatically:

# rulebook: scom-alert-remediation.yml
- name: SCOM alert auto-remediation
  hosts: all
  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5002

  rules:
    - name: Restart service on SCOM service-down alert
      condition: >
        event.payload.alert_name == "Windows Service Health"
        and event.payload.severity == "Critical"
      action:
        run_job_template:
          name: "Restart Windows Service"
          organization: "IT Operations"
          extra_vars:
            target_host: "{{ event.payload.affected_host }}"
            service_name: "{{ event.payload.service_name }}"

    - name: Close SCOM alert after remediation
      condition: event.payload.job_status == "successful"
      action:
        run_playbook:
          name: "scom-close-alert.yml"
          extra_vars:
            alert_id: "{{ event.payload.alert_id }}"

Installation and Execution Environment Setup

Both collections ship in ee-supported in AAP 2.7. To use them in a custom Execution Environment:

# execution-environment.yml
version: 3
dependencies:
  galaxy:
    collections:
      - name: microsoft.mecm
        version: ">=1.0.0"
      - name: microsoft.scom
        version: ">=1.0.1"
  system:
    - python3-pywinrm [platform:rpm]

Build with ansible-builder:

ansible-builder build \
  --tag private-hub.corp.example.com/ee/windows-automation:latest \
  --file execution-environment.yml

See also: Ansible for Windows: Complete Guide to Windows Automation (2026)

MECM Connection Configuration

Both collections connect to MECM/SCOM management servers. Store credentials in AAP using a custom credential type:

# Custom credential type input configuration
fields:
  - id: mecm_server
    type: string
    label: MECM Primary Site Server
  - id: mecm_username
    type: string
    label: Service Account Username
  - id: mecm_password
    type: string
    label: Service Account Password
    secret: true
  - id: site_code
    type: string
    label: MECM Site Code

Reference in playbooks via environment variables injected by the credential type:

- name: Patch Windows estate via MECM
  hosts: localhost
  connection: local
  environment:
    MECM_SERVER: "{{ lookup('env', 'MECM_SERVER') }}"
    MECM_USERNAME: "{{ lookup('env', 'MECM_USERNAME') }}"
    MECM_PASSWORD: "{{ lookup('env', 'MECM_PASSWORD') }}"
    MECM_SITE_CODE: "{{ lookup('env', 'MECM_SITE_CODE') }}"

FAQ

Does microsoft.mecm replace the community.windows collection for patching?

No. community.windows and microsoft.mecm serve different purposes. community.windows manages Windows OS settings directly via WinRM (registry, services, features). microsoft.mecm manages MECM infrastructure — update groups, deployments, and the MECM agent itself — without requiring direct WinRM access to every managed server.

Is WinRM required for microsoft.mecm tasks?

No. microsoft.mecm tasks connect to the MECM site server API, not to individual managed nodes. You can run all microsoft.mecm tasks on localhost with connection: local.

Do I need a MECM service account with admin rights?

You need a MECM account with sufficient RBAC permissions for the operations you automate. Red Hat recommends a dedicated service account with scoped permissions per collection type (e.g., software update permissions for patching tasks, discovery permissions for health checks).

Are microsoft.mecm and microsoft.scom in ee-supported?

Yes. Both collections are included in ee-supported in AAP 2.7. They were added in this release alongside microsoft.hyperv.

See also: Run Windows 11 Client ARM64 Insider Preview in Apple Silicon (M1, M2, M3) with VMware Fusion

Category: installation

Browse all Ansible tutorials · AnsiblePilot Home