How Ansible Makes Automating Windows Easier

March 9, 2016 by Matt Davis


In case you missed it, Ansible 2.0’s Windows support includes a number of improvements and new features that make automating Windows with Ansible easier. Because of Red Hat’s ongoing commitment to cross-platform management, you’ll also see a continued acceleration of similar improvements included in future Ansible releases. In this post, I’ll highlight a few of the items we're most excited about from 2.0, and give a quick peek at what we've got planned for future releases.

Windows Update Support

Update management is a common pain point for Windows administrators. The new win_updates module makes it easy to orchestrate updates during your maintenance windows: no more logging into individual machines to kick off updates, or hoping a scheduled update pass actually ran as planned. The module reports what it found and installed, and whether the host now needs a reboot, so the rest of your play can act on that.
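As an added example (not code from the original post or from the Ansible project), here is a play that first audits pending updates with state: searched, then installs only the security and critical categories, one host at a time. The group name, log path and the needs_reboot fact are assumptions for illustration; the return values found_update_count, installed_update_count and reboot_required are the ones the 2.0 module returns.

```yaml
# Added example, not from the original post. Inventory group "windows",
# the log path and the needs_reboot fact name are assumptions.
- name: Windows Update via win_updates (audit, then install)
  hosts: windows
  serial: 1          # one host at a time, so a bad update cannot take the whole fleet down
  tasks:
    - name: Audit only, report pending updates without installing anything
      win_updates:
        category_names: [SecurityUpdates, CriticalUpdates]
        state: searched
      register: pending

    - name: Show how many updates would be installed
      debug:
        msg: "{{ inventory_hostname }} has {{ pending.found_update_count }} pending update(s)"

    - name: Install security and critical updates (skipped when nothing is pending)
      win_updates:
        category_names: [SecurityUpdates, CriticalUpdates]
        state: installed
        log_path: C:\Windows\Temp\ansible_win_updates.log   # per-host audit trail of what was applied
      register: wu
      when: pending.found_update_count > 0

    - name: Record whether this host still needs a reboot, for a later play to act on
      set_fact:
        needs_reboot: "{{ wu.reboot_required | default(false) }}"
```

Running the audit task on its own (for example with --tags or a separate play) gives you a fleet-wide view of patch debt before you change anything; the install task only fires on hosts where the audit found something, and the default filter keeps the play from failing on hosts where it was skipped.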

IIS Modules

2.0 shipped with a suite of modules for managing IIS (win_iis_website, win_iis_webapppool, win_iis_virtualdir, win_iis_webapplication and win_iis_webbinding). Websites, application pools, virtual directories, web applications and bindings can now all be declared in a playbook, so you can deploy and manage your IIS apps with the same simple, agentless approach you use everywhere else.
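The following play is an added example, not code from the original post or the Ansible project, showing how those modules fit together: the site gets its own application pool (so its worker process is isolated from other sites), binds only to its own host header, and exposes a static folder as a virtual directory. The site name, paths, host name and port are assumptions.

```yaml
# Added example, not from the original post. Site name, paths, host name
# and port are assumptions for illustration.
- name: Deploy a web application onto IIS with its own application pool
  hosts: windows
  vars:
    site_name: example-api
    site_root: C:\inetpub\example-api
  tasks:
    - name: Ensure the IIS role is installed
      win_feature:
        name: Web-Server
        state: present

    - name: Ensure the site content directory exists
      win_file:
        path: "{{ site_root }}"
        state: directory

    - name: Dedicated application pool, so this site's worker process is isolated from other sites
      win_iis_webapppool:
        name: "{{ site_name }}"
        state: started

    - name: Create the site on its own pool, answering only for its own host header
      win_iis_website:
        name: "{{ site_name }}"
        state: started
        physical_path: "{{ site_root }}"
        application_pool: "{{ site_name }}"
        ip: "*"
        port: 80
        hostname: api.example.com

    - name: Expose a static-content folder as a virtual directory under the site
      win_iis_virtualdir:
        name: static
        site: "{{ site_name }}"
        physical_path: "{{ site_root }}\\static"
        state: present

    - name: Remove the stock Default Web Site so requests without a matching host header get no site at all
      win_iis_website:
        name: Default Web Site
        state: absent
```

Every task is idempotent, so re-running the play after a config drift (someone moved the site back onto DefaultAppPool, say) puts it back the way it was declared, which is the point of managing IIS this way rather than by hand.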

Performance Enhancements to File Copy

Since the WinRM protocol has no built-in file transfer mechanism, Ansible had to jump through some "interesting" hoops to deploy its module code and copy files from the control host to a managed Windows system. Historically, this process was very slow and could only reliably transfer relatively small files. As of Ansible 2.0, the file copy process is optimized to be several times faster, and the file size restriction is gone. These changes make nearly all Ansible Windows tasks faster (since most tasks involve a file copy for the module itself), but are most noticeable when using win_copy.

Python 2.7.9+ Certificate Validation Control

If your Ansible control box happens to be running Python 2.7.9 or higher, you've probably run into failures connecting to HTTPS WinRM endpoints, because Python now validates server certificates by default and a self-signed WinRM listener certificate fails that check. This posed a difficult set of choices: downgrade Python, deploy "real" HTTPS certificates to all WinRM endpoints, disable certificate validation globally, or fall back to an unencrypted HTTP WinRM connection. Ansible 2.0 (in conjunction with pywinrm 0.1.1+) lets you disable certificate validation per host or group in inventory with the ansible_winrm_server_cert_validation variable. The connection stays encrypted, so you keep most of the benefits of HTTPS without deploying a private PKI or buying certs from a commercial CA; what you give up is verification of the server's identity, so an attacker who can sit on the path and present their own certificate could impersonate the host and capture the credentials sent over that connection. That is why we require the variable to be set to "ignore" explicitly rather than defaulting to that behavior: if you do have verifiable certificates deployed, we "do the right thing" from a security perspective by validating them, which gives you real protection against MITM attacks.
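As an added example (not from the original post), here is how that looks in group_vars, with the default, validating configuration next to the explicit "ignore" variant. The two YAML documents stand for two files; the account name, vault variable and group names are assumptions.

```yaml
# group_vars/windows.yml  (added example, not from the original post; account name,
# vault variable and group names are assumptions)
#
# Recommended: do NOT set ansible_winrm_server_cert_validation at all. Ansible 2.0
# then validates the listener's certificate, and a host presenting a certificate
# the control node does not trust is refused instead of being trusted blindly.
ansible_user: ansible-svc
ansible_password: "{{ vault_winrm_password }}"   # real secret lives in ansible-vault
ansible_connection: winrm
ansible_port: 5986          # HTTPS listener; 5985 would be the plaintext HTTP listener
---
# group_vars/windows_lab.yml  (lab hosts that only have self-signed WinRM certificates)
#
# Traffic is still TLS-encrypted, but the server's identity is never checked, so an
# on-path attacker who presents any certificate can impersonate the host and collect
# the credentials above. Scope this to the smallest group that genuinely needs it.
ansible_user: ansible-svc
ansible_password: "{{ vault_winrm_password }}"
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore   # must be spelled out; it is never the default
```

Keeping the "ignore" setting in its own group file rather than in a global vars file means a host promoted from the lab group to the production group automatically picks up certificate validation again, and a grep for ansible_winrm_server_cert_validation tells you exactly which hosts are still running with it.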

What's Up Next

Domain Authentication and Management

We know that one of the biggest pain points with Ansible on Windows right now is domain authentication. With 2.0, domain auth is only supported using Kerberos, and the ticket management is largely manual. The current support works pretty well in an interactive single-sign-on environment, but can pose many challenges for more complex use-cases (e.g., multiple users, unattended/server-side Ansible runs, multi-hop). In upcoming releases, we’re committed to supporting all WinRM authentication mechanisms (NTLM, CredSSP), as well as improving Kerberos ticket management to better match other Ansible password-based connection types.

In future releases, we’ll include modules to allow basic management of Windows domains, including domain-join/leave, promotion/demotion of domain controllers, domain user management, and even deployment of entirely new forests/domains.

Reboot Management

It’s an unfortunate fact that Windows machines need a lot of reboots. Managing those reboots robustly as part of an Ansible orchestration can be somewhat painful today, requiring several tasks. In an upcoming release, we’ll ship a win_reboot action that will take care of all the heavy lifting for you in a single task. This also plays very nicely with the win_updates task from 2.0.
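Until that action ships, the reboot has to be assembled from several tasks. The play below is an added example (not from the original post or the Ansible project) of that 2.0-era pattern: reboot only when win_updates says so, confirm the host actually went down, wait for the WinRM port to return, and then prove with win_ping that the module pipeline works rather than trusting an open port alone. The group name, timeouts and the default port are assumptions.

```yaml
# Added example, not from the original post. Group name, timeouts and the
# fallback port are assumptions for illustration.
- name: Patch, then reboot only if Windows Update asks for it
  hosts: windows
  serial: 1                     # reboot one host at a time
  tasks:
    - name: Install security and critical updates
      win_updates:
        category_names: [SecurityUpdates, CriticalUpdates]
        state: installed
      register: wu

    - name: Reboot when the update run requires it
      raw: shutdown /r /t 10 /c "Ansible post-update reboot"
      when: wu.reboot_required

    # Without this step a fast control node can see the port still open
    # from the old boot and carry on before the host has even gone down.
    - name: Wait for WinRM to disappear, confirming the host really went down
      local_action:
        module: wait_for
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: "{{ ansible_port | default(5986) }}"
        state: stopped
        timeout: 300
      when: wu.reboot_required

    - name: Wait for the WinRM port to come back
      local_action:
        module: wait_for
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: "{{ ansible_port | default(5986) }}"
        state: started
        delay: 30
        timeout: 600
      when: wu.reboot_required

    # An open port only means the listener is up; win_ping proves a module
    # can be copied and executed, which is what later tasks actually need.
    - name: Confirm the host is fully usable before continuing
      win_ping:
      when: wu.reboot_required
```

The stopped-then-started pair of wait_for tasks is the part people most often leave out, and it is the reason "several tasks" are needed today: skipping the first wait is a classic source of plays that continue against a host that is about to go away.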


With the changes recently shipped in 2.0, and what’s coming in future releases, we hope it’s clear that we’re deeply committed to making Ansible the best way to manage your Windows infrastructure. Stay tuned for more exciting features. 




Matt Davis

Matt is a Principal Software Engineer for Ansible Core, focused on Ansible's Windows support. He has over 20 years experience in software engineering, architecture, and operations at companies large and small. An avid musician, maker, and home hacker, Matt lives with his wife and daughter in Beaverton, Oregon.
