
Day 3.0 - 🚀 Using Ansible to Streamline Your Microsoft Windows Deployment

Deploying Microsoft Windows at scale is a multi-step job: imaging, driver and application installs, configuration, and the post-installation work that turns a freshly imaged box into a usable system. Microsoft provides several tools for the imaging side (MDT, SCCM/Configuration Manager, Intune), but you can simplify the configuration side of your automation stack by adding Ansible into the mix.

In this post, we'll walk through how to set up Ansible to manage and configure Windows systems as part of your deployment pipeline.


🛠️ Why Use Ansible for Windows?

Ansible is an agentless automation tool most often used in Linux environments, but it supports Windows targets as well. Benefits include:

  • Centralized configuration and automation from one control node
  • Repeatable, idempotent tasks (a playbook run twice leaves the host in the same state)
  • Simple YAML playbooks that live in version control
  • Connects over WinRM and drives PowerShell and Chocolatey through dedicated win_* modules

✅ Prerequisites

Before we start, here’s what you’ll need:

  • A Linux/macOS control node (Ansible doesn't run natively on Windows; WSL works if you must start from a Windows workstation)
  • Windows machines with:
    • WinRM enabled and reachable from the control node (for Ansible to connect)
    • An account with local administrator rights on each target (a local account or a domain account)
  • Ansible installed (version 2.9+)
  • Python packages: pywinrm on the control node

You can install pywinrm with the CredSSP extra (add the kerberos extra as well if you will authenticate with domain accounts over Kerberos):

pip install "pywinrm[credssp]"


🔐 Configuring WinRM on Windows

WinRM is how Ansible talks to Windows. On each target Windows machine, run this PowerShell script as Administrator. This is a lab configuration: it opens the plain HTTP listener and Basic authentication so you can get a first connection working quickly. The settings marked as testing-only must be reverted before production (see Securing Your Setup below).

# Enable the WinRM service, create the default HTTP listener on port 5985 and add the
# firewall exception. Enable-PSRemoting runs "winrm quickconfig" internally, so you do
# not need both. Add -SkipNetworkProfileCheck if the adapter is on the Public profile.
Enable-PSRemoting -Force

# Allow Basic authentication. It only works for local accounts, and the password is
# sent base64-encoded (effectively in the clear), so use it only on a trusted lab network.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

# Allow unencrypted traffic over the HTTP listener. Testing only; production uses an
# HTTPS listener on port 5986 and leaves this set to $false.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true

For domain environments, use Group Policy to enable and secure WinRM at scale (the WinRM service, listener and firewall settings all have policy equivalents) rather than running a script per machine.


🧾 Your Inventory File

Create an inventory file (hosts.ini). These variables match the lab WinRM configuration above: Basic authentication over the default HTTP port 5985.

[windows]
192.168.1.101

[windows:vars]
ansible_user=Administrator
ansible_password=your_password
ansible_connection=winrm
ansible_winrm_transport=basic
# Only meaningful once you switch to HTTPS (ansible_winrm_scheme=https, ansible_port=5986);
# over plain HTTP this line does nothing. With a real CA, point ansible_winrm_ca_trust_path
# at the CA certificate instead of ignoring validation.
ansible_winrm_server_cert_validation=ignore

⚠️ Never store passwords in plain text for production use. Encrypt them with Ansible Vault: ansible-vault encrypt_string 'your_password' --name ansible_password prints a !vault block that you put in group_vars/windows.yml (an INI inventory cannot hold vault strings), and you then run playbooks with --ask-vault-pass or --vault-password-file.

📜 Sample Playbook – Install Chocolatey and VS Code

Here's a simple playbook that ensures Chocolatey is installed (the win_chocolatey module bootstraps Chocolatey itself when it is missing) and then uses it to install Visual Studio Code. On Ansible 2.10 and later the module lives in the chocolatey.chocolatey collection, so install it with ansible-galaxy collection install chocolatey.chocolatey and use the full name chocolatey.chocolatey.win_chocolatey if the short name does not resolve.


---
- name: Configure Windows Machine
  hosts: windows
  tasks:
    - name: Install Chocolatey
      win_chocolatey:
        name: chocolatey
        state: present

    - name: Install Visual Studio Code
      win_chocolatey:
        name: vscode
        state: present

Save this as windows-setup.yml. First confirm the connection works with ansible windows -i hosts.ini -m win_ping, then run the playbook with:

ansible-playbook -i hosts.ini windows-setup.yml


🤖 What Can You Automate?

Once you're connected, most day-two tasks have a ready-made module:

  • Join computers to a domain (win_domain_membership)
  • Install apps via Chocolatey or MSIs (win_chocolatey, win_package)
  • Configure system settings and registry keys (win_regedit, win_feature)
  • Run PowerShell scripts (win_shell, or script to push a local .ps1)
  • Map drives (win_mapped_drive) and printers (via PowerShell)
  • Set up scheduled tasks (win_scheduled_task)
  • Patch and reboot systems (win_updates, win_reboot)

💡 Pro Tip: Combine With Imaging Tools

Use Ansible after imaging or as part of a hybrid deployment process. For example:

  1. Deploy a base Windows image with MDT or WDS.
  2. Automatically run a script on first boot that enables WinRM (ideally the hardened HTTPS configuration) and registers the machine with your inventory source.
  3. A dynamic inventory (or a provisioning callback in AWX / Ansible Automation Platform, since plain Ansible does not listen for new hosts) picks up the new machine and applies its post-image configuration.

🔐 Bonus: Securing Your Setup

  • Use HTTPS for WinRM in production (listener on 5986, Basic and AllowUnencrypted set to false, HTTP listener removed)
  • Use Kerberos for domain accounts (NTLM is the fallback); enable CredSSP only for tasks that need a second hop, because it hands the full credential to the target
  • Encrypt secrets with ansible-vault
  • Keep the Ansible account's rights scoped and its use logged; Just Enough Administration (JEA) constrains human admins' PowerShell sessions, but Ansible itself needs a full PowerShell endpoint, so it does not run through a JEA endpoint
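The script below is an added example, not part of the original post. It does what the Configuring WinRM section did for a lab, but in the hardened form this list asks for (HTTPS listener, no Basic, no unencrypted traffic, HTTP listener removed, firewall limited to the control node), and it is the kind of script step 2 of the Pro Tip would run on first boot. Assumptions: the machine's FQDN is resolvable from the control node, a self-signed certificate is acceptable until a CA-issued one replaces it, and 10.0.0.10 is a placeholder for the control node's address.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's script: hardened WinRM setup for Ansible.
# Assumptions: FQDN resolvable from the control node; self-signed cert acceptable until
# a CA-issued one replaces it; 10.0.0.10 is a placeholder for the control node address.

$ControlNode = '10.0.0.10'   # placeholder: the only source allowed to reach 5986
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Service up and auto-starting. Enable-PSRemoting also creates the default HTTP
#    listener and firewall rules; both are replaced below.
#    Add -SkipNetworkProfileCheck if the adapter is on the Public profile.
Enable-PSRemoting -Force | Out-Null
Set-Service -Name WinRM -StartupType Automatic

# 2. Certificate for the listener. In production swap in a CA-issued cert by thumbprint.
$Cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My
# Export the public cert so the control node can pin it instead of ignoring validation.
Export-Certificate -Cert $Cert -FilePath "$env:ProgramData\winrm-$env:COMPUTERNAME.cer" | Out-Null

# 3. Remove every HTTP listener so nothing can fall back to plaintext on 5985.
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force

# 4. HTTPS listener on 5986 bound to the certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $Cert.Thumbprint -Force | Out-Null

# 5. Disable what the lab setup enabled. Basic auth only works for local accounts and
#    sends the password base64-encoded; AllowUnencrypted lets that cross the wire in clear.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
# Negotiate (NTLM) and Kerberos stay on. CredSSP stays off unless a task needs a second
# hop, because CredSSP delegates the full credential to this host.
Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP -Value $false

# 6. Firewall: disable the built-in WinRM rules (they open 5985) and allow 5986 inbound
#    from the control node only.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'WinRM HTTPS (Ansible control node)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $ControlNode -Action Allow | Out-Null

# 7. Verify the end state before handing the host to Ansible: one HTTPS listener,
#    Basic and CredSSP false, AllowUnencrypted false, port 5986 answering.
Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys
Get-ChildItem -Path WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
Test-NetConnection -ComputerName $Fqdn -Port 5986 -InformationLevel Quiet
```

On the control node, the matching inventory variables are ansible_port=5986, ansible_winrm_scheme=https and ansible_winrm_transport=ntlm (or kerberos for domain accounts, with pywinrm[kerberos] installed). Convert the exported certificate to PEM (openssl x509 -inform der -in winrm-HOST.cer -out winrm-HOST.pem) and point ansible_winrm_ca_trust_path at it rather than keeping ansible_winrm_server_cert_validation=ignore; then confirm with ansible windows -i hosts.ini -m win_ping before running any playbook.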

📦 Wrapping Up

Ansible isn’t just for Linux admins anymore. With a little setup it becomes a reliable way to automate Windows post-deployment configuration, saving time, reducing hand-built drift, and keeping systems consistent.

Start small with a few tasks, then grow your playbooks as your needs do. And as always, test in a lab before rolling into production, including the WinRM hardening itself, since a misconfigured listener locks you out of the very hosts you are trying to manage.

-IcePhishHacker