Can Ansible Manage Windows? Complete Windows Automation Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Can Ansible manage Windows? Yes! Learn how to configure WinRM, use Windows modules, manage services, registry, and Active Directory with Ansible examples.
Ansible is a powerful tool for automating tasks across various platforms, including Windows systems. While it’s widely known for managing Linux, Ansible’s support for Windows enables seamless cross-platform automation. This article explains how Ansible can manage Windows, the prerequisites, and use cases.
Can Ansible Manage Windows?
Yes, Ansible can manage Windows systems using WinRM (Windows Remote Management) or SSH. With its agentless architecture, Ansible performs tasks like software deployment, configuration management, and system updates on Windows nodes.
Prerequisites for Managing Windows with Ansible
1. Enable WinRM on Windows Hosts
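WinRM allows Ansible to communicate with Windows machines remotely.
Steps to Enable WinRM:
Open PowerShell as Administrator. Run the following commands:
```powershell
winrm quickconfig
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Set-Item wsman:\localhost\Client\TrustedHosts -Value "<Ansible_Control_Node_IP>"
```
Basic authentication combined with AllowUnencrypted sends the account password and all task data over plain HTTP, so these settings suit isolated lab hosts only.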
2. Install pywinrm on the Ansible Control Node
Install the pywinrm library to enable WinRM communication:
```bash
pip install pywinrm
```
3. Configure Inventory for Windows
Define the Windows hosts in your inventory file:
```ini
[windows]
windows_host ansible_host=192.168.1.10 ansible_user=Administrator ansible_password=your_password ansible_connection=winrm
```
Ansible Modules for Windows Automation
Ansible provides several modules specifically for managing Windows systems. Here are some commonly used ones:
1. win_service:
Manage Windows services.
```yaml
- name: Ensure IIS is running
  win_service:
    name: W3SVC
    state: started
```
2. win_package:
Install or uninstall software.
```yaml
- name: Install Google Chrome
  win_package:
    path: "https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise.msi"
```
3. win_user:
Manage user accounts.
```yaml
- name: Create a new user
  win_user:
    name: dev_user
    password: StrongPassword123!
    state: present
```
4. win_file:
Manage files and directories.
```yaml
- name: Create a directory
  win_file:
    path: C:\Temp
    state: directory
```
5. win_shell:
Execute PowerShell or command-line commands.
```yaml
- name: Run a PowerShell command
  win_shell: Get-Service
```
Use Cases for Ansible on Windows
• Application Deployment: Automate the installation and configuration of software.
• System Configuration: Apply consistent configurations across multiple Windows machines.
• Service Management: Start, stop, or restart Windows services as needed.
• File and Directory Management: Create, delete, or manage file permissions on Windows systems.
• User Management: Add, update, or remove users and groups.
Running Playbooks on Windows
Once the inventory and playbook are set up, use the ansible-playbook command to run tasks on Windows systems:
```bash
ansible-playbook -i inventory.ini windows-playbook.yml
```
Example Playbook to Configure Windows
```yaml
- hosts: windows
  tasks:
    - name: Install IIS
      win_feature:
        name: Web-Server
        state: present
    - name: Start IIS service
      win_service:
        name: W3SVC
        state: started
```
Best Practices for Managing Windows with Ansible
• Encrypt Credentials: Use Ansible Vault to secure sensitive data like passwords.
• Test Playbooks: Validate configurations in a test environment before applying them to production.
• Organize Tasks: Use roles and variables to simplify complex playbooks.
Conclusion
Ansible’s support for Windows makes it a versatile automation tool for hybrid environments. With modules tailored for Windows and its agentless architecture, Ansible simplifies the management of Windows systems alongside Linux and other platforms.
Learn More About Managing Windows with Ansible
Yes — Full Windows Management
Ansible manages Windows via WinRM or SSH, without installing any agent.
Setup WinRM
On Windows (run as Administrator)
```powershell
# Quick setup
winrm quickconfig -force
# Or use the Ansible script
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
Invoke-WebRequest -Uri $url -OutFile ConfigureRemotingForAnsible.ps1
.\ConfigureRemotingForAnsible.ps1
```
Ansible inventory
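```yaml
windows:
  hosts:
    win-server1:
      ansible_host: 10.0.1.50
  vars:
    ansible_user: Administrator
    ansible_password: "{{ vault_win_pass }}"
    ansible_connection: winrm
    ansible_winrm_transport: ntlm
    # "ignore" skips TLS certificate verification of the WinRM listener;
    # use "validate" with a certificate the controller trusts outside the lab.
    ansible_winrm_server_cert_validation: ignore
```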
What Can Ansible Do on Windows?
Package management
```yaml
- chocolatey.chocolatey.win_chocolatey:
    name: [googlechrome, vscode, 7zip]
    state: present
```
IIS web server
```yaml
- ansible.windows.win_feature:
    name: Web-Server
    state: present
    include_management_tools: true
- community.windows.win_iis_website:
    name: MyWebsite
    physical_path: C:\inetpub\mysite
    port: 80
    state: started
```
Active Directory
```yaml
- microsoft.ad.user:
    name: jsmith
    firstname: John
    surname: Smith
    password: "{{ vault_ad_password }}"
    state: present
    path: "OU=Users,DC=example,DC=com"
- microsoft.ad.group:
    name: Developers
    scope: global
    members:
      add: [jsmith, jdoe]
```
Services
```yaml
- ansible.windows.win_service:
    name: Spooler
    state: stopped
    start_mode: disabled
```
Scheduled tasks
```yaml
- community.windows.win_scheduled_task:
    name: DailyBackup
    actions:
      - path: C:\Scripts\backup.ps1
    triggers:
      - type: daily
        start_boundary: '2026-01-01T02:00:00'
    username: SYSTEM
    state: present
```
PowerShell execution
```yaml
- ansible.windows.win_shell: |
    Get-WmiObject Win32_LogicalDisk |
      Where-Object { $_.FreeSpace / $_.Size -lt 0.1 } |
      Select-Object DeviceID, @{N='FreeGB';E={[math]::Round($_.FreeSpace/1GB,2)}}
  register: low_disk
- debug: var=low_disk.stdout_lines
```
Key Collections
| Collection | Use Case |
|-----------|----------|
| ansible.windows | Core Windows modules |
| community.windows | Extended (IIS, scheduled tasks) |
| microsoft.ad | Active Directory |
| chocolatey.chocolatey | Package management |
Controller Requirements
```bash
# Install pywinrm on Ansible controller
pip install pywinrm
# Install Windows collections
ansible-galaxy collection install ansible.windows community.windows microsoft.ad
```
FAQ
Can Ansible controller run on Windows?
No — use WSL2 (Windows Subsystem for Linux) to run Ansible on Windows machines.
WinRM vs SSH on Windows?
WinRM is standard and fully supported. OpenSSH on Windows works but has module limitations. Use WinRM for production.
Can I domain-join machines with Ansible?
```yaml
- microsoft.ad.membership:
    dns_domain_name: example.com
    domain_admin_user: "{{ domain_admin }}"
    domain_admin_password: "{{ vault_domain_pass }}"
    state: domain
  register: domain_join
- ansible.windows.win_reboot:
  when: domain_join.reboot_required
```
Yes — Ansible Manages Windows
Ansible manages Windows hosts via WinRM (Windows Remote Management) or SSH (Windows 10+).
WinRM Setup
```powershell
# On Windows host (as Administrator)
Enable-PSRemoting -Force
winrm quickconfig -q
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
# Verify
winrm enumerate winrm/config/listener
```
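To confirm whether a host still has the two settings enabled above, this added example (not part of the original article) parses the text printed by `winrm get winrm/config/service` and reports them. The sample output is constructed, and the function names are hypothetical.

```python
# Constructed sample of `winrm get winrm/config/service` output from a host
# configured with the two `winrm set` commands in this article.
SAMPLE = """\
Service
    MaxConnections = 300
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
"""


def parse_winrm_config(text):
    """Flatten the indented output into {'Service/Auth/Basic': 'true', ...}."""
    settings, stack = {}, []  # stack holds (indent, section name) pairs
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        # Leave any section that is at the same or deeper indent than this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if "=" in raw:
            key, value = (part.strip() for part in raw.split("=", 1))
            settings["/".join([name for _, name in stack] + [key])] = value
        else:
            stack.append((indent, raw.strip()))
    return settings


def weak_service_settings(settings):
    """Return the names of the settings that together allow cleartext logons."""
    weak = []
    if settings.get("Service/AllowUnencrypted", "").lower() == "true":
        weak.append("AllowUnencrypted")
    if settings.get("Service/Auth/Basic", "").lower() == "true":
        weak.append("Basic")
    return weak


if __name__ == "__main__":
    print(weak_service_settings(parse_winrm_config(SAMPLE)))
```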
Inventory Configuration
```yaml
windows:
  hosts:
    win-server1:
      ansible_host: 192.168.1.50
  vars:
    ansible_connection: winrm
    ansible_user: Administrator
    ansible_password: "{{ vault_win_password }}"
    ansible_winrm_transport: ntlm
    ansible_port: 5986
    ansible_winrm_server_cert_validation: ignore
```
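The inventories in this article differ in how they protect the WinRM connection. The following added example (not from the original article) audits a host's connection variables for the weak choices that appear in them; the finding codes and function names are hypothetical, and the inputs are the article's own INI line and YAML vars re-typed.

```python
import shlex

# Finding codes and why they matter (names chosen for this example).
FINDINGS = {
    "plaintext-password": "ansible_password is a literal; store it in Ansible Vault",
    "cert-validation-ignored": "the WinRM listener's TLS certificate is not verified",
    "basic-auth": "Basic auth exposes the password unless the listener uses HTTPS",
    "http-listener": "port 5985 / scheme http carries no TLS",
}

def parse_ini_host_line(line):
    """Split an INI inventory host line into (hostname, {var: value})."""
    host, *pairs = shlex.split(line)
    return host, dict(pair.split("=", 1) for pair in pairs)

def audit_winrm_vars(host_vars):
    """Return the finding codes that apply to one host's connection variables."""
    if host_vars.get("ansible_connection") != "winrm":
        return []
    found = []
    password = str(host_vars.get("ansible_password", ""))
    if password and "{{" not in password:  # not a templated (vaulted) variable
        found.append("plaintext-password")
    if host_vars.get("ansible_winrm_server_cert_validation") == "ignore":
        found.append("cert-validation-ignored")
    if str(host_vars.get("ansible_winrm_transport", "")).lower() in ("basic", "plaintext"):
        found.append("basic-auth")
    port = str(host_vars.get("ansible_port", ""))
    if port == "5985" or host_vars.get("ansible_winrm_scheme") == "http":
        found.append("http-listener")
    return found

# Inputs re-typed from this article's INI inventory and its last YAML inventory.
INI_LINE = ("windows_host ansible_host=192.168.1.10 ansible_user=Administrator "
            "ansible_password=your_password ansible_connection=winrm")
YAML_VARS = {
    "ansible_connection": "winrm", "ansible_user": "Administrator",
    "ansible_password": "{{ vault_win_password }}", "ansible_winrm_transport": "ntlm",
    "ansible_port": 5986, "ansible_winrm_server_cert_validation": "ignore",
}

if __name__ == "__main__":
    for name, host_vars in (parse_ini_host_line(INI_LINE), ("win-server1", YAML_VARS)):
        for code in audit_winrm_vars(host_vars):
            print(f"{name}: {code}: {FINDINGS[code]}")
```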
Test Connection
```bash
pip install pywinrm
ansible win-server1 -m win_ping
```
What Can Ansible Do on Windows?
Software Management
```yaml
- win_package:
    path: C:\installers\app.msi
    state: present
- win_chocolatey:
    name: [git, vscode, python3, 7zip]
    state: present
```
Service Management
```yaml
- win_service:
    name: W3SVC
    state: started
    start_mode: auto
```
Registry
```yaml
- win_regedit:
    path: HKLM:\SOFTWARE\MyApp
    name: InstallPath
    data: C:\MyApp
    type: string
```
File Operations
```yaml
- win_copy:
    src: files/config.xml
    dest: C:\MyApp\config.xml
- win_file:
    path: C:\Logs\MyApp
    state: directory
- win_template:
    src: web.config.j2
    dest: C:\inetpub\wwwroot\web.config
```
Users and Groups
```yaml
- win_user:
    name: deploy
    password: "{{ vault_password }}"
    groups: Administrators
    state: present
- win_group:
    name: AppUsers
    state: present
```
PowerShell Execution
```yaml
- win_powershell:
    script: |
      Get-Process | Where-Object CPU -gt 100 | Stop-Process -Force
  register: result
```
Windows Updates
```yaml
- win_updates:
    category_names: [SecurityUpdates, CriticalUpdates]
    reboot: true
```
Windows Features (IIS, etc.)
```yaml
- win_feature:
    name: Web-Server
    state: present
    include_sub_features: true
    include_management_tools: true
```
Key Windows Collections
| Collection | Modules |
|-----------|---------|
| ansible.windows | win_copy, win_file, win_service, win_user, win_regedit, etc. |
| community.windows | win_iis_*, win_dns_*, win_scheduled_task, etc. |
| microsoft.ad | AD users, groups, OUs, GPOs, domain join |
| chocolatey.chocolatey | Package management via Chocolatey |
WinRM vs SSH
| Feature | WinRM | SSH |
|---------|-------|-----|
| Windows support | All versions | Windows 10+ |
| Setup complexity | Medium | Easy |
| Module support | Full | Full |
| Performance | Good | Good |
| Default | Yes | No |
FAQ
Can the Ansible controller run on Windows?
Not natively. Use WSL2, Docker, or a Linux VM. The controller must be Linux/macOS.
Does Ansible need an agent on Windows?
No — Ansible is agentless. It connects via WinRM or SSH, runs PowerShell commands, and disconnects.
Can Ansible manage Active Directory?
Yes — the microsoft.ad collection manages AD users, groups, OUs, Group Policy, and domain operations.