rgl / my-windows-ansible-playbooks

My Windows Ansible Playbooks Playground


This is My Windows Ansible Playbooks Playground.

This targets Windows Server 2022 and Windows 11.

Disclaimer

  • These playbooks might work only when you start from scratch, in a machine that only has a minimal installation.
    • They might seem to work in other scenarios, but that is by pure luck.
  • There is no support for upgrades, downgrades, or uninstallations.

Usage

Add your machines to the Ansible inventory.yml file.

Review the development.yml playbook.

See the facts about the dm1 machine:

./ansible.sh dm1 -m ansible.builtin.setup

Run an ad-hoc command on the dm1 machine:

./ansible.sh dm1 -m win_command -a 'whoami /all'
./ansible.sh dm1 -m win_shell -a 'Get-PSSessionConfiguration'

Lint the development.yml playbook:

./ansible-lint.sh --offline --parseable development.yml
./mega-linter.sh

Run the development.yml playbook against the dm1 machine:

./ansible-playbook.sh --limit=dm1 development.yml | tee ansible.log

List this repository's dependencies (and which ones have newer versions):

export GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN'
./renovate.sh

Windows Management

Ansible can use one of the native Windows management protocols: psrp (recommended) or winrm.

It is also advisable to use the credssp transport, as it is the most flexible one:

transport     local accounts   active directory accounts   credentials delegation   encryption
basic         yes              no                          no                       no
certificate   yes              no                          no                       no
kerberos      no               yes                         yes                      yes
ntlm          yes              yes                         no                       yes
credssp       yes              yes                         yes                      yes

For more information see the Ansible CredSSP documentation.

Troubleshoot

In a Windows PowerShell session with administrator privileges, use the following commands to troubleshoot the machine and the WinRM service.

Try connecting to a machine with, e.g.:

Test-WSMan
winrm id
winrs -r:127.0.0.1:5985 "-u:Administrator" "-p:MyPassword" "whoami /all"
Enter-PSSession -ComputerName 127.0.0.1 -Port 5985
Invoke-Command -ComputerName 127.0.0.1 -Port 5985 -ScriptBlock { whoami /all }

Verify the listening addresses:

Get-NetConnectionProfile # NB WinRM only works on non-Public network profiles.
(Get-NetIPAddress).IPAddress
netsh http show iplisten
netsh interface portproxy show all # NB if not empty, watch for conflicts.
netstat -aon | Select-String :5985
winrm enumerate winrm/config/listener
winrm get winrm/config

If required, modify the network profile, or delete/add listening addresses with, e.g.:

Get-NetConnectionProfile `
  | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } `
  | Set-NetConnectionProfile -NetworkCategory Private
netsh http delete iplisten ipaddress=127.0.0.1
netsh http add iplisten ipaddress=127.0.0.1
Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
New-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
Restart-Service WinRM

Verify the Group Policy (GPO) or Local Policy:

gpresult.exe /h gporesult.html
# NB Windows PowerShell 5.1 does not support the && operator, so chain explicitly.
if ($LASTEXITCODE -eq 0) { Start-Process gporesult.html }
# NB ensure the policy filters are set to * or
#    the policy/filters do not exist at all.
$winRmPolicyKeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
if (Test-Path $winRmPolicyKeyPath) {
  Get-ItemProperty -Path $winRmPolicyKeyPath -Name IPv4Filter
  Get-ItemProperty -Path $winRmPolicyKeyPath -Name IPv6Filter
}

If required, modify them with, e.g.:

$winRmPolicyKeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
if (!(Test-Path $winRmPolicyKeyPath)) {
  New-Item -Force -Path $winRmPolicyKeyPath | Out-Null
}
# Either allow all addresses explicitly...
Set-ItemProperty -Path $winRmPolicyKeyPath -Name IPv4Filter -Value '*'
Set-ItemProperty -Path $winRmPolicyKeyPath -Name IPv6Filter -Value '*'
# ...or remove the filters altogether (do one or the other, not both).
Remove-ItemProperty -Path $winRmPolicyKeyPath -Name IPv4Filter
Remove-ItemProperty -Path $winRmPolicyKeyPath -Name IPv6Filter
Restart-Service WinRM
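A consolidated check, added here as an example and not part of the repository, covering the transport table in the Windows Management section and the troubleshooting steps above: it lists the WinRM listeners, the service authentication settings (including CredSSP, which the credssp transport needs on the server side), the policy filters and the network profile, and flags weak or blocking values. Run it in an elevated PowerShell session on the managed host; the function name and the OK/WARN labels are my own.

```powershell
# Added example, not repository code: audit the local WinRM service settings.
function Get-WinRmSecurityAudit {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Ok, [string]$Note) {
        $status = if ($Ok) { 'OK' } else { 'WARN' }
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Note = $Note })
    }

    # Listeners: every WSMan listener with its transport, address and port.
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $l = @{}
        Get-ChildItem $_.PSPath | ForEach-Object { $l[$_.Name] = $_.Value }
        Add-Finding "Listener $($l.Transport) on $($l.Address):$($l.Port)" ($l.Transport -eq 'HTTPS') `
            'Over HTTP only the encrypting transports in the table (kerberos, ntlm, credssp) protect the session.'
    }

    # Service authentication: the WSMan provider exposes values as the strings 'true'/'false'.
    $auth = @{}
    Get-ChildItem WSMan:\localhost\Service\Auth | ForEach-Object { $auth[$_.Name] = $_.Value }
    Add-Finding 'Basic auth disabled' ($auth.Basic -eq 'false') `
        'Basic offers neither delegation nor encryption; disable it unless required.'
    Add-Finding 'CredSSP enabled on server' ($auth.CredSSP -eq 'true') `
        'The Ansible credssp transport needs Enable-WSManCredSSP -Role Server on the host.'
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    Add-Finding 'AllowUnencrypted is false' ($unencrypted -eq 'false') `
        'Unencrypted WinRM exposes commands and output on the wire.'

    # Policy filters: a restrictive IPv4Filter/IPv6Filter silently blocks listeners.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    foreach ($name in 'IPv4Filter', 'IPv6Filter') {
        $value = $null
        if (Test-Path $policy) {
            $value = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
        }
        Add-Finding "$name policy" (($null -eq $value) -or ($value -eq '*')) `
            "Current value: '$value' (absent or * means no filtering)."
    }

    # Network profile: WinRM only listens on non-Public profiles.
    Get-NetConnectionProfile | ForEach-Object {
        Add-Finding "Profile '$($_.Name)' is $($_.NetworkCategory)" ($_.NetworkCategory -ne 'Public') `
            'Public profiles block WinRM; see the Set-NetConnectionProfile step above.'
    }

    return $findings
}

Get-WinRmSecurityAudit | Format-Table -AutoSize -Wrap
```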
