Part 33 — Windows Automation¶
Chapter status: outline
This chapter is scoped but not yet written in full prose. The sections below define what each part will cover.
Windows automation is different enough from the SSH/Python model covered everywhere else in this series that it deserves standalone treatment.
Why This Exists¶
- Real enterprise environments are rarely all-Linux — this chapter equips readers to automate Windows fleets alongside Linux ones using the same Ansible control node.
Problem Statement¶
- Windows doesn't ship an SSH-based remote-execution model equivalent to Unix by default, and its native scripting language is PowerShell, not Python — Ansible's Windows support has to bridge both gaps.
Internal Architecture¶
- WinRM (Windows Remote Management): the transport protocol Ansible uses to reach Windows managed nodes, analogous to SSH's role for Linux (Volume 3, Part 15).
- PowerShell: Windows modules are PowerShell scripts, not Python — the managed-node execution language differs from every other chapter in this series, though the module contract (JSON in/out, idempotency, check mode) stays conceptually the same.
pywinrm: the Python library the control node uses to speak WinRM, installed as an extra (pip install pywinrm) since it's not a core Ansible dependency (previewed in Volume 3, Part 17).
Step-by-Step Explanation¶
- Windows modules: the
win_*-prefixed andansible.windows/community.windowscollection modules (win_package,win_service,win_copy) mirroring familiar Linux module names but implemented in PowerShell. - Requirements: WinRM must be enabled and configured on the target (often via a bootstrap PowerShell script Microsoft/Ansible provide), and the control node needs
pywinrminstalled. - Authentication methods:
- Kerberos: domain-joined authentication, generally the most secure and recommended option inside an Active Directory environment.
- NTLM: works without Kerberos infrastructure but is a weaker authentication protocol, useful for non-domain or mixed environments.
- CredSSP: required specifically when a task needs to make a second network hop using the same credentials (the "double-hop" problem).
- Connection variables:
ansible_connection: winrm,ansible_winrm_transport,ansible_port(typically 5985/5986),ansible_winrm_server_cert_validation.
Production Best Practices¶
- Preferring Kerberos authentication in domain environments over NTLM for stronger security guarantees.
- Enabling HTTPS-based WinRM (port 5986) with real certificates in production rather than unencrypted HTTP WinRM.
Common Mistakes¶
- Hitting the WinRM "double-hop" problem (a task needing to authenticate onward to a second resource) without configuring CredSSP, resulting in confusing access-denied errors.
- Assuming Linux modules work unchanged against Windows hosts instead of using the dedicated
win_*/Windows-collection modules. - Leaving
ansible_winrm_server_cert_validation: ignoreset in production instead of using properly validated certificates.
Performance Considerations¶
- WinRM connections don't benefit from SSH's ControlPersist multiplexing the same way; connection reuse and batching strategies differ from the Linux tuning in Part 32.
Security Considerations¶
- Choosing the weakest sufficient authentication method deliberately (Kerberos > NTLM in most domain environments), and enabling encrypted WinRM (HTTPS) rather than plaintext.
Interview Questions¶
- "How does Ansible connect to and execute automation on Windows hosts?"
- "What's the WinRM 'double-hop' problem, and how does CredSSP address it?"
- "When would you choose NTLM over Kerberos for Windows automation?"
Hands-On Lab¶
- Configure
ansible_connection: winrmagainst a test Windows host, verify connectivity withansible winserver -m win_ping, and inspect the difference in output/behavior compared to the Linuxpingmodule used throughout Volume 3.
Summary¶
- Windows automation swaps SSH for WinRM and Python modules for PowerShell modules, but keeps the same conceptual contract (idempotent, JSON-returning modules) — the real complexity is in authentication method selection (Kerberos/NTLM/CredSSP) for your specific domain topology.
Next¶
Continue to Part 34 — Troubleshooting.