
Ansible setup for Windows using WinRM

The Ansible docs are a bit difficult to follow on setting up Windows using WinRM as the connection method. They state that there’s an easy-to-use script.

Details about each component can be read below, but the script ConfigureRemotingForAnsible.ps1 can be used to set up the basics. This script sets up both HTTP and HTTPS listeners with a self-signed certificate and enables the Basic authentication option on the service.

https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#winrm-setup

However, they later warn:

The ConfigureRemotingForAnsible.ps1 script is intended for training and development purposes only and should not be used in a production environment, since it enables settings (like Basic authentication) that can be inherently insecure.

This warning is quite discouraging. Looking at the script, it is true that Basic authentication is enabled by default, but it can be disabled by adding the -DisableBasicAuth option. You can modify their listed procedure of downloading and running the setup script to read as follows:

Run this way, the script still sets up both HTTP and HTTPS listeners for WinRM, and NTLM authentication on the WinRM service remains enabled by default.

Now, if you wanted certificate-based authentication, the above script wouldn’t do that. But for my purposes, that really isn’t worth the hassle. Since I am using NTLM authentication, my Ansible inventory does have a username/password listed in it. But, that inventory sits on a trusted host to begin with. (If it didn’t, anyone could start modifying my Ansible playbooks.)

You should review the firewall rules after running this script. In my case (caveat: I did a lot of experimenting before I ran the script, which may have also changed the firewall rules), it showed three rules. The first allowed an HTTP listener for Domain and Private networks and was enabled. The second allowed an HTTP listener for Public networks, local subnet only, but it was disabled. The third allowed an HTTPS listener for all networks and was enabled. I modified that last one to be Domain and Private only. So, if I take a laptop out in the field, the firewall should block the rule (based on the Public network profile).
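As an added example (not code from the original post or from the Ansible project), here is a PowerShell session that runs the script with -DisableBasicAuth and then checks what the WinRM service and the firewall actually ended up with: the download URL is the one used in the Ansible docs (assumed still valid), and the final step applies the same Domain/Private restriction to the HTTPS rule that the post describes, selecting the rule by port rather than by name.

```powershell
# Added example: run ConfigureRemotingForAnsible.ps1 with Basic auth disabled,
# then verify the resulting WinRM and firewall state. Run from an elevated prompt.
# Assumption: the download URL below is the one the Ansible docs currently use.
$url  = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

# -DisableBasicAuth turns Basic off while leaving NTLM (Negotiate) on,
# which addresses the specific concern in the docs' production warning.
powershell.exe -ExecutionPolicy ByPass -File $file -DisableBasicAuth

# 1. Authentication methods the WinRM service offers.
#    Expect Basic = false and Negotiate (NTLM/Kerberos) = true.
Get-ChildItem WSMan:\localhost\Service\Auth |
    Select-Object Name, Value | Format-Table -AutoSize

# 2. Listeners: expect one HTTP (5985) and one HTTPS (5986) entry.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
    }
}

# 3. Inbound firewall rules that open the WinRM ports, and the profiles
#    each one applies to. Selecting by port avoids depending on rule names.
$winrmRules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '5985' -or $_.LocalPort -eq '5986' } |
    Get-NetFirewallRule |
    Where-Object Direction -eq 'Inbound'
$winrmRules | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# 4. Restrict the HTTPS rule(s) to the Domain and Private profiles, as the
#    post does, so the listener is not reachable on a Public network.
$winrmRules |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq '5986' } |
    Set-NetFirewallRule -Profile Domain, Private
```

Re-run step 3 afterwards to confirm the HTTPS rule now lists only Domain and Private.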
