/Ansible-Windows-Playbooks

Examples of various Ansible Playbooks for Microsoft Windows Server 2016

SETTING UP ANSIBLE FOR WINDOWS SERVERS

Ansible Documentation on Windows Remote management

https://docs.ansible.com/ansible/2.6/user_guide/windows_winrm.html#certificate

For setting up Ansible to communicate with Windows servers via WinRM, pywinrm needs to be installed on the Ansible control node:

pip install pywinrm

For dev use only: enable WinRM over a plain HTTP listener with Basic auth. With AllowUnencrypted=true, credentials and payloads cross the network in the clear, so this belongs in a lab only:

winrm quickconfig
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'

For proper WinRM communication over HTTPS using a self-signed certificate, download this PowerShell script from the Ansible GitHub repo:

https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1

Then run it in PowerShell with elevated privileges:

.\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert

To see WinRM listeners running:

winrm enumerate winrm/config/listeners

Shut down a Windows server (for reboots use the win_reboot module). This is also only for dev use; never shut down a server outside dev:

ansible -i hosts windows -m raw -a "Stop-Computer -Force" --ask-pass

Example ad-hoc command to show disk space on a Windows server:

ansible -i hosts -m raw -a "Get-PSDrive C,D" windows --ask-pass

Get certificate thumbprint via PowerShell:

Get-ChildItem -path cert:\LocalMachine\My

Setting a WinRM HTTPS listener manually with a specific cert thumbprint. If the thumbprint was copied out of the certificates MMC snap-in it often carries an invisible leading character (rendered as "?" in some editors) that makes the command fail, so check that the value is exactly 40 hex characters:

$selector_set = @{
    Address = "*"
    Transport = "HTTPS"
}
$value_set = @{
    CertificateThumbprint = "33C42A60F6FDD08707F851625097163D1C14C0C8"
}

New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $selector_set -ValueSet $value_set -UseSSL

Set up a WinRM listener on a specific IP, e.g. the management IP only. The Address selector takes the form "IP:<address>"; replace the placeholder below with the management interface address:

New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:<management-ip>";Transport="HTTPS"} -ValueSet @{CertificateThumbprint = "33C42A60F6FDD08707F851625097163D1C14C0C8"}

Remove all WinRM Listeners

Remove-Item -Path WSMan:\localhost\Listener* -Recurse -Force

Only remove WinRM listeners that run over HTTPS:

Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object { $_.Keys -contains "Transport=HTTPS" } | Remove-Item -Recurse -Force
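The thumbprint lookup, listener creation and listener removal above can be combined into one idempotent step. The following is an added example and not part of this repo: it strips any non-hex character from a pasted thumbprint (the invisible character that the MMC snap-in leaves behind is the usual culprit), confirms the certificate exists in LocalMachine\My with a private key and has not expired, replaces any existing HTTPS listener on the same address, then lists the listeners. The function names, the thumbprint argument and the IP address 10.0.0.5 are assumptions made for the example.

```powershell
function Get-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Thumbprints pasted from certlm.msc often carry a leading U+200E (left-to-right
    # mark) that renders as '?' in some editors; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint '$Thumbprint' does not reduce to 40 hex characters (SHA-1)."
    }
    return $clean
}

function Assert-ServerCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # The listener only works if the cert sits in LocalMachine\My together with its private key.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; WinRM cannot use it for TLS."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
    }
    return $cert
}

function Set-WinRmHttpsListener {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # "*" listens on every interface; "IP:<address>" binds a single (management) interface.
        [string]$Address = "*"
    )
    $clean = Get-CleanThumbprint -Thumbprint $Thumbprint
    $null  = Assert-ServerCertificate -Thumbprint $clean

    # Idempotency: drop an existing HTTPS listener on the same address before creating the new one.
    Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { ($_.Keys -contains "Transport=HTTPS") -and ($_.Keys -contains "Address=$Address") } |
        Remove-Item -Recurse -Force

    # Transport=HTTPS in the selector set is what makes this an HTTPS listener.
    New-WSManInstance -ResourceURI "winrm/config/Listener" `
        -SelectorSet @{ Address = $Address; Transport = "HTTPS" } `
        -ValueSet    @{ CertificateThumbprint = $clean } | Out-Null

    # Show the resulting listeners so the certificate binding can be checked by eye.
    winrm enumerate winrm/config/listeners
}

# Example invocation (assumed values): the leading '?' is the stray character the helper
# removes; 10.0.0.5 stands in for the management IP of this host.
Set-WinRmHttpsListener -Thumbprint "?33C42A60F6FDD08707F851625097163D1C14C0C8" -Address "IP:10.0.0.5"
```

Run it from an elevated PowerShell session on the target server. Binding to a management address rather than "*" keeps the WinRM port off interfaces that do not need it, which is the same intent as the single-IP listener command above.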

Disable AllowUnencrypted

winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm set winrm/config/client '@{AllowUnencrypted="false"}'

Get overall WinRM config:

winrm get winrm/config
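The dev-only settings near the top of this README (Basic auth, AllowUnencrypted, an HTTP listener) are exactly what should be looked for once a server leaves dev, and the AllowUnencrypted and "winrm get winrm/config" commands above are the manual way to do that. The following is an added example, not part of this repo, that reads the same settings through the WSMan: drive, reports each weak one, and optionally remediates. It only removes the HTTP listener when an HTTPS listener already exists, so it cannot lock you out of remote management; disabling Basic auth is opt-in because Ansible may still rely on it (over HTTPS) for local accounts. Function names are assumptions made for the example.

```powershell
function Get-WinRmSecurityFindings {
    # Returns one object per weak setting found in the live WinRM configuration.
    $findings = @()
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Bad = 'true'
           Why  = 'Service accepts sessions without TLS or message-level encryption' },
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Bad = 'true'
           Why  = 'Client may fall back to unencrypted sessions' },
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Bad = 'true'
           Why  = 'Basic auth enabled; credentials are protected only by TLS, so never pair with an HTTP listener' }
    )
    foreach ($c in $checks) {
        $value = (Get-Item -Path $c.Path).Value
        if ("$value" -ieq $c.Bad) {
            $findings += [pscustomobject]@{ Setting = $c.Path; Value = $value; Reason = $c.Why }
        }
    }
    # Any listener whose transport key is exactly "Transport=HTTP" is a plaintext listener.
    Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Setting = "Listener $($_.Name)"; Value = ($_.Keys -join ','); Reason = 'Plain HTTP listener present' }
        }
    return $findings
}

function Invoke-WinRmHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DisableBasicAuth)

    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener
    $hasHttps  = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })

    if ($PSCmdlet.ShouldProcess('WinRM service and client', 'Set AllowUnencrypted=false')) {
        Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value 'false'
        Set-Item -Path WSMan:\localhost\Client\AllowUnencrypted  -Value 'false'
    }
    if ($DisableBasicAuth -and $PSCmdlet.ShouldProcess('WinRM service', 'Set Auth\Basic=false')) {
        Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value 'false'
    }
    # Only drop the HTTP listener once an HTTPS one exists; otherwise remote management would be lost.
    if ($hasHttps) {
        $listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' } | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove HTTP listener')) {
                $_ | Remove-Item -Recurse -Force
            }
        }
    } else {
        Write-Warning 'No HTTPS listener configured; leaving the HTTP listener in place.'
    }
}

# Report first, then preview the changes; drop -WhatIf to apply them.
Get-WinRmSecurityFindings | Format-Table -AutoSize
Invoke-WinRmHardening -WhatIf
```

Because the hardening function supports -WhatIf, it can be run on a server straight after the dev-only setup to see which of those settings are still in effect before anything is changed.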

Convert a .pfx certificate to .pem (including the private key) on Linux. Note that -nodes writes the private key unencrypted, so protect the resulting file accordingly:

openssl pkcs12 -in file.pfx -out file.pem -nodes