'; */ // Create a banner if we're not on the official docs site if (location.host == "docs.testing.ansible.com") { document.write('
'); } // Create a banner current_url_path = window.location.pathname; var important = false; var msg = '
'; if (startsWith(current_url_path, "/ansible-core/")) { msg += 'You are reading documentation for Ansible Core, which contains no plugins except for those in ansible.builtin. For documentation of the Ansible package, go to the latest documentation.'; } else if (startsWithOneOf(current_url_path, ["/ansible/latest/", "/ansible/9/"])) { /* temp extra banner to advertise something */ banner += extra_banner; msg += 'This is the latest (stable) Ansible community documentation. For Red Hat Ansible Automation Platform subscriptions, see Life Cycle for version details.'; } else if (startsWith(current_url_path, "/ansible/2.9/")) { msg += 'You are reading the latest Red Hat released version of the Ansible documentation. Community users can use this version, or select latest from the version selector to the left for the most recent community version.'; } else if (startsWith(current_url_path, "/ansible/devel/")) { /* temp extra banner to advertise something */ banner += extra_banner; msg += 'You are reading the devel version of the Ansible documentation - this version is not guaranteed stable. Use the version selection to the left if you want the latest (stable) released version.'; } else { msg += 'You are reading an older version of the Ansible documentation. Use the version selection to the left if you want the latest (stable) released version.'; /* temp extra banner to advertise something - this is for testing*/ banner += extra_banner; } msg += '
'; banner += important ? '
' : ''; banner += msg; banner += important ? '
' : ''; banner += '
Here are some commonly asked questions in regard to Ansible and Windows andtheir answers.
Note
This document covers questions about managing Microsoft Windows servers with Ansible.For questions about Ansible Core, please see thegeneral FAQ page.
Does Ansible work with Windows XP or Server 2003?
Ansible does not work with Windows XP or Server 2003 hosts. Ansible does work with these Windows operating system versions:
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows 10
Windows 11
Support for Windows Server 2008, 2008 R2, and Windows 7 ended in the 2.10release. Support for Windows Server 2012, 2012 R2, Windows 8, and 8.1 ended inthe 2.16 release.
Ansible also has minimum PowerShell version requirements - please seeSetting up a Windows Host for the latest information.
Can I manage Windows Nano Server with Ansible?
Ansible does not currently work with Windows Nano Server, since it doesnot have access to the full .NET Framework that is used by the majority of themodules and internal components.
Can Ansible run on Windows?
No, Ansible can only manage Windows hosts. Ansible cannot run on a Windows hostnatively, though it can run under the Windows Subsystem for Linux (WSL).
Note
The Windows Subsystem for Linux is not supported by Ansible andshould not be used for production systems.
To install Ansible on WSL, the following commandscan be run in the bash terminal:
sudo apt-get updatesudo apt-get install python3-pip git libffi-dev libssl-dev -ypip install --user ansible pywinrm
To run Ansible from source instead of a release on the WSL, simply uninstall the pipinstalled version and then clone the git repo.
pip uninstall ansible -ygit clone https://github.com/ansible/ansible.gitsource ansible/hacking/env-setup# To enable Ansible on login, run the followingecho ". ~/ansible/hacking/env-setup -q' >> ~/.bashrc
If you encounter timeout errors when running Ansible on the WSL, this may be due to an issuewith sleep not returning correctly. The following workaround may resolve the issue:
mv /usr/bin/sleep /usr/bin/sleep.origln -s /bin/true /usr/bin/sleep
Another option is to use WSL 2 if running Windows 10 later than build 2004.
wsl --set-default-version 2
Can I use SSH keys to authenticate to Windows hosts?
You cannot use SSH keys with the WinRM or PSRP connection plugins.These connection plugins use X509 certificates for authentication insteadof the SSH key pairs that SSH uses.
The way X509 certificates are generated and mapped to a user is differentfrom the SSH implementation; consult the Windows Remote Management documentation formore information.
Ansible 2.8 has added an experimental option to use the SSH connection plugin,which uses SSH keys for authentication, for Windows servers. See this questionfor more information.
Why can I run a command locally that does not work under Ansible?
Ansible executes commands through WinRM. These processes are different fromrunning a command locally in these ways:
Unless using an authentication option like CredSSP or Kerberos withcredential delegation, the WinRM process cannotdelegate the user’s credentials to a network resource, causing
Access isDeniederrors.All processes run under WinRM are in a non-interactive session. Applicationsthat require an interactive session will not work.
When running through WinRM, Windows restricts access to internal WindowsAPIs like the Windows Update API and DPAPI, which some installers andprograms rely on.
Some ways to bypass these restrictions are to:
Use
become, which runs a command as it would when run locally. This willbypass most WinRM restrictions, as Windows is unaware the process is runningunder WinRM whenbecomeis used. See the Understanding privilege escalation: become documentation for moreinformation.Use a scheduled task, which can be created with
win_scheduled_task. Likebecome, it will bypass all WinRM restrictions, but it can only be used to runcommands, not modules.Use
win_psexecto run a command on the host. PSExec does not use WinRMand so will bypass any of the restrictions.See AlsoAnsible for the Windows adminTo access network resources without any of these workarounds, you can useCredSSP or Kerberos with credential delegation enabled.
See Understanding privilege escalation: become more info on how to use become. The limitations section atWindows Remote Management has more details about WinRM limitations.
This program won’t install on Windows with Ansible
See this question for more information about WinRM limitations.
What Windows modules are available?
Most of the Ansible modules in Ansible Core are written for a combination ofLinux/Unix machines and arbitrary web services. These modules are written inPython and most of them do not work on Windows.
Because of this, there are dedicated Windows modules that are written inPowerShell and are meant to be run on Windows hosts. A list of these modulescan be found here.
In addition, the following Ansible Core modules/action-plugins work with Windows:
add_host
assert
async_status
debug
fail
fetch
group_by
include
include_role
include_vars
meta
pause
raw
script
set_fact
set_stats
setup
slurp
template (also: win_template)
wait_for_connection
Ansible Windows modules exist in the Ansible.Windows, Community.Windows, and Chocolatey.Chocolatey collections.
Can I run Python modules on Windows hosts?
No, the WinRM connection protocol is set to use PowerShell modules, so Pythonmodules will not work. A way to bypass this issue is to usedelegate_to: localhost to run a Python module on the Ansible control node.This is useful if during a playbook, an external service needs to be contactedand there is no equivalent Windows module available.
Can I connect to Windows hosts over SSH?
Ansible 2.8 has added an experimental option to use the SSH connection pluginto manage Windows hosts. To connect to Windows hosts over SSH, you must install and configure the Win32-OpenSSHfork that is in development with Microsoft onthe Windows host(s). While most of the basics should work with SSH,Win32-OpenSSH is rapidly changing, with new features added and bugsfixed in every release. It is highly recommend you install the latest releaseof Win32-OpenSSH from the GitHub Releases page when using it with Ansibleon Windows hosts.
To use SSH as the connection to a Windows host, set the following variables inthe inventory:
ansible_connection=ssh# Set either cmd or powershell not bothansible_shell_type=cmd# ansible_shell_type=powershell
The value for ansible_shell_type should either be cmd or powershell.Use cmd if the DefaultShell has not been configured on the SSH serviceand powershell if that has been set as the DefaultShell.
Why is connecting to a Windows host through SSH failing?
Unless you are using Win32-OpenSSH as described above, you must connect toWindows hosts using Windows Remote Management. If your Ansible output indicates thatSSH was used, either you did not set the connection vars properly or the host is not inheriting them correctly.
Make sure ansible_connection: winrm is set in the inventory for the Windowshost(s).
Why are my credentials being rejected?
This can be due to a myriad of reasons unrelated to incorrect credentials.
See HTTP 401/Credentials Rejected at Setting up a Windows Host for a more detailedguide of this could mean.
Why am I getting an error SSL CERTIFICATE_VERIFY_FAILED?
When the Ansible control node is running on Python 2.7.9+ or an older version of Python thathas backported SSLContext (like Python 2.7.5 on RHEL 7), the control node will attempt tovalidate the certificate WinRM is using for an HTTPS connection. If thecertificate cannot be validated (such as in the case of a self-signed cert), it willfail the verification process.
To ignore certificate validation, addansible_winrm_server_cert_validation: ignore to inventory for the Windowshost.
See also
- Windows Guides
The Windows documentation index
- Ansible playbooks
An introduction to playbooks
- Ansible tips and tricks
Tips and tricks for playbooks
- User Mailing List
Have a question? Stop by the Google group!
- Real-time chat
How to join Ansible chat channels
