1. Install these packages on your management Linux system
    1. apt-get -y install python-dev libkrb5-dev python-pip”.
    2. pip install “pywinrm>=0.2.0””.
    3. pip install kerberos”.
    4. apt-get -y install ansible”.
    5. apt-get –y install krb5-user”.
    6. pip install requests-ntlm


  1. Check the version of packages by running command “pip list”. The versions to have
    1. pip (1.5.4)
    2. pycrypto (2.6.1)
    3. pykerberos (1.1.13)
    4. python-apt (
    5. python-debian (0.1.21-nmu2ubuntu2)
    6. python-ntlm3 (1.0.2)
    7. pywinrm (0.2.0)
    8. requests-ntlm


Project root folder:


                        |___group_vars / windows.yml


windows.yml is used to store the vars for this project, the content is :

ansible_user: Administrator
ansible_password: password
ansible_winrm_scheme: https
ansible_port: 5986
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
ansible_winrm_message_encryption: auto
ansible_winrm_transport: ntlm
  • ansible_winrm_scheme: https
    ansible_port: 5986 — we are going to use https, and the port is 5986
  • ansible_connection: winrm — tell ansible to use winrm instead of ssh
  • ansible_winrm_message_encryption: auto — use encryption so we will not get rejected by windows machine.

hosts file:

frank-pc ansible_ssh_host=
Windows Setup
  • Ansible’s supported Windows versions generally match those under current and extended support from Microsoft. Supported desktop OSs include Windows 7, 8.1, and 10, and supported server OSs are Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016.
  • Ansible requires PowerShell 3.0 or newer and at least .NET 4.0 to be installed on the Windows host.
  • A WinRM listener should be created and activated. More details for this can be found below.
WinRM setup

Download: https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 to current folder:

powershell.exe -ExecutionPolicy ByPass -File ConfigureRemotingForAnsible.ps1
Setup WinRM Listener

There are three ways to set up a WinRM listener:

  • Using winrm quickconfig for HTTP or winrm quickconfig -transport:https for HTTPS.

  • To get an output of the current service configuration options, run the following command:
    winrm get winrm/config/Service
    winrm get winrm/config/Winrs
Windows firewall

Following rule needs to be enabled: Windows Remote Management (HTTP-in)


The specified credentials were rejected by the server
frank-pc | FAILED! => {
 "failed": true,
 "msg": "ERROR! plaintext: the specified credentials were rejected by the server"

You should check the winrm setup on the windows server by powershell command:

PS c:\windows\system32\ > winrm get winrm/config/service

  MaxConcurrentOperations = 4294967295
  MaxConcurrentOperationsPerUser = 1500
  EnumerationTimeoutms = 240000
  MaxConnections = 300
  MaxPacketRetrievalTimeSeconds = 120
  AllowUnencrypted = false

Note the AllowUnencrypted is false, so temporarily change this into allow unencrypted message:

set-item -Path WSMan:\localhost\Service\AllowUnencrypted -Value True

If this works, make sure the following configure is same in the vars file:

ansible_winrm_scheme: https 

ansible_port: 5986

ansible_winrm_message_encryption: auto 

ansible_winrm_transport: ntlm

pip install requests-ntlm




- name: Install Apache from an MSI
  hosts: all
    - name: Download the Apache installer
        url: 'http://www.7-zip.org/a/7z1701-x64.msi'
        dest: 'C:\Users\Support\Downloads\7z1701-x64.msi'

    - name: Install MSI
      path: 'C:\Users\Support\Downloads\7z1701-x64.msi'
      state: present

Then call it:

ansible-playbook apache_windows.yml -i hosts -u support




Configuring Ansible to manage Windows system over PowerShell