Ansible Control Server Setup for Windows

Ansible uses the pywinrm package to communicate with Windows servers over WinRM. It is not installed by default with the Ansible package, but can be installed by running the following:

# Install Ansible in RHEL/CENTOS
$ yum install wget -y
$ wget
$ sudo rpm -i epel-release-latest-7.noarch.rpm
$ sudo yum update -y 
$ sudo yum install ansible -y

# Install PIP
$ easy_install pip 
$ sudo yum install gcc krb5-devel krb5-workstation
$ pip install --upgrade pip
$ sudo yum install -y python-pip
$ sudo yum install gcc krb5-devel krb5-workstation
$ pip install --upgrade pip

$ sudo pip install markupsafe
$ sudo pip install xmltodict
$ pip install "pywinrm>=0.3.0" # pip install pywinrm --ignore-installed

$ ansible --version

How Ansible Control Server connects to Windows host?

When connecting to a Windows host, there are several different options that can be used when authenticating with an account. The authentication type may be set on inventory hosts or groups with the ansible_winrm_transport variable.

The following matrix is a high level overview of the options:

Option Local Accounts Active Directory Accounts Credential Delegation HTTP Encryption
Basic Yes No No No
Certificate Yes No No No
Kerberos No Yes Yes Yes
NTLM Yes Yes No Yes
CredSSP Yes Yes Yes Yes


Basic authentication is one of the simplest authentication options to use, but is also the most insecure. Basic authentication is not enabled by default on a Windows host but can be enabled by running the following in PowerShell:

$ Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

The following example shows host vars configured for basic authentication:

ansible_user: LocalUsername
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: basic