Connect to the Environment

Ansible is an agentless configuration management tool. Instead of relying on an installed agent, it uses remote management protocols to communicate with remote hosts.

Ansible uses SSH to connect to Linux hosts and network devices, and WinRM to connect to Windows.

Host connection options

The following are options available to connect to Linux and Windows hosts:


  1. SSH keys over SSH(22)
  2. Username & password over SSH (22)


  1. WinRM over HTTPS (5986)
  2. WinRM over HTTP (5985)

Windows authentication options

You can authenticate with Windows hosts using the following methods:

Option Local Accounts Active Directory Accounts Credential Delegation HTTP Encryption
Basic Yes No No No
Certificate Yes No No No
Kerberos No Yes Yes Yes
NTLM Yes Yes No Yes
CredSSP Yes Yes Yes Yes

The table is taken from

How you set up the remote management is dependent on the environment.

Connect to a Windows Host

Ansible uses PowerShell remoting over WinRM to connect to Windows hosts. Ansible will attempt to connect to a Windows host using WinRM over HTTPS on port 5986. Windows Server does not have PowerShell remoting via HTTPS preconfigured.

We think it best to use Ansible for all the configurations. Having to configure something before you can use Ansible is a chicken and egg scenario. You can deal with this problem in one of three ways:

  1. Bootstrap the WinRM configuration;
    • AWS and Azure provide features that allow you to run scripts at startup.
  2. Embed the changes into an image;
    • Build a custom image that has WinRM configured.
  3. Use WinRM over HTTP on port 5985;
    • Windows Server 2012r2 and later have PowerShell remoting configured on port 5985.

We solved this problem by executing the Ansible playbooks Create Windows Virtual Machine in Azure and AWS. Each of the playbooks contained a configuration for bootstrapping the WinRM configuration with a PowerShell script, ConfigureRemotingForAnsible.ps1.

The script generates self-signed certificates for using HTTPS and modifies the firewall rules to allow HTTPS traffic on port 5896.

Let’s review the sections for bootstrapping in both AWS and Azure playbooks.


The azure_create_windows_vm.yaml playbook uses a CustomScriptExtension to download and execute the PowerShell script, ConfigureRemotingForAnsible.ps1. Review Line 7 and 9 in the playbook below:

Get hands-on with 1000+ tech skills courses.