Using Ansible to manage Windows desktops

Configuring the system for Powershell Remoting

The following actions have to be taken to enable WinRM Powershell remoting.

Enable WinRM

Start Powershell (Run as Administrator) and run the following command: WinRM qc

Answer yes on each question asked.

Allow Powershell script execution

Start Powershell (Run as Administrator) and run the following command: Set-ExecutionPolicy

Enter the policy to be used: Bypass

Answer yes when asked to change the policy.

Allow Powershell remoting for Ansible

Start Powershell (Run as Administrator) and run the following command: ConfigureRemotingForAnsible.ps1 -CertValidityDays 3650

Enable Wake-on-LAN (WoL)

In order to automatically turn on systems when doing maintenance, we configured the systems to support Wake-on-LAN. Most systems are configured this way automatically, however in some cases they need specific changes to make them work as we like.

BIOS settings

Boot the system using the F1 key pressed to enter the BIOS.

Inside the (Lenovo) BIOS go to Startup > Automatic Boot Sequence and move the Network entries down using the minus key (-). Ensure that the first entry is the local boot disk.

Save the configuration using the F10 key and select Yes.

Windows settings

No specific configuration is needed to make Wake-on-LAN work on the Lenovo systems in Windows 10.

Using Ansible

More information is available from: http://docs.ansible.com/ansible/intro_windows.html

Capabilities

The following things we can manage using Ansible today:

Turning on systems (using Wake-On-Lan)
Collect information from the system (e.g. Name, MAC address, IP addres, hardware) into a CSV
Applying system updates
Installing and removing software (incl. everything from Ninite)
Enable/disable services
Apply/merge registry settings
- Change mouse pointer to Extra Large
- Modifying the start menu
- Setting up International(ization) and Keyboard Layout

Still need to be implement:

Missing automation
- Customize start menu
- Customize desktop
- Customize task bar
- Customize system tray
- Customize startup tasks (like autoruns)
- Customize services (like autoruns)
Missing facts
- DMI information (e.g. Model, Serial number, …)
- MAC address
- Disk information
- CPU type
- Memory
- Instructions

Instructions

Existing Ansible playbooks are available from: https://github.com/crombeen/ansible

Turning all desktops on

$ ansible-playbook -k -l crombeen wakeonlan.yml

Collect information

$ ansible-playbook -k -l crombeen collect.yml

Manage software

$ ansible-playbook -k -l crombeen software.yml

Manage users

$ ansible-playbook -k -l crombeen users.yml

Manage desktop

$ ansible-playbook -k -l crombeen desktop.yml

Run everything

$ ansible-playbook -k -l crombeen site.yml

Problems

Here is a list of problems today:

Often command line systems management was an afterthought in Windows, not designed with it in mind.
A lot of (desktop) manipulations require registry edits because out-of-the-box cmdlets do not exist
Hard to predict how registry modifications will survive Windows 10 updates
Powershell is a big improvement over cmd.exe, however it feels like Perl 4 (1993) more than anything modern
Microsoft’s solution is to use Active Directory and Group Policies, rather than foster community development and open tooling

Resources

More resources related to Powershell and Ansible-integration below:

Ansible

Ansible Windows support
Ansible Windows modules
Powershell DSC modules - DSC community auto-generated modules

Powershell

Powershell 101 from a Linux guy

oss17888 / ansible Goto Github PK

ansible's Introduction