1
00:00:06,870 --> 00:00:08,100
- Now, I know that some of you

2
00:00:08,100 --> 00:00:10,900
are eager to get started with Windows.

3
00:00:10,900 --> 00:00:14,420
So let's talk about setting up Windows as a managed host

4
00:00:14,420 --> 00:00:17,360
which is a procedure that's a little bit different

5
00:00:17,360 --> 00:00:18,790
but not that much.

6
00:00:18,790 --> 00:00:20,023
Let's go check it out.

7
00:00:21,230 --> 00:00:23,670
So in order to set up Windows as a managed host

8
00:00:23,670 --> 00:00:25,050
you need to know that Ansible

9
00:00:25,050 --> 00:00:26,570
can manage all Windows versions

10
00:00:26,570 --> 00:00:29,333
from Windows 7 and Windows Server 2008.

11
00:00:30,320 --> 00:00:33,030
I do recommend you use a recent Windows version

12
00:00:33,030 --> 00:00:36,325
so that you don't face certificates that have expired

13
00:00:36,325 --> 00:00:37,703
for instance.

14
00:00:38,600 --> 00:00:40,850
In Ansible, a specific set of modules

15
00:00:40,850 --> 00:00:43,360
is provided to manage Windows assets.

16
00:00:43,360 --> 00:00:46,683
And we will talk about these modules a bit more later.

17
00:00:47,730 --> 00:00:50,110
Now, in order to manage it with Windows

18
00:00:50,110 --> 00:00:52,543
you need to prepare the Windows host.

19
00:00:53,526 --> 00:00:55,640
In the demo that I'm going to do

20
00:00:55,640 --> 00:01:00,090
I'm going to install Windows 2019 Server Standard.

21
00:01:00,090 --> 00:01:04,080
The 180 day evaluation version will do.

22
00:01:04,080 --> 00:01:05,870
Also on that host you need to make sure

23
00:01:05,870 --> 00:01:08,373
there's Windows also with admin privileges.

24
00:01:09,380 --> 00:01:13,080
On the host login is so with the administrative privileges

25
00:01:13,080 --> 00:01:17,020
and in a PowerShell use winrm quickconfig to set it up.

26
00:01:17,020 --> 00:01:19,736
And then check the Ansible documentation.

27
00:01:19,736 --> 00:01:21,660
In the Ansible documentation

28
00:01:21,660 --> 00:01:24,170
there are some Windows remote manager wizard read

29
00:01:24,170 --> 00:01:28,030
that you need to run, and it is just an easy copy paste

30
00:01:28,030 --> 00:01:30,550
if you work from the documentation.

31
00:01:30,550 --> 00:01:31,970
And after doing so,

32
00:01:31,970 --> 00:01:36,490
you can verify using winrm enumerate winrm/config/Listener

33
00:01:36,490 --> 00:01:40,920
and verify that http as well as https listeners are available

34
00:01:40,920 --> 00:01:44,460
for the Windows, remote manager, remote contact.

35
00:01:44,460 --> 00:01:47,100
And hey, in case you're wondering, what is this all about?

36
00:01:47,100 --> 00:01:51,150
Well, this is all about the fact that Windows cannot use SSH.

37
00:01:51,150 --> 00:01:53,560
Windows is using Windows remote manager

38
00:01:53,560 --> 00:01:56,090
as default remote management solution.

39
00:01:56,090 --> 00:01:58,848
So we need to tell Ansible about it.

40
00:01:58,848 --> 00:02:02,120
Last step before you can move back to the control node

41
00:02:02,120 --> 00:02:03,797
is where you are going to check out

42
00:02:03,797 --> 00:02:07,300
the Windows control panel and create an Ansible user

43
00:02:07,300 --> 00:02:11,310
with a password and make this user an administrator

44
00:02:11,310 --> 00:02:13,400
such that this user is capable

45
00:02:13,400 --> 00:02:16,230
of configuring your Windows machine.

46
00:02:16,230 --> 00:02:18,550
Let's go and check out a Windows machine

47
00:02:18,550 --> 00:02:21,110
and make sure it's manageable.

48
00:02:21,110 --> 00:02:23,680
So here is the Windows machine, as you can see

49
00:02:23,680 --> 00:02:27,578
I've already been looking at it in the PowerShell

50
00:02:27,578 --> 00:02:30,900
and now that we are in PowerShell as administrator,

51
00:02:30,900 --> 00:02:35,560
might as well continue from there, winrm quickconfig,

52
00:02:35,560 --> 00:02:38,010
the first thing that we need to do.

53
00:02:38,010 --> 00:02:39,410
And make these changes?

54
00:02:39,410 --> 00:02:41,700
Yeah, I wanna make these changes

55
00:02:41,700 --> 00:02:44,240
and that'll update Windows remote manager

56
00:02:44,240 --> 00:02:47,910
for a remote management.

57
00:02:47,910 --> 00:02:52,910
Next, I need to go to the server manager

58
00:02:56,640 --> 00:02:58,440
and on local server

59
00:02:58,440 --> 00:03:02,970
I need to go to the IE enhanced security configuration.

60
00:03:02,970 --> 00:03:04,890
This is a security configuration

61
00:03:04,890 --> 00:03:07,870
that makes Internet Explorer unusable.

62
00:03:07,870 --> 00:03:09,690
So I'm setting everything to off

63
00:03:11,420 --> 00:03:13,270
'cause I wanna be able to use more

64
00:03:13,270 --> 00:03:16,080
than just trusted websites.

65
00:03:16,080 --> 00:03:19,410
And now I can go to Internet Explorer

66
00:03:19,410 --> 00:03:23,760
and I do not want to use the recommended settings.

67
00:03:23,760 --> 00:03:26,110
And in the Internet Explorer

68
00:03:26,110 --> 00:03:31,110
I am going to https://docs.ansible.com

69
00:03:33,854 --> 00:03:36,320
/ansible/latest/user_guide/Windows_setup.html

70
00:03:45,586 --> 00:03:49,508
That is bringing us to the Windows setup guide.

71
00:03:49,508 --> 00:03:53,258
And there, I need to scroll down a little bit

72
00:03:57,690 --> 00:03:59,260
and this is the part that I need.

73
00:03:59,260 --> 00:04:01,820
So this is the WinRM setup.

74
00:04:01,820 --> 00:04:06,283
And the good thing is I can just copy all of this.

75
00:04:10,890 --> 00:04:14,710
And then I'm going back to the PowerShell

76
00:04:14,710 --> 00:04:16,410
and I'm running it from there.

77
00:04:16,410 --> 00:04:19,520
And that will set up the Windows remote manager

78
00:04:19,520 --> 00:04:24,130
with basic authentication configuration,

79
00:04:24,130 --> 00:04:26,210
basic authentication configuration.

80
00:04:26,210 --> 00:04:27,876
If you need more than that

81
00:04:27,876 --> 00:04:30,270
you need some additional things to be done.

82
00:04:30,270 --> 00:04:32,270
We'll talk about it in a minute.

83
00:04:32,270 --> 00:04:34,270
But first I would like to check

84
00:04:34,270 --> 00:04:36,800
if it's all working as expected.

85
00:04:36,800 --> 00:04:38,383
So I'm using winrm,

86
00:04:43,277 --> 00:04:44,110
enumerate

87
00:04:46,166 --> 00:04:49,833
winrm/config/Listener.

88
00:04:51,550 --> 00:04:54,060
And that is showing us that we have listeners.

89
00:04:54,060 --> 00:04:55,530
We have an http listener.

90
00:04:55,530 --> 00:04:57,200
We have an https listener

91
00:04:57,200 --> 00:05:00,050
and that's exactly what I need at this point.

92
00:05:00,050 --> 00:05:01,490
Then there is one more thing

93
00:05:01,490 --> 00:05:02,810
and that is something I need to do

94
00:05:02,810 --> 00:05:04,760
from the Windows control panel.

95
00:05:04,760 --> 00:05:08,010
So let's go check out the control panel.

96
00:05:08,010 --> 00:05:09,020
There we go.

97
00:05:09,020 --> 00:05:12,040
And in the control panel, I need Ansible user.

98
00:05:12,040 --> 00:05:17,040
So I'm going to the user accounts and in user accounts

99
00:05:17,700 --> 00:05:20,160
I am managing another account.

100
00:05:20,160 --> 00:05:25,160
I'm adding a user account and my user account is Ansible.

101
00:05:25,510 --> 00:05:29,083
I need to set a very secret password.

102
00:05:35,150 --> 00:05:38,263
Windows has these security rules for the passwords.

103
00:05:41,150 --> 00:05:42,840
And then I'm clicking next

104
00:05:42,840 --> 00:05:45,140
and that'll create a local account.

105
00:05:45,140 --> 00:05:47,100
Now I first need to finish that.

106
00:05:47,100 --> 00:05:50,080
And then I can select the user account

107
00:05:50,080 --> 00:05:53,090
and change the account type.

108
00:05:53,090 --> 00:05:56,060
And I'm going to make this user account an administrator.

109
00:05:56,060 --> 00:05:59,170
So that is now done and that means that we are done

110
00:05:59,170 --> 00:06:02,270
with the Windows part of the configuration.

111
00:06:02,270 --> 00:06:03,560
Let's get back to the slide

112
00:06:03,560 --> 00:06:05,460
so that we can check out what is next.

113
00:06:06,490 --> 00:06:07,620
So before we continue,

114
00:06:07,620 --> 00:06:10,650
we need to talk about Windows authentication a bit

115
00:06:10,650 --> 00:06:14,220
because Windows supports different authentication protocols.

116
00:06:14,220 --> 00:06:17,340
If authentication, as we configure to a strict protocol

117
00:06:17,340 --> 00:06:20,470
on Windows, you may have to set up Ansible accordingly

118
00:06:20,470 --> 00:06:22,980
and that makes it a little bit more complex.

119
00:06:22,980 --> 00:06:25,050
So on Windows, there's a couple of options.

120
00:06:25,050 --> 00:06:27,830
There's basic, which only supports local accounts.

121
00:06:27,830 --> 00:06:29,020
Don't use it.

122
00:06:29,020 --> 00:06:32,540
There is certificate which only supports local accounts.

123
00:06:32,540 --> 00:06:34,050
Also don't use it.

124
00:06:34,050 --> 00:06:35,130
There's Kerberos.

125
00:06:35,130 --> 00:06:36,420
Kerberos is pretty common

126
00:06:36,420 --> 00:06:39,261
but it only works for Active Directory accounts.

127
00:06:39,261 --> 00:06:42,230
That is cool, but it's a little bit too much

128
00:06:42,230 --> 00:06:44,810
for what I want to do in this video course.

129
00:06:44,810 --> 00:06:48,540
There's NTLM and NTLM works for local

130
00:06:48,540 --> 00:06:51,840
as well as AD accounts, which is pretty cool.

131
00:06:51,840 --> 00:06:54,127
There's also CredSSP.

132
00:06:54,127 --> 00:06:57,070
CredSSP offers best support for local

133
00:06:57,070 --> 00:06:59,189
as well as Active Directory accounts

134
00:06:59,189 --> 00:07:01,053
which is cool as well.

135
00:07:01,890 --> 00:07:03,840
If you need to set up Ansible,

136
00:07:03,840 --> 00:07:08,510
then in the ansible.cfg file for your Windows machine

137
00:07:08,510 --> 00:07:12,520
there's this parameter, ansible_winrm_transport.

138
00:07:12,520 --> 00:07:16,570
Set it to CredSSP if you have authentication issues

139
00:07:16,570 --> 00:07:19,090
and that'll fix most of the issues.

140
00:07:19,090 --> 00:07:21,470
Let's check out some other configuration options

141
00:07:21,470 --> 00:07:23,173
that you can do on a control host.

142
00:07:24,130 --> 00:07:26,630
So on the Ansible control host

143
00:07:26,630 --> 00:07:30,100
it is recommended to create a Windows project directory

144
00:07:30,100 --> 00:07:33,430
so that Windows has its own ansible.cfg,

145
00:07:33,430 --> 00:07:35,180
has its own inventory.

146
00:07:35,180 --> 00:07:39,249
You can check out my GitHub repository for some examples.

147
00:07:39,249 --> 00:07:41,020
Then you need to make sure

148
00:07:41,020 --> 00:07:44,110
that in /etc/hosts you have host name resolution

149
00:07:44,110 --> 00:07:45,760
to the Windows box.

150
00:07:45,760 --> 00:07:48,340
Notice that you cannot ping Windows by default,

151
00:07:48,340 --> 00:07:50,110
that's security.

152
00:07:50,110 --> 00:07:52,310
For the simple reason that Windows firewall

153
00:07:52,310 --> 00:07:54,323
disallows incoming ping.

154
00:07:55,250 --> 00:07:56,880
Next on Ansible control,

155
00:07:56,880 --> 00:07:59,543
you need sudo pip3 install pywinrm.

156
00:08:00,580 --> 00:08:02,110
Now, what is that all about?

157
00:08:02,110 --> 00:08:04,050
Well, that is about telling python

158
00:08:04,050 --> 00:08:07,803
about how to install and manage Windows.

159
00:08:08,670 --> 00:08:11,040
You will notice that this is often required

160
00:08:11,040 --> 00:08:14,580
if you wanna go beyond managing Linux with Ansible

161
00:08:14,580 --> 00:08:17,700
you need pip install to install additional stuff.

162
00:08:17,700 --> 00:08:20,400
And this is the first time that we are seeing it.

163
00:08:20,400 --> 00:08:22,717
And once you have done all of this,

164
00:08:22,717 --> 00:08:25,710
you should be able to do a simple command

165
00:08:25,710 --> 00:08:29,830
like ansible win -i inventory -m win_ping.

166
00:08:29,830 --> 00:08:33,030
That's the win_ping module that is going to ping

167
00:08:34,090 --> 00:08:38,600
or ansible win -i inventory -m setup

168
00:08:38,600 --> 00:08:41,973
which is going to check facts.

169
00:08:42,880 --> 00:08:44,603
Now let's go do it.

170
00:08:45,870 --> 00:08:48,980
So here I'm on the Ansible control machine

171
00:08:48,980 --> 00:08:52,390
in the Ansible CVC git repository.

172
00:08:52,390 --> 00:08:54,030
Before we are going to do anything,

173
00:08:54,030 --> 00:08:56,920
I need to install the pip packets.

174
00:08:56,920 --> 00:09:01,920
So sudo dnf install python-pip should take care of it.

175
00:09:13,730 --> 00:09:17,290
So let me do sudo dnf search python grep pip.

176
00:09:17,290 --> 00:09:18,123
And what do we see?

177
00:09:18,123 --> 00:09:20,880
We see python3-pip, noarch.

178
00:09:20,880 --> 00:09:21,860
That sounds good enough.

179
00:09:21,860 --> 00:09:26,860
So sudo dnf install python3-pip should install it

180
00:09:29,800 --> 00:09:33,130
and oh, already installed.

181
00:09:33,130 --> 00:09:35,770
Well, that is good.

182
00:09:35,770 --> 00:09:38,230
So pip is showing me what?

183
00:09:38,230 --> 00:09:40,640
pip is showing me that the name is not pip.

184
00:09:40,640 --> 00:09:43,720
The name is pip3, right?

185
00:09:43,720 --> 00:09:48,283
sudo pip3 install pywinrm.

186
00:09:51,130 --> 00:09:52,390
Just ignore the complaint

187
00:09:52,390 --> 00:09:54,810
about running pip with root privileges.

188
00:09:54,810 --> 00:09:57,810
In this case, we do need the root privileges.

189
00:09:57,810 --> 00:10:01,130
I am going to the Windows directory

190
00:10:01,130 --> 00:10:03,240
in the course git repository.

191
00:10:03,240 --> 00:10:06,940
And in the Windows directory we have inventory.

192
00:10:06,940 --> 00:10:08,580
So what is in inventory?

193
00:10:08,580 --> 00:10:13,580
In inventory, we have the required information.

194
00:10:14,070 --> 00:10:16,050
I can clean that up a little bit

195
00:10:16,050 --> 00:10:18,890
because the only thing I need is the win group.

196
00:10:18,890 --> 00:10:21,910
This inventory has some variables as well.

197
00:10:21,910 --> 00:10:25,650
I'll tell you all about inventory variables later, not now.

198
00:10:25,650 --> 00:10:28,090
I do need to change my password

199
00:10:28,090 --> 00:10:32,033
to set it to this very secret password.

200
00:10:32,900 --> 00:10:34,290
Hey, no worries.

201
00:10:34,290 --> 00:10:37,870
We can enter passwords in a much more secure way,

202
00:10:37,870 --> 00:10:41,060
but for now, this is good enough.

203
00:10:41,060 --> 00:10:43,470
I'll teach you about Ansible vault

204
00:10:43,470 --> 00:10:45,500
and stuff like that later as well.

205
00:10:45,500 --> 00:10:48,640
So this is not how you are going to use it in real life.

206
00:10:48,640 --> 00:10:50,330
Now we have the Ansible connection

207
00:10:50,330 --> 00:10:53,200
and the Ansible winrm server cert validation

208
00:10:53,200 --> 00:10:55,770
set to ignore, that should be doing it.

209
00:10:55,770 --> 00:11:00,770
And with it, I should be able to use the Ansible commands.

210
00:11:01,600 --> 00:11:03,840
What do we have in ansible.cfg?

211
00:11:03,840 --> 00:11:05,280
In ansible.cfg,

212
00:11:05,280 --> 00:11:07,760
you can see the privilege escalation parameters

213
00:11:07,760 --> 00:11:12,430
are not there because these need to be specific for Windows.

214
00:11:12,430 --> 00:11:16,210
And these are defined right now in inventory

215
00:11:16,210 --> 00:11:17,700
which is also an option.

216
00:11:17,700 --> 00:11:22,700
So I can just use ansible win -m win_ping.

217
00:11:24,500 --> 00:11:26,640
So the win in this command

218
00:11:27,573 --> 00:11:29,540
is addressing the Windows hosts group

219
00:11:29,540 --> 00:11:34,540
and -m win_ping is using the Windows ping module.

220
00:11:34,880 --> 00:11:36,160
Let's give it some time

221
00:11:36,160 --> 00:11:39,236
and then hopefully it'll get back with a pong.

222
00:11:39,236 --> 00:11:40,069
There we go.

223
00:11:40,069 --> 00:11:41,800
Windows is answering with a pong

224
00:11:41,800 --> 00:11:43,780
and it means that we are good

225
00:11:43,780 --> 00:11:46,730
and everything else will be covered later

226
00:11:46,730 --> 00:11:49,730
in this video course where I have a specialized lesson

227
00:11:49,730 --> 00:11:53,253
that's all about the things that you can do with Windows.