Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com.

oneclick-ag/ansible

ConfigureRemotingForAnsible.ps1

A PowerShell script to configure a Windows host for remote management via Ansible over WinRM using HTTPS and CredSSP authentication.


⚙️ What It Does

  • Verifies:
    • Administrator privileges
    • PowerShell version ≥ 5.1
    • WinRM service status and port availability
  • Enables and configures the WinRM service and PowerShell Remoting
  • Generates or reuses a self-signed certificate for HTTPS
  • Sets up a WinRM HTTPS listener with the correct certificate
  • Optionally removes HTTP WinRM listeners
  • Adds a Windows Firewall rule to allow HTTPS traffic (port 5986)
  • Configures WSMan authentication options (enable/disable Basic, Kerberos, Negotiate, etc.)
  • Sets LocalAccountTokenFilterPolicy to support local user access
  • Temporarily enables CredSSP delegation via registry policy, tests it, and reverts changes
  • Logs to:
    • Console with timestamps
    • A log file under %TEMP%
    • Windows Event Log (Application under source oneclick.prepareWinRM)

🚀 Quick Start

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url  = "https://raw.githubusercontent.com/oneclick-ag/ansible/oc_dev/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:TEMP\ConfigureRemotingForAnsible.ps1"
Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing
powershell.exe -ExecutionPolicy Bypass -File $file
```
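
An added example, not part of this repository: the same Quick Start steps with an integrity check before execution. The URL tracks the oc_dev branch, so the downloaded content can change between runs; `$expectedSha256` is a placeholder for the hash of the revision you have reviewed, and `Test-FileSha256` is a helper name chosen here.

```powershell
# Added example: run the downloaded script only if it matches a reviewed SHA-256.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url  = "https://raw.githubusercontent.com/oneclick-ag/ansible/oc_dev/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = Join-Path $env:TEMP "ConfigureRemotingForAnsible.ps1"

# Placeholder (assumption): replace with the SHA-256 of the revision you reviewed.
$expectedSha256 = "<SHA256-OF-REVIEWED-SCRIPT>"

function Test-FileSha256 {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Expected
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # Get-FileHash returns upper-case hex; compare without regard to case.
    return [string]::Equals($actual, $Expected, [System.StringComparison]::OrdinalIgnoreCase)
}

# Refuse to download anything while the placeholder is still in place.
if ($expectedSha256 -notmatch '^[0-9A-Fa-f]{64}$') {
    throw "Set `$expectedSha256 to a 64-character hex SHA-256 value first."
}

Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing

if (-not (Test-FileSha256 -Path $file -Expected $expectedSha256)) {
    # Do not leave an unverified script behind for a later manual run.
    Remove-Item -Path $file -Force
    throw "SHA-256 mismatch for $file; the script was not executed."
}

powershell.exe -ExecutionPolicy Bypass -File $file
```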

📌 Parameters

| Parameter | Description | Default |
|---|---|---|
| SubjectName | Subject (CN) name for the certificate | $env:COMPUTERNAME |
| CertValidityDays | Certificate validity duration (in days) | 3650 (10 years) |
| WinRMPort | HTTPS port for WinRM | 5986 |
| DisableBasicAuth | Disable Basic authentication | $false |
| DisableKerberosAuth | Disable Kerberos authentication | $false |
| DisableNegotiateAuth | Disable Negotiate authentication | $false |
| DisableCertificateAuth | Disable Certificate authentication | $false |
| DisableAllowUnencrypted | Disable unencrypted communication | $false |
| DisableCompatibilityHttpListener | Disable legacy HTTP listener | $false |
| DisableCompatibilityHttpsListener | Disable legacy HTTPS listener | $false |
| RemoveListenersThatRunOverHTTP | Remove all HTTP-based WinRM listeners | $false |
| TryRelaunchWithElevation | Relaunch script with elevation if not already elevated | $false |
| LogPathCMD | Custom log path for secondary log output | %TEMP%\*.log |

Example:

```powershell
.\ConfigureRemotingForAnsible.ps1 -DisableBasicAuth -RemoveListenersThatRunOverHTTP
```
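
An added example, not part of this repository: a read-back check to run in an elevated session after the script, confirming what the switches above actually left in place. `Get-WinRMPosture` and `Get-WinRMFindings` are names chosen here, and the 30-day expiry threshold is an assumption.

```powershell
# Added example: read back the WinRM settings the script's switches control.
function Get-WinRMPosture {
    # One object per listener: transport, port and bound certificate thumbprint.
    $listeners = foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $props = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" |
            ForEach-Object { $props[$_.Name] = $_.Value }
        [pscustomobject]@{
            Transport  = $props['Transport']
            Port       = $props['Port']
            Thumbprint = $props['CertificateThumbprint']
        }
    }
    # Service authentication switches; values are the strings "true" / "false".
    $auth = @{}
    Get-ChildItem WSMan:\localhost\Service\Auth | ForEach-Object { $auth[$_.Name] = $_.Value }

    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Listeners                     = @($listeners)
        Auth                          = $auth
        AllowUnencrypted              = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        LocalAccountTokenFilterPolicy = $policy.LocalAccountTokenFilterPolicy
    }
}

function Get-WinRMFindings {
    param([Parameter(Mandatory)] $Posture)
    foreach ($l in $Posture.Listeners) {
        if ($l.Transport -eq 'HTTP') { "HTTP listener still present on port $($l.Port)" }
        if ($l.Transport -eq 'HTTPS' -and $l.Thumbprint) {
            # WinRM HTTPS listeners bind certificates from the LocalMachine\My store.
            $cert = Get-Item "Cert:\LocalMachine\My\$($l.Thumbprint)" -ErrorAction SilentlyContinue
            if (-not $cert) { "HTTPS listener references a certificate missing from LocalMachine\My" }
            elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { "Listener certificate expires $($cert.NotAfter)" }
        }
    }
    if ($Posture.Auth['Basic'] -eq 'true')    { 'Basic authentication is enabled' }
    if ($Posture.Auth['CredSSP'] -ne 'true')  { 'CredSSP is not enabled on the service' }
    if ($Posture.AllowUnencrypted -eq 'true') { 'AllowUnencrypted is true' }
    if ($Posture.LocalAccountTokenFilterPolicy -eq 1) {
        'LocalAccountTokenFilterPolicy = 1 (remote local administrators receive full tokens)'
    }
}

$posture = Get-WinRMPosture
$posture.Listeners | Format-Table
Get-WinRMFindings -Posture $posture
```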

🖥️ Requirements

  • PowerShell version 5.1 or later
  • Administrator privileges
  • Internet access (for downloading the script if needed)

📄 Logging

  • Console output with timestamps
  • File: %TEMP%\oneclick_prepare_winrm_script_logs_<timestamp>.txt
  • Windows Event Log (Application → Source: oneclick.prepareWinRM)

🔐 Ansible Configuration Example

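After running the script on a Windows host, use the following configuration in your inventory.yml or host_vars. Because the script's HTTPS certificate is self-signed, this example sets ansible_winrm_server_cert_validation to ignore, so the Ansible controller does not verify the host's certificate: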

```yaml
ansible_user: <username>
ansible_password: <password>
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_transport: credssp
ansible_winrm_server_cert_validation: ignore
```

ℹ️ Notes

  • CredSSP delegation policy is only temporarily enabled for testing and automatically cleaned up at the end.
  • The script is idempotent and can be safely re-run.



start.cmd

This batch script (start.cmd) is a Windows command-line launcher that runs ConfigureRemotingForAnsible.ps1 with elevation and logging. It is designed to provide a simple, user-friendly way to initiate Ansible WinRM configuration on a Windows host.


🚀 What It Does

  1. Verifies the PowerShell script exists
  2. Ensures the %TEMP% directory is present
  3. Executes the PowerShell script with:
    • -ExecutionPolicy Bypass
    • -TryRelaunchWithElevation flag
    • Custom log path for fallback logging
  4. Captures all standard output and errors into a log file
  5. Detects errors by scanning logs for "ERROR:"
  6. Waits (up to ~30s) for fallback logs to be written, if needed
  7. Extracts error message (if any) and shows it in a message box
  8. On success, displays a success message box
  9. Cleans up all temporary logs

📄 Generated Files

| File | Description |
|---|---|
| %TEMP%\oneclick_prepare_winrm_setup.log | Main output log from the PowerShell script |
| %TEMP%\oneclick_prepare_winrm_script_internal.log | Fallback internal log for error messages |
| %TEMP%\oneclick_prepare_winrm_error.log | Message shown in the MessageBox on error |

🧠 Error Handling

If the script fails (ExitCode ≠ 0):

  • The script looks for ERROR: in the main log file
  • If no errors are found, it falls back to oneclick_prepare_winrm_script_internal.log
  • A message box will display a summary of the error
  • If logs are missing, a generic error message is shown

🪟 MessageBox Integration

The script uses PowerShell to show a GUI MessageBox:

  • Error: If the configuration fails, error details are displayed
  • Information: If the configuration succeeds, a confirmation is shown

✅ Requirements

  • Windows with PowerShell 5.1+
  • ConfigureRemotingForAnsible.ps1 must be in the same directory
  • User must be able to elevate privileges (UAC prompt)

💡 Usage

Double-click start.cmd or run from an elevated command prompt:

```
start.cmd
```

This will silently run the configuration and display the result when complete.