Sysprep Done Using Ansible

I got sysprep working at a minimal level the way I want. I now have a base Windows 11 image I can use to rebuild a box relatively quickly.

After a reboot I rename it and add it to the domain.

From there Ansible takes over. I am able to use a Rocky 9.7 box to manage Windows desktops via the domain through WinRM.

Here is how I got WinRM working (note: I just used a self-signed cert).

# Turn on the WinRM service and its default (HTTP) listener
Enable-PSRemoting -Force

# Self-signed cert for the HTTPS listener; DnsName must match the name Ansible connects to
$CertDnsName = "win11.example.com"
$Cert = New-SelfSignedCertificate `
-DnsName $CertDnsName `
-Provider "Microsoft RSA SChannel Cryptographic Provider" `
-KeyLength 2048 -NotAfter (Get-Date).AddYears(5) `
-CertStoreLocation Cert:\LocalMachine\My
$CertThumbprint = $Cert.Thumbprint

# Create Listener
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -HostName $CertDnsName -CertificateThumbPrint $CertThumbprint -Force

# Open Firewall
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow

# Verify
winrm enumerate winrm/config/listener

On the Linux side I had to make sure I had the correct Ansible packages:

sudo dnf -y install ansible-core epel-release
sudo dnf -y install krb5-workstation krb5-devel python3-devel gcc python3-passlib apg
sudo dnf install -y python3-kerberos krb5-workstation

python3 -m pip install pywinrm requests
ansible-galaxy collection install community.general
ansible-galaxy collection install community.mysql
ansible-galaxy collection install ansible.posix
ansible-galaxy collection install ansible.windows:2.3.0

This got me working, but my ansible.cfg needed to look like this:

[defaults]
inventory = ./inventory
host_key_checking = False
retry_files_enabled = False
stdout_callback = default
timeout = 30
ansible_connection=winrm

# Optional but useful
interpreter_python = auto_silent

[connection]
pipelining = True

[winrm]
# Kerberos settings
transport = kerberos
scheme = https
port = 5986
server_cert_validation = ignore
kerberos_delegation = true

And finally, some variables needed to be set in the inventory file:

##### Sample inventory
[windows]
win11a.example.com
win11b.example.com
win11c.example.com

[windows:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore

# Check for an existing Kerberos ticket, clear it, and get a fresh one for the account Ansible will use
klist
kdestroy
kinit Admin@EXAMPLE.COM
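As an added check that is not part of the original post: a PowerShell script to run on the Windows box after the listener setup above. It confirms the HTTPS listener is bound to the certificate issued for the DNS name, warns if the plain-HTTP listener that Enable-PSRemoting creates is still present, and exports the public certificate so the Ansible controller can validate it instead of using server_cert_validation = ignore. The DNS name and export path are placeholders.

```powershell
# Added example, not from the original post. Assumed placeholder values:
$CertDnsName = "win11.example.com"
$ExportPath  = "C:\Temp\win11-winrm.cer"

# Most recent certificate in LocalMachine\My issued for the listener's DNS name
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $CertDnsName } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for $CertDnsName in Cert:\LocalMachine\My" }

# Every WinRM listener, with the transport and thumbprint it is actually using
$Listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Name       = $_.Name
        Transport  = ($props | Where-Object Name -eq 'Transport').Value
        Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
}

# The HTTPS listener must exist and must use the cert we expect
$Https = $Listeners | Where-Object Transport -eq 'HTTPS'
if (-not $Https) { throw "No HTTPS listener configured" }
if ($Https.Thumbprint -ne $Cert.Thumbprint) {
    throw "HTTPS listener uses $($Https.Thumbprint), expected $($Cert.Thumbprint)"
}

# Enable-PSRemoting also creates an HTTP listener; if it is still there, port 5985 is open in the clear
$Http = $Listeners | Where-Object Transport -eq 'HTTP'
if ($Http) { Write-Warning "Plain HTTP listener still present: $($Http.Name)" }

# Export the public certificate only (DER, no private key) for the controller
New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
Export-Certificate -Cert $Cert -FilePath $ExportPath -Type CERT | Out-Null
"HTTPS listener OK, thumbprint $($Cert.Thumbprint); exported to $ExportPath"
```

On the Rocky box, convert the exported file with `openssl x509 -inform der -in win11-winrm.cer -out win11-winrm.pem` and set `ansible_winrm_ca_trust_path=/path/to/win11-winrm.pem` in the inventory in place of `ansible_winrm_server_cert_validation=ignore`; the self-signed cert then acts as its own trust anchor and a swapped certificate is rejected.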

In other news, got new Sony earbuds. RIP my old set.

Still need to get the bathroom done.

Got a new UPS to install this weekend.

Weight: 321.6

This entry was posted in Coding, New Toys, Technical, Training, Weigh In.