Create a Windows virtual machine in Azure using Ansible | Microsoft Learn


azure-ansible/1-4-az-create-windows-vm at main · spawnmarvel/azure-ansible

- name: Create Network Security Group
  azure_rm_securitygroup:
    resource_group: myResourceGroup
    name: networkSecurityGroup
    # No source_address_prefix is given on any rule, so the module default (*) applies
    rules:
      - name: 'allow_rdp'
        protocol: Tcp
        destination_port_range: 3389
        access: Allow
        priority: 1001
        direction: Inbound
      - name: 'allow_web_traffic'
        protocol: Tcp
        destination_port_range:
          - 80
          - 443
        access: Allow
        priority: 1002
        direction: Inbound
      - name: 'allow_powershell_remoting'
        protocol: Tcp
        destination_port_range:
          - 5985
          - 5986
        access: Allow
        priority: 1003
        direction: Inbound

- name: Create a network interface
  azure_rm_networkinterface:
    name: nic
    resource_group: myResourceGroup
    virtual_network: vNet
    subnet_name: subnet
    security_group: networkSecurityGroup
    ip_configurations:
      - name: default
        public_ip_address_name: pip
        primary: True
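As written, the three rules above allow RDP (3389) and WinRM (5985/5986) inbound from any source, because none of them sets source_address_prefix. The following is an added example (not from the Microsoft Learn quickstart or the spawnmarvel repo) that lints a rule list for exactly that and shows the same rules restricted to a constructed control-node address; it assumes the azure_rm_securitygroup defaults (source "*", direction Inbound, access Allow, protocol "*") when a key is omitted.

```python
# Added example: flag NSG rules that expose management ports inbound from any source.
# Assumes azure_rm_securitygroup defaults source_address_prefix to "*", direction to
# Inbound, access to Allow and protocol to "*" when a rule omits them.

MANAGEMENT_PORTS = {3389: "RDP", 5985: "WinRM HTTP", 5986: "WinRM HTTPS"}
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}


def expand_ports(spec):
    """Expand destination_port_range (int, 'n', 'a-b', '*' or a list of these) to a set of ints."""
    if isinstance(spec, list):
        return set().union(*(expand_ports(p) for p in spec))
    text = str(spec).strip()
    if text == "*":
        return set(range(65536))
    if "-" in text:
        lo, hi = (int(x) for x in text.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(text)}


def open_management_rules(rules):
    """Return (rule name, port, service) for inbound Allow rules reaching a management port from any source."""
    findings = []
    for rule in rules:
        if (rule.get("direction", "Inbound") != "Inbound" or rule.get("access", "Allow") != "Allow"
                or rule.get("protocol", "*") not in ("Tcp", "*")):
            continue
        if str(rule.get("source_address_prefix", "*")).lower() not in ANY_SOURCE:
            continue
        exposed = expand_ports(rule.get("destination_port_range", "*")) & set(MANAGEMENT_PORTS)
        findings.extend((rule["name"], port, MANAGEMENT_PORTS[port]) for port in sorted(exposed))
    return findings


# Constructed copy of the three rules in the playbook above (no source prefix, so "*").
PLAYBOOK_RULES = [
    {"name": "allow_rdp", "protocol": "Tcp", "destination_port_range": 3389,
     "access": "Allow", "priority": 1001, "direction": "Inbound"},
    {"name": "allow_web_traffic", "protocol": "Tcp", "destination_port_range": [80, 443],
     "access": "Allow", "priority": 1002, "direction": "Inbound"},
    {"name": "allow_powershell_remoting", "protocol": "Tcp", "destination_port_range": [5985, 5986],
     "access": "Allow", "priority": 1003, "direction": "Inbound"},
]

# The same rules with RDP and WinRM limited to the control node (constructed address).
RESTRICTED_RULES = [r if r["name"] == "allow_web_traffic" else dict(r, source_address_prefix="203.0.113.10/32")
                    for r in PLAYBOOK_RULES]

if __name__ == "__main__":
    for name, port, service in open_management_rules(PLAYBOOK_RULES):
        print(f"{name}: {service} ({port}/tcp) allowed from any source; set source_address_prefix")
```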

Result after running code from github

Next, Configure the WinRM Listener.

Error message: "Failed to download all specified files. Exiting. Error Message: CustomScript failed to download the blob because it does not exist. Please create the blob and try again, the response code and message returned were: "The remote server returned an error: (404) Not Found. Not Found"

ConfigureRemotingForAnsible.ps1 removed from default branch? · Issue #81240 · ansible/ansible


Let's check the VM.


This error occurs when the VM extension (in this case, the WinRM extension) fails to provision on the VM. The error message indicates that the command execution finished but returned a non-zero exit code (1), which typically signifies an error.

To resolve this issue, you can try the following steps:

1. Check the VM extension log for more details about the error. You can do this by running the following command:

   az vm extension show --name winrm-extension --vm-name <your-vm-name> --resource-group <your-resource-group> --output json

   This command will return the extension log, which may provide more information about the cause of the error.

2. Ensure that the VM agent is running and configured correctly. You can check the status of the VM agent by running the following command:

   az vm show --name <your-vm-name> --resource-group <your-resource-group> --query "vm.extensions[?name=='vmAgent']" --output json

   If the VM agent extension is not running or is not configured correctly, you may need to restart the VM or reconfigure the VM agent extension.

3. If the issue persists, try redeploying the VM using the same or a new VM image, making sure to include the necessary extensions during deployment.

4. If the issue is specific to the WinRM extension, you can try provisioning the extension manually by running the following command:

   az vm extension set --name winrm-extension --vm-name <your-vm-name> --resource-group <your-resource-group> --publisher Microsoft.Compute --settings '{"url": "<your-winrm-url>"}'

   Replace <your-winrm-url> with the URL of the WinRM listener on the VM.

If you continue to face issues with provisioning the VM extension, consider reaching out to Azure support for further assistance.

OK, let's delete everything, since we added it step by step, and run the full playbook.

Since it does not seem enabled:

az vm extension show --name winrm-extension --vm-name win-wm --resource-group Rg-ansible-win01 --output json

(ResourceNotFound) The Resource 'Microsoft.Compute/virtualMachines/win-wm/extensions/winrm-extension' under resource group 'Rg-ansible-win01' was not found. For more details please go to
Code: ResourceNotFound

Troubleshooting Windows VM extension failures – Azure Virtual Machines | Microsoft Learn

Well, after putting everything in the yml file, it worked:

It could be something with timing; I ran it once and it failed, but the YAML was missing this:

- name: Get facts for one Public IP
  azure_rm_publicipaddress_info:
    resource_group: myResourceGroup
    name: pip
  register: publicipaddresses

- name: set public ip address fact
  set_fact: publicipaddress="{{ publicipaddresses | json_query('publicipaddresses[0].ip_address')}}"

# Block until the WinRM HTTPS port answers on the public IP, so the play does not race the VM boot
- name: wait for the WinRM port to come online
  wait_for:
    port: 5986
    host: '{{ publicipaddress }}'
    timeout: 600

So everything up to the VM was created, but nothing after it.

azure-ansible/1-4-az-create-windows-vm/create_vm.yml at main · spawnmarvel/azure-ansible

Result after adding the above YAML and running it.

wait for the WinRM connection:


Make the connect.yml and try to connect.

ansible-playbook connect.yml  -i,

Check the NSG

OK, try telnet from the ctrlnode; it does not succeed, hm.

Is the port open for outbound, and do we need it?

Add outbound 5985, 5986 and 80, 443.

Nope, it must be something else: the internal firewall on Windows or some other thing.

Log in to the Windows VM.


The internal firewall is on.

Turn it off and check telnet again; hm, only 5985 works, not 5986, 80 or 443.

Run Ansible; now it is super fast.

Turn the firewall on again and run Ansible; now it goes to timeout, same as the image further above.
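The two symptoms above look the same from Ansible (a timeout) but differ on the wire: with the Windows Firewall on, the SYN to 5986 is dropped and the connect times out; with it off, 5986 is refused because no HTTPS listener exists yet, while 5985 answers. This added Python probe (not code from the notes or from the repo) run on the control node classifies each port as open, refused, timeout or unreachable and pairs it with the next check; the local listener is a constructed stand-in for the VM so the script runs offline.

```python
# Added example: tell "dropped by NSG/Windows Firewall" (timeout) apart from
# "no listener bound" (refused) for the WinRM ports, from the control node.
import socket

ADVICE = {
    "open": "listener reachable; if Ansible still fails, check credentials/ansible_winrm_transport",
    "refused": "packets arrive but nothing listens: create the WinRM listener on this port",
    "timeout": "SYN dropped: check the NSG inbound rule and the Windows Firewall rule for this port",
    "unreachable": "no route or name failure: check the public IP fact and the inventory host",
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:          # RST came back: reachable, but nothing bound
        return "refused"
    except (socket.timeout, TimeoutError):  # no SYN-ACK at all: filtered somewhere on the path
        return "timeout"
    except OSError:                         # EHOSTUNREACH, ENETUNREACH, name resolution, ...
        return "unreachable"


def diagnose(host, ports=(5985, 5986), timeout=3.0):
    """Probe each WinRM port and pair its state with the next troubleshooting step."""
    results = {}
    for port in ports:
        state = probe(host, port, timeout)
        results[port] = (state, ADVICE[state])
    return results


def local_listener():
    """Constructed stand-in for the VM: a throwaway TCP listener on 127.0.0.1; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    for p, (state, advice) in diagnose("127.0.0.1", (port,)).items():
        print(f"{p}/tcp {state}: {advice}")
    srv.close()
    # Same port with the listener gone: the stack answers with RST, i.e. "refused"
    print(f"{port}/tcp {probe('127.0.0.1', port)} after closing the listener")
```

Against the real VM, replace 127.0.0.1 with the public IP from the playbook's publicipaddress fact.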


Ansible WinRM HTTPS and Persistent "Unreachable" Error · Issue #98 · Orange-Cyberdefense/GOAD

New-SelfSignedCertificate -Subject '' -TextExtension '{text}'

Thumbprint                                Subject
----------                                -------

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=""; CertificateThumbprint="TPRINT"}'

    Address =
        ResourceURI =
            Selector: Address = *, Transport = HTTPS

# Open 5986 inbound in the Windows Firewall for the WinRM HTTPS listener created above
$FirewallParam = @{
    DisplayName = 'Windows Remote Management (HTTPS-In)'
    Direction = 'Inbound'
    LocalPort = 5986
    Protocol = 'TCP'
    Action = 'Allow'
    Program = 'System'
}
New-NetFirewallRule @FirewallParam

The rule is added.

Now run Ansible.


Now ping it.

WinRM - the specified credentials were rejected by the server · Issue #114 · diyan/pywinrm

The user is an admin.

Set the same timezone? Nope.

Getting Credential rejected Error when trying to win_ping to a windows host from Ansible. · Issue #43920 · ansible/ansible

Yes, I updated the inventory with: ansible_winrm_transport = ntlm

# Does NTLM auth work, ansible_winrm_transport: ntlm

ansible_winrm_transport = ntlm

ansible winhosts -m win_ping -u azureuser
ansible winhosts -m win_ping

# | SUCCESS => {
#     "changed": false,
#     "ping": "pong"
# }