I keep expecting Ansible for Windows to get easier. It's gotten better. Easier is a stretch. Here's what still bites in 2026.
WinRM is still the transport
SSH for Windows works for basic tasks but breaks in enterprise scenarios. WinRM remains the path that's actually tested. That means Kerberos, which means AD-joined control nodes, which means the control node is now itself a piece of infrastructure.
The Kerberos double-hop
Most remote admin tasks eventually need to authenticate from the target to a third server — a file share, another domain controller, SQL. Out of the box this fails: the target holds only a service ticket for itself, not a credential it can present to anything else on the caller's behalf. The fix is either CredSSP (fast, insecure, don't) or resource-based constrained delegation (slow to set up, correct answer).
When to hand off to DSC
Ansible is excellent for orchestration and state verification. It's mediocre for continuous drift detection. For a server that must stay in a known configuration between runs, I deploy a DSC configuration and let Ansible enforce "this DSC config is applied" instead of enforcing individual settings. Cleaner, and the drift reporting is built in.
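One way to do that handoff, as an added example rather than code from the post: a small DSC configuration plus a wrapper that Ansible can run over WinRM, which tests for drift first and only applies the configuration when something is out of state. The configuration name, MOF path, the two baseline settings and the Ansible wiring are assumptions.

```powershell
# Added example, not from the original post. The configuration name, the MOF
# directory and the two baseline settings are assumptions chosen to illustrate
# "Ansible enforces that this DSC config is applied".
Configuration HardenedBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node localhost {
        # Remote registry stays off; if it drifts back on, that is worth a report.
        Service RemoteRegistry {
            Name        = 'RemoteRegistry'
            State       = 'Stopped'
            StartupType = 'Disabled'
        }
        # Do not store LM hashes of local account passwords.
        Registry NoLMHash {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'NoLMHash'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

function Invoke-BaselineEnforcement {
    param([string]$MofDir = (Join-Path $env:ProgramData 'Baseline'))

    # Compile to a MOF; this changes nothing on the host yet.
    HardenedBaseline -OutputPath $MofDir | Out-Null

    # Detect drift before touching anything so the run is idempotent and the
    # report names exactly which resources moved.
    $before  = Test-DscConfiguration -Path $MofDir -Detailed
    $drifted = @($before.ResourcesNotInDesiredState | ForEach-Object { $_.InstanceName })

    if (-not $before.InDesiredState) {
        Start-DscConfiguration -Path $MofDir -Wait -Force | Out-Null
    }
    $after = Test-DscConfiguration -Path $MofDir -Detailed

    # One JSON object on stdout is all Ansible needs to parse.
    [pscustomobject]@{
        changed          = (-not $before.InDesiredState)
        drifted          = $drifted
        in_desired_state = $after.InDesiredState
    } | ConvertTo-Json -Compress
}

Invoke-BaselineEnforcement
```

On the Ansible side a single win_shell task runs this script and sets changed_when from the `changed` field of the JSON, so a clean run reports "ok" and a drifted one reports "changed" with the resource names in `drifted`.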
Gotchas still present
- PowerShell 5.1 vs 7 — Ansible modules default to 5.1. Force 7 explicitly where you need modern cmdlets.
- UAC remote restrictions on non-domain-joined hosts. The workaround is a registry change, which you'll need Ansible to make, which requires the restriction to be off. Bootstrap via a GPO or one-shot remote script.
- Chocolatey is still the best app provisioner. Windows Package Manager (winget) is catching up but inventory reporting is thin.