Sophos Protection for Windows: Automate deployment using Ansible

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This article provides a high-level overview of deploying Sophos Endpoint Agent to a Windows environment using Ansible. It also includes an example YML playbook to install Sophos. The steps below are provided with the assumption that the following infrastructure is present in the environment.

  • Ansible master server


Deployment preparation:

To start deployment, we’ll need to enter the target IPs by editing the host file:



vi    / etc / ansible  / hosts

# This is the default ansible 'hosts' file.
# It should live in /etc/ansible/hosts
# - Comments begin with the '#" character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups

# Ex 1: Ungrouped hosts, specify before any group headers.




-- INSERT --


Note: [windows] and [linux] are the host groups, under that, we can put our target IPs. We’ll also need to make our inventory functional for which we need to change the config file:

vi /etc/ansible/ansible.cfg

Uncomment the below lines:



Host Requirements

For Ansible to communicate to a Windows host and use Windows modules, the following requirements must meet on the Windows host:

  1. Ansible requires PowerShell 3.0 or later and at least .NET 4.0 to be installed on the Windows host. Ansible can generally manage Windows versions under current and extended support from Microsoft. Ansible can manage desktop OSs including Windows

8.1, and 10, and server OSs including Windows Server 2012, 2012 R2, 2016, 2019, and 2022.

  1. A WinRM listener must be created and activated. Ansible connects to Windows machines and runs PowerShell scripts by using Windows Remote Management (WinRM) (as an alternative to SSH for Linux/UNIX machines), a WinRM listener must be created and activated.

Setting Up WinRM: 

There’s a Configure Remoting for Ansible script you can run on the remote Windows device (in a PowerShell console as an Admin) to turn on WinRM. To set up an HTTPS listener, build a self-signed cert and run PowerShell commands, just run the script like in the example below.

Script to download:  Configure Remoting for Ansible  

Move the script to the current directory, and run it via Powershell

Powershell.exe -ExecutionPolicy ByPass -File '.\Configure Remoting for Ansible.ps1'

WinRM Listener:

The WinRM services listen for requests on one or more ports. Each of these ports must have a listener created and configured.

To view the current listeners that are running on the WinRM service, run the following command on the windows host device: winrm enumerate winrm/config/Listener





Now to test the connection we must ping the windows host from our ansible node.

To achieve that run the below command: ansible

windows -m win_ping



Now we are all set, windows machine is now communicating to ansible node. 

Next is to write a playbook for installing Sophos, written in YAML code.


Deploying Sophos Agent:

To begin deploying the Sophos Agent, we’ll be creating an Ansible playbook that has an extension. yml.

vi windows.yml (you can give any file name)

You can write your own playbook now.

Playbook for Sophos installation:

--- #sophos Install
- hosts: windows
  user: ansible
  become: false
  connection: winrm
        - name: Download  Sophos
             url: "Sophos endpoint Download link"
             dest: C:\Windows\Temp\SophosSetup.exe

       - name: Install Sophos
             path: C:\Windows\Temp\SophosSetup.exe
             product_id: 'Sophos'
             arguments: --quiet
             state: present


To run the playbook, need to run the below command:

Ansible-playbook windows.yml



Sophos Endpoint Agent Deployment is now complete.


Updated disclaimer
[edited by: Qoosh at 9:31 PM (GMT -7) on 31 Mar 2023]