Published on 30 December 2016 by

Editor’s note: This is one in a series of posts about using Puppet to automate your Windows servers. For a deep dive into managing Windows with Puppet, check out our white paper, Managing Windows with Puppet Enterprise.

The Puppet Windows module pack is a collection of the best Windows modules available on the Puppet Forge. It has everything you need to get started using Puppet on Windows, including:


The Puppet ACL (access control list) module lets you control permissions for files in your Windows environments. In this example of Puppet code, we’re locking down the permissions on a particular directory to administrators only.

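acl { 'c:/temp':
    # Only the listed identities keep access to the directory
    permissions                => [
        { identity => 'Administrators', rights => ['full'] },
    ],
    # Remove any explicit permissions not listed above
    purge                      => true,
    # Stop inheriting permissions from the parent directory
    inherit_parent_permissions => false,
}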

This lets you get started really quickly without having to purge or turn off inheritance. For now, the Puppet ACL module works with files, but it will soon have support for services and registries.


Chocolatey is a package manager for Windows. It lets you easily manage and configure software installations across your entire Windows infrastructure. In this simple example, we’re using Puppet to install Chocolatey itself and make sure it stays up to date.

include chocolatey

package { 'git':
    ensure   => latest,
    # Install through Chocolatey rather than the built-in windows provider
    provider => chocolatey,
}

The Chocolatey module is Puppet Supported, which means that the support you get under your Puppet Enterprise license extends to support for this module (and a number of other Supported modules).


Puppet Enterprise is integrated with Microsoft PowerShell Desired State Configuration. In this example of using the DSC module, we have a Puppet DSC resource that disables a firewall port. It’s a common task for Windows admins and it’s easy to roll out across your entire infrastructure with Puppet.

dsc_xfirewall { 'inbound-2222':
    dsc_ensure       => 'present',
    dsc_name         => 'inbound2222',
    dsc_displayname  => 'Inbound DSC 2222',
    dsc_displaygroup => 'A Puppet + DSC Test',
    dsc_action       => 'Allow',
    # The rule exists but is switched off
    dsc_enabled      => 'false',
    dsc_direction    => 'Inbound',
}


PowerShell is a staple of any Windows admin, and Puppet Enterprise has full PowerShell support. In this example, Puppet first checks to see if the Windows power management scheme is set to performance, before ensuring that it is.

# performance power scheme GUID
$guid = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'

exec { 'set performance power scheme':
  command   => "PowerCfg -SetActive ${guid}",
  path      => 'C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0',
  unless    => "if((Powercfg -GetActiveScheme).Split()[3] -ne '${guid}') { exit 1 }",
  provider  => powershell,
  logoutput => true,
}


Have you tried rebooting? It’s (comically) the first step in any troubleshooting, but for a good reason. Every admin knows the importance of rebooting. With Puppet, you can reboot Windows machines across your entire infrastructure, if you need to. Plus, Puppet can reboot Linux machines in your environment.

There are two ways to reboot Windows machines with Puppet. In this example, the system detects there’s a pending reboot. You can also set the mode to refresh only.

reboot { 'reboot_pending':
    # Reboot if Windows already reports a pending reboot
    when    => pending,
    timeout => 15,
}

The command can also be used in conjunction with configuration changes or software installations.
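The other mode, shown here as an added example that is not from the original post: a reboot resource left at `when => refreshed` restarts the node only when a resource it subscribes to changes, such as a software installation. The package name and installer path are constructed placeholders.

```puppet
# Constructed example: 'Example Agent' and the MSI path are placeholders.
# With the windows package provider, the title must match the DisplayName
# the installer registers in Add/Remove Programs.
package { 'Example Agent':
  ensure          => installed,
  provider        => windows,
  source          => 'C:/installers/example-agent.msi',
  install_options => ['/quiet', '/norestart'],
}

# when => refreshed is the default mode: nothing happens on a normal run,
# and a reboot is triggered only when the subscribed package changes.
reboot { 'after_example_agent':
  when      => refreshed,
  # Let the current Puppet run finish before restarting
  apply     => finished,
  message   => 'Rebooting to complete the Example Agent installation',
  timeout   => 60,
  subscribe => Package['Example Agent'],
}
```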


With the Puppet Registry module, you can create and manage Registry keys and values directly. In this example, we’re using Puppet to edit the Registry to turn off auto login ability.

registry_value { 'HKLM\SOFTWARE\Microsoft\Windows
    ensure  => present,
    type    => dword,
    data    => 0,
}

WSUS client

The Windows Server Update Services (WSUS) module lets you manage all your Windows updates internally instead of reaching out to Microsoft’s servers. In this example, the WSUS module is scheduled to install updates from an internal server every Tuesday at 2:00 a.m.

class { 'wsus_client':
  server_url             => 'https://internal_server:8530',
  auto_update_option     => 'Scheduled',
  scheduled_install_day  => 'Tuesday',
  scheduled_install_hour => 2,
}


Download_file is a simple module that does what it says on the tin. In this example, we’re using it to download the .NET framework from Microsoft to a directory on a machine. Simple, yet effective.

    download_file { '.NET Framework 4.0':
        url                   => '',
        destination_directory => 'C:\temp',
    }


The Puppet IIS module lets you create sites, manage application pools, and more. In this example, we’re using Puppet to set up a pool and a site called The Server. We’re able to designate the path and port and much more.

    iis::manage_app_pool { 'somepool':
        enable_32_bit           => true,
        managed_runtime_version => 'v4.0',
    } ->

    # The site is created only after its application pool exists
    iis::manage_site { 'TheServer':
        site_path   => 'c:\sites\server',
        port        => '8080',
        ip_address  => '*',
        app_pool    => 'somepool',
    }

Windows environment

Managing environment variables is very important in Windows, and you can do it with the Windows environment module. In this example, Puppet ensures that c:\tools\bin is present in the PATH variable. We’re also setting the merge mode. Also note that the module lets you manage environment variables per user.

    windows_env { 'ValueOnPat':
        ensure      => present,
        variable    => 'PATH',
        value       => 'c:\tools\bin',
        # Insert the value into PATH and keep the existing entries
        mergemode   => insert,
    }


Windowsfeature is an amazing provider that allows you to turn Windows features on or off. With just a few lines of code, we can make sure that IIS is installed, and that ASP.NET is configured to be used for Windows Server 2012.

windowsfeature { 'Web-WebServer': } ->
windowsfeature { 'Web-Asp-Net45': }

And those are just some of the modules that are included in the Windows module pack. Visit the Puppet Forge for more.

Rob Reynolds is a senior software engineer at Puppet.

Learn more

  • For a deep dive into gaining more visibility and situational awareness of your Windows infrastructure — plus efficient automation! — read our white paper, Managing Windows with Puppet Enterprise.

Hi Rob,

Can you add some more text to the Chocolatey section that explains how doing an 'include chocolatey' and then an 'ensure=>latest' on a package labeled 'git' keeps Chocolatey up to date?

Thanks, Sean
