How to define Microsoft network client: Digitally sign communication (always) with ansible win_regedit

Question

I want to select Define this policy setting for Microsoft network client: Digitally sign communication (always) in the Group Policy on Windows Server with Ansible and select Disabled radio button. The following image shows the desired result. enter image description here

I am using the following role:

- name: Disable SMB signing
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    name: RequireSecuritySignature
    value: 0
    type: dword
    state: present

Ansible plays the above role just fine and prints the following message:

TASK [active-directory : Disable SMB signing] **********************************
ok: [192.168.106.131]

However, nothing is changed on the Windows Server and the policy remains Not Defined. Can anybody help?

Have you thought about setting the policy in group policy? – Jim B Sep 20 '18 at 01:57 — Jim B, Sep 20 '18 at 01:57
Yes, but it has to be done with Ansible. – Singh6851 Sep 20 '18 at 02:01 — Singh6851, Sep 20 '18 at 02:01

score 1 · Answer 1 · answered Sep 28 '18 at 03:30

This is by design. Group Policy uses different types of files to push out settings, these files are the middle-men that the MMCs read. As such, unless you make the change in Group Policy, you won't see it reflected in it. The registry key itself is the absolute check.

How to define Microsoft network client: Digitally sign communication (always) with ansible win_regedit

1 Answers1