- block:
    - wait_for_connection:
        timeout: 10

  rescue:
    - name: set bootstrap password if connection fails
      set_fact:
        winrm_old_password: "{{ ansible_password }}"
        ansible_password: "{{ winrm_bootstrap_password }}"


- name: gather facts
  setup:
    gather_facts:
      - min


- name: fail if Windows version is not 10
  fail:
    msg: "only Windows 10 is supported"
  when: (ansible_os_family != 'Windows') or (ansible_distribution_major_version|int < 10)


- name: setup service account for remote control
  win_user:
    name: "{{ winrm_remote_user }}"
    account_disabled: no
    account_locked: no
    password: "{{ winrm_old_password | d(ansible_password) }}"
    password_expired: no
    password_never_expires: yes
    groups:
      - S-1-5-32-544
      - S-1-5-32-580
    groups_action: add


- name: set correct password if it was changed earlier
  set_fact:
    ansible_password: "{{ winrm_old_password }}"
  when: winrm_old_password is defined


- name: ensure LocalAccountTokenFilterPolicy is set to 1
  win_regedit:
    path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    name: LocalAccountTokenFilterPolicy
    data: 1
    type: dword


- name: setup winrm service
  win_service:
    name: WinRM
    start_mode: auto
    state: started