Installing Chef Client On Windows

Chef is a very popular infrastructure automation framework. It is also getting popular in windows based environment. Installing Chef Client on Windows is sometime a challenge for developer. In order to install the Chef client on Windows, there are three basic options to be performed, as follows:

  • Use the knife-windows plugin to bootstrap the host as described previously.
  • Download and manually install the client using the MSI installer.
  • Deploy the software via an in-place update tool such as WSUS

Bootstrap Windows hosts

Bootstrapping a host is the process of installing any components required to initially incorporate a host into your infrastructure. Typically, this will involve installing Ruby along with the Chef client and any certificates required for authentication, as well as registering the host with your Chef server or hosted Chef account. In order to do this, you will need to have a workstation configured with the knife-windows gem installed. You can install the gem easily with the following command:

gem install knife-windows

Before proceeding to the bootstrap phase, you need to ensure that the following things are configured on the Windows host:

  • Windows Remote Management is enabled
  • Any firewalls in between you and the Windows host permit WinRM traffic
  • You are able to authenticate with WinRM

Enabling Windows Remote Management

Most modern Windows server OS installations enable Windows RM by default, but if it is not already enabled (or if you are unsure), you can quickly configure it by running the following command from a command prompt (as an Administrator):

winrm quickconfig

The preceding command performs the following tasks:

  • Starts the Windows Remote Management service and sets it to autostart on boot-up
  • Defines firewall rules for the Windows Remote Management service and opens the ports for HTTP and HTTPS

Configuring firewall ports

In order to use WinRM, the firewall on the end host will need to be configured to permit traffic to the ports that WinRM uses. There are two versions of WinRM, 1.0 and 2.0; each version has a different set of default ports. For version 2.0 of Windows Remote Management, the default ports are as follows:

  • HTTP: 5985
  • HTTPS: 5986

For version 1.0, the default ports are as follows:

  • HTTP: 80
  • HTTPS: 443

Enabling basic authentication

To allow the authentication to WinRM from the outside and via basic, non-encrypted HTTP authentication, you will need to run the following commands from the command prompt (not via the PowerShell prompt):

winrm set winrm/config/client/auth @{Basic="true"}
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}

Bootstrapping a Windows host

Once the knife-windows gem is installed on the workstation, you can proceed to execute the bootstrapping process, such as the following bootstrapping of an EC2 Windows host:

knife bootstrap windows winrm -x Administrator 

In the preceding command, we are executing the knife utility with the bootstrap command, specifying that we want to use the Windows bootstrap script through the Windows Remote Management protocol on host ec2-xx-xxx-xxx-xxx.compute-1. as the Administrator user (via the x command-line flag).

This will take some time, as it will need to download and install the Chef client and then register itself with the Chef server. While it is running, the following is an overview of what it is doing

  • The knife command will render a batch file from an ERB template located on the workstation (the one initiating the bootstrapping) and write it to a file on the target node.
  • After generating the batch file from the ERB file template, the node will execute the newly created batch file.
  • The generated script will download the Chef client MSI installer onto the node and perform the installation.
  • Once the installation of the client has succeeded, knife will store any files needed to get the host registered including certificates and configuration data.
  • The Chef client will perform an initial pass to execute any initial run lists that were specified on the command line (in our case, none).
  • Once the Chef client has completed its initial set of work, it will print out what it did and how long it took to complete that task.

Once the target node has completed the boot strapping, you should validate that it was provisioned with the following command:

[user@workstation]% knife node list

Installing via MSI

An alternative, for those who already have tools in place to deploy software using Microsoft installer packages (MSIs), is to use an MSI that is available for installing the Chef client on a Microsoft Windows machine. To download the Chef client for Windows systems, perform the following steps:

  • Go to
  • Click on the Chef Client tab.
  • Click on Windows and choose an appropriate version and architecture.
  • Under Downloads, select the version of the Chef client to download, and then click on the link that appears below the drop-down menu to download the package.

The web page shown in the following screenshot appears when the preceding steps are performed:

Once the installer has downloaded successfully, launch the installer as follows:

Select the default options (refer to the information box after the following screenshot for information about the service):

By default, the Chef client is only run manuallysomeone must execute the command through a WinRM session or on the console. In order to run the client periodically in the background, you must enable the service or configure a scheduled task. If you check the Chef Client Service box during the installation phase, the service will be set to run automatically. If you want to enable this later, you can do so with the following command:

 chef-service-manager -a install  

If you choose to run the client in the background, you will not be able to see the console output. To find the execution logs, refer to the file chef-client.log under c:\chef.

Note : Installing the Chef client manually through the MSI download option will not automatically register the host with the Chef service. In order to do this, you will need to copy the validator key and a functional client.rb configuration file onto the end host.

For reference, a sample client.rb file for a self-managed Chef service would look like the following:

log_level :info
log_location STDOUT
chef_server_url ''
validation_client_name 'chef-validator'
validation_key "C:/chef/validator.pem"
A client.rb file when using the hosted Chef service would look like the following:
log_level :info
log_location STDOUT
chef_server_url ''
validation_key "C:/chef/ORGNAME-validator.pem"
validation_client_name 'ORGNAME-validator'

For a self-managed Chef service, the validator.pem file will likely be located under /etc/chef. For a hosted Chef service, you can download your validator key from the management console.