Chef Workstation with Windows

Given how scripting makes processes faster when operating across large, distributed IT resource fleets, Chef uses PowerShell scripting for all commands. Although not necessary, still it is recommended that you run a specific on-prem or cloud server for the Chef Infra Server. While the Chef Infra Server runs only on Linux systems, the Chef client is platform agnostic and can be installed on any operating system. Ideally, installing Chef Workstation is the easiest way to work with all Chef tools from one control center.

What is Chef Workstation?

Chef Workstation is a collection of tools that enable your fleet devices to interact securely with your Chef Server. It includes Chef Knife, InSpec, Cookstyle, Habitat, and Test Kitchen. It also contains embedded Ruby and other dependencies, so you don’t have to install anything else to start working with Chef tools

Chef Infra

The Chef Infra Server acts as a hub for configuration data. It stores cookbooks, the policies applied to nodes, and metadata that describes each registered node that the Chef Infra client manages.

A Chef-Client is an agent that runs locally on every node under management by Chef.

Get started by Downloading Chef Workstation to access Chef Infra server and Client.

Set up the Environment

Chef Server

To get started and install Infra Server, follow the guide “Install the Chef Infra Server”.

Chef Client

Download and install Workstation for Windows here. Verify the installation in your PowerShell with the command $ chef -v

After the installation of Chef Infra Client, it is located at C:\opscode. The main configuration file for Chef Infra Client is at C:\chef\client.rb

On Windows, Chef Infra Client must have two entries added to the PATH environment variable:


This is typically done during the installation of Chef Infra Client automatically. If these values (for any reason) are not in the PATH environment variable, Chef Infra Client will not run properly.

On the Windows target node, ensure WinRM is enabled and the ports 5985 and 5986 are listening.

Set up the $ knife credentials file with the command $ knife configure init-config and fill in all the required details.

By default, this file would be in C:\Users\<username>\.chef

Edit the file from the PowerShell or directly from GUI using any text editor and include cookbook_path .


Copy the user.pem file from the Automate server to your .chef directory

Create a new Chef repo to store all your chef content.

$ chef generate repo chef-repo

The default path of this repo would be “C:\Users\<username>\chef-repo&rdquo; From the PowerShell, run the $ knife command to fetch and verify the configuration.

$ knife ssl fetch
$ knife ssl check
$ knife client list

You must enable the WS-Management protocol on your workstation and set up the default configuration for remote management with the command.

$ winrm quickconfig

Adjust your firewall behaviour to make it public and listen on port 5985.

$ netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any

To set the configuration for the WinRM client, use the Winrm Set command and specify the client.

$ winrm set winrm/config/client/auth '@{Basic="true"}'

To set the configuration for the WinRM server, use the Winrm Set command and specify the service.

$ winrm set winrm/config/service/auth '@{Basic="true"}'

The $ knife windows subcommand is to interact with Windows systems managed by Chef Infra. Configuring nodes using WinRM allows external applications to call native objects like batch scripts, Windows PowerShell scripts, or scripting library variables. Bootstrap target nodes using knife bootstrap.

More information on knife windows

$ Knife bootstrap -o winrm <IP of VM> -U “<Username>” -P “<Password>” –node-name “<Nodename>”

$ knife bootstrap -o winrm -U Administrator -P '.&2T$AWo2GaV(j6H(.h33cRmD=&j-&H' --node-name "windows1"

You can get details of the node by using $ knife node show <node-name>

Create a Cookbook

On your cookbook repo (~/chef-repo/cookbooks/), execute the following $ chef generate cookbook nginx -k dokken  where nginx is a cookbook name. This will create a new cookbook and auto-create a kitchen.yml file.

Default path of the cookbook will be C:\Users\<user-name>\chef-repo\cookbooks

In the new nginx cookbooks directory, ~/chef-repo/cookbooks/nginx/ create a new recipe.

$ chef generate recipe webserver

Where weberver is the name of the recipe, and this will create ~/chef-repo/cookbooks/nginx/recipes/webserver.rb along with an existing default.rb recipe file.

Edit the webserver.rb file and include the below code.

# Cookbook:: nginx
# Recipe:: webserver
# Copyright:: 2021, Akshay Parvatikar.
include_profile: 'nginx::webserver'
if platform?(‘windows’)
windows_feature ‘Web-Server’ do
    action :install
windows_feature ‘Web-Mgmt-Console’ do
    action :install

You can edit the default recipe default.rb or create a new recipe webserver.rb to ensure it runs on your bootstrapped nodes. If you’re creating a new recipe don’t forget to include the recipe filename in your default file.

include_recipe 'cookbook-name::recipe-file-name'
include_recipe 'nginx::webserver'

The next step is to create an attributes file.

Attributes represent information about your node. You can set attributes in Chef recipes or separate attribute files. Attributes can also be set directly in recipes. You must precede the attribute name with the node when you set an attribute directly in a recipe.

Edit your default.rb file in the attribute directory.

$ chef generate attribute default

default['audit']['reporter'] = %w(chef-server-automate cli)

Once created and saved run $ cookstyle -a to check the syntax of your recipes, and other files and correct them.

When your recipes are error-free, you can upload them to the Chef server using the command.

$ knife cookbook upload <cookbook_name>

Create an InSpec profile to verify your cookbooks

You can now place compliance profiles inside a cookbook and upload as part of a Policyfile workflow all in one step.

$ mkdir compliance

you can have more than one profile. Use inspec to generate a profile called webserver.

$ inspec init profile <profile-name>

$ inspec init profile webserver

The inspec command creates a directory named webserver and a sub-directory called controls. Inside controls is an example.rb file. You can rename the file as per your naming convention.

InSpec profiles contain controls, which describe each test you want to perform. You can have multiple control files based on your solutioning.

In the example below the control is called windows-client and it has an impact of 1.0, which is the highest priority. The control then adds logic to run different tests based on whether the target node is Windows or not. The described entries tell Chef to check those resources on each system.

control 'windows-client' do
impact 1.0
title 'Check Softwares'
if os.windows?
    describe windows_feature('Web-Server') do
    it { should be_installed }
    describe windows_feature(‘Web-Mgmt-Console’)do
      it { should be_installed }

Assign the recipes to the bootstrapped node with the command.

$ knife node run_list add

Next would be to make changes to your policy file Policyfile.rb where the cookbooks and compliance profiles are packaged together and pushed to the Chef server.

$ chef install Policyfile.rb
$ chef push <policy_group> Policyfile.lock.json

The last step would be to login to remote node and run $ sudo chef-client, which will take the recipe from the Chef server and install/run on the nodes.

Alternative is, instead of going in client and giving the command $ sudo chef-client , you can directly get the results with $ knife ssh command from your workstation.

$ knife ssh 'name: *' 'sudo chef-client' -a <ip-addressof VM>


This document explains on how to implement Chef with Windows environment, and how to run your first recipes with InSpec profiles.

Next Steps

Once you have knowledge on Chef basics you can get into real-life scenarios by looking at the Chef Infra 101: The Road to Best Practices guide.

As you get to experience on Chef infra, Working with InSpec with existing infrastructure becomes easy.


Learn Chef is great place to start your journey with workstation and InSpec.

Want to Learn more about Chef InSpec?

Understand how Chef work with multi-cloud setup.

Watch a Chef InSpec training video


Akshay Parvatikar

Akshay Parvatikar is a Technical Product Marketing Manager at Progress. With a career of over seven years and a bachelor's degree in Engineering, Akshay has worked in various roles such as solution engineering, customer consulting, and business development in web performance for Telecom and the e-commerce industry.