diff --git a/doc/source/admin/components.rst b/doc/source/admin/components.rst
index 438cb08323..37dff282a3 100644
--- a/doc/source/admin/components.rst
+++ b/doc/source/admin/components.rst
@@ -499,6 +499,21 @@ The following sections of ``zuul.conf`` are used by the executor:
 SSH private key file to be used when logging into worker nodes.
+ .. attr:: winrm_cert_key_file
+ :default: ~/.winrm/winrm_client_cert.key
+
+ The private key file of the client certificate to use for winrm
+ connections to Windows nodes.
+
+ .. attr:: winrm_cert_pem_file
+ :default: ~/.winrm/winrm_client_cert.pem
+
+ The certificate file of the client certificate to use for winrm
+ connections to Windows nodes.
+
+ .. note:: Currently certificate verification is disabled when
+ connecting to Windows nodes via winrm.
+
 .. _admin_sitewide_variables:
 .. attr:: variables
diff --git a/releasenotes/notes/winrm-af968bf3269c25d9.yaml b/releasenotes/notes/winrm-af968bf3269c25d9.yaml
new file mode 100644
index 0000000000..9769d11c6a
--- /dev/null
+++ b/releasenotes/notes/winrm-af968bf3269c25d9.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Client certificate locations to be used by winrm connections can be
+ configured now.
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index ab1f35b70d..1c33381d2e 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -634,6 +634,12 @@ class AnsibleJob(object):
 self.private_key_file = get_default(self.executor_server.config,
 'executor', 'private_key_file',
 '~/.ssh/id_rsa')
+ self.winrm_key_file = get_default(self.executor_server.config,
+ 'executor', 'winrm_cert_key_file',
+ '~/.winrm/winrm_client_cert.key')
+ self.winrm_pem_file = get_default(self.executor_server.config,
+ 'executor', 'winrm_cert_pem_file',
+ '~/.winrm/winrm_client_cert.pem')
 self.ssh_agent = SshAgent()
 self.executor_variables_file = None
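Review bot: The two new defaults in the first `zuul/executor/server.py` hunk are `~`-prefixed strings stored exactly as read, and the second hunk passes them to Ansible as host variables unchanged. Whether `get_default` or the winrm connection expands `~` is not visible in this diff, so it should be confirmed, or the paths normalised once here, e.g. `self.winrm_key_file = os.path.expanduser(self.winrm_key_file)`. The client private key is referenced by path rather than held in an agent the way the SSH key presumably is via `SshAgent`, so the file must be readable by whatever process runs the job's Ansible. A comment here stating the expected owner and mode of `winrm_client_cert.key`, and that job content should not be able to read it, would help operators. The enclosing method starts and ends outside the hunk.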
@@ -1071,6 +1077,18 @@ class AnsibleJob(object):
 connection_type = node.get('connection_type')
 if connection_type:
 host_vars['ansible_connection'] = connection_type
+ if connection_type == "winrm":
+ host_vars['ansible_winrm_transport'] = 'certificate'
+ host_vars['ansible_winrm_cert_pem'] = \
+ self.winrm_pem_file
+ host_vars['ansible_winrm_cert_key_pem'] = \
+ self.winrm_key_file
+ # NOTE(tobiash): This is necessary when using default
+ # winrm self-signed certificates. This is probably what
+ # most installations want so hard code this here for
+ # now.
+ host_vars['ansible_winrm_server_cert_validation'] = \
+ 'ignore'
 host_keys = []
 for key in node.get('host_keys'):
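Review bot: `ansible_winrm_server_cert_validation` is hard-coded to `'ignore'` for every winrm node, so the executor never authenticates the Windows host it sends job content to, and a deployment whose nodes have CA-issued certificates cannot turn validation on. The client certificate set just above only proves the executor to the node, so an endpoint impersonating the node would still receive the job's tasks and any secrets passed to them. I would read the value from the executor config next to the two certificate paths and assign it here, e.g. `host_vars['ansible_winrm_server_cert_validation'] = self.winrm_cert_validation` (attribute and option name are suggestions), keeping `ignore` as the default to preserve current behaviour. A log warning when the value is `ignore` would make the weakened trust visible. The enclosing method starts before and continues after this hunk.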