Hi,
These are the steps to enable Windows PowerShell remoting secured by TLS.
Check your network connection profile: Set-WSManQuickConfig expects the profile to be Private or Domain, not Public.
Enable Windows Remote Management (WinRM). With PowerShell:
PS D:\> Set-WSManQuickConfig
or from the command line:
D:\> winrm quickconfig
Enable PowerShell remoting:
PS D:\> Enable-PSRemoting
Check for a machine certificate. In a domain environment a certificate should already be installed:
PS D:\> dir CERT:\LocalMachine\My\
If no certificate is installed, create a self-signed certificate:
PS D:\> New-SelfSignedCertificate -DnsName "$ENV:COMPUTERNAME" -KeyAlgorithm RSA -KeyLength 2048 -NotAfter ((Get-Date).AddYears(10)) -CertStoreLocation "cert:\LocalMachine\My"
PS D:\> dir CERT:\LocalMachine\My\
Thumbprint
----------
F3880C95203CA33770BFC314FC5923EF74C47000
If you use a domain machine certificate, enable HTTPS and disable HTTP:
C:\> winrm quickconfig -transport:https
If you use a self-signed certificate, determine the certificate thumbprint and the hostname:
PS D:\> (Get-ChildItem Cert:\LocalMachine\my).Thumbprint
F3880C95203CA33770BFC314FC5923EF74C47000
PS D:\> (Get-ChildItem Cert:\LocalMachine\my).DnsNameList
Punycode     Unicode
--------     -------
yourHostname yourHostname
Change to a cmd window and enable HTTPS:
C:\> winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="yourHostname";CertificateThumbprint="F3880C95203CA33770BFC314FC5923EF74C47000";Port="5986"}
or with PowerShell:
PS D:\> New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint "F3880C95203CA33770BFC314FC5923EF74C47000" -Hostname "yourHostname" -Force
Disable HTTP the winrm way:
C:\> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
or the PowerShell way:
PS D:\> Get-ChildItem WSMan:\localhost\Listener | ?{$_.Keys -contains "Transport=HTTP"}|remove-item -recurse -Confirm:$false
Check the listener:
C:\> winrm enumerate winrm/config/listener
If not a member of a domain, the trusted host(s) must be set:
C:\> winrm set winrm/config/client @{TrustedHosts="yourComputerWhoShouldAbleToConnect"}
Install a firewall rule:
C:\> netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in protocol=tcp localport=5986 profile=any enable=yes action=allow
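The server-side steps above, collected into one idempotent script as an added example (this is not code from the original post). It assumes Windows PowerShell 5.1 on the target host, run from an elevated prompt; the firewall rule name is the one the post uses, the hostname is taken from the machine itself, and the HTTPS listener is verified at the end instead of leaving that to a manual winrm enumerate.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows PowerShell 5.1, run elevated.
$ErrorActionPreference = 'Stop'

# Step 1: Enable-PSRemoting refuses to run while any adapter is on a Public profile. Fail loudly
# instead of using -SkipNetworkProfileCheck, which would also expose the listener on networks
# you did not intend.
$public = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
if ($public) {
    throw "Public network profile on: $($public.InterfaceAlias -join ', '). Change it with Set-NetConnectionProfile first."
}

# Steps 2-3: enable WinRM and PowerShell remoting. This also creates the HTTP listener on 5985,
# which is removed again below once HTTPS is in place.
Enable-PSRemoting -Force | Out-Null

# Step 4: choose a machine certificate: private key present, not expired, Server Authentication EKU,
# and a DNS name clients will actually use with -ComputerName. CA-issued certificates sort before
# self-signed ones, newest first.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.DnsNameList.Unicode -contains $fqdn -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'   # Server Authentication
    } |
    Sort-Object @{ Expression = { $_.Issuer -eq $_.Subject } }, @{ Expression = 'NotAfter'; Descending = $true } |
    Select-Object -First 1

# Step 5: no usable certificate, so create a self-signed one as the post does. Clients then have to
# trust exactly this certificate (import into their Root store) or pin its thumbprint.
if (-not $cert) {
    $names = @($fqdn, $env:COMPUTERNAME) | Select-Object -Unique
    $cert = New-SelfSignedCertificate -DnsName $names -KeyAlgorithm RSA -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears(10) -CertStoreLocation Cert:\LocalMachine\My
    Write-Warning "Created self-signed certificate $($cert.Thumbprint); distribute its public part to clients out of band."
}

# Step 6: (re)create the HTTPS listener. Removing an existing one first means a renewed
# certificate is picked up when the script is run again.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Confirm:$false
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -Port 5986 `
    -CertificateThumbPrint $cert.Thumbprint -Hostname $fqdn -Force | Out-Null

# Step 7: remove the HTTP listener and disable the built-in firewall rules for TCP 5985 that
# Enable-PSRemoting turned on, so the service is reachable over TLS only.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Confirm:$false
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# Step 8 (TrustedHosts) is client configuration and is not done here.

# Step 9: allow TCP 5986 inbound. The post's netsh rule uses profile=any; limiting it to Domain
# and Private keeps the port closed if an adapter is ever classified as Public.
$ruleName = 'Windows Remote Management (HTTPS-In)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 5986 `
        -Profile Domain, Private -Action Allow | Out-Null
}

# Final check (what "winrm enumerate winrm/config/listener" shows): exactly one listener, HTTPS,
# on 5986, bound to the chosen certificate.
$listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $p = @{}
    Get-ChildItem $_.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
    [pscustomobject]$p
}
$listeners | Format-Table Transport, Port, Hostname, CertificateThumbprint, Enabled -AutoSize
if (@($listeners).Count -ne 1 -or $listeners.Transport -ne 'HTTPS' -or
    $listeners.CertificateThumbprint -ne $cert.Thumbprint) {
    throw 'Listener configuration does not match expectations; review the table above.'
}
```

Running the script a second time is safe: it keeps a CA-issued certificate if one appeared since the first run, rebinds the listener to it, and leaves the firewall rule alone if it already exists.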
On the remote machine: start a session. When a self-signed certificate is used:
PS D:\> Enter-PSSession -ComputerName theRemoteComputer -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential (Get-Credential)
[theRemoteComputer]: PS C:\Users\myUser\Documents>
The session option (New-PSSessionOption -SkipCACheck -SkipCNCheck) can be omitted if the self-signed certificate is imported into the Root CA store of the connecting machine.
Or with a certificate signed by a CA:
PS D:\> Enter-PSSession -ComputerName theRemoteComputer -UseSSL
[theRemoteComputer]: PS C:\Users\myUser\Documents>
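The client-side alternative the previous paragraph hints at, as an added example (not code from the original post): instead of connecting with -SkipCACheck -SkipCNCheck, fetch the certificate the server presents, compare it against a thumbprint obtained out of band (for example from (Get-ChildItem Cert:\LocalMachine\My).Thumbprint on the server, as shown above), import it into the Root store, and then connect with full validation. Assumed: Windows PowerShell 5.1 on the connecting machine, run elevated because the Root store and TrustedHosts are machine-wide; theRemoteComputer and the thumbprint are placeholders (the thumbprint is the post's sample value).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows PowerShell 5.1, run elevated.
$ErrorActionPreference = 'Stop'
$ComputerName       = 'theRemoteComputer'                          # must match a DNS name in the certificate
$ExpectedThumbprint = 'F3880C95203CA33770BFC314FC5923EF74C47000'   # sample value from the post; replace

function Get-RemoteTlsCertificate {
    # Opens a TLS connection to the WinRM HTTPS port and returns the certificate the server presents.
    # The validation callback accepts anything here because trust is decided below by the pinned
    # thumbprint, not by the connection attempt.
    param([string]$Target, [int]$Port = 5986)
    $tcp = [System.Net.Sockets.TcpClient]::new($Target, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Target)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

# Pin: refuse anything other than the certificate whose thumbprint you read on the server.
$presented = Get-RemoteTlsCertificate -Target $ComputerName
if ($presented.Thumbprint -ne $ExpectedThumbprint) {
    throw "Server presented $($presented.Thumbprint), expected $ExpectedThumbprint. Not trusting it."
}

# The post's alternative to -SkipCACheck: a self-signed certificate is its own issuer, so placing
# it in the machine Root store makes WinRM's chain validation succeed for this one server.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open('ReadWrite')
try {
    if ($store.Certificates.Find('FindByThumbprint', $ExpectedThumbprint, $false).Count -eq 0) {
        $store.Add($presented)
    }
} finally {
    $store.Close()
}

# Step 8 of the post for machines outside a domain. -Concatenate appends to the existing list
# instead of overwriting it.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($trusted -split ',') -notcontains $ComputerName) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ComputerName -Concatenate -Force
}

# Connect with the CA and hostname checks left on. -SkipCNCheck is not needed because the name
# used here is one the certificate carries; if this fails, fix the trust setup, not the checks.
Test-WSMan -ComputerName $ComputerName -UseSSL | Out-Null
Enter-PSSession -ComputerName $ComputerName -UseSSL -Credential (Get-Credential)
```

The pinning step is what makes the import safe: -SkipCACheck accepts whatever certificate answers on port 5986, whereas this only trusts the one certificate you already identified on the server.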
This opens the GUI to alter the permissions of the WinRM service:
PS D:\> Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI
To just show the permissions:
PS D:\> ConvertFrom-SddlString (get-item WSMan:\localhost\Service\RootSDDL).Value
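An added example (not from the original post) that goes one step further than the ConvertFrom-SddlString line above: RootSDDL is the service-level descriptor, and each session configuration (endpoint) such as Microsoft.PowerShell carries its own. The script below decodes both, translating the generic rights WinRM stores (GA, GR, GW, GX) into readable names, and warns when a very broad principal (Everyone, Authenticated Users, Anonymous, BUILTIN\Users) is granted access. Assumed: Windows PowerShell 5.1, run elevated so Get-PSSessionConfiguration can read the endpoint descriptors.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows PowerShell 5.1, run elevated.
function ConvertFrom-WinRmSddl {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Scope
    )
    # Broad principals worth a second look: Everyone, Authenticated Users, Anonymous, BUILTIN\Users.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-7', 'S-1-5-32-545'
    # WinRM access masks use the generic rights; GENERIC_READ is 0x80000000 and is written as an
    # Int64 literal so the -band against a (possibly negative) Int32 AccessMask works.
    $genericRights = [ordered]@{
        0x10000000 = 'Full'      # GA
        0x80000000 = 'Read'      # GR
        0x40000000 = 'Write'     # GW
        0x20000000 = 'Execute'   # GX
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $rights = foreach ($entry in $genericRights.GetEnumerator()) {
            if ($ace.AccessMask -band $entry.Key) { $entry.Value }
        }
        try {
            $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $principal = $ace.SecurityIdentifier.Value   # unresolvable SID, show it raw
        }
        [pscustomobject]@{
            Scope     = $Scope
            Principal = $principal
            Access    = $ace.AceType          # AccessAllowed or AccessDenied
            Rights    = $rights -join ', '
            Broad     = $broad -contains $ace.SecurityIdentifier.Value
        }
    }
}

function Get-WinRmAccessReport {
    # Service-level descriptor (the object the post reads with ConvertFrom-SddlString) ...
    $rows = @(ConvertFrom-WinRmSddl -Sddl (Get-Item WSMan:\localhost\Service\RootSDDL).Value -Scope 'Service (RootSDDL)')
    # ... plus every registered endpoint, which has its own descriptor.
    foreach ($cfg in Get-PSSessionConfiguration) {
        if ($cfg.SecurityDescriptorSddl) {
            $rows += ConvertFrom-WinRmSddl -Sddl $cfg.SecurityDescriptorSddl -Scope "Endpoint $($cfg.Name)"
        }
    }
    $rows
}

$report = Get-WinRmAccessReport
$report | Format-Table Scope, Principal, Access, Rights, Broad -AutoSize
$report | Where-Object { $_.Broad -and $_.Access -eq 'AccessAllowed' } | ForEach-Object {
    Write-Warning "$($_.Scope): $($_.Principal) is allowed $($_.Rights)"
}
```

An AccessDenied entry for a broad group is not flagged, since a deny ACE narrows access rather than widening it; the table still lists it so the full picture is visible.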
Michael
Hi Michls,
Here is my situation. I am installing Windows Admin Center on a Windows 2016 server which has an option to use “WinRM over HTTPS”. I have a CA certificate. I have installed the certificate on the server and use the certificate thumbprint to work with Windows Admin Center. I have run the two commands below on the server:
CMD /C 'netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986'
CMD /C 'winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="wac.ms.com";CertificateThumbprint="xxxxxx"}'
I do not understand the client side – what do I need to configure on the Win10 computer?
I have run Enable-PSRemoting on Win 10.
What certificate to install?
What ports to open?
Thank you and looking forward to your reply.
umang
Hi Umang,
You also need a certificate at the client. If it is a member of a domain and there is a certificate rollout service, it should already have one. Or create a self-signed computer certificate for the client.
Check at the client if there is already one:
Then you can use this certificate / Thumbprint for the WinRM command.
Michael