Windows knowhow

Powershell: Enable secure Windows/Powershell Remoting over https

2 Comments

Hi,

these are the steps to enable Windows Powershell remoting secured by TLS

Check your Network connection profile. Set-WSManQuickConfig expects that the Network profile is at least private or domain.



Enable Windows Remoting. By powershell 

PS D:\> Set-WSManQuickConfig

or command line

D:\> winrm quickconfig

Enable Powershell remoting

PS D:\> Enable-PSRemoting

Check for a machine Certificate. In a domain environment a certificate should be installed.

PS D:\> dir CERT:\LocalMachine\My\

If no certicate is installed create self signed certificate

PS D:\> New-SelfSignedCertificate  -DnsName "$ENV:COMPUTERNAME" -KeyAlgorithm RSA -KeyLength 2048 -NotAfter ((Get-Date).AddYears(10)) -CertStoreLocation "cert:\LocalMachine\My" 
PS D:\> dir CERT:\LocalMachine\My\
Thumbprint
----------
F3880C95203CA33770BFC314FC5923EF74C47000

If you use a domain machine certificate enable https and disable http 

C:\> winrm quickconfig -transport:https

If you use a selfsigned certicate determine CertificateThumbprint and the hostname 

PS D:\> (Get-ChildItem Cert:\LocalMachine\my).Thumbprint
F3880C95203CA33770BFC314FC5923EF74C47000
PS D:\> (Get-ChildItem Cert:\LocalMachine\my).DnsNameList
Punycode     Unicode
--------     -------
yourHostname yourHostname

Change to a cmd windows and enable https

C:\> winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="yourHostname";CertificateThumbprint="F3880C95203CA33770BFC314FC5923EF74C47000";Port="5986"}

or with powershell

PS D:\> New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint "F3880C95203CA33770BFC314FC5923EF74C47000" -Hostname "yourHostname" –Force

Disable http the winrm way

C:\> winrm delete winrm/config/Listener?Address=*+Transport=HTTP

Or the powershell way

PS D:\> Get-ChildItem WSMan:\localhost\Listener | ?{$_.Keys -contains "Transport=HTTP"}|remove-item -recurse -Confirm:$false

Check listener

Winrm enumerate winrm/config/listener

If not member of a domain the trusted host(s) must be set.

C:\> winrm set winrm/config/client '@{TrustedHosts="yourComputerWhoShouldAbleToConnect"}'

Install a firewall rule

C:\> netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in protocol=tcp localport=5986 profile=any enable=yes action=allow

On the remote machine: Start a session. When a selfsigned certicate is used:

PS D:\> Enter-PSSession -ComputerName theRemoteComputer -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential (Get-Credential)
[theRemoteComputer ]: PS C:\Users\myUser\Documents>

The Session Option (New-PSSessionOption -SkipCACheck -SkipCNCheck) can omitted if the selfsigned certificate is imported to the Root CA store

Or with certificate signed by a CA

PS D:\> Enter-PSSession -ComputerName theRemoteComputer -UseSSL 
[theRemoteComputer ]: PS C:\Users\myUser\Documents>

This opens the GUI to alter the permissions of the WinRM service 

PS D:\> Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

To just show the permissions 

PS D:\> ConvertFrom-SddlString (get-item WSMan:\localhost\Service\RootSDDL).Value

Michael

Advertisment to support michlstechblog.info

2 thoughts on “Powershell: Enable secure Windows/Powershell Remoting over https”

  1. Hi Michls,
    Here is my situation. I am installing Windows admin center on windows 2016 server which has an option to use “WInRM over https”. I have CA certificate. I have install the certificate on the server and use the certificate thumbprint to work with Windows admin center, I have ran the two below command on the server
    CMD /C ‘netsh advfirewall firewall add rule name=”WinRM HTTPS” dir=in action=allow protocol=TCP localport=5986’

    CMD /C ‘winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=”wac.ms.com”;CertificateThumbprint=”xxxxxx”}’

    I do not understand the client side – what do i need to configure on win10 computer.
    I have enable-psremoting on win 10

    what certificate to install?
    what ports to open
    Thank you and looking forward for yor reply.
    umang

    Reply

    1. Hi Umang,

      you need also a certificate at client. If it is member of a domain and there are a certificate rollout service it should already have one. Or create a self signed computer certifcate for the client.

      Check at the client if there is already one:

      PS D:\> dir Cert:\LocalMachine\My\


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
8462716F4ACF655AC63CD8498D980D7F3         CN=yourComputer.YourDomain

      Then you can use this certificate / Thumbprint for the WinRM command.

      Michael

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.