{"id":5425,"date":"2018-04-26T21:21:43","date_gmt":"2018-04-26T19:21:43","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=5425"},"modified":"2019-07-03T16:33:19","modified_gmt":"2019-07-03T14:33:19","slug":"powershell-enable-secure-windows-powershell-remoting-over-https","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/powershell-enable-secure-windows-powershell-remoting-over-https\/","title":{"rendered":"Powershell: Enable secure Windows\/Powershell Remoting over https"},"content":{"rendered":"<p>Hi,<\/p>\n<p>these are the steps to enable Windows Powershell remoting secured by TLS<\/p>\n<p><a href=\"https:\/\/michlstechblog.info\/blog\/windows-change-a-lan-interface-networkprofile-to-private\/\">Check <\/a>your Network connection profile. Set-WSManQuickConfig expects that the Network profile is at least private or domain.<\/p>\n<p><!--more--><br \/>\n<!--Enable-PSRemoting -SkipNetworkProfileCheck\nPS D:\\> Enable-PSSessionConfiguration * \nWinrm get http:\/\/schemas.microsoft.com\/wbem\/wsman\/1\/config\nwinrm quickconfig -transport:https\n\n--><br \/>\nEnable Windows Remoting. By powershell <\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Set-WSManQuickConfig\r\n<\/pre>\n<p>or command line<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; winrm quickconfig\r\n<\/pre>\n<p>Enable Powershell remoting<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Enable-PSRemoting\r\n<\/pre>\n<p>Check for a machine Certificate. 
In a domain environment a certificate should be installed.<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; dir CERT:\\LocalMachine\\My\\\r\n<\/pre>\n<p>If no certificate is installed, create a self-signed certificate<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; New-SelfSignedCertificate  -DnsName &quot;$ENV:COMPUTERNAME&quot; -KeyAlgorithm RSA -KeyLength 2048 -NotAfter ((Get-Date).AddYears(10)) -CertStoreLocation &quot;cert:\\LocalMachine\\My&quot; \r\nPS D:\\&gt; dir CERT:\\LocalMachine\\My\\\r\nThumbprint\r\n----------\r\nF3880C95203CA33770BFC314FC5923EF74C47000\r\n<\/pre>\n<p><!--Export the selfsigned certificate \n[powershell]\nPS D:\\&gt; Export-Certificate -Cert Cert:\\LocalMachine\\my\\F3880C95203CA33770BFC314FC5923EF74C47000 -FilePath C:\\Windows\\Temp\\exportedCert.cer\n[\/powershell]--><\/p>\n<p>If you use a domain machine certificate, enable https and disable http<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nC:\\&gt; winrm quickconfig -transport:https\r\n\r\n<\/pre>\n<p>If you use a self-signed certificate, determine the CertificateThumbprint and the hostname<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; (Get-ChildItem Cert:\\LocalMachine\\my).Thumbprint\r\nF3880C95203CA33770BFC314FC5923EF74C47000\r\nPS D:\\&gt; (Get-ChildItem Cert:\\LocalMachine\\my).DnsNameList\r\nPunycode     Unicode\r\n--------     -------\r\nyourHostname yourHostname\r\n<\/pre>\n<p>Change to a cmd window and enable https<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nC:\\&gt; winrm create winrm\/config\/listener?Address=*+Transport=HTTPS @{Hostname=&quot;yourHostname&quot;;CertificateThumbprint=&quot;F3880C95203CA33770BFC314FC5923EF74C47000&quot;;Port=&quot;5986&quot;}\r\n<\/pre>\n<p>or with powershell<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; New-Item -Path 
WSMan:\\LocalHost\\Listener -Transport HTTPS -Address * -CertificateThumbPrint &quot;F3880C95203CA33770BFC314FC5923EF74C47000&quot; -Hostname &quot;yourHostname&quot; -Force\r\n<\/pre>\n<p>Disable http the winrm way<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nC:\\&gt; winrm delete winrm\/config\/Listener?Address=*+Transport=HTTP\r\n<\/pre>\n<p>Or the powershell way<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Get-ChildItem WSMan:\\localhost\\Listener | ?{$_.Keys -contains &quot;Transport=HTTP&quot;}|remove-item -recurse -Confirm:$false\r\n<\/pre>\n<p>Check listener<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nWinrm enumerate winrm\/config\/listener\r\n<\/pre>\n<p>If the machine is not a member of a domain, the trusted host(s) must be set.<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nC:\\&gt; winrm set winrm\/config\/client '@{TrustedHosts=&quot;yourComputerWhoShouldAbleToConnect&quot;}'\r\n<\/pre>\n<p>Install a firewall rule<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nC:\\&gt; netsh advfirewall firewall add rule name=&quot;Windows Remote Management (HTTPS-In)&quot; dir=in protocol=tcp localport=5986 profile=any enable=yes action=allow\r\n<\/pre>\n<p>On the remote machine: Start a session. 
When a self-signed certificate is used:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Enter-PSSession -ComputerName theRemoteComputer -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential (Get-Credential)\r\n&#x5B;theRemoteComputer ]: PS C:\\Users\\myUser\\Documents&gt;\r\n<\/pre>\n<p>The session option (New-PSSessionOption -SkipCACheck -SkipCNCheck) can be omitted if the self-signed certificate is imported into the Root CA store, so that the client validates the server certificate instead of skipping the CA and CN checks.<\/p>\n<p>Or with a certificate signed by a CA<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Enter-PSSession -ComputerName theRemoteComputer -UseSSL \r\n&#x5B;theRemoteComputer ]: PS C:\\Users\\myUser\\Documents&gt;\r\n<\/pre>\n<p>This opens the GUI to alter the permissions of the WinRM service <\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI\r\n<\/pre>\n<p>To just show the permissions <\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; ConvertFrom-SddlString (get-item WSMan:\\localhost\\Service\\RootSDDL).Value\r\n<\/pre>\n<p>Michael<br \/>\n<!--\nhttps:\/\/support.microsoft.com\/en-us\/help\/2019527\/how-to-configure-winrm-for-https\nhttps:\/\/docs.microsoft.com\/en-us\/powershell\/module\/pkiclient\/new-selfsignedcertificate?view=win10-ps\nhttps:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.wsman.management\/providers\/wsman-provider?view=powershell-6\nhttps:\/\/4sysops.com\/archives\/powershell-remoting-over-https-with-a-self-signed-ssl-certificate\/\n--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, these are the steps to enable Windows Powershell remoting secured by TLS Check your Network connection profile. 
Set-WSManQuickConfig expects that the Network profile is at least private or domain.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[1354,628,133,137,1172,1177,20,1173],"class_list":["post-5425","post","type-post","status-publish","format-standard","hentry","category-windowsknowhow","tag-alter-permissions-winrm","tag-https","tag-powershell","tag-remote","tag-secure","tag-selfsigned-certificate","tag-windows-2","tag-winrm"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/5425","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=5425"}],"version-history":[{"count":51,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/5425\/revisions"}],"predecessor-version":[{"id":6502,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/5425\/revisions\/6502"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=5425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=5425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=5425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}