Windows OS Hub
February 1, 2022 | PowerShell, Windows 10, Windows Server 2019

Configuring PowerShell Remoting (WinRM) over HTTPS

By default, traffic in a PowerShell Remoting session is encrypted regardless of whether the HTTP (TCP/5985) or HTTPS (TCP/5986) transport is used: in both cases the payload is encrypted with an AES-256 key. However, when you connect to a remote computer outside your AD forest or in a workgroup (where Kerberos cannot authenticate the remote host for you), you are at risk of a man-in-the-middle attack. Microsoft recommends always using the HTTPS transport for PSRemoting when you connect to computers outside your domain.

In this article, we’ll show how to configure PowerShell Remoting over HTTPS using an SSL certificate. PSRemoting sessions over HTTPS provide a higher session security level when connecting to computers outside of your AD domain/forest.

The steps below describe how to configure a remote device running Windows you want to connect to using PowerShell Remoting over HTTPS.

Make sure that your network location in Windows is set to Private or Domain:

Get-NetConnectionProfile

Enable WinRM and PSRemoting using the command:

Enable-PSRemoting -Force

In a domain, you can configure WinRM using GPO.

To configure HTTPS for WinRM, you first need to create an SSL certificate on a computer you want to connect to. The certificate will be used to encrypt WinRM traffic. It is easier to create a self-signed certificate using PowerShell. In a domain environment, you can issue WinRM certificates automatically using Auto-Enrollment.

Specify the computer name and its IP address as the DNS name of the certificate (it is convenient if your network doesn’t have a DNS server). You can get both values for the Subject Alternative Name of the certificate and generate a self-signed certificate with PowerShell:

$hostName = $env:COMPUTERNAME
# Collect the non-loopback IPv4 addresses. Do not pipe through Out-String here: that would
# turn the list into a single string with a trailing newline, which ends up in the SAN.
$hostIP = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
# @($hostName) + $hostIP builds one flat string[] for -DnsName (hostname plus every address)
$srvCert = New-SelfSignedCertificate -DnsName (@($hostName) + $hostIP) -CertStoreLocation Cert:\LocalMachine\My
$srvCert

The new SSL certificate will appear in the personal certificate store on the computer.

[Screenshot: generating a self-signed SSL certificate using PowerShell]

By default, two listeners on different ports are created for PowerShell Remoting in Windows:

  • HTTP on Port 5985
  • HTTPS on Port 5986

You can get a list of active WSMan listeners as shown below:

Get-ChildItem wsman:\localhost\Listener

Remove default HTTP and HTTPS listeners:

Get-ChildItem wsman:\localhost\Listener\ | Where-Object -Property Keys -like 'Transport=HTTP*' | Remove-Item -Recurse

Create a new HTTPS listener and bind your certificate to it:

New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $srvCert.Thumbprint -Force

[Screenshot: creating an HTTPS listener in WinRM]

Create a Windows Firewall rule that allows WinRM HTTPS traffic or make sure that it is active:

New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP

Restart the WinRM service:

Restart-Service WinRM

You can check which certificate thumbprint a WinRM HTTPS listener is bound to using this command:

WinRM e winrm/config/listener

The remote host is configured. Now you have to export the SSL certificate to a CER file:

Export-Certificate -Cert $srvCert -FilePath c:\PS\SSL_PS_Remoting.cer

Keep in mind that WinRM server and client configurations don’t allow unencrypted connections (by default):

dir WSMan:\localhost\Service | ? Name -eq AllowUnencrypted
dir WSMan:\localhost\Client | ? Name -eq AllowUnencrypted

[Screenshot: WinRM doesn't allow unencrypted connections]

If necessary, you can disable unencrypted connections as follows:

winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm set winrm/config/client '@{AllowUnencrypted="false"}'
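The server-side steps above (network profile check, Enable-PSRemoting, self-signed certificate with the hostname and IPv4 addresses in the SAN, listener replacement, firewall rule, AllowUnencrypted, restart, export) combined into one function. This is an added example and not part of the original article; it adds the checks an administrator would want before and after the change: it refuses to run while an interface is on a Public profile, creates the firewall rule only if it is missing, and verifies that the HTTPS listener really is bound to the new thumbprint. The function name, parameter names and the export path are this example's own choices.

```powershell
function Enable-WinRMHttpsListener {
    [CmdletBinding()]
    param(
        [string] $FirewallRuleName = 'WinRM - Powershell remoting HTTPS-In',
        [string] $ExportPath = 'C:\PS\SSL_PS_Remoting.cer'   # example path, change to suit
    )

    # 1. WinRM refuses to listen on a Public profile, so stop early with a clear message
    $public = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
    if ($public) {
        throw "Interface(s) on a Public network profile: $($public.InterfaceAlias -join ', '). Set them to Private or Domain first."
    }
    Enable-PSRemoting -Force | Out-Null

    # 2. Self-signed certificate: hostname plus every non-loopback IPv4 address as SAN entries,
    #    so the client can validate the name whether it connects by name or by address
    $hostName = $env:COMPUTERNAME
    $ips = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
    $srvCert = New-SelfSignedCertificate -DnsName (@($hostName) + $ips) -CertStoreLocation Cert:\LocalMachine\My

    # 3. Replace the default HTTP/HTTPS listeners with a single HTTPS listener bound to this certificate
    Get-ChildItem WSMan:\localhost\Listener | Where-Object -Property Keys -like 'Transport=HTTP*' | Remove-Item -Recurse
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $srvCert.Thumbprint -Force | Out-Null

    # 4. Firewall rule for TCP/5986, created only once so the function can be re-run safely
    if (-not (Get-NetFirewallRule -Name $FirewallRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $FirewallRuleName -Name $FirewallRuleName -Profile Any `
            -Direction Inbound -Action Allow -LocalPort 5986 -Protocol TCP | Out-Null
    }

    # 5. Unencrypted connections are off by default; set it explicitly so a previous change cannot linger
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Restart-Service WinRM

    # 6. Verify: exactly the new thumbprint must be bound to the HTTPS listener
    $listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object -Property Keys -like 'Transport=HTTPS'
    $bound = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" | Where-Object Name -eq 'CertificateThumbprint').Value
    if ($bound -ne $srvCert.Thumbprint) {
        throw "HTTPS listener is bound to '$bound', expected '$($srvCert.Thumbprint)'"
    }

    # 7. Export the public part of the certificate for import on the admin computer
    New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
    Export-Certificate -Cert $srvCert -FilePath $ExportPath | Out-Null

    # Return what the client side needs: the thumbprint to pin and the names the certificate covers
    [pscustomobject]@{
        Thumbprint              = $srvCert.Thumbprint
        SubjectAlternativeNames = @($hostName) + $ips
        ExportedTo              = $ExportPath
    }
}

# Usage (elevated PowerShell on the remote host):
# Enable-WinRMHttpsListener
```

Run it once per host from an elevated session and keep the returned thumbprint: it is the value the client compares against when it verifies the listener before opening a session.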

Copy the CER file to the admin computer and import it using the command below (or deploy the certificate to other computers using GPO):

Import-Certificate -FilePath c:\PS\SSL_PS_Remoting.cer -CertStoreLocation Cert:\LocalMachine\root\

Then, to connect to a remote Windows host using WinRM HTTPS, you must use the -UseSSL argument in the Enter-PSSession and Invoke-Command cmdlets. In the following example, we’ll connect to a remote host from the PowerShell console by its IP address (note that we haven’t added this IP address to TrustedHosts):

$SessionOption = New-PSSessionOption -SkipCNCheck
Enter-PSSession -Computername 192.168.13.4 -UseSSL -Credential maxbak -SessionOption $SessionOption

[Screenshot: PowerShell Remoting over HTTPS using the -UseSSL option]

When connecting by an IP address without the SkipCNCheck option, the following error occurs: The SSL certificate contains a common name (CN) that does not match the hostname.
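-SkipCNCheck turns off hostname validation, so a client that uses it will accept any certificate chaining to a trusted root no matter which host it names. The following is an added example (not from the original article) of the check you can put in front of a connection to compensate: it reads the certificate the WinRM HTTPS listener actually presents on TCP/5986 and compares its thumbprint with the one exported from the remote host, and only then opens the session. Connecting by a name contained in the certificate (no -SkipCNCheck) is the default; -ByAddress opts into the weaker check for IP connections. The function names, the host name, the thumbprint and the user name are placeholders.

```powershell
function Get-WinRMListenerCertificate {
    # Open a TLS connection to the listener and return the certificate it presents.
    # The validation callback accepts everything on purpose: trust is decided by the caller,
    # not here, and nothing is sent over this connection.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 5986
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = $null
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Connect-WinRMHttpsPinned {
    # Compare the presented certificate with the expected thumbprint, then open the session
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,   # from Export-Certificate / $srvCert.Thumbprint
        [Parameter(Mandatory)] [pscredential] $Credential,
        [switch] $ByAddress                                     # only when connecting by IP address
    )
    $cert = Get-WinRMListenerCertificate -ComputerName $ComputerName
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Certificate thumbprint mismatch for $ComputerName (got $($cert.Thumbprint), expected $expected). Not connecting."
    }

    # Show which names the certificate covers (SAN extension, OID 2.5.29.17) so a CN error is explainable
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { Write-Verbose ("Listener certificate SAN: " + $san.Format($false)) }

    $params = @{ ComputerName = $ComputerName; UseSSL = $true; Credential = $Credential }
    if ($ByAddress) {
        # Thumbprint already matched above, so the hostname check is the only thing we give up
        $params.SessionOption = New-PSSessionOption -SkipCNCheck
    }
    New-PSSession @params
}

# Usage (placeholders, replace with your own values):
# $cred = Get-Credential 'maxbak'
# $s = Connect-WinRMHttpsPinned -ComputerName 'srv01' -ExpectedThumbprint '<thumbprint from the remote host>' -Credential $cred
# Invoke-Command -Session $s -ScriptBlock { hostname }
# $s | Remove-PSSession
```

The thumbprint must come from the remote host itself (the value of $srvCert.Thumbprint, or the .cer file copied over a channel you trust); reading it from the listener at connection time and then "pinning" it would only pin whatever the network showed you.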

1 comment

Lumpy February 6, 2022 - 6:33 am

Immensely useful and simple to follow, thank you for this!
