
February 1, 2022 | PowerShell, Windows 10, Windows Server 2019

Configuring PowerShell Remoting (WinRM) over HTTPS

By default, traffic in a PowerShell Remoting session is encrypted regardless of whether the HTTP (TCP/5985) or HTTPS (TCP/5986) transport is used: in both cases the traffic is encrypted with an AES-256 key. However, if you connect to a remote computer outside your AD forest or in a workgroup (where Kerberos cannot establish a trust relationship with the remote host), you are at risk of man-in-the-middle attacks. Microsoft recommends always using the HTTPS transport for PSRemoting when you connect to third-party computers.

In this article, we’ll show how to configure PowerShell Remoting over HTTPS using an SSL certificate. PSRemoting sessions over HTTPS provide a higher session security level when connecting to computers outside of your AD domain/forest.

The steps below describe how to configure a remote Windows device that you want to connect to with PowerShell Remoting over HTTPS.

Make sure that your network location in Windows is set to Private or Domain:

Get-NetConnectionProfile

Enable WinRM and PSRemoting using the command:

Enable-PSRemoting -Force

In a domain, you can configure WinRM using GPO.

To configure HTTPS for WinRM, you first need an SSL certificate on the computer you want to connect to; WinRM uses it to encrypt the traffic. The easiest way is to create a self-signed certificate with PowerShell. In a domain environment, you can issue WinRM certificates automatically using Auto-Enrollment.

Specify the computer name and its IP address as the DNS names of the certificate (this is convenient if your network has no DNS server). Get both values for the Subject Alternative Name of the certificate and generate a self-signed certificate with PowerShell:

$hostName = $env:COMPUTERNAME
# Collect the IPv4 addresses of the connected adapters as an array of strings.
# (Piping through Out-String, as in the original, yields one string with trailing newlines, which corrupts the SAN entries.)
$hostIP = (Get-NetAdapter | Where-Object Status -eq 'Up' | Get-NetIPAddress -AddressFamily IPv4).IPv4Address
# Build a flat string[] so every name becomes its own SAN entry
$srvCert = New-SelfSignedCertificate -DnsName (@($hostName) + $hostIP) -CertStoreLocation Cert:\LocalMachine\My
$srvCert

The new SSL certificate will appear in the personal certificate store on the computer.


By default, two listeners on different ports are created for PowerShell Remoting in Windows:

  • HTTP on Port 5985
  • HTTPS on Port 5986

You can get a list of active WSMan listeners as shown below:

Get-ChildItem wsman:\localhost\Listener

Remove default HTTP and HTTPS listeners:

Get-ChildItem wsman:\localhost\Listener\ | Where-Object -Property Keys -like 'Transport=HTTP*' | Remove-Item -Recurse

Create a new HTTPS listener and bind your certificate to it:

New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $srvCert.Thumbprint -Force


Create a Windows Firewall rule that allows WinRM HTTPS traffic or make sure that it is active:

New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP

Restart the WinRM service:

Restart-Service WinRM

You can check which certificate thumbprint a WinRM HTTPS listener is bound to using this command:

WinRM e winrm/config/listener

The remote host is configured. Now you have to export the SSL certificate to a CER file:

Export-Certificate -Cert $srvCert -FilePath c:\PS\SSL_PS_Remoting.cer

Keep in mind that WinRM server and client configurations don’t allow unencrypted connections (by default):

dir WSMan:\localhost\Service | ? Name -eq AllowUnencrypted
dir WSMan:\localhost\Client | ? Name -eq AllowUnencrypted


If necessary, you can disable unencrypted connections as follows:

winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm set winrm/config/client '@{AllowUnencrypted="false"}'

Copy the CER file to the admin computer and import it using the command below (or deploy the certificate to other computers using GPO):

Import-Certificate -FilePath c:\PS\SSL_PS_Remoting.cer -CertStoreLocation Cert:\LocalMachine\root\

Then, to connect to a remote Windows host using WinRM HTTPS, you must use the -UseSSL argument in the Enter-PSSession and Invoke-Command cmdlets. In the following example, we’ll connect to a remote host from the PowerShell console by its IP address (note that we haven’t added this IP address to TrustedHosts):

$SessionOption = New-PSSessionOption -SkipCNCheck
Enter-PSSession -Computername 192.168.13.4 -UseSSL -Credential maxbak -SessionOption $SessionOption


When connecting by an IP address without the SkipCNCheck option, the following error occurs: The SSL certificate contains a common name (CN) that does not match the hostname.
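Skipping the CN check means the client no longer ties the TLS session to a name, so it is worth verifying what the listener actually presents before connecting. The following function is an added example, not code from the original article: it opens a TLS connection to the WinRM HTTPS port, compares the presented certificate's thumbprint with the CER file you exported from that host, and prints its Subject Alternative Names (the host 192.168.13.4 and the path c:\PS\SSL_PS_Remoting.cer are taken from the article; the function name is my own).

```powershell
# Added example (not from the original article): pin the remote WinRM HTTPS listener's certificate
# to the CER file exported from that host, instead of trusting whatever is presented.
function Test-WinRmHttpsCertificate {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [string]$ExpectedCerPath,
        [int]$Port = 5986
    )
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExpectedCerPath
    $client   = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl      = $null
    try {
        # The callback accepts any certificate so the handshake completes and we can inspect it;
        # the trust decision is made below by comparing thumbprints, not by the OS chain check.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        # OID 2.5.29.17 is the Subject Alternative Name extension; note that New-SelfSignedCertificate -DnsName
        # stores the IP address as a "DNS Name" entry, which is why an IP-based connection needs -SkipCNCheck.
        $san = $presented.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            ComputerName        = $ComputerName
            PresentedThumbprint = $presented.Thumbprint
            ExpectedThumbprint  = $expected.Thumbprint
            ThumbprintMatches   = ($presented.Thumbprint -eq $expected.Thumbprint)
            SubjectAltNames     = $san
            NotAfter            = $presented.NotAfter
            Protocol            = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Values from the article's own walkthrough
$result = Test-WinRmHttpsCertificate -ComputerName 192.168.13.4 -ExpectedCerPath 'c:\PS\SSL_PS_Remoting.cer'
$result | Format-List
if (-not $result.ThumbprintMatches) {
    Write-Warning 'The listener presents a certificate other than the exported one. Do not open a PSRemoting session to this host.'
}
```

Run this from the admin computer before Enter-PSSession; a mismatch means either the listener was rebound to a new certificate or something else is answering on TCP/5986.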

3 comments

Lumpy February 6, 2022 - 6:33 am

Immensely useful and simple to follow, thank you for this!

40tude December 31, 2022 - 9:13 am

Hello.
The procedure works like a charm. Many, many thanks.
One question, however…

I’m in a Workgroup (home network).
My remote PC is a Surface Book running the latest version of Windows 10 (as of today).
I’m the admin of the Surface and I connect to it either by face recognition (is that the right term?) or using a PIN code.
On the Surface, Windows is linked to a Microsoft account.
I was not able to follow the procedure above and connect remotely until I created, for testing purposes only, a new local account with admin rights, a name and a password.
Then, and only then, I was able to connect to the Surface using its name and password.

So, the one million $ question is: which parameters should be used in the Enter-PSSession line when the admin of the remote station uses a Microsoft account and a PIN code? I believe the question will come up more and more often, as Microsoft requires a Microsoft account and a PIN code when installing the latest versions of Windows.

I tried many things: the email address, the 5-letter ID returned by whoami, machine_name\5lettersId… and the PIN code, but nothing worked.

Any help will be more than welcome.
Regards, 40tude

admin January 9, 2023 - 4:22 am

Try the following:
Enter-PSSession -ComputerName Server1 -Credential MicrosoftAccount\email@domain.tld
