Configuring for HTTPS involves the following steps.
- Check whether the WinRM service is running
- Create the HTTPS listener
- Add a firewall exception
- Validate the HTTPS listener
- Verify you can connect to the machine via HTTPS
Check whether WinRM service is running
WinRM is installed by default on all supported Windows machines. Ensure that the service is running before you change its configuration:
Get-Service -Name winrm

Status   Name               DisplayName
------   ----               -----------
Running  winrm              Windows Remote Management
Create HTTPS listener
By default, when you run the winrm quickconfig command, WinRM is configured only for HTTP (port 5985). You can check the already registered listeners by running the following command:
WinRM e winrm/config/listener
You will see output like this:
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1, fe80::8d60:91fb:e11f:d27c%12
To enable HTTPS for WinRM, you need to open port 5986 and add an HTTPS listener on the target machine. Before doing that, you first need a certificate for the listener and its thumbprint. The DNS name in the certificate must match the host name clients will use to connect; otherwise the client's host name check fails. For a quick setup you can create a self-signed certificate with the New-SelfSignedCertificate PowerShell cmdlet (the older makecert tool also works). For production use, prefer a certificate issued by a CA that your clients already trust: a self-signed certificate forces every client to either import it or skip the CA check.
New-SelfSignedCertificate -DnsName "YOUR_DNS_NAME" -CertStoreLocation Cert:\LocalMachine\My

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
542DAFF8F021FC3D1EF3678543D89ACFE10A1ADB  CN=YOUR_DNS_NAME
Copy the thumbprint from the output and run the following command, which registers the HTTPS listener in WinRM:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="YOUR_DNS_NAME"; CertificateThumbprint="COPIED_CERTIFICATE_THUMBPRINT"}'
Add firewall exception
Add an inbound rule to the firewall on the target machine that allows TCP port 5986. Scope the rule to the addresses or network profile your management hosts use rather than opening the port to every network.
Validate HTTPS listener
You can verify the listener you added by running the same command as before:
WinRM e winrm/config/listener
The output now shows the new HTTPS listener along with the existing HTTP listener:
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1, fe80::8d60:91fb:e11f:d27c%12
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = YOUR_DNS_NAME
Enabled = true
URLPrefix = wsman
CertificateThumbprint = 542DAFF8F021FC3D1EF3678543D89ACFE10A1ADB
ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1
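The server-side steps above (service check, certificate, HTTPS listener, firewall rule, validation) combined into one script that can be re-run safely, as an added example that is not part of the original page. It uses the New-WSManInstance cmdlet rather than the winrm create command shown above, reuses an existing certificate for the name if one is present, and checks that the registered listener is bound to the expected thumbprint. The host name server01.example.local and the management subnet 10.0.0.0/24 are placeholders; run it in an elevated PowerShell window on the target machine.

```powershell
# Added example (not from the original page): configure a WinRM HTTPS listener end to end.
# Placeholders: the DNS name clients will use and the subnet allowed to reach port 5986.
#Requires -RunAsAdministrator
$DnsName   = 'server01.example.local'
$HttpsPort = 5986
$MgmtNet   = '10.0.0.0/24'

# 1. The WinRM service must be running (and start automatically after a reboot).
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM
}

# 2. Certificate: reuse a valid one whose subject matches, otherwise create a self-signed one.
#    In production, prefer a CA-issued certificate; self-signed forces clients to pin or import it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
}
$thumb = $cert.Thumbprint

# 3. HTTPS listener. Remove a stale one first so the registered thumbprint is the current one.
$sel = @{ Address = '*'; Transport = 'HTTPS' }
$existing = try {
    Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $sel -ErrorAction Stop
} catch { $null }
if ($existing) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $sel
}
# Port defaults to 5986 for an HTTPS listener.
New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $sel `
    -ValueSet @{ Hostname = $DnsName; CertificateThumbprint = $thumb } | Out-Null

# 4. Firewall: allow inbound 5986 only from the management subnet, not from any address.
$ruleName = 'WinRM HTTPS (5986)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $HttpsPort -RemoteAddress $MgmtNet -Action Allow -Profile Domain,Private | Out-Null
}

# 5. Validate: the HTTPS listener exists, is enabled and is bound to our certificate.
$listener = Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $sel
if ($listener.Enabled -ne 'true' -or $listener.CertificateThumbprint -ne $thumb) {
    throw "HTTPS listener is missing, disabled, or bound to a different certificate"
}
"HTTPS listener on port $($listener.Port) bound to $thumb (certificate expires $($cert.NotAfter))"

# 6. Local reachability check: the port must accept a TCP connection.
if (-not (Test-NetConnection -ComputerName $DnsName -Port $HttpsPort).TcpTestSucceeded) {
    throw "Port $HttpsPort is not reachable on $DnsName"
}
```

The thumbprint printed at step 5 is the value a client should verify out of band before trusting the listener; if the script is re-run after the certificate is renewed, the listener is re-created with the new thumbprint.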
Verify you can connect to the machine via HTTPS
The WinRM configuration is complete; now verify that you can connect over HTTPS. Run the following commands in a PowerShell window as Administrator on a client machine:
$hostName = "YOUR_DNS_NAME"   # must match the DnsName on the listener's certificate
$winrmPort = 5986
# Credentials of an account that is allowed to use WinRM on the target machine
$cred = Get-Credential
# -SkipCACheck is needed only because the certificate is self-signed. It disables
# server authentication, so use it for this connectivity test only, not in production.
# The host name check is still enforced, so $hostName must match the certificate.
$soptions = New-PSSessionOption -SkipCACheck
# Connect to the machine over HTTPS
Enter-PSSession -ComputerName $hostName -Port $winrmPort -Credential $cred -SessionOption $soptions -UseSSL
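Instead of skipping the CA check, a client can verify the certificate the listener presents against the thumbprint reported by the administrator of the target machine (the value printed by New-SelfSignedCertificate above) and only then trust it. The following script is an added example, not part of the original page: it opens a TLS connection to port 5986 just to read the certificate, refuses to continue on a thumbprint mismatch or an expired certificate, pins the verified certificate in the client's LocalMachine\Root store, and then connects with full certificate validation (no -SkipCACheck or -SkipCNCheck). The host name, port and thumbprint are placeholders taken from the sample output above; writing to the Root store requires an elevated prompt.

```powershell
# Added example (not from the original page): verify a WinRM HTTPS listener's
# certificate by thumbprint before trusting it, then connect without -SkipCACheck.
# Placeholders: host name, port and the thumbprint reported by the server admin.
param(
    [string]$HostName = 'server01.example.local',
    [int]$Port = 5986,
    [string]$ExpectedThumbprint = '542DAFF8F021FC3D1EF3678543D89ACFE10A1ADB'
)

function Get-RemoteTlsCertificate {
    # Open a TLS connection and return the certificate the server presents.
    # The validation callback accepts anything here: we want to see the
    # certificate, not trust it; the real decision is made by the caller.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        try {
            $ssl.AuthenticateAsClient($HostName)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

$remote = Get-RemoteTlsCertificate -HostName $HostName -Port $Port
$seen = $remote.Thumbprint.ToUpperInvariant()
if ($seen -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Thumbprint mismatch for ${HostName}: presented $seen, expected $ExpectedThumbprint. Refusing to connect."
}
if ($remote.NotAfter -lt (Get-Date)) {
    throw "Certificate for $HostName expired on $($remote.NotAfter)"
}
"Certificate for $HostName matches expected thumbprint $seen (subject $($remote.Subject))"

# Pin the verified self-signed certificate as a trusted root on this client so the
# normal WinRM chain check passes. Requires an elevated prompt for LocalMachine\Root.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
try {
    if ($root.Certificates.Find('FindByThumbprint', $seen, $false).Count -eq 0) {
        $root.Add($remote)
    }
} finally { $root.Close() }

# No -SkipCACheck / -SkipCNCheck: the name must match the certificate and the
# chain must validate against the pinned certificate.
$cred = Get-Credential
Enter-PSSession -ComputerName $HostName -Port $Port -UseSSL -Credential $cred
```

Pinning only makes sense when the thumbprint was obtained over a channel an attacker on the network path cannot influence, for example read from the target machine's console or from the server-side script's output. If the listener's certificate is later replaced, the pinned entry in the Root store must be removed and the new thumbprint verified the same way.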