05 October 2021

How to configure WinRM for HTTPS

Configuring for HTTPS involves the following steps.
  1. Check whether the WinRM service is running
  2. Create the HTTPS listener
  3. Add a firewall exception
  4. Validate the HTTPS listener
  5. Verify you can connect to the machine via HTTPS

Check whether WinRM service is running

WinRM is installed by default on all supported Windows machines.
Ensure that the service is in the Running state:
Get-Service -Name winrm
Status   Name               DisplayName
------   ----               -----------
Running  winrm              Windows Remote Management

Create HTTPS listener

By default, running the winrm quickconfig command configures WinRM for HTTP only (port 5985). You can check the already registered listeners by running the following command:
WinRM e winrm/config/listener

You will see output like this:
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1, fe80::8d60:91fb:e11f:d27c%12
To enable HTTPS for WinRM, you need to open port 5986 and add an HTTPS listener on the target machine. Before doing that, you first need to create a self-signed certificate and get its thumbprint. To create a self-signed certificate you can use either the makecert command or the New-SelfSignedCertificate PowerShell cmdlet.
New-SelfSignedCertificate -DnsName "YOUR_DNS_NAME" -CertStoreLocation Cert:\LocalMachine\My

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject

542DAFF8F021FC3D1EF3678543D89ACFE10A1ADB  CN=YOUR_DNS_NAME
Copy the thumbprint to the clipboard and run the following command.
This command will register the HTTPS listener in WinRM:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="YOUR_DNS_NAME"; CertificateThumbprint="COPIED_CERTIFICATE_THUMBPRINT"}'

Add firewall exception

Add an exception to your firewall to allow inbound port 5986 traffic at the target machine.

Validate HTTPS listener

You can verify the listener you added by running the same command you used above:
WinRM e winrm/config/listener
This will now show the new HTTPS listener alongside the existing HTTP listener.
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1, fe80::8d60:91fb:e11f:d27c%12

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = YOUR_DNS_NAME
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 542DAFF8F021FC3D1EF3678543D89ACFE10A1ADB
    ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1

Verify you can connect to the machine via HTTPS

The WinRM configuration is complete; now verify that you can connect over HTTPS.

Run the following commands in a PowerShell window as Administrator:
$hostName = "YOUR_DNS_NAME"
$winrmPort = "5986"

# Prompt for the credentials of an account on the target machine
$cred = Get-Credential

# Connect to the machine over HTTPS. -SkipCACheck is required because the certificate
# is self-signed; it tells the client not to validate the certificate chain for this session.
$soptions = New-PSSessionOption -SkipCACheck
Enter-PSSession -ComputerName $hostName -Port $winrmPort -Credential $cred -SessionOption $soptions -UseSSL
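The five steps above as one re-runnable PowerShell script for the target machine, added here as an example and not code from the original post; YOUR_DNS_NAME and the firewall rule name are placeholders, and the script assumes it runs elevated and that the name resolves locally. It ends with a TLS probe that pins the served thumbprint, so the check does not depend on the probing client already trusting the self-signed certificate.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post: the five steps as one re-runnable script for the target machine.
$dnsName   = "YOUR_DNS_NAME"   # placeholder: the FQDN clients will use; assumed to resolve locally
$httpsPort = 5986

# Step 1: make sure the WinRM service is running and starts with the machine.
if ((Get-Service -Name winrm).Status -ne 'Running') {
    Set-Service -Name winrm -StartupType Automatic
    Start-Service -Name winrm
}

# Step 2a: reuse a still-valid certificate for this name from the machine store, else create one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My
}
$thumbprint = $cert.Thumbprint

# Step 2b: register the HTTPS listener (same effect as the winrm create command above) only once.
$httpsFilter = { $_.Keys -contains 'Transport=HTTPS' }
if (-not (Get-ChildItem WSMan:\localhost\Listener | Where-Object $httpsFilter)) {
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $dnsName; CertificateThumbprint = $thumbprint } | Out-Null
}

# Step 3: allow inbound TCP 5986 (rule name chosen by this example).
$ruleName = "WinRM HTTPS (TCP $httpsPort)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $httpsPort -Action Allow | Out-Null
}

# Step 4: the registered listener must reference the thumbprint produced above (an older listener
# bound to a different certificate makes this throw, so it can be re-bound deliberately).
$listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object $httpsFilter
$bound = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" | Where-Object Name -eq 'CertificateThumbprint').Value
if ($bound -ne $thumbprint) { throw "Listener is bound to $bound, expected $thumbprint" }

# Step 5: complete a TLS handshake on the port and pin the certificate actually served. The callback
# accepts any certificate so the probe works before clients trust it; the thumbprint compare decides.
$tcp = New-Object System.Net.Sockets.TcpClient($dnsName, $httpsPort)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($dnsName)
$served = $ssl.RemoteCertificate.GetCertHashString()   # SHA-1 hex, same format as Thumbprint
$ssl.Dispose(); $tcp.Dispose()
if ($served -ne $thumbprint) { throw "Port $httpsPort serves $served, expected $thumbprint" }
Write-Host "WinRM HTTPS listener on ${dnsName}:$httpsPort verified (thumbprint $thumbprint)"
```

The client commands above rely on -SkipCACheck because the certificate is self-signed; exporting it with Export-Certificate and importing it into the client's Cert:\LocalMachine\Root store lets the client validate the chain normally instead.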
