# Setting up WinRM

## Overview

Customers are responsible for the configuration of their servers and environments. For reference and testing, the PowerShell script below can be run on a target machine to enable WinRM with a self-signed certificate. We recommend using a certificate issued by a public CA in your production environment.

<pre class="language-powershell" data-overflow="wrap" data-line-numbers><code class="lang-powershell"># Enable WinRM
Set-NetConnectionProfile -NetworkCategory Private
winrm quickconfig -force
Enable-PSRemoting -force

# Allow non-SSL traffic (port 5985)
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

# Create a cert for SSL (port 5986)
$Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
$Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
$A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A

# Firewall Rules
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Public
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Public
</code></pre>

Below is a breakdown of the steps this script performs to configure WinRM on a Windows machine:

1. Set the network connection profile to Private:

   <pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell">Set-NetConnectionProfile -NetworkCategory Private
   </code></pre>
2. Configure and enable WinRM:

   <pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell">winrm quickconfig -force
   Enable-PSRemoting -force
   </code></pre>
3. Allow non-SSL (unencrypted) traffic on port 5985:

   <pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell">winrm set winrm/config/service '@{AllowUnencrypted="true"}'
   winrm set winrm/config/service/auth '@{Basic="true"}'
   winrm set winrm/config/client/auth '@{Basic="true"}'
   </code></pre>
4. Create a self-signed SSL certificate for encrypted traffic on port 5986:

   <pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell">$Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
   $Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
   $A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
   winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A
   </code></pre>
5. Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):

   <pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell">New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5985" -Profile Domain,Private
   New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5985" -Profile Public
   New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5986" -Profile Domain,Private
   New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5986" -Profile Public
   </code></pre>

After running this script, WinRM will be configured to allow both unencrypted (port 5985) and encrypted (port 5986) remote connections. Additionally, Windows Firewall rules will be created to allow inbound traffic on these ports.
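The setup script above deliberately relaxes two settings for testing: `AllowUnencrypted` and `Basic` authentication on the service. Together they let credentials and session data cross the wire in clear text on port 5985. The following script is an added example, not part of the Keeper documentation; it audits the resulting configuration on the target machine (listeners, the two service settings, and the firewall rules in the group the setup script created) and, with the hypothetical `-TightenForProduction` switch, leaves only the HTTPS listener on 5986 enabled. It assumes an elevated PowerShell session on the target after the setup script has run.

```powershell
# Added example (not Keeper's code): audit and optionally harden the WinRM
# configuration produced by the setup script. Assumes an elevated session
# on the target; -TightenForProduction is a switch defined for this example.
param(
    [switch]$TightenForProduction
)

# 1. Enumerate listeners: expect one HTTP (5985) and one HTTPS (5986) entry,
#    the HTTPS one carrying the thumbprint of the self-signed certificate.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem -LiteralPath $_.PSPath
    [pscustomobject]@{
        Transport             = ($props | Where-Object Name -eq 'Transport').Value
        Port                  = ($props | Where-Object Name -eq 'Port').Value
        Hostname              = ($props | Where-Object Name -eq 'Hostname').Value
        CertificateThumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
} | Format-Table -AutoSize

# 2. Service settings the setup script relaxed for testing.
$allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$basicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
Write-Host "AllowUnencrypted = $allowUnencrypted; Service Basic auth = $basicAuth"
if ($allowUnencrypted -eq 'true' -or $basicAuth -eq 'true') {
    Write-Warning "Unencrypted transport and/or Basic auth are enabled; credentials can traverse port 5985 in clear text."
}

# 3. Firewall rules in the group the setup script created, with their ports
#    and profiles, so the exposure of 5985 on the Public profile is visible.
Get-NetFirewallRule -Group "Windows Remote Management" -Enabled True | ForEach-Object {
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Port      = ($_ | Get-NetFirewallPortFilter).LocalPort
        Profile   = $_.Profile
        Direction = $_.Direction
    }
} | Format-Table -AutoSize

# 4. Optional hardening: HTTPS-only listener, no Basic auth, no unencrypted traffic.
if ($TightenForProduction) {
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
    Set-Item WSMan:\localhost\Client\Auth\Basic        -Value $false

    # Remove the HTTP listener; the HTTPS listener on 5986 remains.
    Get-ChildItem WSMan:\localhost\Listener | Where-Object {
        (Get-ChildItem -LiteralPath $_.PSPath | Where-Object Name -eq 'Transport').Value -eq 'HTTP'
    } | Remove-Item -Recurse

    # Disable the two 5985 rules ("WinRM"); the "WinRM Secure" rules stay enabled.
    Disable-NetFirewallRule -DisplayName "WinRM"
    Write-Host "Hardened: HTTPS listener only, Basic auth off, port 5985 closed."
}
```

Run it once without the switch to see the state the setup script leaves behind, and again with `-TightenForProduction` after the self-signed certificate has been replaced by one from a public CA, since clients that validate the chain will otherwise be unable to reach the remaining HTTPS listener.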

From a Windows server, you can test the connectivity to the target machine through PowerShell:

```powershell
Test-NetConnection -ComputerName <host> -Port <port>
```
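`Test-NetConnection` only proves the TCP port is open. The script below is an added example, not part of the Keeper documentation, that goes one step further from a Windows client: it opens a remoting session over the HTTPS listener on 5986 and reports which endpoint it actually connected to. The hypothetical `-TrustSelfSigned` switch skips CA and CN validation so the self-signed certificate from the setup script can be tested; without it the client validates the certificate chain, which is the check to use once a public CA certificate is in place. `$Target` must match the hostname used as the certificate CN, and `$Credential` is an account permitted to use remoting.

```powershell
# Added example (not Keeper's code): verify a WinRM target over HTTPS from
# a Windows client. -TrustSelfSigned is a switch defined for this example
# and is meant for testing against the self-signed certificate only.
param(
    [Parameter(Mandatory)][string]$Target,
    [Parameter(Mandatory)][pscredential]$Credential,
    [int]$Port = 5986,
    [switch]$TrustSelfSigned
)

# 1. TCP reachability, the same check the documentation performs.
$tcp = Test-NetConnection -ComputerName $Target -Port $Port
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP port $Port on $Target is not reachable; check the 'WinRM Secure' firewall rules."
}

# 2. Open a remoting session over TLS. Without -TrustSelfSigned the client
#    validates the certificate chain, so success means the listener presents
#    a certificate this client trusts.
$opt = if ($TrustSelfSigned) {
    New-PSSessionOption -SkipCACheck -SkipCNCheck
} else {
    New-PSSessionOption
}
$session = New-PSSession -ComputerName $Target -Port $Port -UseSSL `
    -Credential $Credential -SessionOption $opt

try {
    # 3. Ask the remote side which host answered and over which connection
    #    string it received the request (https://<host>:5986/wsman when the
    #    HTTPS listener was used).
    Invoke-Command -Session $session -ScriptBlock {
        [pscustomobject]@{
            RemoteHost       = $env:COMPUTERNAME
            ConnectionString = $PSSenderInfo.ConnectionString
        }
    }
}
finally {
    Remove-PSSession $session
}

# 4. Production check: Test-WSMan validates the certificate fully and has no
#    skip options, so a successful result here means the self-signed
#    certificate has been replaced by (or explicitly trusted as) one the
#    client accepts.
if (-not $TrustSelfSigned) {
    Test-WSMan -ComputerName $Target -Port $Port -UseSSL
}
```

Use `-TrustSelfSigned` only while the self-signed certificate from the setup script is in place; once a public CA certificate is installed on the listener, run the script without it so the full certificate validation in steps 2 and 4 is exercised.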

