Setting up WinRM

Example guide for setting up WinRM on target machines

Overview

Customers are responsible for the configuration of their servers and environments. For reference and testing, the PowerShell script below can be run on a target machine to enable WinRM with a self-signed certificate. We recommend creating a certificate with a public CA in your production environment.

# Enable WinRM
Set-NetConnectionProfile -NetworkCategory Private
winrm quickconfig -force
Enable-PSRemoting -force

# Allow non-SSL traffic (port 5985) and enable Basic authentication on service and client
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

# Create a cert for SSL (port 5986)
$Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
$Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
$A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A

# Firewall Rules
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Public
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Public

Below is a breakdown of what this script does to configure WinRM on a Windows machine:

  1. Set the network connection profile to Private:

    Set-NetConnectionProfile -NetworkCategory Private
  2. Configure and enable WinRM:

    winrm quickconfig -force
    Enable-PSRemoting -force
  3. Allow non-SSL (unencrypted) traffic on port 5985 and enable Basic authentication for the service and the client (with these settings, WinRM payloads and Basic credentials can cross the network without transport encryption, which is why the Overview presents this script for reference and testing):

    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/client/auth '@{Basic="true"}'
  4. Create a self-signed SSL certificate for encrypted traffic on port 5986:

    $Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
    $Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
    $A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A
  5. Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):

    New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5985" -Profile Domain,Private
    New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5985" -Profile Public
    New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5986" -Profile Domain,Private
    New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5986" -Profile Public

After running this script, WinRM will be configured to accept both unencrypted (HTTP, port 5985) and encrypted (HTTPS, port 5986) remote connections, and Windows Firewall rules will have been created to allow inbound traffic on both ports.

From a Windows server, you can test TCP connectivity to the target machine's WinRM port (5985 or 5986) through PowerShell:

Test-NetConnection -ComputerName <host> -Port <port>
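A verification script for the state the setup script above leaves behind, added here as an example and not part of the original guide: it checks that the HTTPS listener references a valid certificate in the machine store, reports whether AllowUnencrypted and Basic are still on, confirms the firewall rules for both ports, and runs the same reachability test for 5985 and 5986. It assumes an elevated PowerShell session on the target machine and uses the guide's ports and rule group name; the function name Test-WinRMSetup is hypothetical.

```powershell
# Added audit example (not the guide's code); run elevated on the target machine.
function Test-WinRMSetup {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$HttpPort  = 5985,
        [int]$HttpsPort = 5986
    )
    $warnings = New-Object 'System.Collections.Generic.List[string]'
    # Listeners: the HTTPS listener must point at a certificate that exists in the machine store and has not expired.
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
    $https = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' })
    if ($https.Count -eq 0) { $warnings.Add('No HTTPS listener is configured') }
    foreach ($l in $https) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $l.CertificateThumbprint }
        if (-not $cert) {
            $warnings.Add("HTTPS listener thumbprint $($l.CertificateThumbprint) not found in Cert:\LocalMachine\My")
            continue
        }
        if ($cert.NotAfter -lt (Get-Date)) { $warnings.Add("Listener certificate expired on $($cert.NotAfter)") }
        if ($cert.Subject -eq $cert.Issuer) { $warnings.Add('Listener certificate is self-signed; the guide recommends a public CA certificate for production') }
    }
    # Service settings: the test script turns both on; surface them so they are not carried into production unnoticed.
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $basicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    if ($allowUnencrypted -eq 'true') { $warnings.Add('AllowUnencrypted=true: WinRM payloads may cross the network without encryption') }
    if ($basicAuth -eq 'true')        { $warnings.Add('Basic auth enabled: credentials are protected only on the HTTPS listener') }
    # Firewall: an enabled inbound allow rule for each port in the guide's rule group.
    $rules = Get-NetFirewallRule -Group 'Windows Remote Management' -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    $openPorts = @($rules | Get-NetFirewallPortFilter | ForEach-Object { $_.LocalPort })
    foreach ($p in @($HttpPort, $HttpsPort)) {
        if ($openPorts -notcontains "$p") { $warnings.Add("No enabled inbound firewall rule for TCP $p") }
    }
    # Reachability: the same check the guide runs from a remote machine, here for both ports.
    [PSCustomObject]@{
        Listeners        = $listeners | Select-Object Transport, Address, Port, CertificateThumbprint
        AllowUnencrypted = $allowUnencrypted
        BasicAuth        = $basicAuth
        HttpReachable    = Test-NetConnection -ComputerName $ComputerName -Port $HttpPort  -InformationLevel Quiet -WarningAction SilentlyContinue
        HttpsReachable   = Test-NetConnection -ComputerName $ComputerName -Port $HttpsPort -InformationLevel Quiet -WarningAction SilentlyContinue
        Warnings         = $warnings
    }
}

Test-WinRMSetup | Format-List
```

An empty Warnings list means the listener, certificate and firewall state match what the guide describes; any warning names the setting or object to revisit before the machine is used outside a test environment.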
