Configure WinRM for HTTPS

Configure WinRM for HTTPS manually

Configuring WinRM for HTTPS involves the following steps.

    1. Check whether WinRM service is running
    2. Create HTTPS listener
    3. Add firewall exception
    4. Validate HTTPS listener

Check whether WinRM service is running

Get-Service WinRM

PS C:\Users\wintel> Get-Service WinRM
 
Status Name DisplayName
------ ---- -----------
Running WinRM Windows Remote Management (WS-Manag...


If the WinRM service is not running, you may need to configure WinRM with winrm quickconfig. When WinRM is configured for the first time, it creates an HTTP listener on port 5985 by default.

Check the already registered listeners by running the following command:

PS C:\Users\Administrator> WinRM e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.20.20.1, ::1, fe80::5efe:172.20.20.1%15, fe80::d071:b058:c541:a212%12

Create HTTPS listener


To create an HTTPS listener, you need a certificate installed on the machine.

Generate an SSL certificate with one of these options.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<YOUR_DNS_NAME>"; CertificateThumbprint="<COPIED_CERTIFICATE_THUMBPRINT>"}

C:\>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="vc01.winadmin.org";CertificateThumbprint="9a20b7dab60933e3ce2ba6fddc02025dcdb83558"}
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS

 

Add firewall exception


You can configure the firewall exception either from the command line or with the GUI tool.

 

Via command

# Add a new firewall rule

netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986

Using the Windows Firewall with Advanced Security GUI tool:

Open Windows Firewall with Advanced Security and click New Rule.

Select Port.

Specific local ports: enter 5986.

Select Allow the connection.

Select whichever profile options are required.

Give the rule a name and click Finish.

Now check the WinRM Listener. The output should be as follows.

C:\>WinRM e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.20.20.2, 192.168.20.2, ::1, fe80::5efe:172.20.20.2%17, fe80::5efe:192.168.20.2%16, fe80::1c21:cbdc:66d9:967%12, fe80::4d34:b19b:402c:ae3a%13
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = vc01.winadmin.org
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 9a20b7dab60933e3ce2ba6fddc02025dcdb83558
    ListeningOn = 127.0.0.1, 172.20.20.2, 192.168.20.2, ::1, fe80::5efe:172.20.20.2%17, fe80::5efe:192.168.20.2%16, fe80::1c21:cbdc:66d9:967%12, fe80::4d34:b19b:402c:ae3a%13

Verify that you can connect to the machine over HTTPS using the same DNS name that is in the certificate:

PS C:\Users\Administrator> Enter-PSSession -Cn vc01.winadmin.org -UseSSL
 
[vc01.winadmin.org]: PS C:\Users\wintel\Documents>


If you give only the short host name, the connection fails: the certificate's common name (vc01.winadmin.org) does not match the name you connected to, and PowerShell refuses the session rather than trusting a mismatched certificate.

PS C:\Users\Administrator> Enter-PSSession -Cn vc01 -UseSSL
Enter-PSSession : Connecting to remote server vc01 failed with the following error message : The server certificate on
the destination computer (vc01:5986) has the following errors:
The SSL certificate contains a common name (CN) that does not match the hostname. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -Cn vc01 -UseSSL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (vc01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
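The four steps above, carried out in PowerShell instead of winrm.exe/netsh, with a validation function that also catches the failure mode shown in the last error: a listener whose bound certificate does not name the host clients will connect to, or has expired. This is an added example, not code from the original page; it uses only built-in cmdlets (the WSMan provider, Get-WSManInstance, the NetSecurity module, Test-WSMan) and reuses the page's sample DNS name and thumbprint as placeholders. The function names Enable-WinRmHttpsListener and Test-WinRmHttpsListener are hypothetical. Run it in an elevated session on the target machine.

```powershell
# Added example (not from the original page). Sample values taken from the page;
# replace them with your own DNS name and the thumbprint of a cert in Cert:\LocalMachine\My.
$DnsName    = 'vc01.winadmin.org'
$Thumbprint = '9a20b7dab60933e3ce2ba6fddc02025dcdb83558'

function Enable-WinRmHttpsListener {
    # Hypothetical helper: steps 1-3 of the page (service, listener, firewall rule).
    param([Parameter(Mandatory)][string]$DnsName,
          [Parameter(Mandatory)][string]$Thumbprint)

    # Step 1: make sure the WinRM service is configured and running.
    if ((Get-Service -Name WinRM).Status -ne 'Running') { winrm quickconfig -q }

    # Step 2: same effect as "winrm create winrm/config/Listener?Address=*+Transport=HTTPS ...".
    New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
             -HostName $DnsName -CertificateThumbprint $Thumbprint -Force | Out-Null

    # Step 3: same effect as the netsh rule on the page (inbound TCP 5986).
    New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' `
             -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 | Out-Null
}

function Test-WinRmHttpsListener {
    # Hypothetical helper: step 4 plus certificate sanity checks. Returns an object
    # with one boolean per check so the result can be inspected or logged.
    param([Parameter(Mandatory)][string]$DnsName)

    $r = [ordered]@{ ServiceRunning = $false; ListenerPresent = $false; CertFound = $false
                     CertNameMatches = $false; CertValid = $false; FirewallRule = $false }

    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $r.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # Same data as "winrm e winrm/config/listener", as objects.
    $https = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
             Where-Object { $_.Transport -eq 'HTTPS' }
    if ($https) {
        $r.ListenerPresent = $true
        $bound = $https.CertificateThumbprint   # what is actually bound, not what we intended
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $bound }
        if ($cert) {
            $r.CertFound = $true
            # The page's final error is a CN/hostname mismatch: check the subject CN and
            # any SAN DNS names against the name clients will use.
            $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
            $names   = @($cert.GetNameInfo($dnsType, $false))
            if ($cert.DnsNameList) { $names += $cert.DnsNameList | ForEach-Object { $_.Unicode } }
            $r.CertNameMatches = ($names -contains $DnsName)
            $now = Get-Date
            $r.CertValid = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        }
    }

    # Is there an enabled inbound allow rule covering TCP 5986?
    $rule = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '5986' }
    $r.FirewallRule = [bool]$rule

    [pscustomobject]$r
}

Enable-WinRmHttpsListener -DnsName $DnsName -Thumbprint $Thumbprint
$check = Test-WinRmHttpsListener -DnsName $DnsName
$check | Format-List

# Final end-to-end check over TLS, using the DNS name (not the short host name).
if ($check.CertNameMatches -and $check.CertValid) {
    Test-WSMan -ComputerName $DnsName -UseSSL
} else {
    Write-Warning "Certificate bound to the HTTPS listener does not name $DnsName or is not valid; clients will get the CN mismatch error."
}
```

The check deliberately reads the thumbprint back from the listener rather than trusting the value you passed in, so it also flags a listener that was created earlier against a different or since-expired certificate.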