Configuring WinRM over HTTPS to enable PowerShell remoting

Note: After making this post I created some additional posts describing how to automate this process further using PowerShell. The final post in the series is here: http://www.techdiction.com/2016/02/12/powershell-function-to-enable-winrm-over-https-on-an-azure-resource-manager-vm/ which includes a function to carry out the below without the need to log onto the server or portal.

PowerShell remoting allows machines to be remotely managed using PowerShell; under the hood it runs over WinRM, Microsoft's WS-Management implementation. PowerShell remoting is commonly used with virtual machines running on Azure. When we create a classic/service manager VM on Azure it is automatically configured with a WinRM endpoint so that we can connect using PowerShell remoting. However, if we create a VM using Resource Manager, WinRM over HTTPS is not configured by default. I had a query from a colleague regarding enabling WinRM over HTTPS so have documented the steps I provided to get them up and running.

The virtual machines I tested this with were running Windows Server 2012 R2, and the client OS was Windows 10. Both were clean installs with no prior configuration beyond the default configuration made by Azure.

Modify Network Security Group

WinRM over HTTPS uses TCP port 5986 (plain HTTP uses 5985). The first step is to allow traffic directed to this port to reach the VM. This is done by adding a rule to the Network Security Group (NSG).

  1. Navigate to Virtual Machines | <your_vm> | Settings | Network Interfaces | <your_nic>
  2. Click on the NSG name:
  3. Go to Settings | Inbound Security Rules
  4. Add a rule called WinRM_HTTPS for TCP port 5986. You may choose to (and I would recommend that you) restrict the source address to your client's public IP, so that the listener is not exposed to the whole internet.
  5. The NSG should now show the new inbound rule for port 5986.

Create Firewall Rule inside the server OS

We must also allow inbound traffic on TCP 5986 through Windows Firewall inside the VM; the NSG only controls what reaches the network interface.

  1. Open Windows Firewall with Advanced Security
  2. Navigate to Inbound Rules | New Rule…
  3. In the Wizard select Port, TCP, 5986, Allow the connection, leave all network profiles selected, and name it WinRM HTTPS. The rule will look something like this:

Create Cert

To secure the connection a certificate needs to be created inside the server VM. You may choose to use a publicly trusted certificate, but for our purposes we are using a self-signed certificate as I just want to get up and running as quickly as possible. You need to provide a DNS name; later in the post we will connect via IP address and skip the DNS name check, so it doesn't actually matter what you set this to. However, best practice would be to ensure you have a DNS name resolving to your Azure VM's public IP address and use that DNS name, because then the client can validate the certificate instead of skipping the check.

  1. Log onto the server using RDP.
  2. Open a PowerShell prompt as Administrator and execute the following:

    New-SelfSignedCertificate -DnsName <your_server_dns_name_or_whatever_you_like> -CertStoreLocation Cert:\LocalMachine\My

  3. Copy the certificate thumbprint returned by the command to the clipboard:

Configure WinRM to listen on 5986

By default WinRM is configured with an HTTP listener on 5985. We need to add an HTTPS listener on 5986 and bind the certificate to it.

  1. Open a command prompt window as Administrator (not PowerShell: PowerShell would parse the @{...} argument as a hashtable literal instead of passing it to winrm as text)
  2. Run the following command, pasting your new certificate's thumbprint into the command (all on one line):

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<your_server_dns_name_or_whatever_you_like>"; CertificateThumbprint="<certificate_thumbprint_from_powershell>"}

winrm should report ResourceCreated, followed by the address of the new listener.
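The three server-side steps above (firewall rule, certificate, HTTPS listener) combined into a single elevated PowerShell script. This is an added example, not code from the original post. It uses New-WSManInstance in place of the winrm.cmd call, goes a little further than the post by limiting the firewall rule to the client's IP and exporting the certificate so the client can trust it, and the DNS name and client IP in it are placeholders.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the Windows Server VM. Both values below are assumed placeholders.
$DnsName  = "myvm.westeurope.cloudapp.azure.com"   # assumed DNS name of the VM
$ClientIp = "203.0.113.10"                         # assumed public IP of the client

# 1. Make sure the WinRM service is running and configured.
Enable-PSRemoting -Force | Out-Null

# 2. Windows Firewall: allow TCP 5986 inbound, but only from the client's address.
#    The NSG already limits the source at the Azure edge; restricting it here too costs nothing.
if (-not (Get-NetFirewallRule -DisplayName "WinRM HTTPS" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -RemoteAddress $ClientIp -Action Allow -Profile Any | Out-Null
}

# 3. Self-signed certificate in the machine store. Its DNS name must match the name the
#    client connects to, otherwise the client has to use -SkipCNCheck.
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My

# 4. Remove any existing HTTPS listener, then create one bound to the new certificate.
#    This is the PowerShell equivalent of
#    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=...;CertificateThumbprint=...}
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" } |
    Remove-Item -Recurse -Force

New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = "*"; Transport = "HTTPS" } `
    -ValueSet   @{ Hostname = $DnsName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# 5. Verify: the listener should show Transport=HTTPS, Port=5986 and the thumbprint just created.
$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" }
Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
    Where-Object { $_.Name -in @("Transport", "Port", "Hostname", "CertificateThumbprint") } |
    Format-Table Name, Value -AutoSize

# 6. Export the public certificate (no private key) so the client can add it to its
#    trusted root store instead of skipping the CA check.
Export-Certificate -Cert $cert -FilePath "C:\winrm-$DnsName.cer" | Out-Null
```

The thumbprint printed in step 5 is the value the client should compare against before importing the exported .cer file; if the two differ, the listener is bound to some other certificate and the client's trust decision would be wrong.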
Connect from the client PC

To connect from the client PC open a PowerShell prompt and execute the following, using your server's IP address or DNS name and the local admin username. You will be prompted for the password. Note that because we are using a self-signed certificate I have skipped the Certification Authority (CA) check, and because I am connecting by IP address I have also skipped the Common Name (CN) check. With both checks skipped the client no longer verifies who it is talking to: the session is still encrypted, but anything that can intercept the traffic could impersonate the server, so this is only appropriate for a quick test. For anything longer lived, import the server's certificate into the client's Trusted Root store (or use a publicly trusted certificate), connect using the DNS name in the certificate, and drop both switches. Because the connection uses HTTPS, the server does not need to be added to the client's TrustedHosts list.

$so = New-PSSessionOption -SkipCACheck -SkipCNCheck

Enter-PSSession -ComputerName <ip_address_or_dns_name_of_server> -Credential <local_admin_username> -UseSSL -SessionOption $so

The prompt now shows the remote computer name in square brackets, for example:

[<ip_address_or_dns_name_of_server>]: PS C:\Users\<local_admin_username>\Documents>
You can now execute commands on your remote server!
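The client side done without the skip switches, as an added example that is not part of the original post: the NSG rule is added with the Az PowerShell module instead of the portal, the server's exported certificate is imported into the client's trusted root store, and the connection is then validated end to end. The resource group, NSG name, DNS name, certificate path, client IP and user name are placeholders, and the Az module is assumed to be installed and already logged in with Connect-AzAccount.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt
# on the client workstation. All values below are assumed placeholders.
$ResourceGroup = "rg-winrm-test"
$NsgName       = "myvm-nsg"
$DnsName       = "myvm.westeurope.cloudapp.azure.com"   # must match the certificate's DnsName
$CerFile       = "C:\Temp\winrm-myvm.cer"                # exported on the server, copied here
$MyIp          = "203.0.113.10"                          # this client's public IP
$AdminUser     = "adminuser"                             # local administrator on the VM

# 1. NSG rule: allow TCP 5986 from this client only (the portal steps, as Az cmdlets).
$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
if (-not ($nsg.SecurityRules | Where-Object { $_.Name -eq "WinRM_HTTPS" })) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name "WinRM_HTTPS" -Priority 1010 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix "$MyIp/32" -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 5986 |
        Set-AzNetworkSecurityGroup | Out-Null
}

# 2. Trust the server's self-signed certificate. Print subject and thumbprint first so they
#    can be compared with what the server reported before the certificate is trusted machine-wide.
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
"Importing $($serverCert.Subject) with thumbprint $($serverCert.Thumbprint)"
Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Check the listener answers over TLS before opening a session. Test-WSMan validates the
#    server certificate the same way Enter-PSSession does, so a CA or name mismatch fails here.
Test-WSMan -ComputerName $DnsName -UseSSL -ErrorAction Stop | Out-Null

# 4. Connect by DNS name with full certificate validation; no -SessionOption needed.
$cred = Get-Credential -UserName $AdminUser -Message "Local administrator on the VM"
Enter-PSSession -ComputerName $DnsName -Credential $cred -UseSSL
```

If step 3 fails with a certificate error while the post's -SkipCACheck -SkipCNCheck command still works, the problem is trust rather than connectivity: either the .cer was not imported into LocalMachine\Root or the name in $DnsName does not match the DnsName the certificate was issued for.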

7 Comments

  1. Pete Cossack

    Good guide thanks! PS: you can always import the cert in your workstation's trust store, if you don't want to be bothered with '-SkipCACheck -SkipCNCheck' session option.

    Reply
  2. Conrad

    Thanks! This was very helpful .. I had to pass the session options a little differently because for whatever reason it didn't work when I used your command above.

    Enter-PSSession -ComputerName 3.156.45.215 -Credential Administrator -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)


    Reply
  3. Pingback: PowerShell and Azure – Video | Jon Grassley

  4. Gunjan

    Hi,

    thanks for your blog. I executed each step but I am getting this error when I try to connect to my Azure VM from my client.

    PS C:\WINDOWS\system32> Enter-PSSession -ComputerName 100.78.64.17 -Credential gunjain -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
    Enter-PSSession : Connecting to remote server 100.78.64.17 failed with the following error message : WinRM cannot complete
    the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that
    a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall
    exception for public profiles limits access to remote computers within the same local subnet. For more information, see the
    about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName 100.78.64.17 -Credential gunjain -UseSS ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (100.78.64.17:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    Reply
  5. Ram

    Thanks , This was useful for one of my Azure File Copy VSTS Tasks…


    Reply
  6. AKP

    Thanks for the useful tip, but what if I need to configure it for a bunch of servers, approx. 200 servers? Do I need to follow these steps manually? That would be a very tedious task. Please suggest.

    Reply
    1. Marcus (Post author)
