I have already set up a Certificate Authority (CA) on my Domain Controller and also have the GPOs set up to issue certificates.
So if the machine has a valid certificate, use the following PowerShell commands to enable WinRM over HTTPS.
# Get FQDN and certificate thumbprint
$hostname = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
# Several certificates may carry this CN (e.g. after renewal); take the newest one
# and escape the FQDN so the dots are matched literally
$thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($hostname))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw "No certificate for $hostname found in Cert:\LocalMachine\My" }
# Create HTTPS listener bound to that certificate and open the port
Invoke-Expression "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$hostname`"; CertificateThumbprint=`"$thumbprint`"}'"
New-NetFirewallRule -Name "WinRM HTTPS" -DisplayName "WinRM HTTPS" -Protocol TCP -LocalPort 5986 -Action Allow
# Verify listener
winrm enumerate winrm/config/listener
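A stricter version of the same steps, added here as an example rather than the post's own script: it only accepts a certificate that has a private key, is unexpired, carries the Server Authentication EKU, names this host in its subject or SAN and chains to a root this machine trusts; it creates the listener through the WSMan: drive instead of Invoke-Expression, re-points an existing HTTPS listener at a newer certificate, and limits the firewall rule to the Domain profile. The variable names and the firewall rule name are this example's own, and the WSMan: provider layout it relies on (one item per listener with a Keys array such as {Transport=HTTPS, Address=*} and a CertificateThumbprint child item) is assumed from the provider's documented behaviour.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own script. Assumes a domain-joined host with a
# machine certificate issued by the AD CS CA described above. Variable names and
# the firewall rule name are this example's own.
$ErrorActionPreference = 'Stop'

$fqdn          = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)

# Only certificates a WinRM client will accept: private key present, unexpired,
# Server Authentication EKU, and a name that matches this host's FQDN.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.Subject -match ('CN=' + [regex]::Escape($fqdn) + '(,|$)') -or
     $_.DnsNameList.Unicode -contains $fqdn)
}

# Prefer the longest-lived candidate whose chain builds to a trusted root.
$cert = $candidates | Where-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.Build($_)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No trusted Server Authentication certificate for $fqdn in Cert:\LocalMachine\My"
}

# Create the HTTPS listener, or re-bind an existing one to the selected certificate.
# Assumed provider layout: WSMan:\localhost\Listener\<item>\CertificateThumbprint.
$listenerRoot = 'WSMan:\localhost\Listener'
$https = Get-ChildItem -Path $listenerRoot |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1

if (-not $https) {
    New-Item -Path $listenerRoot -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -HostName $fqdn -Force | Out-Null
    Write-Host "Created HTTPS listener bound to $($cert.Thumbprint)"
} else {
    $boundPath = "$listenerRoot\$($https.Name)\CertificateThumbprint"
    $bound = (Get-Item -Path $boundPath).Value -replace '\s', ''
    if ($bound -ne $cert.Thumbprint) {
        Set-Item -Path $boundPath -Value $cert.Thumbprint -Force
        Write-Host "Re-bound HTTPS listener from $bound to $($cert.Thumbprint)"
    }
}

# Inbound 5986 only on the Domain profile, so the port is not exposed when the
# machine sits on a public or private network.
$ruleName = 'WinRM-HTTPS-Domain'
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName -DisplayName 'WinRM HTTPS (Domain profile)' `
        -Direction Inbound -Protocol TCP -LocalPort 5986 -Profile Domain -Action Allow | Out-Null
}

# Report the final state. The GPO-sourced HTTP listener is still listed because
# removing it is a Group Policy change, not something to do locally here.
Get-ChildItem -Path $listenerRoot | ForEach-Object {
    $props = Get-ChildItem -Path "$listenerRoot\$($_.Name)"
    [pscustomobject]@{
        Transport  = ($props | Where-Object Name -eq 'Transport').Value
        Port       = ($props | Where-Object Name -eq 'Port').Value
        Hostname   = ($props | Where-Object Name -eq 'Hostname').Value
        Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
} | Format-Table -AutoSize
```

Run it elevated on the host itself; rerunning is safe because it reads the existing HTTPS listener before creating one, and after a certificate renewal it simply re-binds the listener to the new thumbprint.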
To check, run:
winrm enumerate winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.1.6

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = syswin01.ad.mitsuk.com
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = DD99350AB160A749A684E6A5BD4DAA4F4D5D0793
    ListeningOn = 127.0.0.1, 192.168.1.6
PS C:\Users\adjoin> Test-WSMan -ComputerName "syswin01.ad.mitsuk.com"
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
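Test-WSMan without -UseSSL, as run above, talks to the HTTP listener on 5985, so it does not exercise the new HTTPS listener at all, and without -Authentication the Identify call is unauthenticated, which is why ProductVersion comes back as OS: 0.0.0. The following added example (not from the original post) checks the HTTPS side from a domain-joined client: it opens a TLS connection to 5986, reports which certificate the listener actually serves and whether this client trusts it, compares the thumbprint with the one from the listener output above, then runs an authenticated Test-WSMan and a one-line Invoke-Command over SSL. The target name and expected thumbprint are taken from the post's own output; the function name is this example's own.

```powershell
# Added example, not from the original post. Checks the HTTPS listener from a client.
# Target name and expected thumbprint come from the listener output above; the
# function name is this example's own.
$target   = 'syswin01.ad.mitsuk.com'
$expected = 'DD99350AB160A749A684E6A5BD4DAA4F4D5D0793'

function Get-WinRmTlsCertificate {
    # Opens a raw TLS session to the listener and returns what it served, together
    # with this client's chain-validation verdict, without aborting on an untrusted cert.
    param([string]$ComputerName, [int]$Port = 5986)
    $script:tlsErrors = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # The callback records the verdict and returns $true so the handshake completes.
        $callback = { param($sender, $cert, $chain, $sslErrors) $script:tlsErrors = $sslErrors; $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject     = $served.Subject
            Issuer      = $served.Issuer
            Thumbprint  = $served.Thumbprint
            NotAfter    = $served.NotAfter
            Protocol    = $ssl.SslProtocol
            ChainErrors = $script:tlsErrors
        }
    } finally {
        $tcp.Close()
    }
}

$tls = Get-WinRmTlsCertificate -ComputerName $target
$tls | Format-List

if ($tls.Thumbprint -ne $expected) {
    Write-Warning "Listener serves $($tls.Thumbprint), not the configured $expected"
}
if ("$($tls.ChainErrors)" -ne 'None') {
    Write-Warning "This client does not trust the served certificate: $($tls.ChainErrors)"
}

# Identify over TLS. -Authentication Default makes it an authenticated call (Kerberos
# as the current domain user), so OS and Stack versions come back populated instead
# of OS: 0.0.0 as in the unauthenticated HTTP check above.
Test-WSMan -ComputerName $target -UseSSL -Port 5986 -Authentication Default

# Finally, a real remote command through the HTTPS listener; the connection string
# reported by the remote side confirms it arrived over https on 5986.
Invoke-Command -ComputerName $target -UseSSL -Port 5986 -ScriptBlock {
    "$env:COMPUTERNAME via $($PSSenderInfo.ConnectionString)"
}
```

A thumbprint mismatch usually means the listener is still bound to a certificate that has since been renewed; a chain error on the client means the issuing CA is not in this client's trusted roots, which is what the CA GPO in the first paragraph is meant to take care of.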