

Configuration of WinRM

This tutorial goes through the WinRM configuration that is necessary for using the WinRM connector.

WinRM, or Windows Remote Management, is a remote management protocol that uses the Simple Object Access Protocol (SOAP) to interface with remote computers and servers, as well as operating systems and applications. WinRM is also a command-line tool.

Test-WSMan

The output should be the following:

If you get an error, you need to do the quick default configuration.

Now execute the first command again; it should run without error.

Display the WinRM listeners. This shows useful information about the port, address, … on which WinRM is listening for incoming connections. After the quick config you will probably see only one listener, for HTTP.

winrm e winrm/config/listener

Display the current WinRM configuration:

winrm get winrm/config

Show the SDDL setting. This command opens a dialog window:

winrm configSDDL default

Auth method   Type of user    Credential delegation   Message encryption
Basic         local           no                      no
NTLM          local, domain   no                      yes
Kerberos      domain          yes                     yes
CredSSP       local, domain   yes                     yes

You can configure the trusted hosts which will be able to connect. If you don't want to specify particular hosts, use the wildcard, which trusts every host:

winrm set winrm/config/client @{TrustedHosts="*"}

We can use several methods for authentication.

  • Basic - the second command allows unencrypted data transfer, so using it with HTTP is not recommended. For testing purposes it's OK.
    winrm set winrm/config/service/auth @{Basic="true"}
    winrm set winrm/config/service @{AllowUnencrypted="true"}
  • NTLM
    winrm set winrm/config/service/auth @{Negotiate="true"}
  • Kerberos
    winrm set winrm/config/service/auth @{Kerberos="true"}
  • CredSSP
    winrm set winrm/config/service/auth @{CredSSP="true"}
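
A read-only check of the settings changed above, as an added example that is not part of the original tutorial. It reads the built-in WSMan: provider drive and the listener list, then reports Basic authentication combined with AllowUnencrypted, Basic without an HTTPS listener, and a wildcard TrustedHosts. The function names Get-WinRMValue and Test-WinRMTestOnlySettings are hypothetical; the script assumes an elevated PowerShell session on the configured host.

```powershell
# Added example (not from the original tutorial). Read-only: changes nothing.
# Assumes an elevated PowerShell session and a running WinRM service.

function Get-WinRMValue {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # The WSMan: drive exposes the same tree as "winrm get winrm/config".
    (Get-Item -Path "WSMan:\localhost\$Path").Value
}

function Test-WinRMTestOnlySettings {   # hypothetical name
    $findings = New-Object 'System.Collections.Generic.List[string]'

    $basic       = (Get-WinRMValue 'Service\Auth\Basic') -eq 'true'
    $unencrypted = (Get-WinRMValue 'Service\AllowUnencrypted') -eq 'true'
    $trusted     = Get-WinRMValue 'Client\TrustedHosts'

    # Same data as "winrm e winrm/config/listener".
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
    $hasHttps  = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' }).Count -gt 0

    if ($basic -and $unencrypted) {
        # Basic has no message encryption (see the table), so this is clear text.
        $findings.Add('Basic + AllowUnencrypted=true: credentials and data are sent unencrypted over HTTP.')
    }
    elseif ($basic -and -not $hasHttps) {
        $findings.Add('Basic is enabled but no HTTPS listener exists; Basic has no message encryption of its own.')
    }

    if ($trusted -eq '*') {
        $findings.Add('Client TrustedHosts is "*": every remote host is trusted without server authentication.')
    }

    [pscustomobject]@{
        Listeners        = $listeners | ForEach-Object { '{0}:{1}' -f $_.Transport, $_.Port }
        Basic            = $basic
        AllowUnencrypted = $unencrypted
        TrustedHosts     = $trusted
        Findings         = $findings
    }
}

Test-WinRMTestOnlySettings | Format-List
```

An empty Findings list means none of the three conditions is present; NTLM, Kerberos and CredSSP are not flagged because the table lists them as providing message encryption.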

Now we need to set the right permissions. This is tested against NTLM, Kerberos and CredSSP authentication, with a local user + group and with a domain user + group. For the following steps you can use one of these groups: WinRMRemoteWMIUsers__ or Remote Management Users. It should work with both.

Assign the user to the group.

Set WMI access for group.

  • Computer Management → Services and Applications → right-click WMI Control → Properties
  • In the new dialog window → Security tab → Root → CIMV2, then click the Security button
  • Another dialog window will appear - you need to add the group here
  • Select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable
  • Click on Advanced - select and edit the group → set "Applies to" to This namespace and subnamespaces
  • Confirm all changes in the dialog windows and close them

Set SDDL

  • winrm configSDDL default
  • Add the group and give it Full Control
  • Confirm the changes

Restart WinRM

Restart-Service winrm

by kucerar