Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2024/01/30 06:51] erbenr
tutorial:adm:configuration_-_winrm [2024/11/21 09:04] (current) – [Check if Winrm is running] erbenr
Line 9: Line 9:
 <code powershell> <code powershell>
 Test-WSMan Test-WSMan
 +
  
 </code> </code>
Line 15: Line 16:
  
 If you get some error then you need to do the [[https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management#quick-default-configuration|quick default configuration]] If you get some error then you need to do the [[https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management#quick-default-configuration|quick default configuration]]
 +<code>
 +
 +winrm quickconfig
 +
 +</code>
  
 Now execute the first command again and it should without error now. Now execute the first command again and it should without error now.
 +
  
 ===== Show current configuration ===== ===== Show current configuration =====
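Review bot: the added `winrm quickconfig` block opens with a bare `<code>`, while every other command block on the page uses `<code powershell>`; tag it the same way. The sentence after it, "it should without error now", is missing its verb ("should run without error"). Since quickconfig is the step that actually changes the host, a line saying what it turns on (the WinRM service, a listener and a firewall exception) would help the reader who is about to run it.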
Line 92: Line 99:
  
 <code powershell> <code powershell>
-winrm set winrm/config/service/auth '@{CredSSP="true"}'===  === +winrm set winrm/config/service/auth '@{CredSSP="true"}'
-{{.:winrm_wmi2.png?400|Level 4 Headline}}+
 winrm set winrm/config/client/auth '@{CredSSP="true"}' winrm set winrm/config/client/auth '@{CredSSP="true"}'
 Enable-WSManCredSSP -Role Server Enable-WSManCredSSP -Role Server
- 
 </code> </code>
- 
 ===== Permission configuration ===== ===== Permission configuration =====
  
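Review bot: `winrm set winrm/config/service/auth '@{CredSSP="true"}'` on the first line and `Enable-WSManCredSSP -Role Server` on the third both switch on CredSSP for the service side; keep one of them or add a comment saying why both are run. The blank line between `</code>` and the `Permission configuration` heading is also dropped here, unlike the other sections.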
Line 107: Line 111:
 Assign user into group Set WMI access for group. Assign user into group Set WMI access for group.
  
-* Computer Management → Services and Application → right click WMI Control → Properties * In new dialog window → tab Security → Root → CIMV2 and click button Security * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) here * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable * Click on Advanced - select and edit group → Set "Applies to" This namespace and subnamespaces * Confirm all changes in dialog windows and close them+  * Computer Management → Services and Application → right click WMI Control → Properties  
 +  * In new dialog window → tab Security → Root → CIMV2 and click button Security 
 +  * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) here 
 +  * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable 
 +  * Click on Advanced - select and edit group → Set "Applies to" This namespace and subnamespaces 
 +  * Confirm all changes in dialog windows and close them
  
 {{.:winrm_wmi.png?nolink&600}}{{.:winrm_wmi2.png?nolink&800}} {{.:winrm_wmi.png?nolink&600}}{{.:winrm_wmi2.png?nolink&800}}
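Review bot: the context line above the new list, "Assign user into group Set WMI access for group.", still runs two steps together the same way the old list did; split it into two lines in this change. The first five new bullets end in trailing spaces. `WinRMRemoteWMIUsers\_\_` keeps the escaped underscores from the old text; check that it renders as the actual group name `WinRMRemoteWMIUsers__`.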
Line 118: Line 127:
 </code> </code>
  
-{{.:winrm_sddl.png?nolink&400}}* Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) and give it Full Control * Confirm changes Restart WinRM+{{.:winrm_sddl.png?nolink&400}} 
 +  * Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) and give it Full Control 
 +  * Confirm changes Restart WinRM
  
 <code powershell> <code powershell>
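Review bot: the last new bullet, "Confirm changes Restart WinRM", merges the final dialog step with the lead-in for the code block that follows; end the bullet at "Confirm changes" and put "Restart WinRM" on its own line above `<code powershell>`. "give it Full Control" is the only permission named for the group; state why Full Control is needed, or list the narrower rights if they are enough.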
Line 214: Line 225:
 </code> </code>
  
-To turn the credentials delegation on. Open Group policy setting and navigate to Computer ConfigurationAdministrative templateWindows ComponentsWindows Remote Management (WinRM)WinRM Service.+To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation.
  
 The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. The correct value is WSMAN/SPN of your server. For example The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. The correct value is WSMAN/SPN of your server. For example
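Review bot: the sentence carrying the corrected path is still split in two, "To turn the credentials delegation on. Open Group policy setting and navigate to ..."; join it into one sentence ("To turn credentials delegation on, open the Group Policy settings and navigate to ..."). The new path itself matches the AllowFreshCredentials setting named in the next paragraph.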
Line 315: Line 326:
 <code powershell> <code powershell>
 $pathToCertificate="C:\Users\Administrator.ZOO\Desktop\certificate"  ## Specify your preferred location for export $pathToCertificate="C:\Users\Administrator.ZOO\Desktop\certificate"  ## Specify your preferred location for export
-$hostname='bear.zoo.bcv' #hostname your machine+$hostname='ad.idstory.idm' #hostname your machine
 $params = @{ $params = @{
     Subject = "CN=winrm.$hostname"     Subject = "CN=winrm.$hostname"
-    DnsName = 'bear.zoo.bcv'+    DnsName = 'ad.idstory.idm'
     CertStoreLocation = 'Cert:\LocalMachine\My' #Certificate for WinRM, must be in stored in Local Computers     CertStoreLocation = 'Cert:\LocalMachine\My' #Certificate for WinRM, must be in stored in Local Computers
     KeyExportPolicy ='Exportable'      KeyExportPolicy ='Exportable' 
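Review bot: `DnsName` is still a hard-coded literal that repeats `$hostname`, so this change had to edit the name in two places; set `DnsName = $hostname` so the two cannot drift apart. The Subject is built as `CN=winrm.$hostname` while the DNS name is the bare host name, so the comment should say which of the two names clients are expected to connect to.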
Line 327: Line 338:
 } }
  
-#$cert = New-SelfSignedCertificate -Subject "CN=bear.zoo.bcv" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256    ## Replace {certificateName} 
 $cert = New-SelfSignedCertificate @params $cert = New-SelfSignedCertificate @params
 Export-Certificate -Cert $cert -FilePath "$pathToCertificate\$hostname.cer"  Export-Certificate -Cert $cert -FilePath "$pathToCertificate\$hostname.cer" 
Line 346: Line 356:
 </code> </code>
  
-Restart WinRM+Create firewall rule for WinRM HTTPS: 
 +<code powershell> 
 +New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP 
 +</code>
  
 +Restart WinRM
 <code powershell> <code powershell>
 Restart-Service winrm Restart-Service winrm
- 
 </code> </code>
  
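Review bot: the new rule is created with `-Profile Any` and no `-RemoteAddress`, so port 5986 is opened on the Public profile and to every source address; limit it to the profiles and management hosts that need it, for example `-Profile Domain,Private -RemoteAddress <management host or subnet>`. The rule also relies on the cmdlet defaults for direction and action; writing `-Direction Inbound -Action Allow` makes the intent visible. "Restart WinRM" now sits directly on top of `<code powershell>` with no blank line, unlike the other sections.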
Line 356: Line 369:
  
  
 +===== Powershell 7 support =====
 +
 +Install powershell 7: https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4#installing-the-msi-package
 +
 +Run app ''C:\Program Files\PowerShell\7\pwsh.exe'' and execute
 +<code powershell>
 +Enable-PSRemoting 
 +</code>
  
  
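Review bot: the new section says to run `pwsh.exe` and execute `Enable-PSRemoting` but not that the session has to be elevated; add "as Administrator" to the run step. The install link is pinned to `view=powershell-7.4`, which will go stale; linking without the version parameter avoids that. The heading and text spell the product "Powershell"/"powershell"; the name is "PowerShell".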
  • by erbenr