How to configure WinRM for HTTPS manually

May 21, 2016 |

Twitter Facebook Linkedin Email WhatsApp

In this post we will see how you can configureWinRM (Windows Remote Management) service to work with HTTPS manually.

Configuring for HTTPS involves following steps.

Check whether WinRM service is running
Create HTTPS listener
Add firewall exception
Validate HTTPS listener
Verify you can connect to the machine via HTTPS

For the demo purposes I have built a new VM using AzureDevTestLab. We will perform the above steps in this VM and enable it for HTTPS communication.

Check whether WinRM service is running

WinRM is installed by default in all supported Windows machines. Ensure that service is inrunning state inservices.

Service Status

Create HTTPS listener

By default when you runwinrm quickconfig command WinRM is only configured for HTTP (port 5985). You can check already registered listeners by running following command.

WinRM e winrm/config/listener

You will see output like below.

WinRM Listener

To enable HTTPS for WinRM, you need to open port 5986 and add HTTPS listener in the VM.

Before we start doing that, we will first need to create a self-signed certificate and get its thumbprint. To create a self signed certificate we can use eithermakecert command or aNew-SelfSignedCertificate powershell commandlet. I am using powershell commandlet here. Open your powershell window inAdminstrator mode and run the below command.

New-SelfSignedCertificate-DnsName"<YOUR_DNS_NAME>"-CertStoreLocationCert:\LocalMachine\My

This command will create a new self signed certificate and output the certificate thumbprint.

WinRM Self Signed Certificate

DNS name used in the above command is your machine hostname and for Aure portal VM’s you can get it from the portal from VM properties.

WinRM DNS Name

Copy the thumbprint to clipboard and run the following command. This command will register the HTTPS listener in WinRM

winrmcreatewinrm/config/Listener?Address=*+Transport=HTTPS'@{Hostname="<YOUR_DNS_NAME>"; CertificateThumbprint="<COPIED_CERTIFICATE_THUMBPRINT>"}'

You will see output as below.

WinRM HTTPS Listener

Add firewall exception

Via Firewall applet from Control Panel

OpenWindows Firewall from Control Panel
Go toInbound Rules then clickNew Rule
This will open the wizard

WinRM Firewall Wizard

Select Port and then TCP
Enter port as5986

WinRM Firewall Port

In the next screens selectAllow the connection
In the profile page check all the checkboxes.
Finally give a name to the rule.

Via command

You can also do the same operation and add firwall exception for port5986 by running the following command in powershell console asAdministrator.

# Add a new firewall ruleport=5986netshadvfirewallfirewalladdrulename="Windows Remote Management (HTTPS-In)"dir=inaction=allowprotocol=TCPlocalport=$port

WinRM Firwall Port Add

Validate HTTPS listener

You can verify listener you added by running the same command you used above -WinRM e winrm/config/listener. This will show the new HTTP listener now along with previous HTTPS listener.

WinRM HTTPS Listener

Verify you can connect to the machine via HTTPS

We have done with your WinRM configuration and now we need to verify we can connect to this VM using HTTPS.

Run the following commands in powershell window asAdministrator

$hostName="<DNS_NAME>"# example: "mywindowsvm.westus.cloudapp.azure.com"$winrmPort="5986"# Get the credentials of the machine$cred=Get-Credential# Connect to the machine$soptions=New-PSSessionOption-SkipCACheckEnter-PSSession-ComputerName$hostName-Port$winrmPort-Credential$cred-SessionOption$soptions-UseSSL

On entering the last command, you will be logged in to remote machine’s powershell session. As you can see in the screenshot below, you are connected and you can get the items from the remote virtual machine.

WinRM Validate