Basically I use these 3 steps to implement WinRM HTTPS:
1. Setup certificate for WinRM HTTPS via GPO:
https://www.darkoperator.com/blog/2015/3/24/bdvjiiw1ybzfdjulc5pprgpkm8os0b
2. Enable WSMan Service and Windows Firewall for WinRM HTTPS via GPO:
https://greencircle.vmturbo.com/docs/DOC-3324-wsmanwinrm-over-https-service-configuration
3. Create WinRM HTTPS Listener via SCCM Compliance Rule:
Discover script:
# WinRM HTTPS Remediation Discover Script
# Rui Qiu
# v2.0
# 6/19/2020
# 3/12/2021
#$Result = winrm enumerate winrm/config/listener | Select-String -Pattern “Transport = HTTPS” -CaseSensitive
#$Result = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Where-Object {$_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.NotAfter -lt “3/5/2023”}
$cert1 = winrm enumerate winrm/config/listener | Select-String -Pattern “CertificateThumbprint = ” -CaseSensitive | Out-String
$cert1 = $cert1.trim().substring(24)
$cert2 = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}}
$cert2 = $cert2.Thumbprint
if($cert1 -eq $cert2)
{$Compliance = “Yes”}
Else
{$Compliance = “No”}
$Compliance
Remediation script:
# WinRM HTTPS
# Rui Qiu
# v1.1
# 06192020
# 03102021
# Check for old cert
$Result = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Where-Object {$_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.NotAfter -lt “3/5/2023”}
if ($Result -ne $null)
{write-host “Removing old cert”
Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Remove-Item
gpupdate /force
}
Else
{write-host “You have the lastest cert”}
# Define variables
$pc = hostname
$sub = ‘CN=' + $pc + ‘.corp.lan'
#$thumbprint = get-childitem cert:\localmachine\my | where-object {$_.EnhancedKeyUsageList -like “*Server Authentication*”} | where-object {$_.Subject -eq $sub} | Select-Object Thumbprint
#$thumbprint = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Select Thumbprint
# Start WinRM Service
# Set-Service -Name “WinRM” -StartupType Automatic -Status Running
# Remove any existing WinRM HTTPS listener
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
# Set up WinRM HTTPS Listener
#New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint.Thumbprint –Force
WinRM quickconfig -transport:https -quiet
Troubleshooting
1. Verify is WinRM HTTPS is working
Enter-PSSession -Cn ComputerName -UseSSL
2. Check the listener and see if it is running
WinRM e winrm/config/listener
3. Check port connection
Test-NetConnection -ComputerName remote_computer_name -port 5986
4. Check WinRM HTTPS connection
Test-WSMan -UseSSL -ComputerName remote_computer_name
Update:
There is also another option to deploy the WinRM HTTPS listener: instead of using SCCM compliance rule, we can create a task scheduler in GPO and run a PowerShell script to do that.