Implement WinRM HTTPS by GPO and SCCM

Basically I use these 3 steps to implement WinRM HTTPS:

1. Setup certificate for WinRM HTTPS via GPO:
https://www.darkoperator.com/blog/2015/3/24/bdvjiiw1ybzfdjulc5pprgpkm8os0b

2. Enable WSMan Service and Windows Firewall for WinRM HTTPS via GPO:
https://greencircle.vmturbo.com/docs/DOC-3324-wsmanwinrm-over-https-service-configuration

3. Create WinRM HTTPS Listener via SCCM Compliance Rule:

Discover script:

# WinRM HTTPS Remediation Discover Script
# Rui Qiu
# v2.0
# 6/19/2020
# 3/12/2021

#$Result = winrm enumerate winrm/config/listener | Select-String -Pattern “Transport = HTTPS” -CaseSensitive
#$Result = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Where-Object {$_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.NotAfter -lt “3/5/2023”}

$cert1 = winrm enumerate winrm/config/listener | Select-String -Pattern “CertificateThumbprint = ” -CaseSensitive | Out-String
$cert1 = $cert1.trim().substring(24)

$cert2 = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}}
$cert2 = $cert2.Thumbprint

if($cert1 -eq $cert2)
{$Compliance = “Yes”}
Else
{$Compliance = “No”}

$Compliance

Remediation script:

# WinRM HTTPS
# Rui Qiu
# v1.1
# 06192020
# 03102021

# Check for old cert

$Result = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Where-Object {$_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.NotAfter -lt “3/5/2023”}

if ($Result -ne $null)
{write-host “Removing old cert”
Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Remove-Item
gpupdate /force
}
Else
{write-host “You have the lastest cert”}

# Define variables
$pc = hostname
$sub = ‘CN=' + $pc + ‘.corp.lan'
#$thumbprint = get-childitem cert:\localmachine\my | where-object {$_.EnhancedKeyUsageList -like “*Server Authentication*”} | where-object {$_.Subject -eq $sub} | Select-Object Thumbprint
#$thumbprint = Get-ChildItem Cert:\LocalMachine\my | Where-Object {$_.Extensions | Where-Object {$_.oid.friendlyname -match “Certificate Template Information” -and $_.Format(0) -like “*Web Server – Auto*”}} | Select Thumbprint

# Start WinRM Service
# Set-Service -Name “WinRM” -StartupType Automatic -Status Running

# Remove any existing WinRM HTTPS listener
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

# Set up WinRM HTTPS Listener
#New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint.Thumbprint –Force
WinRM quickconfig -transport:https -quiet

 

Troubleshooting

1. Verify is WinRM HTTPS is working

Enter-PSSession -Cn ComputerName -UseSSL

 

2. Check the listener and see if it is running

WinRM e winrm/config/listener

3. Check port connection

Test-NetConnection -ComputerName remote_computer_name -port 5986

4. Check WinRM HTTPS connection

Test-WSMan -UseSSL -ComputerName remote_computer_name

 

Update:

There is also another option to deploy the WinRM HTTPS listener: instead of using SCCM compliance rule, we can create a task scheduler in GPO and run a PowerShell script to do that.

Leave a Comment