Implement WinRM HTTPS by GPO and SCCM

These are the three steps I use to implement WinRM HTTPS:

1. Set up the certificate for WinRM HTTPS via GPO (autoenrollment from a Web Server template):

https://www.darkoperator.com/blog/2015/3/24/bdvjiiw1ybzfdjulc5pprgpkm8os0b

2. Enable the WinRM (WSMan) service and the Windows Firewall rule for WinRM HTTPS (TCP 5986) via GPO:

https://greencircle.vmturbo.com/docs/DOC-3324-wsmanwinrm-over-https-service-configuration

3. Create the WinRM HTTPS listener via an SCCM compliance rule (discovery script decides compliance, remediation script binds the listener to the enrolled certificate):

Discovery script:

# WinRM HTTPS Remediation Discover Script
# Rui Qiu
# v1.0
# 6/19/2020

# Compliant when at least one listener reports Transport = HTTPS
$Result = winrm enumerate winrm/config/listener | Select-String -Pattern "Transport = HTTPS" -CaseSensitive

if ($null -ne $Result)
{$Compliance = "Yes"}
Else
{$Compliance = "No"}
$Compliance


Remediation script:

# WinRM HTTPS
# Rui Qiu
# v1.0
# 06192020

# Certificates issued from the autoenrollment template are identified by the
# "Certificate Template Information" extension. The display name must match the
# template exactly (plain hyphen here; a word-processor en dash will not match).
$TemplateFilter = {
    $_.Extensions | Where-Object {
        $_.Oid.FriendlyName -match "Certificate Template Information" -and
        $_.Format($false) -like "*Web Server - Auto*"
    }
}

# Check for old cert (issued before the template was changed; cut-off date is hard-coded)
$Result = Get-ChildItem Cert:\LocalMachine\My | Where-Object $TemplateFilter |
    Where-Object { $_.NotAfter -lt [datetime]"08/22/2022" }

if ($null -ne $Result)
{Write-Host "Removing old cert"
Get-ChildItem Cert:\LocalMachine\My | Where-Object $TemplateFilter | Remove-Item
gpupdate /force   # triggers autoenrollment of a replacement certificate
}
Else
{Write-Host "You have the latest cert"}

# Define variables
$pc = hostname
$sub = 'CN=' + $pc + '.corp.lan'
#$thumbprint = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.EnhancedKeyUsageList -like "*Server Authentication*"} | Where-Object {$_.Subject -eq $sub} | Select-Object -ExpandProperty Thumbprint

# Take the newest template certificate only: if two are present, passing an array
# of thumbprints to New-Item fails.
$thumbprint = Get-ChildItem Cert:\LocalMachine\My | Where-Object $TemplateFilter |
    Sort-Object NotAfter -Descending | Select-Object -First 1 -ExpandProperty Thumbprint

if (-not $thumbprint)
{Write-Host "No certificate from the template found; listener not created"
exit 1}

# Start WinRM Service (handled by the GPO in step 2; uncomment for standalone use)
# Set-Service -Name "WinRM" -StartupType Automatic -Status Running

# Remove any existing WinRM HTTPS listener (prints an error, harmlessly, if none exists)
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

# Set up WinRM HTTPS Listener bound to the selected certificate
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint -Force
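The three steps above rely on the step-2 GPO for the service and firewall state that the listener needs. The function below is an added example, not a script from the original post: it applies and reports the same baseline locally, which is useful on a lab host before the GPO is linked or to confirm what the GPO should be enforcing. The firewall rule name and the optional removal of the plain-HTTP listener are my assumptions, not settings from the page.

```powershell
# Added example: local equivalent of the WinRM service/firewall baseline the step-2 GPO
# is expected to enforce. Run elevated. Rule name and -RemoveHttpListener are assumptions.
function Set-WinRmHttpsBaseline {
    [CmdletBinding()]
    param(
        # Also remove any listener with Transport=HTTP so only TLS (5986) is accepted
        [switch] $RemoveHttpListener
    )

    # Service must start automatically and be running, or there is nothing to bind a listener to
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM

    # Service-side hardening: refuse unencrypted traffic and Basic auth; Kerberos/Negotiate over TLS remain
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic      -Value $false

    # Inbound TCP 5986, Domain profile only (assumed rule name)
    $ruleName = "WinRM HTTPS (5986) - Domain"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -Profile Domain -Action Allow | Out-Null
    }

    if ($RemoveHttpListener) {
        Get-ChildItem WSMan:\localhost\Listener |
            Where-Object { $_.Keys -contains "Transport=HTTP" } |
            Remove-Item -Recurse
    }

    # Report the resulting state so it can be compared with the GPO settings
    [pscustomobject]@{
        ServiceStatus    = (Get-Service -Name WinRM).Status
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        FirewallRule     = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
        Listeners        = ((Get-ChildItem WSMan:\localhost\Listener).Keys -join "; ")
    }
}

Set-WinRmHttpsBaseline -RemoveHttpListener | Format-List
```

Two caveats: on a domain-joined host the GPO reasserts its own values at the next refresh, so this is a check or a lab shortcut, not a substitute for the policy; and removing the HTTP listener cuts off any client or tool that connects without -UseSSL, so confirm the HTTPS listener works first.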



Troubleshooting

1. Verify that WinRM HTTPS is working end to end

Enter-PSSession -Cn ComputerName -UseSSL

2. Check the listener and see if it is running

WinRM e winrm/config/listener

3. Check port connection

Test-NetConnection -ComputerName remote_computer_name -port 5986

4. Check the WinRM HTTPS connection (this performs the TLS handshake, so it fails on an untrusted issuer, an expired certificate, or a subject name that does not match the name you connect to)

Test-WSMan -UseSSL -ComputerName remote_computer_name
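The four troubleshooting commands above are easier to run across a fleet as one check. The function below is an added example, not part of the original post: for each host it tests TCP 5986, retrieves the listener certificate with a raw TLS handshake so the subject, expiry and EKU can be inspected even when WSMan rejects the connection, and then runs Test-WSMan -UseSSL with normal chain validation. The hostnames in the usage line are assumptions.

```powershell
# Added example: fleet-wide verification of WinRM HTTPS. Hostnames below are assumptions.
function Test-WinRmHttps {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $Port = 5986
    )
    foreach ($c in $ComputerName) {
        $r = [ordered]@{
            Computer = $c; PortOpen = $false; CertSubject = $null; CertExpires = $null
            ServerAuthEku = $false; NameMatch = $false; WsmanTlsOk = $false; Error = $null
        }
        try {
            # 1. TCP reachability: tests the firewall rule from step 2
            $tnc = Test-NetConnection -ComputerName $c -Port $Port -WarningAction SilentlyContinue
            $r.PortOpen = $tnc.TcpTestSucceeded
            if (-not $r.PortOpen) { throw "TCP $Port not reachable" }

            # 2. Raw TLS handshake, accepting any certificate, purely to read what the listener presents
            $tcp = New-Object System.Net.Sockets.TcpClient($c, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($c)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $ssl.Dispose(); $tcp.Dispose()

            $r.CertSubject   = $cert.Subject
            $r.CertExpires   = $cert.NotAfter
            # Listener certificate must carry the Server Authentication EKU
            $r.ServerAuthEku = [bool]($cert.EnhancedKeyUsageList.FriendlyName -contains "Server Authentication")
            # Subject CN or a SAN DNS name must equal the name clients use, or -UseSSL fails
            $r.NameMatch     = ($cert.Subject -eq "CN=$c") -or ($cert.DnsNameList.Unicode -contains $c)

            # 3. The real check: WSMan over TLS with chain validation, as Enter-PSSession -UseSSL does
            $null = Test-WSMan -ComputerName $c -UseSSL -ErrorAction Stop
            $r.WsmanTlsOk = $true
        }
        catch {
            # Keep the first failure; the other fields show how far the check got
            $r.Error = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

Test-WinRmHttps -ComputerName "pc01.corp.lan", "pc02.corp.lan" | Format-Table -AutoSize
```

Reading the output: PortOpen false points at the firewall GPO; a populated CertSubject with WsmanTlsOk false and NameMatch false means the listener is bound to a certificate for a different name (connect by the FQDN in the subject, or re-enroll); NameMatch true with WsmanTlsOk false usually means the issuing CA is not trusted on the client or the certificate has expired.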
