WinRM remote management

To be able to remotely manage a Windows Server, we need to enable the WinRM service and make sure that traffic is allowed through the firewall. The Enable-PSRemoting command takes care of both requirements. Get-Service (and related commands) can be used to monitor the service status. We also use quick config (winrm qc) to set the LocalAccountTokenFilterPolicy (there is an open bug for Enable-PSRemoting, as this should also be done by the command):

# Only works on PowerShell 5
Enable-PSRemoting -Confirm:$false

winrm qc
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
Make these changes [y/n]? y
WinRM has been updated for remote management.

Get-Service WinRM

Status   Name    DisplayName
------   ----    -----------
Running  winrm   Windows Remote Management (WS-Manag...

As Enable-PSRemoting does not currently work on PowerShell Core, you will have to run a script (included in the installation folder) to enable remoting for PowerShell Core. When connecting to the server (using New-PSSession or Enter-PSSession), you will also have to identify the endpoint by name using the ConfigurationName parameter:

# The script path contains a space, so it is quoted and invoked with the call operator (&)
& "C:\Program Files\PowerShell\6.0.0-beta.4\Install-PowerShellRemoting.ps1" `
    -PowerShellHome "C:\Program Files\PowerShell\6.0.0-beta.4" `
    -PowerShellVersion "6.0.0-alpha.9"

If the client is also running Windows Server but is not part of the domain of the server, you will also have to white-list the server (using winrm in this example). In the following script, we add our server name to the TrustedHosts setting and then we establish a connection. The computer name used in this setting must be resolvable through the client's DNS. Depending on your settings, you may have to use the server's fully qualified name or manually map the IP to the name in the hosts file of the client:

winrm s winrm/config/client '@{TrustedHosts="testb"}'
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = testb

New-PSSession -ComputerName testb -Credential $creds

 Id Name     ComputerName  ComputerType   State
 -- ----     ------------  ------------   -----
 11 WinRM11  testb         RemoteMachine  Opened

If using basic authentication from Linux, you will also need to configure the Windows Server to allow basic authentication and unencrypted traffic (remember, this is not secure):

Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true
Restart-Service -Name WinRM

We should now be able to connect remotely from a macOS/Linux client. Notice in the following example that we do not qualify the administrator account with either a domain (not supported with basic authentication) or the name of the computer (for example, testb\Administrator will not work):

PS /home/psuser> $creds = Get-Credential Administrator

Windows PowerShell credential request
Enter your credentials.
Password for user Administrator: ****************

PS /home/psuser> New-PSSession -ComputerName testb -Credential $creds -Authentication Basic

 Id Name     ComputerName  ComputerType   State
 -- ----     ------------  ------------   -----
 21 WinRM21  testb         RemoteMachine  Opened
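
The settings changed in this section (LocalAccountTokenFilterPolicy, TrustedHosts, Basic authentication and unencrypted traffic) all widen remote access, so it is worth reviewing them once the connection works. The following audit is an added example, not code from the book; the function names Get-WinRMSettings and Test-WinRMSettings and the sample values are assumptions made for illustration:

```powershell
# Added example: function names and the sample values are hypothetical.
function Get-WinRMSettings {
    # Reads the live values; run elevated on the Windows machine to audit.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceBasic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        ServiceUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        TrustedHosts       = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        TokenFilterPolicy  = [int]$pol.LocalAccountTokenFilterPolicy   # missing value -> 0
    }
}

function Test-WinRMSettings {
    param([Parameter(Mandatory)] $Settings)
    $findings = @()
    # WSMan values come back as the strings 'true' / 'false'
    if ("$($Settings.ServiceUnencrypted)" -eq 'true') {
        $findings += 'Service AllowUnencrypted = true: the service accepts unencrypted HTTP requests (5985).'
    }
    if ("$($Settings.ServiceBasic)" -eq 'true') {
        $findings += 'Service Auth Basic = true: the password is only base64-encoded; use it over HTTPS (5986) only.'
    }
    $trusted = "$($Settings.TrustedHosts)".Trim()
    if ($trusted -eq '*') {
        $findings += 'TrustedHosts = *: the client sends credentials to any host without verifying its identity.'
    } elseif ($trusted) {
        $findings += "TrustedHosts = ${trusted}: these hosts are trusted by name only; keep the list minimal."
    }
    if ($Settings.TokenFilterPolicy -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy = 1: local administrators get a full admin token over the network.'
    }
    $findings
}

# Constructed sample: the state after every step in this section has been applied.
$sample = [pscustomobject]@{
    ServiceBasic = 'true'; ServiceUnencrypted = 'true'; TrustedHosts = 'testb'; TokenFilterPolicy = 1
}
Test-WinRMSettings -Settings $sample

# To audit the local machine instead:
# Test-WinRMSettings -Settings (Get-WinRMSettings)
```

The service settings apply to the server and TrustedHosts to the client, so run the live audit on both machines.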