################################################################################################################################# # Name : Configure-WinRM.ps1 # # # # Description : Configures the WinRM on a local machine # # # # Arguments : HostName, specifies the FQDN of machine or domain # ################################################################################################################################# param ( [Parameter(Mandatory = $true)] [string] $HostName ) ################################################################################################################################# # Helper Functions # ################################################################################################################################# function Delete-WinRMListener { try { $config = Winrm enumerate winrm/config/listener foreach($conf in $config) { if($conf.Contains("HTTPS")) { Write-Verbose "HTTPS is already configured. Deleting the exisiting configuration." winrm delete winrm/config/Listener?Address=*+Transport=HTTPS break } } } catch { Write-Verbose -Verbose "Exception while deleting the listener: " + $_.Exception.Message } } function Create-Certificate { param( [string]$hostname ) # makecert ocassionally produces negative serial numbers # which golang tls/crypto <1.6.1 cannot handle # https://github.com/golang/go/issues/8265 $serial = Get-Random .\makecert -r -pe -n CN=$hostname -b 01/01/2012 -e 01/01/2022 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -# $serial 2>&1 | Out-Null $thumbprint=(Get-ChildItem cert:\Localmachine\my | Where-Object { $_.Subject -eq "CN=" + $hostname } | Select-Object -Last 1).Thumbprint if(-not $thumbprint) { throw "Failed to create the test certificate." } return $thumbprint } function Configure-WinRMHttpsListener { param([string] $HostName, [string] $port) # Delete the WinRM Https listener if it is already configured Delete-WinRMListener # Create a test certificate $cert = (Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=" + $hostname } | Select-Object -Last 1) $thumbprint = $cert.Thumbprint if(-not $thumbprint) { $thumbprint = Create-Certificate -hostname $HostName } elseif (-not $cert.PrivateKey) { # The private key is missing - could have been sysprepped # Delete the certificate Remove-Item Cert:\LocalMachine\My\$thumbprint -Force $thumbprint = Create-Certificate -hostname $HostName } $WinrmCreate= "winrm create --% winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$hostName`";CertificateThumbprint=`"$thumbPrint`"}" invoke-expression $WinrmCreate winrm set winrm/config/service/auth '@{Basic="true"}' } function Add-FirewallException { param([string] $port) # Delete an exisitng rule netsh advfirewall firewall delete rule name="Windows Remote Management (HTTPS-In)" dir=in protocol=TCP localport=$port # Add a new firewall rule netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port } ################################################################################################################################# # Configure WinRM # ################################################################################################################################# $winrmHttpsPort=5986 # The default MaxEnvelopeSizekb on Windows Server is 500 Kb which is very less. It needs to be at 8192 Kb. The small envelop size if not changed # results in WS-Management service responding with error that the request size exceeded the configured MaxEnvelopeSize quota. winrm set winrm/config '@{MaxEnvelopeSizekb = "8192"}' # Configure https listener Configure-WinRMHttpsListener $HostName $port # Add firewall exception Add-FirewallException -port $winrmHttpsPort ################################################################################################################################# #################################################################################################################################