How To Enable WinRM Securely?

Article 1: Enabling WinRM over HTTPS Using the GUI

This article will guide you through the steps to enable Windows Remote Management (WinRM) over HTTPS on multiple servers using the GUI. You will also configure certificate auto-enrollment and create a Group Policy Object (GPO) to automate this process.

Step 1: Prepare the Certificate Authority (CA)
  1. Open the Certificate Authority (CA) Management Console:
    • Press Win + R, type certsrv.msc, and press Enter.
    • Expand the CA tree and select Certificate Templates.
  2. Duplicate the Web Server Template:
    • Right-click Certificate Templates and select Manage.
    • Find and right-click the Web Server template and choose Duplicate Template.
    • Select Windows Server 2008 R2 or later as the Minimum Supported CA.
  3. Configure the New Template:
    • Name the new template, e.g., "WinRM HTTPS".
    • In the Subject Name tab, choose Supply in the request.
    • Under the Request Handling tab, check Allow private key to be exported only if you need it.
    • In the Extensions tab, ensure Server Authentication is set as the intended purpose.
  4. Publish the New Template:
    • Go back to Certificate Templates in the CA Management Console.
    • Right-click and choose New > Certificate Template to Issue.
    • Select the newly created WinRM HTTPS template and click OK.
Step 2: Configure Auto-Enrollment in Group Policy
  1. Open Group Policy Management Console (GPMC):
    • Press Win + R, type gpmc.msc, and press Enter.
  2. Create a New GPO:
    • Right-click the domain or the Organizational Unit (OU) where you want to apply the policy and select Create a GPO in this domain, and Link it here....
    • Name the GPO "Enable WinRM with HTTPS and Auto-Enrollment".
  3. Edit the GPO:
    • Right-click the new GPO and select Edit.
    • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  4. Configure Certificate Auto-Enrollment:
    • Double-click Certificate Services Client - Auto-Enrollment.
    • Set it to Enabled.
    • Check both:
      • Renew expired certificates, update pending certificates, and remove revoked certificates.
      • Update certificates that use certificate templates.
Step 3: Configure WinRM Settings in Group Policy
  1. Enable Remote Management Through WinRM:
    • In the GPO editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
    • Double-click Allow remote server management through WinRM.
    • Set it to Enabled.
    • Under IPv4 and IPv6 Filter, enter * to allow connections from any IP address.
  2. Set WinRM Service to Start Automatically:
    • Go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
    • Locate Windows Remote Management (WS-Management).
    • Set the Startup type to Automatic.
Step 4: Configure Firewall Rules
  1. Open Windows Defender Firewall with Advanced Security:
    • In the GPO editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules.
  2. Allow Inbound WinRM Traffic:
    • Right-click Inbound Rules and select New Rule....
    • Select Predefined and choose Windows Remote Management.
    • Choose both Windows Remote Management (HTTP-In) and Windows Remote Management (HTTPS-In).
    • Select Allow the connection and click Finish.
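The GPO settings from Steps 3 and 4 land on each server as registry values, a service start type and firewall rules. The following script, added here as an example and not part of the original article, audits what actually arrived on a target server and flags the two settings a reviewer would question: a listener filter of * (the service listens on every local address) and inbound rules that accept any remote address or still expose the plaintext HTTP listener. The registry path is the documented policy location for the WinRM Service settings; the address range quoted in the finding text is a hypothetical management-subnet value.

```powershell
# Added example (not the article's own code): audit the WinRM policy, service and firewall
# state that the GPO from Steps 3 and 4 should have produced on this server. Run as Administrator.
$WinRMPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

function Get-WinRMPolicyAudit {
    $findings = [System.Collections.Generic.List[string]]::new()

    # "Allow remote server management through WinRM" writes AllowAutoConfig=1 plus the two filters
    $policy = Get-ItemProperty -Path $WinRMPolicyKey -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AllowAutoConfig -ne 1) {
        $findings.Add('AllowAutoConfig is not 1: the WinRM Service policy from Step 3 has not applied here.')
    }
    foreach ($filter in 'IPv4Filter', 'IPv6Filter') {
        if ($policy.$filter -eq '*') {
            # The filter selects the local addresses the service listens on. "*" means all of them;
            # a range such as 10.0.50.1-10.0.50.254 (hypothetical) pins it to a management interface.
            $findings.Add("$filter is '*': WinRM listens on every local address; consider a range like 10.0.50.1-10.0.50.254.")
        }
    }

    # Step 3, item 2: without Automatic start the listener is gone after the next reboot
    $svc = Get-Service -Name WinRM
    if ($svc.StartType -ne 'Automatic') { $findings.Add("WinRM service StartType is $($svc.StartType); expected Automatic.") }
    if ($svc.Status -ne 'Running')      { $findings.Add('WinRM service is not running.') }

    # Step 4: inspect the effective (ActiveStore) inbound rules created by the predefined group
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Windows Remote Management*' -Direction Inbound -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        if ("$($rule.Enabled)" -ne 'True') { continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = ($rule | Get-NetFirewallPortFilter).LocalPort
        # Source-address scoping belongs in the firewall rule, not in the WinRM listener filter
        if ($addr.RemoteAddress -eq 'Any') {
            $findings.Add("Rule '$($rule.DisplayName)' (port $port) accepts any remote address; scope RemoteAddress to the management subnet.")
        }
        # Once HTTPS works, the plaintext HTTP-In rule (port 5985) is no longer needed
        if ($rule.DisplayName -like '*(HTTP-In)*') {
            $findings.Add("Rule '$($rule.DisplayName)' exposes the plaintext listener on port $port; disable it once HTTPS is verified.")
        }
    }

    if ($findings.Count -eq 0) { 'No findings: WinRM policy, service and firewall rules look as expected.' }
    else { $findings }
}

Get-WinRMPolicyAudit
```

Run it on a server after the policy has refreshed; an empty findings list is the state you want before moving on to the listener itself.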
Step 5: Configure WinRM HTTPS Listener on Each Server
  1. Open PowerShell as Administrator:
    • Right-click on the Start menu and select Windows PowerShell (Admin).
  2. Get the Correct Certificate for WinRM:
    • Run the following PowerShell command to find the certificate issued with the "WinRM" template and note its thumbprint:

```powershell
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    ForEach-Object {
        # The Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) names the issuing template
        $templateExt = $_.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7" }
        if ($templateExt) {
            $templateName = $templateExt.Format($false)
            if ($templateName -like "*WinRM*") {
                [PSCustomObject]@{
                    Subject      = $_.Subject
                    Thumbprint   = $_.Thumbprint   # needed for the listener in the next step
                    TemplateName = $templateName
                }
            }
        }
    }
```

  3. Configure WinRM Listener:
    • Use the certificate thumbprint found in the previous step to create an HTTPS listener. The hostname must match the certificate's subject or DNS subject alternative name, and the @{...} value set is quoted so PowerShell passes it to winrm.exe literally instead of parsing it as a hashtable:

```powershell
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<hostname>";CertificateThumbprint="<thumbprint>"}'
```
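Picking the thumbprint by hand works for one server but not for a fleet. The script below is an added example, not code from the original article: it selects a certificate from the WinRM template that has a private key, the Server Authentication EKU and a name matching this host's FQDN, then creates the HTTPS listener with New-WSManInstance (the cmdlet equivalent of the winrm create call above) only if none exists yet. The template name "WinRM HTTPS" is assumed to be the one created in Step 1; the function names are this example's own.

```powershell
# Added example (not the article's own code): choose the right certificate and create the
# WinRM HTTPS listener idempotently. Run as Administrator on each server.
param([string]$TemplateName = 'WinRM HTTPS')   # assumption: template name from Step 1

function Get-WinRMServerCertificate {
    param([string]$Template, [string]$Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth
    $templateOid   = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object {
            $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
            $ext -and $ext.Format($false) -like "*$Template*"
        } |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid } |
        Where-Object {
            # The listener Hostname must match the subject CN or a DNS SAN, or clients fail validation
            ($_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)") -or ($_.DnsNameList.Unicode -contains $Fqdn)
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1   # newest valid one wins
}

function New-WinRMHttpsListener {
    param([string]$Template)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = Get-WinRMServerCertificate -Template $Template -Fqdn $fqdn
    if (-not $cert) { throw "No valid certificate from template '$Template' for $fqdn in Cert:\LocalMachine\My." }

    # Do not create a second listener if one already exists for Transport=HTTPS
    $existing = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if ($existing) {
        Write-Host "HTTPS listener already present: $($existing.Name)"
        return $existing
    }

    # Same effect as: winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=...;CertificateThumbprint=...}'
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet    @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint }
}

New-WinRMHttpsListener -Template $TemplateName
```

The name check is the part most often skipped: a listener bound to a certificate whose subject does not match the name clients connect with comes up fine locally and then fails every remote connection with a certificate error.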

Step 6: Apply and Verify Configuration
  1. Force Group Policy Update:
    • On each server, open a command prompt as an administrator and run:

```powershell
gpupdate /force
```

  2. Test WinRM Configuration:
    • Run the following command to test the WinRM connection over HTTPS:

```powershell
# -UseSSL targets the HTTPS listener (port 5986); without it Test-WSMan only checks the HTTP listener on 5985
Test-WSMan -ComputerName <ServerName> -UseSSL
```
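Test-WSMan reports a single pass/fail, which is not much help when it fails. The function below is an added example, not part of the original article: run from the management workstation, it checks port reachability, performs the TLS handshake itself to record which certificate the server presented and whether it chains to a trusted CA and matches the name, and only then sends the WS-Management identify request. The server name is a placeholder, and the function name is this example's own.

```powershell
# Added example (not the article's own code): end-to-end check of a server's WinRM HTTPS listener
# from a management host. The issuing CA must be trusted here for CertValid to be True.
function Test-WinRMHttps {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 5986)
    $result = [ordered]@{ Server = $Server; PortOpen = $false; CertSubject = $null; CertValid = $false; WsManOk = $false; Error = $null }

    # 1. Is the port reachable at all? (service from Step 3, firewall rule from Step 4)
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    $result.PortOpen = $tcp.TcpTestSucceeded
    if (-not $result.PortOpen) { $result.Error = "TCP $Port not reachable"; return [PSCustomObject]$result }

    # 2. Our own TLS handshake: capture the presented certificate and the validation verdict
    #    (chain trust plus hostname match), which is what Test-WSMan enforces silently
    $script:tlsErrors = $null
    $callback = { param($sender, $cert, $chain, $errors) $script:tlsErrors = $errors; $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $result.CertSubject = $ssl.RemoteCertificate.Subject
        $result.CertValid   = ($script:tlsErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        if (-not $result.CertValid) { $result.Error = "TLS validation: $script:tlsErrors" }
        $ssl.Dispose()
    } catch {
        $result.Error = "TLS handshake failed: $($_.Exception.Message)"
    } finally { $client.Dispose() }

    # 3. The real WS-Management identify request over TLS (same thing Step 6's command does)
    try {
        $null = Test-WSMan -ComputerName $Server -UseSSL -Port $Port -ErrorAction Stop
        $result.WsManOk = $true
    } catch {
        if (-not $result.Error) { $result.Error = $_.Exception.Message }
    }
    [PSCustomObject]$result
}

Test-WinRMHttps -Server 'server01.corp.example'   # placeholder server name
```

Reading the output: PortOpen false points at Steps 3 and 4, CertValid false with a filled CertSubject points at the certificate or the listener hostname from Step 5, and WsManOk false with everything else true usually means an authentication problem rather than a transport one.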

Summary

By following these steps, you have enabled WinRM over HTTPS using a certificate issued with a specific template and ensured that all necessary settings are configured using Group Policy.
