PowerShell Remoting HTTPS Group Policy Configuration

Edited to add – This document apparently only works with Windows Server 2008 R2.  When tested with Server 2012 R2 the steps fail, so keep this in mind.

…and the first restoration is the PDF I wrote about PowerShell Remoting configuration with HTTPS and Group Policy, including ACLs.  The reason I started the old blog; you didn’t think I’d lose this file did you?

For your viewing pleasure, download here.

14 thoughts on “PowerShell Remoting HTTPS Group Policy Configuration”

  1. I tried the single quotes as you suggested, and that failed. Below I’ve copied the winrm create EXAMPLE which I copied and pasted and put values into – and it still fails.

    From winrm create /? ==>

    Example: Create instance of HTTPS Listener on all IPs:
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"}
    Note: XXXXXXXXXX represents a 40-digit hex string; see help config.

    PS C:\Windows\system32> winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue}
    Error: Invalid use of command line. Type "winrm -?" for help.

    PS C:\Windows\system32> winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="EAGLE.RAC.DS";CertificateThumbprint="DD4CE6B74E0188008D9C15646DF3399829D7E480"}
    Error: Invalid use of command line. Type "winrm -?" for help.

    PS C:\Windows\system32> winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="EAGLE.RAC.DS";CertificateThumbprint="DD4CE6B74E0188008D9C15646DF3399829D7E480"}'
    WSManFault
    Message
    ProviderFault
    WSManFault
    Message = An internal error occurred.

    Error number: -2147023537 0x8007054F
    An internal error occurred.

    It may not be worth pursuing this further.

    Thanks for all your help, anyway.

    1. Inside the comment editor here, the last command example seems to have a mismatched quote in the CertificateThumbprint section – a double at the front and a single quote or a backtick at the end. When I copied and pasted it to Notepad it stuck around. Not sure if that’s a fault of the blog’s comment section or not. Other than that, that’s the syntax that seemed to work for me, so I’m not sure what’s going on there. You might try replacing that single quote/backtick if it’s really there and trying again.

      Some people say that the thumbprint needs the spaces in it too but I’ve never done it that way.

      Let me know if it makes a difference.

      Thanks for the help with testing!

  2. Hey, Eric!

    Thanks for getting back to me. Yeah, something’s really screwy.

    I tried using the “winrm” command as you suggested, but still got an error.

    I actually pulled the help from winrm create which has the same exact syntax you recommended, and then substituted in my hard values for hostname and thumbprint, and I still got the subsequent error:

    Error: Invalid use of command line. Type "winrm -?" for help.

    Someone’s sleeping at the wheel at Microsoft.

      1. I did some really quick testing before I left work (just saw the comment notification on my way out the door), and I think I might have an answer.

        I don’t believe that the @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue} is really an array – I think it is meant to be a string. I didn’t have any VMs up or anything but I tried it right on my local machine, and while I didn’t have the correct certs to actually set up the listener on my work laptop, if I enclose the @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue} in single quotes it does not give me an error about the usage being incorrect.

        Additionally, reports from online seem to indicate that the command only works without being quoted if you run it from a standard Command Prompt window, not a PowerShell window. You can read what I read here, but the quick test results seem to confirm it.

        The problem with this is a string inside single quotes won’t have its variables expanded, so it would be a literal string. I didn’t try the same test with double quotes, but it’s worth looking into I think. You could also try the same trick with the New-WSManInstance cmdlet and I assume get the same results.

        This seems to be a Microsoft documentation failure if it is true.

        Have a good Halloween and let me know how it goes!

  3. Hey, Erik.

    Well, I’ve just about got everything put together – thanks to you pointing out the MS article on auto-enroll certificates with the GPO.

    Except I’m getting an error in the last line of your GPO script when it goes to create the listener.

    As you’ll see below, the issue seems to be related to the “Enhanced Key Usage” field of the certificate.

    I’m running a native Server 2012 AD and Certificate Server. I’m not sure if that would make a difference.

    In the template, I tried first to ADD “Server Authentication” and then to replace “Client” with “Server Authentication” in the Extensions, but I’m still getting the same error.

    Any ideas?

    The GPO Script

    # Build the machine's FQDN from the local IP stack configuration.
    $ipProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $Hostname = "{0}.{1}" -f $ipProperties.HostName,$ipProperties.DomainName
    # Takes whichever certificate is listed first in the machine Personal store (no EKU or name check).
    $CertThumbprint = Get-ChildItem "Cert:\LocalMachine\My" | Select -First 1
    $CertThumbprintValue = $CertThumbprint | ForEach-Object {$_.Thumbprint}
    # Create the HTTPS listener on all addresses, bound to that certificate's thumbprint.
    New-WSManInstance winrm/config/listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue}

    The Error

    New-WSManInstance : The WinRM client cannot process the request. The Enhanced Key Usage (EKU) field of the certificate is not set to "Server Authentication". Retry the request with a certificate that has the correct EKU.

    At C:\Users\administrator\Desktop\WinRM-config-https-listener.ps1:5 char:1
    + New-WSManInstance winrm/config/listener -SelectorSet @{Address="*";Transport="HT …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [New-WSManInstance], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.NewWSManInstanceCommand

    1. I just checked the certificate in the local certificate manager. The certificate is there in Personal > Certificates AND in the Certificate Details, the Enhanced Key Usage shows as “Server Authentication (1.3.6.1.5.5.7.3.1)”.

      So close, and yet…

      1. I’m afraid I don’t know what’s wrong here. I suppose I should qualify that post by saying it has only been tested on Server 2008 R2/PS v2 – I don’t know what PS v3/v4 or 2012R2 affects when attempting this. It might be a cause for investigation on my side.

        The other thing to know is that PS Remoting requests are encrypted by default – if you use HTTPS the only extra encryption it does is the headers. Your commands and auth requests are already taken care of – I checked it with Wireshark just because I didn’t believe it at first.

        I can’t see anything wrong with what you are doing, so it might be a failure of my instructions. I can work on this with some VMs and get back to you; but as I said, you aren’t really gaining too much with HTTPS.

        Let me know if you’ve got more questions.

        1. Thanks for your quick reply. I was aware that pretty much everything was encrypted. I was mostly pushing ahead as an interesting exercise and learning experience. I’d like to be able to get this up and fully running, but it’s not critical.

          If you get a chance to poke at it, that would be great.

          I’ll probably post to a MS forum as well and see if someone might have an answer.

          Thanks again. Much appreciated.

        2. Hi, Eric.

          So the Certificate error is no longer presenting. I’m guessing that a reboot of the client/workstation machines has resolved that.

          This is great.

          However, I’m still getting an error on the last line of the script:

          New-WSManInstance winrm/config/listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue}

          The issue seems to be with the "SelectorSet" parameter – at least when I run "New-WSManInstance" from the PS prompt and enter the parameters one at a time as I’m prompted.

          The PowerShell detailed help has an example with almost the same parameters — except they don’t have “Address” in the hash table for SelectorSet.

          But that fails as well, stating that it failed "because the request did not contain all required selectors".

          Here is the error I’m getting:

          PS C:\Users\tsalciccia\Desktop> New-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue}
          New-WSManInstance : An internal error occurred.
          At line:1 char:1
          + New-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="HT …
          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : InvalidOperation: (:) [New-WSManInstance], InvalidOperationException
          + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.NewWSManInstanceCommand

          I noticed in the TechNet Article http://technet.microsoft.com/en-us/library/hh849866.aspx that -SelectorSet doesn’t support wildcards. I don’t know if that’s the issue.

          Any ideas?

          Thanks.

          1. Sorry – I’ve been super busy at work and haven’t had a chance to play around with this yet in the lab.

            You could try avoiding the New-WsManInstance altogether maybe.

            Something like "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue}" (without the enclosing quotes).

            I am guessing from the comparison between the actual winrm command and the results from the New-WSManInstance cmdlet that there is some sort of change between PowerShell 2 and 3 that changes the command syntax in the backend but I can’t tell for sure until I get some time to mess around with it.

            Thanks for the info on how it’s going for you! Let me know if the winrm change works.
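One script that addresses both problems worked through in this thread (the `winrm create` quoting failures in the first comments, and the certificate selection and `New-WSManInstance` errors above), as an added example that is not the original PDF's script nor any commenter's code. It is written to run as a computer startup script under Group Policy, so it operates in the LocalMachine context, and it assumes the machine already holds an auto-enrolled certificate with the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a private key. The function name Get-WinRmServerCertificate is mine, not a built-in cmdlet.

```powershell
# Added example: create or refresh the WinRM HTTPS listener with a certificate chosen by
# EKU, validity and DNS name instead of "first certificate in the store".
# Assumptions: runs as SYSTEM (GPO startup script); an auto-enrolled computer certificate
# with the Server Authentication EKU and a private key is already in Cert:\LocalMachine\My.

$ErrorActionPreference = 'Stop'

$ipProps       = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$Hostname      = '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU the WinRM client insists on

# Hypothetical helper (not a built-in cmdlet): pick the newest usable server certificate.
function Get-WinRmServerCertificate {
    param([string]$DnsName)

    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $cert = $_
            # Must have a private key and be inside its validity period.
            if (-not $cert.HasPrivateKey) { return $false }
            $now = Get-Date
            if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) { return $false }

            # Must carry the Server Authentication EKU in its X.509 extensions.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            if (-not $eku) { return $false }
            $hasServerAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }
            if (-not $hasServerAuth) { return $false }

            # The name the certificate was issued to (SAN dNSName, else subject CN) must match.
            $issuedTo = $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            return ($issuedTo -eq $DnsName)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-WinRmServerCertificate -DnsName $Hostname
if (-not $cert) {
    throw "No valid Server Authentication certificate for $Hostname in Cert:\LocalMachine\My; fix certificate autoenrollment before creating the listener."
}

# Replace any existing HTTPS listener so a renewed certificate's thumbprint takes effect.
$selector = @{ Address = '*'; Transport = 'HTTPS' }
$existing = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($existing) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector
}

New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector -ValueSet @{
    Hostname              = $Hostname
    CertificateThumbprint = $cert.Thumbprint
} | Out-Null

# Verify through the WSMan: provider that the listener exists and is bound to our certificate.
$listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $listener) { throw 'HTTPS listener was not created.' }
$boundItem = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
    Where-Object { $_.Name -eq 'CertificateThumbprint' }
$bound = ($boundItem.Value -replace ' ', '')
if ($bound -ne $cert.Thumbprint) {
    throw "Listener is bound to thumbprint '$bound', expected '$($cert.Thumbprint)'."
}

Write-Output "WinRM HTTPS listener on $Hostname bound to certificate $($cert.Thumbprint)"
```

The example stays with the WSMan provider and cmdlets rather than `winrm.cmd` because PowerShell parses a bare `@{...}` argument as a hashtable literal before a native command ever sees it, so winrm receives only the string `System.Collections.Hashtable`, which matches the "Invalid use of command line" results above. On PowerShell 3.0 or later the stop-parsing token (`winrm --% create ...`) hands the rest of the line to winrm verbatim, but that also stops `$Hostname` from being expanded, so the values would have to be spelled out. The script does not touch the firewall; 5986/TCP still needs its own inbound rule, for example from the same GPO.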

  4. Hi. I was reading through your document for PS Remoting with HTTPS. Great document. Thanks for doing that.

    I’m good with everything, except I need help with the Computer Certificate part. You reference a demo environment.

    I did a search for “computer certificate” on your site, but didn’t get any hits. Do you maybe have a document for that? I’m on Win 2012 native domain with Win7 and Win8.1 clients. I have a Certificate Server running, but am not well versed in it.

    Any help – or point me to some articles – or whatever would be appreciated.

    1. Hey, sorry for the delay in responding. You will want to issue computer certificates for all the machines you’ll be using HTTPS remoting with. The easiest way to do this is using Group Policy. Basically, you will create an autoenrollment template on your certificate server, then create a Group Policy referencing the autoenrollment template you created. Then, you just apply the Group Policy to the group of machines. You can find a walk-through on Microsoft’s site here that explains what steps you’ll need to take to get it set up.

      Let me know if you have questions.

      Thanks for the feedback!

      1. Thanks, Erik!! I just got back to check your site. I really appreciate your response. Very helpful. Thanks again.
