PowerShell Remoting for Non-Domain Workstation
Tutorial on how to enable PowerShell Remoting for Non-Domain Workstation
PowerShell Remoting uses Windows Remote Management (WinRM), the Microsoft implementation of the Web Services for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers.
Windows Remote Management (WinRM) is a Windows-native, built-in remote management service that listens on TCP 5985 (HTTP) and TCP 5986 (HTTPS).
By default, only the HTTP listener is enabled, with Kerberos authentication.
Get-ChildItem -Path WSMan:\localhost\Listener
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener
Type Keys Name
---- ---- ----
Container {Transport=HTTPS, Address=*} Listener_1305953032
Container {Transport=HTTP, Address=*} Listener_1084132640
Get-ChildItem -Path WSMan:\localhost\Service\Auth\
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String Basic false
System.String Kerberos true
System.String Negotiate true
System.String Certificate false
System.String CredSSP false
System.String CbtHardeningLevel Relaxed
PowerShell Remoting from Domain Workstation
PowerShell Remoting is enabled by default on Windows Server 2012 and above, and you can connect to a remote Windows Server with Enter-PSSession.
Enter-PSSession -Computername AVENTIS-AD01
[AVENTIS-AD01]: PS C:\Users\Administrator\Documents> hostname
AVENTIS-AD01
Verify that the PowerShell Remoting session is established with Get-NetTCPConnection.
Get-NetTCPConnection |? RemotePort -eq "5985"
LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- --------------
192.168.1.137 50674 192.168.1.230 5985 Established Datacenter
192.168.1.137 50672 192.168.1.230 5985 TimeWait
PowerShell Remoting from Non-Domain Workstation
PowerShell Remoting from a non-domain workstation will fail even with the correct credentials, due to the security design of Windows Server (the WinRM client refuses the connection unless HTTPS is used or the target is in TrustedHosts, as the error message below explains).
Enter-PSSession -ComputerName UAT-WIN2019.lab.aventislab.com -Credential (Get-Credential)
PowerShell credential request
Enter your credentials.
User: lab\mydcadmin
Password for user lab\mydcadmin: ************
Enter-PSSession: Connecting to remote server UAT-WIN2019.lab.aventislab.com failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
TrustedHosts configuration in Windows 10
Verify that the WinRM service is running.
Get-Service -Name WinRM | Select-Object -Property Name, DisplayName, Status, StartType
Name DisplayName Status StartType
---- ----------- ------ ---------
WinRM Windows Remote Management (WS-Management) Running Manual
By default, no TrustedHosts are configured. Check the current value with Get-Item (the output below is from a client where the hosts have already been added).
Get-Item WSMan:\localhost\Client\TrustedHosts
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String TrustedHosts aventis-ad01.aventis.local,192.168.1.188
Add the FQDN or IP address of the remote server to TrustedHosts.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'aventis-ad01.aventis.local,192.168.1.188'
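As an added example (not from the original post), the snippet below appends hosts to TrustedHosts without overwriting the existing list, since Set-Item -Value on its own replaces the whole value; the host names are assumed and the command must run in an elevated PowerShell session.

```powershell
# Added example (not from the original post): append entries to TrustedHosts
# without clobbering what is already configured. Host names are assumed values.
$NewHosts = @('uat-win2019.lab.aventislab.com', '192.168.1.230')

# Read the current comma-separated list and normalise it into an array
$Current  = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$Existing = if ([string]::IsNullOrWhiteSpace($Current)) { @() }
            else { $Current -split ',' | ForEach-Object { $_.Trim() } }

foreach ($Entry in $NewHosts) {
    if ($Existing -contains $Entry) {          # -contains is case-insensitive
        Write-Host "Already trusted: $Entry"
        continue
    }
    # -Concatenate appends to the existing list instead of replacing it;
    # -Force suppresses the confirmation prompt
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $Entry -Concatenate -Force
    Write-Host "Added: $Entry"
}

# Show the final list, one entry per line, so a wildcard or stray entry is easy to spot
(Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
    ForEach-Object { $_.Trim() }
```

Keep the list to the exact hosts you need; as the error message above notes, entries in TrustedHosts are not authenticated by the client.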
Verify that a WinRM connection can now be established with winrm identify.
winrm identify -u:administrator -p:P@ssw0rd!@#$ -r:http://aventis-ad01.aventis.local:5985
IdentifyResponse
ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 10.0.17763 SP: 0.0 Stack: 3.0
SecurityProfiles
SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/spnego-kerberos
Log in to the remote server via WinRM.
Enter-PSSession -ComputerName aventis-ad01.aventis.local -Credential (Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
[aventis-ad01.aventis.local]: PS C:\Users\Administrator\Documents>
Enable WinRM via HTTPS
To enable WinRM via HTTPS with a Microsoft Certificate Authority (CA) and allow PowerShell Remoting from a non-domain workstation, follow the steps below.
- Generate a server certificate with the FQDN of the server by following Request SSL Certificate from Microsoft CA with Certreq.
- Create a new WinRM listener for HTTPS with the certificate thumbprint.
PS C:\Temp> New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint A7DCA3E1A452388890A97513230CCF2D11D729C7 -Force
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener
Type Keys Name
---- ---- ----
Container {Transport=HTTPS, Address=*} Listener_1305953032
- Add a Windows Firewall rule to allow inbound TCP 5986.
New-NetFirewallRule -DisplayName "In-TCP-5986" -Description "WinRM-HTTPS" -Direction Inbound -Protocol TCP -LocalPort 5986 -RemoteAddress 192.168.1.0/24 -Action Allow
- Export the CA root certificate from the Microsoft CA server to C:\Temp\AVENTISLAB-ROOT.cer.
certutil -ca.cert C:\temp\AVENTISLAB-ROOT.cer
CA cert[0]: 3 -- Valid
CA cert[0]:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
CertUtil: -ca.cert command completed successfully.
- Copy AVENTISLAB-ROOT.cer to the workstation and import it under Certificates – Local Computer – Trusted Root Certification Authorities.
Import-Certificate -FilePath C:\temp\AVENTISLAB-ROOT.cer -CertStoreLocation Cert:\LocalMachine\AuthRoot\
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\AuthRoot
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
A85CD7DA6159CEF6315BA6FD4FC6FDC134D7DFBF CN=AventisLab Root …
- Add the FQDN of the server to the local hosts file if required, and ensure that you can ping the FQDN of the server you want to remote to.
- You should now be able to connect to the remote server with PowerShell Remoting.
The -SkipRevocationCheck session option skips the certificate revocation check, to prevent the error message below:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.
$Username = "lab\mydcadmin"
# Build a PSCredential from a plain-text password (corrected: the original used en-dashes instead of hyphens for the switches)
$Password = ConvertTo-SecureString -String 'P@ssw0rd!@#$' -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $Password
# Skip the CRL/OCSP check when the revocation endpoint is not reachable from the workstation
$SessionOption = New-PSSessionOption -SkipRevocationCheck
$Server = "UAT-WIN2019.lab.aventislab.com"
Enter-PSSession -ComputerName $Server -UseSSL -Credential $Credential -SessionOption $SessionOption
[UAT-WIN2019.lab.aventislab.com]: PS C:\Users\administrator.LAB\Documents>
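Before reaching for -SkipRevocationCheck, it is worth seeing what the workstation actually objects to. The added example below (not from the original post) fetches the certificate the HTTPS listener presents and builds its chain with and without the online revocation check; the server FQDN is the one used above and is an assumed value.

```powershell
# Added example (not from the original post): run on the non-domain workstation to
# inspect the certificate presented on TCP 5986 and check the chain to the imported root.
$Server = 'UAT-WIN2019.lab.aventislab.com'   # assumed FQDN, same as in the post
$Port   = 5986

$Tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
# Accept any certificate during the handshake; validation is done explicitly below
$Callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $Callback)
try {
    $Ssl.AuthenticateAsClient($Server)
    $Remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
} finally {
    $Ssl.Dispose(); $Tcp.Dispose()
}

# Does the certificate name the host we connected to?
$NameOk = ($Remote.DnsNameList.Unicode -contains $Server) -or ($Remote.Subject -eq "CN=$Server")
"Subject : $($Remote.Subject)"
"Issuer  : $($Remote.Issuer)"
"Expires : $($Remote.NotAfter)"
"Name OK : $NameOk"

# Build the chain twice: NoCheck shows whether the root is trusted at all,
# Online shows whether the revocation endpoint (CRL/OCSP) is reachable from here.
foreach ($Mode in 'NoCheck', 'Online') {
    $Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $Chain.ChainPolicy.RevocationMode = $Mode
    $Ok = $Chain.Build($Remote)
    $Status = ($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "Chain ({0,-7}): {1} {2}" -f $Mode, $Ok, $Status
    $Chain.Reset()
}
```

If NoCheck succeeds but Online reports RevocationStatusUnknown or OfflineRevocation, the root is trusted and only the CRL/OCSP location is unreachable, which is the case -SkipRevocationCheck is meant for; if NoCheck fails, the root import or the certificate name is the real problem.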
Deploy WinRM SSL Certificate with GPO
Group Policy (GPO) can be used to issue an SSL certificate to all servers with the certificate auto-enrollment feature.
- Create a new certificate template from the Web Server template.
- Enter WinRM as the name for this template.
- Select Build from Active Directory information with Subject name format = Common name, and check DNS name.
- Add Domain Computers and assign allow permission for Read, Enroll and Autoenroll. Domain Controllers can be added as well, so that domain controllers obtain the SSL certificate automatically.
- Issue the new WinRM certificate template and verify that it is displayed under Certificate Templates.
- Create a new GPO, link it to the OU, and configure Computer Configuration – Security Settings – Public Key Policies – Certificate Services Client – Auto-Enrollment as below.
- Configuration Model = Enabled, with Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates checked.
- Run "gpupdate /force" on the computer to apply the GPO immediately, then verify that the SSL certificate is installed in the LocalMachine Personal store.
Get-ChildItem -path Cert:\LocalMachine\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
268276E7F90702CB611BA4825CE9AD6D95F2CFA0 CN=AVENTIS-AD01.AVENTIS.LOCAL
Create a new HTTPS listener using the thumbprint of the auto-enrolled SSL certificate.
New-Item -Path WSMan:\Localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint 268276E7F90702CB611BA4825CE9AD6D95F2CFA0
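Both listener-creation steps on this page (the certreq-issued certificate earlier and the auto-enrolled one here) paste a thumbprint by hand. As an added example (not from the original post), the script below selects the right certificate itself, by host name, Server Authentication EKU, private key and validity, and creates the HTTPS listener only if none exists; it assumes it runs in an elevated PowerShell session on the server.

```powershell
# Added example (not from the original post): choose the listener certificate
# automatically and create the HTTPS listener idempotently. Run elevated on the server.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. AVENTIS-AD01.AVENTIS.LOCAL

# Server Authentication EKU; a WinRM HTTPS listener certificate must carry it
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) -and
        ($_.Subject -eq "CN=$Fqdn" -or $_.DnsNameList.Unicode -contains $Fqdn)
    } |
    Sort-Object NotAfter -Descending |   # prefer the certificate that expires last
    Select-Object -First 1

if (-not $Cert) {
    throw "No valid Server Authentication certificate for $Fqdn found in Cert:\LocalMachine\My"
}

# Only one HTTPS listener per address is allowed; reuse it if it is already there
$Listener = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }

if ($Listener) {
    Write-Host "HTTPS listener already exists: $($Listener.Name)"
} else {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $Cert.Thumbprint -Force | Out-Null
    Write-Host "Created HTTPS listener with certificate $($Cert.Thumbprint) ($($Cert.Subject))"
}
```

When the auto-enrolled certificate is renewed, the listener keeps the old thumbprint; rerun the selection and update the listener's CertificateThumbprint so remoting does not break at expiry.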
You should now be able to connect to the remote server via the HTTPS listener.
$Username = "AVENTIS\Administrator"
$Password = ConvertTo-SecureString -String "P@ssw0rd!@#$" -Force -AsPlainText
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $Password
$Server = "AVENTIS-AD01.AVENTIS.LOCAL"
# Skip the revocation check if the CRL/OCSP location is not reachable from the workstation
$Session = New-PSSessionOption -SkipRevocationCheck
Enter-PSSession -ComputerName $Server -Credential $Credential -UseSSL -SessionOption $Session
Refer to Auto Enroll Certificates with Group Policy for more detailed information.