Setting up a machine with WinRM remoting over HTTPs

A quick getting started script to set up a server to allow WinRM remoting - ideal for use with target environments for deployment with TFS and VSTS Release Management remote tasks.

This uses a self-signed certificate and is meant to be a "getting up and running fast" approach, NOT a production-ready approach (you probably want to consider a public trusted certificate and DNS records rather than a self-signed cert and IP addreses.

Complete the following script with your relevant information, and run it on your target machine:

#Enable Remoting
Enable-PSRemoting -SkipNetworkProfileCheck -Force

#Remove the default HTTP listener
Get-ChildItem WSMan:\Localhost\listener | Where -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse

#Create a new self-signed certificate
$Cert = New-SelfSignedCertificate -DnsName <MyServerNameOrFQDN>  -CertStoreLocation Cert:\LocalMachine\My

#Add the new HTTPs listener
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint –Force

#Add a new firewall rule for the listener
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" Profile Any -LocalPort 5986 -Protocol TCP

#Remove the default HTTP firewall rule
Disable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"

#Get the existign trusted hosts
$curValue = (get-item wsman:\localhost\Client\TrustedHosts).value
#Add your new trusted hosts to the value
set-item wsman:\localhost\Client\TrustedHosts -value "$curValue, <my new IP/FQDNs>"

#For sanity - list the trusted hosts for a manual check
Get-Item WSMan:\localhost\Client\TrustedHosts

If your server is in Azure or on site, you will probably need to open up the 5986 port on your firewall or Network Security Group:

Tagged: Powershell, Remoting,
Categorised: PowerShell,