Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# This Sets up WinRM Remote PowerShell with delegated authentication while creating a self signed certificate
########################################################################
################ Do this on the Server
########################################################################
#Enable WinRM on a VM - with on-demand certificate creation
Function RemotePowerShell {
$process = 'cmd.exe'
$arguments = '/c winrm invoke restore winrm/config @{}'
start-process $process -ArgumentList $arguments -Wait
#enable Server Manager Remoting
Configure-SMRemoting.exe -enable
#Enable WinRM
Enable-PSRemoting -SkipNetworkProfileCheck -Force
<# Only if you really want to tighten up security, however this can break certain DSC functions which call various things locally on port HTTP
Get-ChildItem WSMan:\Localhost\listener | Where -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
#>
$Hostname = $env:COMPUTERNAME
$CertificateThumbprint = (New-SelfSignedCertificate -DnsName $Hostname -CertStoreLocation Cert:\LocalMachine\My).Thumbprint;
$CommandLine = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$($Hostname)`";CertificateThumbprint=`"$($CertificateThumbprint)`"}";
CMD.EXE /C $CommandLine
Set-Item wsman:\localhost\client\trustedhosts * -Force
# Enable delegation of credentials
Enable-WSManCredSSP -Role Server -Force
Restart-Service winrm
}
Function FirewallRules {
################ Firewall Rules
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
New-NetFirewallRule -DisplayName "RemotePowerShell" -Direction Inbound –LocalPort 5985-5986 -Protocol TCP -Action Allow
}
RemotePowerShell
FirewallRules
########################################################################
################ Do this on the Client to setup delegated authentication
########################################################################
Enable-PSRemoting -Force
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force
$allowed = @('WSMAN/*.domain.com')
$TopKey = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $TopKey)) {
md $TopKey
}
New-ItemProperty -Path $TopKey -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name AllowFreshCredentialsWhenNTLMOnly -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name AllowSavedCredentialsWhenNTLMOnly -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name ConcatenateDefaults_AllowFresh -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name ConcatenateDefaults_AllowFreshNTLMOnly -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name ConcatenateDefaults_AllowSavedNTLMOnly -Value 1 -PropertyType Dword -Force
$key = Join-Path $TopKey 'AllowFreshCredentialsWhenNTLMOnly'
if (!(Test-Path $key)) {
md $key
}
$i = 1
$allowed |% {
# Script does not take into account existing entries in this key
New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
$i++
}
$key = Join-Path $TopKey 'AllowSavedCredentialsWhenNTLMOnly'
if (!(Test-Path $key)) {
md $key
}
$i = 1
$allowed |% {
# Script does not take into account existing entries in this key
New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
$i++
}
$key = Join-Path $TopKey 'AllowFreshCredentials'
if (!(Test-Path $key)) {
md $key
}
# Script does not take into account existing entries in this key
$i = 1
New-ItemProperty -Path $key -Name $i -Value 'wsman/*' -PropertyType String -Force
Restart-Service WinRM
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment