Setup WinRM with a trusted certificate.ps1

# This Sets up WinRM Remote PowerShell with delegated authentication for an existing trusted SSL cert

########################################################################
################ Do this on the Server
########################################################################

#Enable WinRM on a VM - with on-demand certificate creation
Function RemotePowerShell {
$process = 'cmd.exe'
$arguments = '/c winrm invoke restore winrm/config @{}'
start-process $process -ArgumentList $arguments -Wait
 
#enable Server Manager Remoting
Configure-SMRemoting.exe -enable
 
#Enable WinRM
Enable-PSRemoting -SkipNetworkProfileCheck -Force

<# Only if you really want to tighten up security, however this can break certain DSC functions which call various things locally on port HTTP
Get-ChildItem WSMan:\Localhost\listener | Where -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
#>

$domain = 'domain.com'
$Hostname = "{0}$domain" -f '*.'
$CertificateThumbprint = (Get-ChildItem Cert:\LocalMachine\My | ? {$_.Subject -match $domain}).Thumbprint;
$CommandLine = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$($Hostname)`";CertificateThumbprint=`"$($CertificateThumbprint)`"}";
CMD.EXE /C $CommandLine

Set-Item wsman:\localhost\client\trustedhosts * -Force

# Enable delegation of credentials
Enable-WSManCredSSP -Role Server -Force

Restart-Service winrm
}

Function FirewallRules {
################ Firewall Rules

New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
New-NetFirewallRule -DisplayName "RemotePowerShell" -Direction Inbound –LocalPort 5985-5986 -Protocol TCP -Action Allow
 
}

RemotePowerShell
FirewallRules

########################################################################
################ Do this on the Client to setup delegated authentication
########################################################################

Enable-PSRemoting -Force

Enable-WSManCredSSP -Role Client -DelegateComputer * -Force

$allowed = @('WSMAN/*.domain.com')

$TopKey = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $TopKey)) {
    md $TopKey
}
New-ItemProperty -Path $TopKey -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name AllowFreshCredentialsWhenNTLMOnly -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name AllowSavedCredentialsWhenNTLMOnly -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name ConcatenateDefaults_AllowFresh -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name ConcatenateDefaults_AllowFreshNTLMOnly -Value 1 -PropertyType Dword -Force
New-ItemProperty -Path $TopKey -Name ConcatenateDefaults_AllowSavedNTLMOnly -Value 1 -PropertyType Dword -Force

$key = Join-Path $TopKey 'AllowFreshCredentialsWhenNTLMOnly'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed |% {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}

$key = Join-Path $TopKey 'AllowSavedCredentialsWhenNTLMOnly'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed |% {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}

$key = Join-Path $TopKey 'AllowFreshCredentials'
if (!(Test-Path $key)) {
    md $key
}

# Script does not take into account existing entries in this key
$i = 1
New-ItemProperty -Path $key -Name $i -Value 'wsman/*' -PropertyType String -Force



Restart-Service WinRM