Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Configure Windows 2008R2/2012/2012R2 for SSL-based remoting
Param (
[string]$SubjectName = $env:COMPUTERNAME,
[int]$CertValidityDays = 365,
$CreateSelfSignedCert = $true
#region function defs
Function New-LegacySelfSignedCert
Param (
[int]$ValidDays = 365
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$SubjectName", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = (get-date).addDays(-1)
$cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
#return the thumprint of the last installed cert
ls "Cert:\LocalMachine\my"| Sort-Object notbefore -Descending | select -First 1 | select -expand Thumbprint
#Start script
$ErrorActionPreference = "Stop"
#Detect PowerShell version
if ($PSVersionTable.PSVersion.Major -lt 3)
Write-Error "PowerShell/Windows Management Framework needs to be updated to 3 or higher. Stopping script"
#Detect OS
$Win32_OS = Get-WmiObject Win32_OperatingSystem
switch ($Win32_OS.Version)
"6.2.9200" {$OSVersion = "Windows Server 2012"}
"6.1.7601" {$OSVersion = "Windows Server 2008R2"}
#Set up remoting
Write-verbose "Verifying WS-MAN"
if (!(get-service "WinRM"))
Write-Error "I couldnt find the winRM service on this computer. Stopping"
Elseif ((get-service "WinRM").Status -ne "Running")
Write-Verbose "Starting WinRM"
Start-Service -Name "WinRM" -ErrorAction Stop
#At this point, winrm should be running
#Check that we have a ps session config
if (!(Get-PSSessionConfiguration -verbose:$false) -or (!(get-childitem WSMan:\localhost\Listener)))
Write-Verbose "PS remoting is not enabled. Activating"
Enable-PSRemoting -Force -ErrorAction SilentlyContinue
Write-Verbose "PS remoting is already active and running"
#At this point, test a remoting connection to localhost, which should work
$result = invoke-command -ComputerName localhost -ScriptBlock {$env:computername} -ErrorVariable localremotingerror -ErrorAction SilentlyContinue
$options = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$resultssl = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $options -ErrorVariable localremotingsslerror -ErrorAction SilentlyContinue
if (!$result -and $resultssl)
Write-Verbose "HTTP-based sessions not enabled, HTTPS based sessions enabled"
ElseIf (!$result -and !$resultssl)
Write-error "Could not establish session on either HTTP or HTTPS. Breaking"
#at this point, make sure there is a SSL-based listener
$listeners = dir WSMan:\localhost\Listener
if (!($listeners | where {$_.Keys -like "TRANSPORT=HTTPS"}))
#HTTPS-based endpoint does not exist.
if (($CreateSelfSignedCert) -and ($OSVersion -notmatch "2012"))
$thumprint = New-LegacySelfSignedCert -SubjectName $env:COMPUTERNAME
if (($CreateSelfSignedCert) -and ($OSVersion -match "2012"))
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation "Cert:\LocalMachine\My"
$thumprint = $cert.Thumbprint
# Create the hashtables of settings to be used.
$valueset = @{}
$selectorset = @{}
Write-Verbose "Enabling SSL-based remoting"
New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
Write-Verbose "SSL-based remoting already active"
#Check for basic authentication
$basicauthsetting = Get-ChildItem WSMan:\localhost\Service\Auth | where {$_.Name -eq "Basic"}
if (($basicauthsetting.Value) -eq $false)
Write-Verbose "Enabling basic auth"
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
Write-verbose "basic auth already enabled"
netsh advfirewall firewall add rule Profile=public name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
Write-Verbose "PS Remoting successfully setup for Ansible"

This comment has been minimized.

Copy link
Owner Author

@trondhindenes trondhindenes commented Jul 4, 2014

Run PowerShell as admin, and then paste in the following in order to run:

$VerbosePreference = "Continue"
iex ((new-object net.webclient).DownloadString(""))


This comment has been minimized.

Copy link

@barioucha barioucha commented Apr 3, 2019


In case I run the command as mentioned above it should enable WinRM on the target server?
I mean on the server where this script was executed, I'm right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment