Powershell remoting in the enterprise
Sponsored Links
This presentation is the property of its rightful owner.
1 / 23

PowerShell Remoting in the Enterprise PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

PowerShell Remoting in the Enterprise. What you need to know. Speaker. 9+ years experience in Microsoft-based IT Microsoft System Center 2012 R2 Windows PowerShell since 2007 Started writing VBscript in 2005 Worked in many enterprise environments with 10-70k+ systems. Why use remoting ?.

Download Presentation

PowerShell Remoting in the Enterprise

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Powershell remoting in the enterprise

PowerShell Remoting in the Enterprise

What you need to know.



  • 9+ years experience in Microsoft-based IT

  • Microsoft System Center 2012 R2

  • Windows PowerShell since 2007

    • Started writing VBscript in 2005

  • Worked in many enterprise environments with 10-70k+ systems

Why use remoting

Why use remoting?

  • Fan-out management of Windows Server systems

  • Desired State Configuration (DSC) in PowerShell v4

  • PowerShell Workflow

  • Interactive remote management (similar to SSH)

  • Quicker than RDP

How does remoting work

How does remoting work?



PowerShell Session

PowerShell Session



Windows Remote Management

Windows Remote Management


TCP 5986

TCP 5985




Remoting configuration

Remoting Configuration

SSL requires a “Server Authentication” certificate

  • Enable-PSRemoting -Force;

  • Set-WsmanQuickConfig -UseSSL;

  • Use Group Policy

Manual Configuration Process

Winrm service gpo configuration

WinRM Service GPO Configuration

Don’t leave listeners blank!

Windows powershell gpo settings

Windows PowerShell GPO Settings

  • Use either:

  • Remote Signed

  • Unrestricted

powershell.exe –ExecutionPolicy Bypass –File c:\path\to\script.ps1

Winrm client configuration

WinRM Client Configuration

  • Authentication

    • Basic

    • Negotiate

    • Kerberos

    • Client certificate mapping

    • Credential Security Support Provider (CredSSP)

  • TrustedHosts

  • DefaultPorts

TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. Special alias “<local>” for hostnames without dots “.”

Winrm client configuration1

WinRM Client Configuration

Winrm shell configuration

WinRM Shell Configuration

Set-Location –Path wsman:\localhost\shell;


Windows remote shell gpo configuration

Windows Remote Shell GPO Configuration

Windows Server 2012 Default Values

Quota Management for Remote Shells


Powershell remoting cmdlets

PowerShell Remoting Cmdlets

  • Enter-PSSession

  • New-PSSession

  • Remove-PSSession

  • Connect-PSSession

  • Invoke-Command

  • New-PSSessionConfigurationFile

  • about_Session_Configuration_Files

  • about_Session_Configurations

Cim cmdlets

CIM Cmdlets

Replace the WMI cmdlets in PowerShell v2.

  • Get-CimAssociatedInstance

  • Get-CimClass

  • Get-CimInstance

  • Get-CimSession

  • Invoke-CimMethod

  • New-CimInstance

  • New-CimSession

  • New-CimSessionOption

  • Register-CimIndicationEvent

  • Remove-CimInstance

  • Remove-CimSession

  • Set-CimInstance

Cim session remoting protocols

CIM Session Remoting Protocols

Session configurations

Session Configurations

  • Restrict the commands that can be executed in a remote session

  • Restrict who can access the session configuration

  • Default session configurations can be removed or modified

  • Use Enable-PSRemoting to restore original configurations (after deleting)

Credential security support provider credssp

Credential Security Support Provider (CredSSP)



  • Allows double-hop scenario

  • Three types of credentials.PowerShell uses one.

    • Default credential

    • Saved credential

    • Fresh credential

  • Can be configured via GPO


  • CredSSP PowerShell Commands

  • Get-WSManCredSSP

  • Enable-WSManCredSSP

  • Disable-WSManCredSSP

Credssp group policy configuration

CredSSP Group Policy Configuration



  • Enable-PSWsmanCombinedTrace;

    • Get-WinEvent –Oldest $PSHome\Traces\pstrace.etl

  • Enable the Microsoft-Windows-WinRM/Operational event log

  • Read the error messages

  • Use Nmap to test ports (http://nmap.org)

    • nmap.exe –p5985,5986 server.domain.com

  • Use netstat –aon to ensure port is listening



  • Missing Service Principal Name (SPN) causes CredSSP connections to fail

  • Windows Firewall prevents communication (TCP 5985)

  • Windows Remote Management (WinRM) Listeners are empty in GPO configuration

  • SSL Certificate is expired or has mismatched DNS name in Subject Name field

  • Mismatching certificate thumbprints for WinRM“Service” and “Listener” configurations

    • Get-ChildItem -Path wsman:\localhost\Listeners\<HTTPSListener>;

    • Get-ChildItem –Path wsman:\localhost\service;

    • Remove-Item –Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Wsman\Listener\*+HTTPS:certThumbprint

  • Restart PowerShell after Enable-WSManCredSSP -Role Client;

  • Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevents the WinRM service from reading the SSL certificate

  • Windows 2008: Missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)

  • Use FQDN to connect to remote system with CredSSP or SSL

  • Certificate Revocation List (CRL) is outdated

    • Fix with: certutil.exe –CRL



  • Starting a remote session from within a remote session

  • Interactive command-line utilities don’t work well under remotingsessions

    • diskpart

    • nslookup

    • psexec

  • CredSSP is required to access network resources from a remote session

Built in variables

Built-in Variables

  • $PSSenderInfo – Use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)

  • $PSSessionOption – A preference variable that allows you to set the default remote session options

Powershell remoting in the enterprise


  • Login