Summary: Understanding Windows PowerShell remote management.

Weekend Scripter: Enabling Windows remote management

Microsoft Scripting Guy, Ed Wilson, is here. Today I thought I would share a portion of my new Windows PowerShell 3.0 Step by Step book published by Microsoft Press. This book is available for pre-order now.

WinRM – Windows Remote Management

Windows Server 2012 installs with WinRM configured and running to support remote Windows PowerShell commands. WinRM is Microsoft's implementation of the industry-standard WS-Management Protocol. As such, WinRM provides a firewall-friendly method of accessing remote systems in an interoperable manner. It is the remoting mechanism used by the new CIM cmdlets. As soon as Windows Server 2012 is up and running, you can make a remote connection and run commands, or open an interactive Windows PowerShell console. A Windows 8 client, on the other hand, ships with WinRM locked down. Therefore, the first step is to use the Enable-PSRemoting function to configure WinRM. When you run the Enable-PSRemoting function, the following steps occur.

1. Starts or restarts the WinRM service.
2. Sets the WinRM service startup type to Automatic.
3. Creates a listener to accept requests from any Internet Protocol address.
4. Enables inbound firewall exceptions for WS-Man traffic.
5. Sets a target listener named Microsoft.powershell.
6. Sets a target listener named Microsoft.powershell.workflow.
7. Sets a target listener named Microsoft.powershell32.

During each step of this process, the function prompts you to agree or not to performing the specified action. If you are familiar with the steps the function performs, and you do not make any changes from the defaults, you can run the command with the -Force switch parameter, and it will not prompt prior to making the changes. The syntax of this command appears here.

Enable-PSRemoting -Force

The use of the Enable-PSRemoting function in interactive mode appears here, along with all associated output from the command.

PS C:\> Enable-PSRemoting

WinRM Quick Configuration 
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote Management (WinRM) service. This includes: 

1. Starting or restarting (if already started) the WinRM service 
2. Setting the WinRM service startup type to Automatic 
3. Creating a listener to accept requests on any IP address 
4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).
Do you want to continue? 
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help 
(default is "Y"):y 
WinRM has been updated to receive requests. 
WinRM service type changed successfully. 
WinRM service started. 
WinRM has been updated for remote management. 
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled. 
Confirm 
Are you sure you want to perform this action? 
Performing operation "Set-PSSessionConfiguration" on Target "Name: 
microsoft.powershell SDDL: 
O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD). This will 
allow selected users to remotely run Windows PowerShell commands on this computer". 
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help 
(default is "Y"):y 
Confirm 
Are you sure you want to perform this action? 
Performing operation "Set-PSSessionConfiguration" on Target "Name: 
microsoft.powershell.workflow SDDL: 
O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD). This will 
allow selected users to remotely run Windows PowerShell commands on this computer". 
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help 
(default is "Y"):y 
Confirm 
Are you sure you want to perform this action? 
Performing operation "Set-PSSessionConfiguration" on Target "Name: 
microsoft.powershell32 SDDL: 
O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD). This will 
allow selected users to remotely run Windows PowerShell commands on this computer". 
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help 
(default is "Y"):y 
PS C:\>
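To review what those steps left behind on a machine, the following added example (not part of the book excerpt) reads back the service state, the listeners, the firewall rules, and the access list of each session configuration, and decodes the SDDL string shown in the output above. It assumes an elevated prompt on Windows 8 or Windows Server 2012 or later and an English firewall group name; Get-SddlAccess is a hypothetical helper name.

```powershell
# Added example: review what Enable-PSRemoting changed. Run from an elevated prompt.

# Hypothetical helper: decode the discretionary ACL of an SDDL string.
function Get-SddlAccess {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID cannot be resolved on this machine
        [pscustomobject]@{
            Principal = $name
            Type      = $ace.AceQualifier              # AccessAllowed or AccessDenied
            Mask      = '0x{0:X8}' -f $ace.AccessMask  # GA (generic all) is 0x10000000
        }
    }
}

# Steps 1-2: service state and startup type.
Get-CimInstance Win32_Service -Filter "Name='WinRM'" |
    Select-Object Name, State, StartMode

# Step 3: listeners. Transport HTTP with Address * is the listener on any IP address.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Address, Port, Enabled, ListeningOn

# Step 4: firewall rules in the WinRM group and the remote addresses each admits.
# Assumption: English display group name.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }

# Steps 5-7: who may connect to each session configuration.
Get-PSSessionConfiguration | Where-Object SecurityDescriptorSddl | ForEach-Object {
    $cfg = $_
    Get-SddlAccess -Sddl $cfg.SecurityDescriptorSddl |
        Select-Object @{ n = 'Configuration'; e = { $cfg.Name } }, Principal, Type, Mask
}

# The SDDL string from the Enable-PSRemoting output above, decoded the same way.
# BA is the built-in Administrators group; RM is the Remote Management Users group.
Get-SddlAccess -Sddl 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
```

Any principal beyond those two groups in the session-configuration output, or a firewall rule whose RemoteAddress is Any on the Public profile, is worth a second look.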

Once configured, use the Test-WSMan cmdlet to ensure that the WinRM remoting is properly configured and is accepting requests. A properly configured system replies with the information appearing here.

PS C:\> Test-WSMan -ComputerName w8c504 
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd 
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd 
ProductVendor : Microsoft Corporation 
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0

This cmdlet works with Windows PowerShell 2.0 remoting as well. The output appearing here is from a domain controller running Windows Server 2008 with Windows PowerShell 2.0 installed and WinRM configured for remote access.

PS C:\> Test-WSMan -ComputerName dc1
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 2.0

If WinRM is not configured, an error returns from the system. Such an error from a Windows 8 client appears here.

PS C:\> Test-WSMan -ComputerName w8c10 
Test-WSMan : <f:WSManFault 
xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" 
Machine="w8c504.iammred.net"><f:Message>WinRM cannot complete the operation. Verify 
that the specified computer name is valid, that the computer is accessible over the 
network, and that a firewall exception for the WinRM service is enabled and allows 
access from this computer. By default, the WinRM firewall exception for public 
profiles limits access to remote computers within the same local subnet. 
</f:Message></f:WSManFault> 
At line:1 char:1 
+ Test-WSMan -ComputerName w8c10 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
+ CategoryInfo : InvalidOperation: (w8c10:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

Keep in mind that configuring WinRM via the Enable-PSRemoting function does not enable the Remote Management firewall exception, and therefore PING commands will not work by default when pinging a Windows 8 client system. This appears here.

PS C:\> ping w8c504 
Pinging w8c504.iammred.net [192.168.0.56] with 32 bytes of data: 
Request timed out. 
Request timed out. 
Request timed out. 
Request timed out. 
Ping statistics for 192.168.0.56: 
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss).

Pings to a Windows Server 2012 computer do, however, work. This appears here.

PS C:\> ping w8s504 
Pinging w8s504.iammred.net [192.168.0.57] with 32 bytes of data: 
Reply from 192.168.0.57: bytes=32 time<1ms TTL=128 
Reply from 192.168.0.57: bytes=32 time<1ms TTL=128 
Reply from 192.168.0.57: bytes=32 time<1ms TTL=128 
Reply from 192.168.0.57: bytes=32 time<1ms TTL=128 
Ping statistics for 192.168.0.57: 
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Well, that is about it for understanding and enabling WinRM. Join me tomorrow as I bring another excerpt from my new Windows PowerShell 3.0 Step by Step book.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy