Much appreciated! Just something to note about that registry key on that website: the website is down. I had to manually type it in LOL.
Thanks I need to update it. The new location for that site is btpssecpack.osbornepro.com/en/latest/#configure-winrm-over-https
Thank you your video helped so much :)
Thanks for watching! Glad it helped!
Nice. Thank you!
Thanks for watching!
You skipped New > Certificate Template to Issue under Certsrv after creating the template.
One other thing - maybe you go into it in another place - is that for large deployments, it's not realistic to run that command on every system... I'll check out your site though, you obviously know your stuff so I imagine you address it through some sort of a script option with a gpo or similar =)
Thanks for watching! The client certificate gets distributed to the machines automagically through the group policy we set up.
As long as there are no other certificates that fit the requirements, the WinRM certificate is assigned automatically to port 5986. If that is not the case, however, you may need to utilize a startup script like this to ensure the correct recent certificate is assigned:
New-Item -Path "$env:TEMP\Script\Logs" -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Try { Start-Transcript -Path "$env:TEMP\Script\Logs\PSTranscript_WinRM_Config.txt" -Append -ErrorAction SilentlyContinue } Catch { Write-Output -InputObject "[*] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Transcript already logging session" }
Write-Output -InputObject "[*] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Begin script execution"
$ScriptResult = "Successfully"
$Icon = "*"
$Today = Get-Date
$RootCA = "$env:USERDOMAIN-CA01-CA"   # Issuing CA name; informational only, not used by the listener commands below
$WinRMCertTemplateName = "WinRM over HTTPS"
$FQDN = ([System.Net.Dns]::GetHostByName(($env:COMPUTERNAME))).Hostname
# Pick the newest unexpired machine certificate issued from the WinRM template.
# The template name is read from the "Certificate Template Information" extension text.
$WinRMCertificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object -FilterScript {
    $_.NotAfter -gt $Today -and (($_.Extensions | ForEach-Object { $_.Format(0) }) -match $WinRMCertTemplateName)
} | Sort-Object -Property NotBefore -Descending | Select-Object -First 1
$Thumbprint = $WinRMCertificate.Thumbprint
$CurrentListener = Get-ChildItem -Path WSMAN:\Localhost\Listener | Where-Object -Property Keys -like "Transport=HTTPS"
If (-not $Thumbprint) {
    # No usable certificate: leave any existing listener alone and report the failure
    Write-Output -InputObject "[x] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') FAILED to retrieve a certificate to assign to port 5986"
    $ScriptResult = "in Failure"
    $Icon = "x"
} Else {
    If ($CurrentListener) {
        # Replace the existing HTTPS listener so it picks up the current certificate
        Write-Output -InputObject "[*] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Deleting the current WinRM over HTTPS Listener"
        $CurrentListener | Remove-Item -Recurse -Force
    } # End If
    Write-Output -InputObject "[*] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Configuring WinRM over HTTPS listener to use certificate $Thumbprint"
    # Hostname must match the name in the certificate, so the machine FQDN is used
    New-WSManInstance -ResourceURI WinRM/Config/Listener -SelectorSet @{Address="*"; Transport="HTTPS"} -ValueSet @{Hostname=$FQDN; CertificateThumbprint=$Thumbprint}
} # End If Else
Write-Output -InputObject "[$Icon] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Script execution ended $ScriptResult"
Stop-Transcript -ErrorAction SilentlyContinue
If it helps, I have some more info on the setup here:
btpssecpack.osbornepro.com/en/latest/index.html#useful-winrm-info-and-commands-to-know
Hi, I don't understand what the registry key is for. Can you elaborate?
The registry key has to do with how unidentified networks are handled. There is a Microsoft article on it here: support.microsoft.com/en-us/topic/windows-7-network-connections-are-stuck-in-public-mode-bc3eb261-ae89-d913-9814-6c660f69eb70
The registry setting ensures that if a network is unidentified, it is categorized as public.
www.sevenforums.com/tutorials/71408-unidentified-networks-set-private-public.html
Hi, what I don't understand is: does the GPO only need to be linked to the DCs?
Thanks for watching! I apologize for the late response. The GPOs you configured on the Domain Controllers should be pushed out/linked to the client computers in your environment. The settings are used to trust the Root CA certificate, assign certificates to the clients' listening port 5986, open the firewall to allow traffic on 5986, start the WinRM service automatically, and perform filtering to allow the IP address ranges you define to reach each other. If it helps for copying and pasting, I have included the same info from the video here: btpssecpack.osbornepro.com/en/latest/#configure-winrm-over-https
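The two replies above describe what the startup script and the GPOs are meant to leave behind on a client: an HTTPS listener on 5986 bound to a certificate from the "WinRM over HTTPS" template, a trusted chain to the Root CA, an inbound firewall rule for 5986, and the WinRM service set to start automatically. The audit below is an added example, not the video author's script and not part of the BTPS Security Package; it reads those settings back on a client and reports which ones match. The template name and port come from the thread; the function names and the pass/fail object layout are constructed for this example. Run it in an elevated PowerShell session on a client after a gpupdate, and treat any Pass = False row as the thing to fix.

```powershell
# Added audit (not from the thread's author): verify a client's WinRM over HTTPS posture.
# Assumed from the thread: template "WinRM over HTTPS" and listener port 5986.
$WinRMCertTemplateName = "WinRM over HTTPS"
$WinRMHttpsPort        = 5986

function New-CheckResult ([string]$Check, [bool]$Pass, [string]$Detail) {
    [PSCustomObject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Get-WinRMHttpsListenerStatus {
    # Find the HTTPS listener and the certificate it is bound to
    $Listener = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object -Property Keys -like "Transport=HTTPS" | Select-Object -First 1
    if (-not $Listener) {
        return New-CheckResult "HTTPS listener" $false "No listener with Transport=HTTPS"
    }
    $Props      = Get-ChildItem -Path "WSMan:\localhost\Listener\$($Listener.Name)"
    $Thumbprint = (($Props | Where-Object -Property Name -eq "CertificateThumbprint").Value) -replace '\s', ''
    $Port       = ($Props | Where-Object -Property Name -eq "Port").Value
    $Cert       = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $Cert) {
        return New-CheckResult "HTTPS listener" $false "Bound certificate $Thumbprint is not in LocalMachine\My"
    }
    $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # Template name appears in the text of the "Certificate Template Information" extension
    $FromTemplate = [bool](($Cert.Extensions | ForEach-Object { $_.Format($false) }) -match [regex]::Escape($WinRMCertTemplateName))
    # GetNameInfo returns the first DNS name (SAN first, then CN); enough for a machine certificate
    $CertDnsName  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    New-CheckResult "Listener port"        ($Port -eq "$WinRMHttpsPort") "Listener port is $Port"
    New-CheckResult "Certificate template" $FromTemplate                 "Thumbprint $Thumbprint"
    New-CheckResult "Certificate validity" ($Cert.NotAfter -gt (Get-Date)) "Expires $($Cert.NotAfter)"
    New-CheckResult "Certificate hostname" ($CertDnsName -eq $Fqdn)        "Cert name $CertDnsName, machine $Fqdn"
    # Verify() builds the chain against LocalMachine\Root, so this also proves the Root CA GPO applied
    New-CheckResult "Chain to trusted root" ($Cert.Verify())               "Issuer $($Cert.Issuer)"
}

function Get-WinRMServiceAndFirewallStatus {
    $Svc = Get-Service -Name WinRM
    New-CheckResult "WinRM service startup" ($Svc.StartType -eq 'Automatic') "StartType $($Svc.StartType)"
    New-CheckResult "WinRM service running" ($Svc.Status -eq 'Running')      "Status $($Svc.Status)"

    # Enabled inbound allow rules whose port filter includes the HTTPS port
    $Rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$WinRMHttpsPort" }
    if ($Rules) {
        # Report the remote scope so the IP-range filtering from the GPO can be eyeballed
        $Scopes = ($Rules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }) -join ', '
        New-CheckResult "Firewall $WinRMHttpsPort" $true "Rule(s): $($Rules.DisplayName -join ', '); remote scope: $Scopes"
    } else {
        New-CheckResult "Firewall $WinRMHttpsPort" $false "No enabled inbound allow rule for TCP $WinRMHttpsPort"
    }
}

function Invoke-WinRMHttpsAudit {
    $Results = @(Get-WinRMHttpsListenerStatus) + @(Get-WinRMServiceAndFirewallStatus)
    $Results | Format-Table -AutoSize | Out-String | Write-Output
    return ($Results.Pass -notcontains $false)
}

if (-not (Invoke-WinRMHttpsAudit)) { exit 1 }
```

The chain check relies on the bound certificate verifying against the machine's Root store, so a failure there points at the Root CA trust GPO rather than the listener itself; the firewall row only confirms an allow rule exists and prints its remote address scope, because which ranges are correct is a decision the thread leaves to the administrator.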