Configure https for Windows Remote Management (WinRM) on Windows 2012 R2

Abstract: For security reasons you wish to configure Windows Remote Management (WinRM) on your Windows 2012 R2 OS to use an SSL certificate.

This is for example required if an the Microsoft SharePoint environment should be hardened and this action requires the following steps:

Preparation:

At first check if WinRM is already running via https. To do that open a powershell (run as admin) an enter:

Get-ChildItem WSMan:\localhost\Client\DefaultPorts

This will show the default configured ports like:

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client\DefaultPorts

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   HTTP                                           5985
System.String   HTTPS                                          5986

As you know the default/configured port now, you can check the function via telnet “telnet localhost 5986”.

Steps to implement WinHTTPS for WinRM:

1.) At first create an appropriate SSL certificate (you can use MMC and the Certificate Snapin to request that from your internal Microsoft CA). As friendly name you can choose “WinRM Certificate” or something which fits your company guidelines. As CN I used the full qualified hostname. Additional to that I added the IP address and the DNS names as an alias. The certificate usage must be “Server Authentication”.

2.) Once you have the needed certificate open a Windows Powershell (run as admin) and search for the thumbprint via:

Get-ChildItem -Path cert: -Recurse | select Subject, FriendlyName, Thumbprint | Format-List

or

Get-ChildItem -Path cert: -Recurse | select FriendlyName, Thumbprint | Format-List

or

Get-ChildItem -path cert:\LocalMachine\My

It will show the SSL certificates you have on your system. Make sure that you pick up the correct one and make a note from the thumbprint from the certifcate.

3.) Now run a CMD as admin and run:

 C:\Windows\system32>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=”server01.int.contoso.com”;CertificateThumbprint=”1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15″}

which will output something like:

ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS

Note: If you do the same action inside a powershell you will get an error like:

PS C:\Windows\system32> winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server01.int.contoso.com";CertificateThumbprint="1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15"}
Error: Invalid use of command line. Type "winrm -?" for help.

if you picked the wrong certificate here you can fix that via:

winrm set winrm/config/service @{CertificateThumbprint=”1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15″}

4.) If you have enabled the Windows OS firewall, you might need to create a rule for https WinRM via:

New-NetFirewallRule -DisplayName “Windows Remote Management (HTTPS-In)” -Name “Windows Remote Management (HTTPS-In)” -Profile Any -LocalPort 5986 -Protocol TCP

Created with the help from:
https://blogs.technet.microsoft.com/heyscriptingguy/2013/11/27/powertip-use-powershell-to-discover-certificate-thumbprints/
https://blogs.msdn.microsoft.com/wmi/2009/03/17/three-ways-to-configure-winrm-listeners/
https://support.microsoft.com/en-us/kb/2019527