Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / PowerShell / Configure PowerShell Remoting (WinRM) for Non-Domain (Workgroup) Computers

February 3, 2023 PowerShellWindows 10Windows Server 2019

Configure PowerShell Remoting (WinRM) for Non-Domain (Workgroup) Computers

PowerShell Remoting is a great tool that allows you to connect and run commands on remote computers via WinRM. If computers are joined to the Active Directory domain, then PSRemoting uses Kerberos to authenticate to remote hosts. However, if your computers are in a workgroup, you will have to use NTLM (TrustedHosts) or SSL certificates for authentication. Let’s look at how to configure and use PSRemoting (WinRM) in a Workgroup (Non-Domain) environment.

In this example, there are two hosts in a Windows workgroup:

  • Administrator workstation — 192.168.13.100
  • User’s computer — 192.168.13.222

Our task is to connect to the user’s computer remotely via PowerShell Remoting.

The first step is to enable and configure WinRM on the remote host. You will have to enable WinRM locally or remotely (for example, using RDP, psexec, or GPO).

Make sure that the WinRM service is running on the target user computer:

Get-Service -Name "*WinRM*" | select status

If the service is not running, enable it:

Enable-PSRemoting

WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.
WinRM has been updated for remote management.
WinRM firewall exception enabled.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

enable psremoting (winrm) on a workgroup computer

As you can see, the LocalAccountTokenFilterPolicy UAC option is automatically enabled to allow remote access under administrator accounts.

If the Public type of network connection is set on a computer, you will see the following error when enabling WinRM:

Set-WSManQuickConfig : ... WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Change the network type to Private (Set-NetConnectionProfile -NetworkCategory Private) or run the command below:

Enable-PSRemoting –SkipNetworkProfileCheck

Open the port TCP/5985 in Windows Defender Firewall to connect to WinRM. The easiest way is to open a Windows Firewall port using PowerShell. In this example, we will open the remote access only for the IP address of the administrator’s computer (more secure), but you can open it for everyone (specify Any instead of an IP address):

Set-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -RemoteAddress 192.168.13.100
Enable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"

On the administrator computer, make sure that the user’s computer now accepts remote connections via PSRemoting:

Test-NetConnection 192.168.13.222 –Port 5985
Test-WsMan 192.168.13.222

Test-WsMan - test WinRM connectivity via PowerShell

However, if you try to connect to a user computer remotely using the Invoke-Command or Enter-PSSession cmdlets, the following error appears:

Enter-PSSession 192.168.13.222

Enter-PSSession : Connecting to remote server 192.168.13.222 failed with the following error message: The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. PSRemotingTransportException.

The WinRM HTTP Listener on the remote computer only allows connection with Kerberos authentication.

Get-ChildItem -Path WSMan:\localhost\Service\Auth\

WSMan authentication types - kerberos and negotiate

In order to use Negotiate authentication with NTLM, your computer must trust the remote computer. In a domain, this is achieved using Kerberos, while in a workgroup environment, you’ll have to add the computer’s IP addresses to TrustedHosts.

Add a user computer to TrustedHosts on the administrator’s computer (you can do it using its IP address or FQDN):

Set-Item wsman:\localhost\client\TrustedHosts -Value 192.168.13.222 -Force

List computers in TrustedHosts:

get-Item WSMan:\localhost\Client\TrustedHosts

To clear the TrustedHosts list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "" –Force

To add a new computer to the TrustedHosts list, use the -Concatenate option:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.13.200 -Concatenate

You can also allow remote connection to all computers (usually, it is not recommended as one of the major disadvantages of NTLM authentication is vulnerable to various malicious attacks).

Set-Item wsman:\localhost\Client\TrustedHosts -value *

Then try to connect to the remote computer over PSRemoting:

Enter-PSSession -ComputerName 192.168.13.222 -Credential 192.168.13.222\root

Enter the remote computer’s administrator password and make sure that the connection has been established successfully (the hostname or the IP address of the remote computer is displayed in the PowerShell prompt).

enter-pssession on a workgroup computer

Now you can execute commands and scripts on remote workgroup computers using the Invoke-Command. For example, restart a computer remotely:

Invoke-Command -ComputerName 192.168.13.222 -Credential 192.168.13.222\root –ScriptBlock {Restart-Computer}

Or run a PowerShell script:

Invoke-Command -ComputerName 192.168.13.222 -Credential 192.168.13.222\root -FilePath c:\Scripts\GetComputerInfo.ps1

In WinRM, you can also use HTTPS to connect to remote computers. To do it, you need to issue an SSL certificate on a remote computer and import it to the administrator’s computer. In this case, you don’t need to add the remote computer IP address to the TrustedHosts list. Learn more about how to configure PowerShell Remoting (WinRM) over HTTPS.

Note that in order to authenticate on a remote computer, you must enter a user password using the –Credential option. If you have many computers in your network with different local admin passwords, it is convenient to store connection passwords in a vault. It may be either a Windows Credential Manager password vault or an external store, like KeePass, LastPass, HashiCorp Vault, Azure Key Vault, or Bitwarden.

You can use the PowerShell Secret Management module to access saved passwords in such a vault. Now, in order to connect to a remote computer via PSRemoting, it is enough to:

  1. Save a connection password, for example, to Credential Manager: cmdkey /add:192.168.13.222 /user:root /pass:Password1
  2. Get the name and the password from the vault using the CredentialManager module: $psCred = Get-StoredCredential -Target "192.168.13.222"
  3. Connect to the remote computer using PSRemoting and the saved password: Enter-PSSession -ComputerName 192.168.13.222 -Credential $psCred
If you store passwords in another vault type, use Microsoft.PowerShell.SecretManagement module to get the saved credentials.

In new PowerShell versions (v6 or v7), you can use the Secure Shell (SSH) protocol to connect to a remote computer via PowerShell Remoting. To do this, the built-in SSH server must be enabled in Windows. You can even authenticate to Windows using an SSH key:

Enter-PSSession -HostName [email protected]:22 -KeyFilePath c:\PS\your_rsa_key

By default, WinRM allows remote connection to administrators only. However, you can allow remote access using PSRemoting for non-admin users.

1 comment
2
Facebook Twitter Google + Pinterest
previous post
How to Run Multiple Commands in One Line in PowerShell and CMD
next post
Fix: Group Policy Processing Error in Windows

Related Reading

How to Connect VPN Before Windows Logon

November 14, 2023

Using WPAD (Web Proxy Auto-Discovery Protocol) on Windows

November 7, 2023

Send Emails with Microsoft Graph API and PowerShell

November 6, 2023

Zabbix: How to Get Data from PowerShell Scripts

October 27, 2023

Tracking Printer Usage with Windows Event Viewer Logs

October 19, 2023

1 comment

Savas July 11, 2023 - 5:37 pm

Excellent article. It’s critical to get the trusted hosts list set up properly and also the firewall config to open the port at the receiver.
This saved me a ton of work, thanks again!

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • How to Connect VPN Before Windows Logon

    November 14, 2023
  • Removing Azure Arc Setup Feature on Windows Server 2022

    November 9, 2023
  • Using WPAD (Web Proxy Auto-Discovery Protocol) on Windows

    November 7, 2023
  • Send Emails with Microsoft Graph API and PowerShell

    November 6, 2023
  • Zabbix: How to Get Data from PowerShell Scripts

    October 27, 2023
  • Tracking Printer Usage with Windows Event Viewer Logs

    October 19, 2023
  • PowerShell: Configure Certificate-Based Authentication for Exchange Online (Azure)

    October 15, 2023
  • Reset Root Password in VMware ESXi

    October 12, 2023
  • How to Query and Change Teams User Presence Status with PowerShell

    October 8, 2023
  • How to Increase Size of Disk Partition in Ubuntu

    October 5, 2023

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Fix: Remote Desktop Licensing Mode is not Configured
  • Manage Windows Updates with PSWindowsUpdate PowerShell Module
  • Configuring Port Forwarding in Windows
  • Start Menu or Taskbar Search Not Working in Windows 10/11
  • How to Install Remote Server Administration Tools (RSAT) on Windows
  • How to Delete Old User Profiles in Windows
  • Get-ADUser: Find Active Directory User Info with PowerShell
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top