How to Enable PowerShell Remoting in Windows 10

Unlike in Windows Server, PowerShell Remoting isn’t enabled by default in Windows 10. PowerShell Remoting uses a secure management protocol (WSMan) for connecting to and managing remote devices. In its default configuration, PowerShell Remoting secures traffic over HTTP. It’s primarily designed to be used in an Active Directory (AD) environment, which protects the authentication phase using a secure channel between devices and Kerberos.

You can optionally configure PowerShell Remoting to use HTTPS for securing connections to workgroup computers, i.e. devices not joined to AD. Regardless of which transport protocol you choose to use, communication between devices is always encrypted after the authentication phase.

HTTPS vs SSH

HTTPS is a pain to configure because it requires IT to acquire, provision, and manage certificates. To solve this problem, Microsoft introduced the ability to use SSH for PowerShell Remoting in PowerShell Core (PowerShell version 6 or higher). Older versions of PowerShell, including the version that is installed by default in Windows, are known as Windows PowerShell.

If you are managing AD domain-joined devices and you have direct network connectivity, either because you are connected to the same physical network or have a VPN configured for ‘manage out’ scenarios, then PowerShell Remoting over HTTP should work just fine. And it may be the easiest and best option. But if your goal is to manage remote devices that are disconnected from your management network, regardless of whether they are AD domain-joined, SSH is easier to set up and maintain than HTTPS.

PowerShell Remoting using HTTP

In this article, I’m going to show you how to enable PowerShell Remoting in Windows 10 using the default transport protocol, HTTP. We will also assume that the remote device is joined to your AD domain. In a future article, I will show you how to set up PowerShell Remoting using SSH in PowerShell 6.

Log in to the computer on which you want to enable PowerShell Remoting and then start a PowerShell session with administrator privileges:

  • In the search box on the taskbar, type powershell and in the search results, click the arrow (>) to the right of Windows PowerShell. In the options on the right, click Run as Administrator. You may be prompted to enter administrator credentials or give consent to run PowerShell.
How to Enable PowerShell Remoting in Windows 10 (Image Credit: Russell Smith)

  • In the PowerShell window, type Get-NetConnectionProfile and press ENTER. We need to check that the network connection profile is set to Private or DomainAuthenticated before enabling PowerShell Remoting.
  • If NetworkCategory isn’t set to Private or DomainAuthenticated, you can set it to Private using the following command:

Set-NetConnectionProfile -NetworkCategory Private

  • Now we can enable PowerShell Remoting using the following command:

Enable-PSRemoting -Force


According to Microsoft’s website, when you run Enable-PSRemoting it performs the following tasks:

  • Starts the WinRM service
  • Sets the startup type on the WinRM service to Automatic
  • Creates a listener to accept requests on any IP address
  • Enables a firewall exception for WS-Management communications
  • Registers the Microsoft.PowerShell and Microsoft.PowerShell.Workflow session configurations, if they are not already registered
  • Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered
  • Enables all session configurations
  • Changes the security descriptor of all session configurations to allow remote access
  • Restarts the WinRM service to make the preceding changes effective
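
To confirm the tasks listed above actually took effect, the following read-only checks can be run in an elevated Windows PowerShell session on the computer you just configured. This is an added example, not part of the original article or Microsoft's documentation; it only reads state and changes nothing.

```powershell
# Added example: read-only checks of the state Enable-PSRemoting leaves behind.

# WinRM service: expect Status = Running and StartType = Automatic.
Get-Service -Name WinRM | Select-Object Name, Status, StartType

# Listeners: each listener is a container under WSMan:\localhost\Listener whose
# child items hold its settings. The default HTTP listener reports
# Address = * (any IP address) and Port = 5985.
Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $listener = $_
    $props = @{}
    Get-ChildItem -Path $listener.PSPath | ForEach-Object {
        $props[$_.Name] = $_.Value
    }
    [pscustomobject]@{
        Listener  = $listener.Name
        Transport = $props['Transport']
        Address   = $props['Address']
        Port      = $props['Port']
        Enabled   = $props['Enabled']
    }
} | Format-Table -AutoSize

# Session configurations: which endpoints are registered and which accounts
# the security descriptor allows to connect remotely (Permission column).
Get-PSSessionConfiguration |
    Select-Object Name, PSVersion, Permission |
    Format-List
```

The Permission column is the one to review: it shows which groups the changed security descriptors allow to open a remote session on each endpoint.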

And that is it! Now you should be able to connect to the device from a management workstation using PowerShell Remoting, providing that you are physically located on the same network or you have a VPN configured for ‘manage out’ scenarios.

For more information on how to connect to devices using PowerShell Remoting, check out PowerShell Remoting Basics on Petri.

Enabling PowerShell Remoting on public networks

Running Enable-PSRemoting turns on a default Windows Firewall rule called Windows Remote Management (HTTP-In). It opens inbound HTTP access on port 5985 for Domain and Private network connection profiles. It is possible to add the -SkipNetworkProfileCheck parameter to Enable-PSRemoting if you want to turn on PowerShell Remoting for use with Public network connection profiles.

By default, -SkipNetworkProfileCheck configures Windows Firewall to allow remote connections from devices on public networks in the same local subnet. If you want to allow connections from devices on public networks from any location, you’ll need to modify the WINRM-HTTP-In-TCP firewall rule using Set-NetFirewallRule as shown below.

Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
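
Before or after changing the rule, it is worth checking how far each WinRM firewall rule actually reaches. The following is an added example, not from the original article; the wildcard rule-name pattern and the 192.0.2.0/24 management subnet are assumptions for illustration, and the only command that changes anything is left commented out.

```powershell
# Added example: report the profile and remote-address scope of the built-in
# WinRM HTTP rules. The wildcard also matches sibling rules whose names begin
# with the rule name used in this article.
$report = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name          = $_.Name
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress -join ','
    }
}
$report | Format-Table -AutoSize

# Flag the widest exposure: an enabled rule that applies to the Public profile
# (or to every profile) and accepts connections from any remote address.
$report | Where-Object {
    $_.Enabled -eq 'True' -and
    "$($_.Profile)" -match 'Public|Any' -and
    $_.RemoteAddress -eq 'Any'
} | ForEach-Object {
    Write-Warning "$($_.Name) accepts WinRM from any address on a Public network"
}

# Narrower alternative to -RemoteAddress Any: list only the management hosts
# or subnet that need access. 192.0.2.0/24 is a placeholder (documentation
# range); substitute your own before uncommenting.
# Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress '192.0.2.0/24'
```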

PowerShell Remoting is better for managing servers

If you need to manage a small number of client devices, PowerShell Remoting might be an option for your organization. But it is better suited to managing servers because they are static, always available, and they are typically connected directly to your management network and devices.

In contrast, client devices are not always available, and they may connect from different networks and different types of network connection. Services designed for managing endpoints, like Microsoft Intune and Microsoft Endpoint Configuration Manager, allow devices to connect when they come online and regardless of their network location. Microsoft Endpoint Manager helps to ensure that devices are always configured according to company policy without having to wait for an engineer to connect via PowerShell Remoting.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.