Setting up PowerShell Remoting (Server 2012 R2)

By | 9 December, 2013

Bit of an experiment, this one. I wanted to set up a Windows Server 2012 R2 instance, not hooked up to Active Directory (so just in a workgroup), with a self-signed certificate (mainly because I couldn’t be bothered to set up a full certificate chain).

** WARNING: This process shouldn’t be used to open up PowerShell remoting on production servers. The same commands would be used, but proper certificates should be obtained, and a good security model should be adopted in which remoting ports aren’t allowed out onto the internet **

Took a few attempts, but here is the process.

1) Create a self signed certificate.

Fortunately for me, I use Visual Studio to do bits of programming and this allows the use of makecert.exe. It’s a Microsoft utility that was created so that developers can test out what to do when signing code or see how an IIS site acts under https://

If you’re having trouble finding it, launch a cmd.exe window from the Visual Studio tools folder (mine’s labelled: VS2013 x86 Native Tools Command Prompt) and it should be in your path. I copied it to my test server to run it from there, as the certificate it generated couldn’t be exported with the private key.

There are other ways to get hold of it (download the Windows DDK for example).

To create a self signed certificate, run the following from the command line:

      makecert -sk "192.168.1.97" -ss My -sr localMachine -r -n "CN=DUMBLEDORE,o=techfrontier.co.uk, L=WestYorks" -a sha1 -eku "1.3.6.1.5.5.7.3.1"

The CN is the name of my server. O is my Organization (so technically could be anything). The -eku specifies that the extended key usage of the certificate is to secure server communications. (Command should be one line). The -sk would be the domain that the machine is joined to, if it was in a domain. Since this is a workgroup server, I’ve just put the IP in.

If you want to see it in the certificate store (so you can grab the thumbprint of the certificate for later, for example), type the following in PowerShell:

  ls cert:\localmachine\My

2) Configure the WinRM service

First we need to get the WinRM service going…

      WinRM quickconfig

For this example, I’m going to accept the defaults.

3) Assign the certificate to the WinRM service

Now this was the tricky bit to work out. To allow secure communication between client and server we want to redirect all remote PowerShell interactions over HTTPS (hence we need a certificate).

      winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="DUMBLEDORE";CertificateThumbprint="AEF23A9876C2E408A07CF0F44D4069B22D7B0097"}

This command is all one line. It creates a WinRM listener for the hostname specified, using the certificate thumbprint we found earlier. It’s set to listen on all IPs on the server, and you can add a ;Port="xxxx" if you want to narrow down the scope of the service.

I’ve read on the internet that it’s probably a good idea to run this command through cmd.exe rather than PowerShell.

If you see any errors, check the spaces between the @ sign and HTTPS (that was where I went wrong last night), and that the certificate was created with the correct eku string.

 4) How do I connect from a client?

 Assuming you got this far, the final step should be to try and connect to the server from a client. So from a PowerShell window:

      $so = New-PsSessionOption -SkipCACheck
      etsn -cn Dumbledore -Credential dumbledore\administrator -UseSSL -SessionOption $so

 (That’s two separate commands by the way…)

I made this into a scriptlet to save me from typing it over and over again… and that’s it. Here’s a generic scriptlet that takes the server name as an argument:

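      # Take the server name from the first argument, or prompt for it
      $serverName = $args[0]
      if ([string]::IsNullOrEmpty($serverName)) {$serverName = Read-Host "Which server?"}
      # Skip CA validation because the server certificate is self-signed
      $so = New-PsSessionOption -SkipCACheck
      etsn -cn $serverName -Credential "$serverName\administrator" -UseSSL -SessionOption $so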
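
The client commands above pass -SkipCACheck, so the client accepts any certificate that carries the right name. An alternative for a lab like this one, shown as an added example that is not from the original post: export the public certificate from the server, check its thumbprint on the client, and trust that one certificate so the connection validates in full. The function names, file paths and the thumbprint placeholder are hypothetical.

```powershell
# Added example (not from the original post); function names and paths are hypothetical.

# Server side, elevated: export only the public certificate used by the HTTPS listener.
function Export-ListenerCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # as listed by: ls cert:\localmachine\My
        [Parameter(Mandatory)] [string] $OutFile      # full path for the .cer file
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    # Export-Certificate writes the public certificate only, never the private key.
    Export-Certificate -Cert $cert -FilePath $OutFile | Out-Null
    return $cert.Thumbprint
}

# Client side, elevated: trust that single certificate, then connect without -SkipCACheck.
function Enter-TrustedSession {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $CertFile,            # full path to the copied .cer file
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # read from the server console
    )
    # Refuse to trust the file unless it is the certificate we saw on the server.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file contains $($cert.Thumbprint)"
    }

    # A self-signed certificate is its own root, so it goes in the Root store.
    Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Stops here if the certificate chain or name does not validate over HTTPS.
    Test-WSMan -ComputerName $ServerName -UseSSL -ErrorAction Stop | Out-Null

    # Same connection as in the post, with certificate validation left on.
    Enter-PSSession -ComputerName $ServerName -Credential "$ServerName\administrator" -UseSSL
}

# Usage (hypothetical paths; substitute the thumbprint from step 1):
#   Server: Export-ListenerCertificate -Thumbprint '<thumbprint>' -OutFile C:\Temp\dumbledore.cer
#   Client: Enter-TrustedSession -ServerName DUMBLEDORE -CertFile C:\Temp\dumbledore.cer `
#               -ExpectedThumbprint '<thumbprint>'
```

The name passed as -ServerName has to match the CN in the certificate (DUMBLEDORE here), since name checking stays enabled.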
