PowerShell Remoting is a great tool that allows you to connect and execute commands on remote computers via WinRM. If the computers are in the same Active Directory domain, then PSRemoting uses Kerberos to authenticate to remote hosts. However, if your computers are in a workgroup, then you will need to use NTLM (TrustedHosts) or SSL certificates for authentication. In this article, we'll look at how to set up PSRemoting to connect remotely to a computer in a workgroup.
In our example, there are two hosts on the Windows workgroup-based LAN:
- Administrator Workstation - 192.168.13.100
- User computer - 192.168.13.222
Our task is to remotely connect to the user's computer via PowerShell Remoting.
The first step is to enable and configure WinRM on the remote computer. You can do this either locally on that computer or remotely (for example, via RDP or PsExec).
Verify that the WinRM service is running on the computer:
Get-Service -Name "*WinRM*" | select status
If the service is not running, start it:
Enable-PSRemoting
WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.
WinRM has been updated for remote management.
WinRM firewall exception enabled.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
As you can see, the LocalAccountTokenFilterPolicy UAC setting is automatically enabled to allow remote access under an account with administrator rights.
If the network connection on the computer is set to the Public network type, enabling WinRM fails with an error:
Set-WSManQuickConfig : ... WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
You need to change the network type to Private (Set-NetConnectionProfile -NetworkCategory Private), or use the command:
Enable-PSRemoting -SkipNetworkProfileCheck
Open a port (TCP 5985) to connect to WinRM in Windows Defender Firewall. The easiest way to open a port is with PowerShell. In this example, we will open remote access only for the IP address of the administrator's computer (more secure), but you can open it for everyone (specify Any instead of the IP address):
Set-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -RemoteAddress 192.168.13.100
Enable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"
From the administrator's computer, verify that the user's computer now allows remote connections through PSRemoting:
Test-NetConnection 192.168.13.222 -Port 5985
Test-WsMan 192.168.13.222
However, if you try to remotely connect to the user's computer using the Invoke-Command or Enter-PSSession commands, you will receive an error:
Enter-PSSession 192.168.13.222
Enter-PSSession : Connecting to remote server 192.168.13.222 failed with the following error message: The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. PSRemotingTransportException.
The WinRM HTTP Listener on the remote computer only allows connection through Kerberos authentication.
Get-ChildItem -Path WSMan:\localhost\Service\Auth\
For Negotiate NTLM authentication to work, your computer must be trusted by the remote computer. In a domain, this is achieved using Kerberos, and in a workgroup, you will have to add the computer's IP addresses to TrustedHosts.
Add the user's computer to TrustedHosts on the administrator's computer (can be added by IP address or FQDN):
Set-Item wsman:\localhost\client\TrustedHosts -Value 192.168.13.222 -Force
You can also allow remote connections to all computers (usually not recommended, because one of the main disadvantages of NTLM is that it does not authenticate the remote host):
Set-Item wsman:\localhost\Client\TrustedHosts -value *
- List computers in TrustedHosts:
Get-Item WSMan:\localhost\Client\TrustedHosts
- To clear the list of TrustedHosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "" -Force
- To add a new host to the TrustedHosts list, use the -Concatenate option:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.13.200 -Concatenate
Now try to connect to the remote computer via PSRemoting:
Enter-PSSession -ComputerName 192.168.13.222 -Credential 192.168.13.222\root
Enter the remote computer's administrator password and verify that the connection is successful (the PowerShell prompt now displays the name or IP of the remote computer).
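A stricter way to maintain the client-side TrustedHosts list described above, as an added example that is not part of the original article: it adds a host only if it is missing, rejects wildcard patterns and reports any wildcard entries already present. The function names Get-TrustedHostList and Add-TrustedHostEntry are made up for this example; run it in an elevated PowerShell session on the administrator's computer.

```powershell
# Added example (not from the original article). Function names are hypothetical.

function Get-TrustedHostList {
    # TrustedHosts is stored as one comma-separated string; split it into entries.
    $raw = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-TrustedHostEntry {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Refuse wildcard patterns: the client would then authenticate to any
    # matching host without verifying that host's identity.
    if ($ComputerName -match '\*') {
        throw "Wildcard entry '$ComputerName' rejected; list hosts explicitly."
    }
    # Skip hosts that are already listed so the value does not grow duplicates.
    if ((Get-TrustedHostList) -contains $ComputerName) {
        Write-Verbose "$ComputerName is already in TrustedHosts."
        return
    }
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $ComputerName -Concatenate -Force
}

# Report existing entries that trust more than a single named host.
$wildcards = Get-TrustedHostList | Where-Object { $_ -match '\*' }
if ($wildcards) {
    Write-Warning "TrustedHosts contains wildcard entries: $($wildcards -join ', ')"
}

Add-TrustedHostEntry -ComputerName 192.168.13.222
Get-TrustedHostList
```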
With Invoke-Command, you can execute commands on remote computers. For example, to perform a remote reboot of the computer:
Invoke-Command -ComputerName 192.168.13.222 -Credential 192.168.13.222\root -ScriptBlock {Restart-Computer}
Or run a PowerShell script:
Invoke-Command -ComputerName 192.168.13.222 -Credential 192.168.13.222\root -FilePath c:\PS\Scripts\GetComputerInfo.ps1
You can also use the HTTPS protocol in WinRM to connect to remote computers. To do this, you need to issue an SSL certificate on a remote computer and import it to the administrator's computer. In this case, you do not need to add the address of the remote computer to TrustedHosts.
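One way to carry out the HTTPS setup described above with a self-signed certificate, as an added example that is not part of the original article. It assumes the administrator's computer can resolve the user computer's name and that C:\PS exists on both machines; USER-PC, the firewall rule name and the winrm-https.cer file name are placeholders made up here.

```powershell
# Added example (not from the original article); elevated PowerShell required.

# --- On the user's computer (192.168.13.222) ---
# Issue a self-signed server certificate. Its subject must match the name
# the administrator later passes to -ComputerName.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
            -CertStoreLocation Cert:\LocalMachine\My

# Create the WinRM HTTPS listener (TCP 5986) bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbPrint $cert.Thumbprint -Force

# Allow TCP 5986 only from the administrator's workstation.
New-NetFirewallRule -DisplayName 'WinRM HTTPS from admin workstation' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress 192.168.13.100 -Action Allow

# Export the public certificate only (no private key), then copy the
# file to the administrator's computer.
Export-Certificate -Cert $cert -FilePath C:\PS\winrm-https.cer

# --- On the administrator's computer (192.168.13.100) ---
# Trust the certificate so the client can verify the server's identity.
Import-Certificate -FilePath C:\PS\winrm-https.cer `
                   -CertStoreLocation Cert:\LocalMachine\Root

# USER-PC is a placeholder for the name in the certificate subject.
Test-WSMan -ComputerName USER-PC -UseSSL
Enter-PSSession -ComputerName USER-PC -UseSSL -Credential USER-PC\root
```

Because the server proves its identity with the certificate, this connection needs no TrustedHosts entry on the administrator's computer.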
Note that to authenticate on a remote computer, you must specify the user's password to connect using the -Credential option. If you have many computers on your network and each of them uses a different local administrator password, it is convenient to store connection passwords in a vault. This can be either the local Windows Credential Manager or an external store such as KeePass, LastPass, HashiCorp Vault, Azure Key Vault or Bitwarden.
You can use the PowerShell Secret Management module to access stored passwords in such a vault. Now, to connect to a remote computer via PSRemoting, all you need to do is:
- Save the connection password, for example in Credential Manager: cmdkey /add:192.168.13.222 /user:root /pass:Password
- Get the name and password from the vault using the CredentialManager module: $psCred = Get-StoredCredential -Target "192.168.13.222"
- Connect to remote computer via PSRemoting with saved password: Enter-PSSession -ComputerName 192.168.13.222 -Credential $psCred
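The same store, retrieve and connect steps with the Microsoft.PowerShell.SecretManagement module, extended to one credential per computer, as an added example that is not part of the original article. It assumes the Microsoft.PowerShell.SecretStore extension as the local vault; the vault name WorkgroupAdmins is made up for this example.

```powershell
# Added example (not from the original article).

# One-time setup: install the modules and register a local encrypted vault.
# 'WorkgroupAdmins' is a hypothetical vault name.
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Scope CurrentUser
Register-SecretVault -Name WorkgroupAdmins -ModuleName Microsoft.PowerShell.SecretStore

# Store one credential per computer, keyed by its address. Get-Credential
# prompts for the password, so it never appears on a command line or in
# the shell history.
$computers = '192.168.13.222', '192.168.13.200'
foreach ($computer in $computers) {
    $cred = Get-Credential -UserName "$computer\root" -Message "Local admin for $computer"
    Set-Secret -Vault WorkgroupAdmins -Name $computer -Secret $cred
}

# Later: pull each computer's own credential from the vault and run a command.
foreach ($computer in $computers) {
    # A secret stored as a PSCredential is returned as a PSCredential.
    $cred = Get-Secret -Vault WorkgroupAdmins -Name $computer
    Invoke-Command -ComputerName $computer -Credential $cred -ScriptBlock {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        }
    }
}
```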
If you store passwords in another type of storage, use the Microsoft.PowerShell.SecretManagement module to retrieve the stored credentials.
In newer versions of PowerShell (v6 and v7), you can use the Secure Shell (SSH) protocol to connect to a remote computer via PowerShell Remoting. To do this, the built-in SSH server must be enabled in Windows. You can even authenticate over SSH using an RSA key:
Enter-PSSession -HostName root@192.168.13.222:22 -KeyFilePath c:\PS\your_rsa_key
By default, WinRM only allows administrators to connect remotely. However, you can allow remote access through PSRemoting for normal users as well.