How to set up WinRM in a WorkGroup Non Domain Environment


Disclaimer:

This will create a very basic unsecured/not encrypted connection. This should only be done in a test lab environment. This is being set up in a non-domain/workgroup setting.

There is no certificate or DNS infrastructure in place. The connections will go over TCP 5985, the default TCP port for unencrypted WinRM connections.

Environment:

2 x Windows 10 Virtual Machines on the same subnet.

WinRM1

WinRM1 HostName and IP

WinRM2

WinRM2 HostName and IP

Prerequisites:

Set Network Category to Private:

All network adapters should be set to “Private” or “DomainAuthenticated”.

If even one network adapter is set to Public, the firewall rule will NOT be added.

Since we are in a workgroup setting, the adapters will be set to “Private”.

To check which Network Category each network adapter is set to, run the following PowerShell command:

Get-NetConnectionProfile | Select InterfaceAlias,NetworkCategory

Windows Network Category Setting

As can be seen above, by default this is set to Public.

If you try to enable WinRM using this PowerShell command:

Enable-PSRemoting -Force

you will get an error message similar to this:

Set-WSManQuickConfig : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859113" Machine="localhost"><f:Message><f:ProviderFault
provider="Config provider" path="%systemroot%\system32\WsmSvc.dll"><f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859113"
Machine="WinRM1"><f:Message>WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network
connection type to either Domain or Private and try again. </f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault>
At line:116 char:17
+ Set-WSManQuickConfig -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

No firewall exceptions have been made because at least one network adapter has its Network Category set to “Public”.

How to Fix This:

A quick and insecure way to change all network adapters to “Private” is the following PowerShell command.

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

Setting the Network Category

Enabling WinRM:

On each device, run the following PowerShell command:

Enable-PSRemoting -Force

This time you should see:

WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.
WinRM has been updated for remote management.
WinRM firewall exception enabled.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Enable PSRemoting

Check if WinRM is listening for Connections:

To check if the service is listening, use the following PowerShell command:

Get-NetTCPConnection | Where-Object -Property LocalPort -EQ 5985

You should see something like this:

LocalAddress LocalPort RemoteAddress RemotePort State  AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----  -------------- -------------
::           5985      ::            0          Listen                4

NetTCP Connection Display

At this stage we are still unable to establish a connection, as the remote/destination device is not in our local device's TrustedHosts list.
As we do not have DNS available, IP addresses will be used.
Attempting to establish a session from WinRM1/10.10.10.11 to WinRM2/10.10.10.12:

If we try to establish a PSSession to the other device, we will get the following error.

$Session = New-PSSession -ComputerName 10.10.10.12

New-PSSession : [10.10.10.12] Connecting to remote server 10.10.10.12 failed with the following error message : The WinRM client cannot process the request. If the
authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must
be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated.
You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $Session = New-PSSession -ComputerName 10.10.10.12
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : ServerNotTrusted,PSSessionOpenFailed

Remote Host Not in Local TrustedHost List

Adding Trusted Hosts:

Run the following command to add the other device to the TrustedHosts list.

winrm set winrm/config/client '@{TrustedHosts="10.10.10.11,10.10.10.12"}'

Both servers have been added in the command above so that it is obvious how to add multiple hosts.

Remote Hosts added to Local TrustedHosts List
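
The same TrustedHosts change made through the WSMan: drive, as an added example that is not part of the original post. `winrm set` replaces the whole list, so the hypothetical helper `Add-LabTrustedHost` below merges new entries into whatever is already configured and refuses wildcard entries; it assumes an elevated prompt and the lab IPs used in this post.

```powershell
# Added example: merge entries into TrustedHosts instead of overwriting the list.
# Add-LabTrustedHost is a hypothetical helper name; the IP is a lab address from this post.
function Add-LabTrustedHost {
    param(
        [Parameter(Mandatory)]
        [string[]]$HostName
    )

    $path = 'WSMan:\localhost\Client\TrustedHosts'

    # The current value is one comma-separated string (empty by default).
    $current = @((Get-Item -Path $path).Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })

    foreach ($h in $HostName) {
        # A wildcard lets the client authenticate to hosts it cannot verify.
        if ($h -match '\*') {
            throw "Refusing wildcard entry '$h'; list explicit lab hosts only."
        }
    }

    # Union of existing and new entries, de-duplicated (case-insensitive).
    $merged = @($current + $HostName | Sort-Object -Unique)

    Set-Item -Path $path -Value ($merged -join ',') -Force

    # Return the list as it is now stored.
    (Get-Item -Path $path).Value
}

# On WinRM1 only the remote end needs to be listed:
Add-LabTrustedHost -HostName '10.10.10.12'
```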

Making a connection:

Now let's attempt a connection from WinRM1/10.10.10.11 to WinRM2/10.10.10.12

$Session = New-PSSession -ComputerName 10.10.10.12

It works!

PSSession Established

Verify the connection:

PS C:\> Invoke-Command -Session $Session -ScriptBlock {hostname}

WinRM1

WinRM Verify PSSession is Working.

Inspect the port being used:

Get-NetTCPConnection | Where-Object -Property RemotePort -EQ 5985 | ft -AutoSize

LocalAddress LocalPort RemoteAddress RemotePort State       AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----       -------------- -------------
10.10.10.11  1565      10.10.10.12   5985       Established Internet       3904
10.10.10.11  1563      10.10.10.12   5985       TimeWait                   0
10.10.10.11  1558      10.10.10.12   5985       Established Internet       3904

Inspect TCP Port WinRM is On

The Script (the Code):

Below are the essential commands needed to get WinRM up and running between the two non-domain/workgroup Windows 10 devices.
WinRM1 10.10.10.11
WinRM2 10.10.10.12
# Run this on both devices
# Set all network adapters to Private

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

# Enable PSRemoting

Enable-PSRemoting -Force

# Add Trusted Hosts

winrm set winrm/config/client '@{TrustedHosts="10.10.10.11,10.10.10.12"}'
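
A check-and-rollback companion to the script above, as an added example that is not part of the original post: it reports what the three commands leave in place (network category, listener, TrustedHosts, LocalAccountTokenFilterPolicy, firewall rules on 5985) and reverts them when the lab is finished. The function names are hypothetical, and the rollback assumes nothing else on the VM depends on WinRM.

```powershell
# Added example: Get-LabWinRMExposure and Undo-LabWinRM are hypothetical helper names.
# Run elevated on each lab VM while the WinRM service is still running.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-WinRMHttpRule {
    # Firewall rules whose local port is the WinRM HTTP port used in this post.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object LocalPort -eq 5985 |
        Get-NetFirewallRule
}

function Get-LabWinRMExposure {
    $rules = Get-WinRMHttpRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            '{0} [{1}] from {2}' -f $_.Name, $_.Profile, $remote
        }
    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        NetworkCategory               = (Get-NetConnectionProfile).NetworkCategory -join ','
        Listeners                     = (Get-ChildItem WSMan:\localhost\Listener).Keys -join ' | '
        ServiceAllowUnencrypted       = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        TrustedHosts                  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        LocalAccountTokenFilterPolicy = (Get-ItemProperty $polKey).LocalAccountTokenFilterPolicy
        FirewallRules5985             = $rules
    }
}

function Undo-LabWinRM {
    # Empty TrustedHosts and disable the session endpoints while WinRM is still up.
    Clear-Item -Path WSMan:\localhost\Client\TrustedHosts -Force
    Disable-PSRemoting -Force
    # Disable-PSRemoting leaves the service, firewall rule and registry value in place.
    Stop-Service -Name WinRM
    Set-Service -Name WinRM -StartupType Disabled
    Get-WinRMHttpRule | Disable-NetFirewallRule
    Set-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -Value 0
    # Back to the default category the post started from.
    Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public
}

Get-LabWinRMExposure | Format-List   # review before and after
# Undo-LabWinRM                      # uncomment when the lab is finished
```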
