If you want to remotely manage a standalone computer that is not a member of an Active Directory domain with PowerShell, things can get a bit tricky. This post explains how you can enable PowerShell Remoting on workgroup computers.
Latest posts by Michael Pietroforte (see all)

In a previous article, Tim explained how to enable PowerShell Remoting on computers that are members of an Active Directory domain. On workgroup computers, things are a little more complicated, and you might stumble into a few pitfalls along the way.

The reason is that enabling PowerShell Remoting is a security risk because the bad guys certainly would love to automate their hacking efforts remotely on your computer. Thus, you have to jump through a few additional hoops.

We have to distinguish here between things that need to be done on the local and the remote computer. Let’s start with the remote machine.

On the remote computer

As on a domain member, you also enable PowerShell Remoting with the Enable-PSRemoting cmdlet. Make sure that your PowerShell host has administrator rights; otherwise, you will receive this error message:

Enable-PSRemoting : Access is denied. To run this cmdlet, start Windows PowerShell with the "Run as administrator" option.

Even if you avoid this pitfall, you will get the following error message on a workgroup computer:

WinRM has been updated to receive requests.
WinRM service started.

Set-WSManQuickConfig : <f:WSManFault…. WinRM firewall exception will not work since one of the network connection types on this machine is set to Public…
Change the network connection type to either Domain or Private and try again.

 

WinRM firewall exception will not work


You probably know that Windows has three network connection types: Private, Public, and Domain. Windows will ask for the connection type when you first connect to a network. You can set different rules for network discovery and file and printer sharing in the Network and Sharing Center.

The above error message indicates that we have to change the network from Public to Private in order to enable PowerShell Remoting. Several ways exist to change the connection type. For some reason that only Microsoft knows, you can’t do this in the Network and Sharing Center. None of the other options in the Metro interface worked for me with regard to my goal of enabling PowerShell Remoting.

Update: Akos mentioned in a comment a much easier solution than what follows in the next paragraphs. You simply have to add the -SkipNetworkProfileCheck parameter:

Enable-PSRemoting -SkipNetworkProfileCheck -Force

It is odd that the error message doesn't mention the parameter. By recommending a change of the network connection type to Private, the message put me on the wrong track. I explain in the following paragraphs how this can be done.

Update 2: There is a much easier way to change the network connection type than editing the Registry (see below). You can simply use a PowerShell cmdlet: Set-NetConnectionProfile -NetworkCategory Private. However, I didn't test this in combination with Enable-PSRemoting.

The only way that did work was to change the connection type in the Registry. Before you follow the procedure below, you have to ensure that the computer is connected to the network and, if possible, to the Internet. (By the way, you might also stumble upon the above error when you try to enable Remoting on a machine that has no network connection.)

This is the Registry key that you have to edit:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

You might see different profiles in the Profile folder. Make sure that you get the right network connection, where ProfileName corresponds to the name of your current network connection, as demonstrated in the screenshot below:

Change network connection type from Public to Private


You then have to change the Category value to 1 to set the network connection type to Private (0 stands for Public). Also ensure that the CategoryType is set to 0. After you change the Registry, you have to reboot the computer.

Now you can enable PowerShell Remoting with this command:

Enable-PSRemoting -Force

The -Force parameter just saves you from a few confirmation prompts.

Enable-PSRemoting works now


Note that Microsoft’s documentation mentions another solution to solve the network connection type problem. However, for me, this way didn’t work. If it worked for you, please let me know. For the sake of completeness, this is the command that Microsoft recommends:

Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any
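
The remote-side steps above as one script, added here as an example and not taken from the original article: it enables remoting with -SkipNetworkProfileCheck, reports the source-address scope of the WinRM inbound firewall rules, and narrows any Public-profile rule that was opened to Any back to the local subnet. It assumes an elevated session on Windows 8 / Server 2012 or later and matches the rule names with a wildcard, since they can differ between Windows versions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run on the REMOTE workgroup computer.
# Assumes Windows 8 / Server 2012 or later (NetConnection and NetSecurity modules).

# 1. Show how Windows currently classifies each connected network.
Get-NetConnectionProfile |
    Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize

# 2. Enable remoting without reclassifying a Public network as Private.
Enable-PSRemoting -SkipNetworkProfileCheck -Force

# 3. Report profile and remote-address scope of the WinRM HTTP inbound rules.
#    Rule names differ between Windows versions, so match them with a wildcard.
$report = foreach ($rule in Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*') {
    $filter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.Name
        Enabled       = "$($rule.Enabled)"
        Profile       = "$($rule.Profile)"
        RemoteAddress = @($filter.RemoteAddress) -join ','
    }
}
$report | Format-Table -AutoSize

# 4. Weak setting: an enabled Public-profile rule that accepts any source address
#    (the result of "-RemoteAddress Any"). Corrected setting: same subnet only.
$tooOpen = $report | Where-Object {
    $_.Enabled -eq 'True' -and $_.Profile -match 'Public' -and $_.RemoteAddress -eq 'Any'
}
foreach ($row in $tooOpen) {
    Set-NetFirewallRule -Name $row.Name -RemoteAddress LocalSubnet
    Write-Host "Narrowed $($row.Name) from Any to LocalSubnet"
}

# 5. Confirm that a listener exists and the local WinRM service answers.
Get-ChildItem WSMan:\localhost\Listener
Test-WSMan
```

If the managing computer sits on a different subnet, pass its address to -RemoteAddress in step 4 instead of LocalSubnet.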

On the local computer

In an Active Directory environment, you can just use the computer name to connect to a remote machine. If you remotely connect to a standalone machine, you usually have to use the IP address instead. If you try to connect to the remote computer with the Enter-PSSession cmdlet using the IP address of the remote machine, PowerShell will throw the following error:

Enter-PSSession : Connecting to remote server 10.0.2.33 failed with the following error message : The WinRM client cannot process the request….

Connecting to a remote computer via IP address errors


The error message suggests using the winrm command to add the IP address to the trusted hosts. However, if you enter the correct command in PowerShell, you will get this error message:

winrm : Error: Invalid use of command line…

Update: Just learned that you can also run this winrm command in PowerShell if you put the argument in quotes (winrm set winrm/config/client '@{TrustedHosts="10.0.2.33"}').

What we need here is an elevated command prompt:

winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}


Adding the IP addresses to the list of trusted hosts with winrm

You’re probably wondering why you need an old-fashioned command prompt to do this. A fair question. There is actually a PowerShell command that does the same thing. I don’t know why the above error message doesn’t mention it. This is the PowerShell way to add an IP address to the trusted hosts:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.0.2.33" -Force

Adding an IP address to the trusted hosts with PowerShell


If you have to manage several remote hosts, or if the IP address keeps changing, you might want to add all IP addresses to the trusted hosts by using the * wildcard:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

You can also read the trusted host list with PowerShell:

Get-Item WSMan:\localhost\Client\TrustedHosts

Displaying the trusted hosts


PowerShell might then sometimes show this error:

Get-Item : Cannot find path 'WSMan:\localhost\Client\TrustedHosts' because it does not exist.

In this case, you probably only have to start the Windows Remote Management (WS-Management) Windows service manually.

Note that the list won’t change if you reboot the machine. If you want to clear the list of your trusted hosts, you can run this command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "" -Force

Now, you are finally ready to remotely manage the machine via PowerShell Remoting:

Enter-PSSession -ComputerName 10.0.2.33 -Credential $Credentials

Connecting to a remote computer with Enter-PSSession
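
The local-side steps above as one script, added here as an example and not taken from the original article: instead of overwriting TrustedHosts or setting it to "*", the helpers merge explicit entries into the existing list, which matters because WinRM itself notes that computers in the TrustedHosts list might not be authenticated. Get-TrustedHostList, Add-TrustedHost and Remove-TrustedHost are hypothetical helper names; 10.0.2.33 is the address used in the article.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run on the LOCAL (managing) computer.
# Get-TrustedHostList, Add-TrustedHost and Remove-TrustedHost are hypothetical names.

$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

function Get-TrustedHostList {
    # The WSMan: path only exists while the WinRM service is running.
    if ((Get-Service -Name WinRM).Status -ne 'Running') { Start-Service -Name WinRM }
    $value = (Get-Item -Path $TrustedHostsPath).Value
    "$value" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Add-TrustedHost {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    if ($ComputerName -contains '*') {
        throw 'Refusing "*": it trusts every host. List the machines explicitly.'
    }
    $current = @(Get-TrustedHostList)
    if ($current -contains '*') {
        Write-Warning 'TrustedHosts was "*"; replacing it with the explicit list.'
        $current = @()
    }
    # Merge instead of overwrite, so entries added earlier survive.
    $merged = @($current + $ComputerName | Sort-Object -Unique)
    Set-Item -Path $TrustedHostsPath -Value ($merged -join ',') -Force
    $merged
}

function Remove-TrustedHost {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $kept = @(Get-TrustedHostList | Where-Object { $ComputerName -notcontains $_ })
    # An empty result writes "", which clears the list as shown in the article.
    Set-Item -Path $TrustedHostsPath -Value ($kept -join ',') -Force
    $kept
}

$target = '10.0.2.33'                       # address used in the article
Add-TrustedHost -ComputerName $target

# Fail early if the remote WinRM listener does not answer.
Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null

# A local account on the remote machine; Get-Credential prompts for the password.
$Credentials = Get-Credential -Message "Local administrator on $target"
Enter-PSSession -ComputerName $target -Credential $Credentials

# When the machine no longer needs to be managed from here:
# Remove-TrustedHost -ComputerName $target
```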


28 Comments
  1. Akos 8 years ago

    I had a similar issue on my laptop, I believe. I did “Enable-PSRemoting -SkipNetworkProfileCheck -Force” to fix it. Perhaps this works for you too instead of the registry change.

  2. Akos, thanks a lot for the hint! I should have checked the available parameters first instead of following the advice of the error message. I updated the article.

  3. Kyle Howard (Rank 1) 6 years ago

    This is old, but thanks for having this out here.  Very helpful!

  4. regexaurus 5 years ago

    In my situation, I have working name resolution and use

    Set-Item WSMan:\localhost\Client\TrustedHosts "hostname.fqdn,hostname" -Force

    to trust the target/remote hostname instead of IP address. This lets me do something like:

    $WorkgroupUser = Get-Credential hostname\local_account
    Enter-PSSession hostname -Credential $WorkgroupUser

    FWIW

  5. Paul 5 years ago

    Hi,

    I am trying to connect to a remote computer which is not added to Active Directory (Azure VM with static domain) from a domain-joined VM but keep on seeing this error:
    Connecting to remote server <> failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311
    occurred while using Kerberos authentication: We can’t sign you in with this credential because your domain isn’t available. Make sure your device is connected to your organization’s
    network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

    Powershell remote session is enabled in remote computer and domain joined vm is added as trusted source in remote computer. We also set the below in remote computer

    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    winrm set winrm/config/client '@{AllowUnencrypted="true"}'

    also verified dir wsman:\localhost\listener and can see remote computer is listening

    can you please help me here in finding out what is wrong?
    Thanks,
    Paul

  6. Naveen (Rank 1) 5 years ago

    Hi Paul,

    After adding the Host to trusted list, Just close the PS session and open a new session and try remoting to the host.

    Thanks.

  7. loripe 5 years ago

    Very helpful, thank you very much

    it saves me a lot of time , helping me migrating very old servers

     

  8. Vladimir Kievsky 5 years ago

    Mike,
    It did not work for me.
    I have Win7 Home Premium SP1 on active computer, and Win7 Professional SP1 on remote.
    Commands were issued in Admin consoles in both active and remote boxes.
    –Remote: enable-PSREmoting -force
    “WinRM has been updated for remote management.”

    –Active: Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.3" -Force

    –Active: Get-Item WSMan:\localhost\Client\TrustedHosts

    WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

    Type Name SourceOfValue Value
    ---- ---- ------------- -----
    System.String TrustedHosts 192.168.1.3

    –Active: Enter-PSSession -ComputerName 192.168.1.3 -Credential $Credentials

    PS C:\PowerShell> Enter-PSSession -ComputerName 192.168.1.3 -Credential $Credentials
    Enter-PSSession : Connecting to remote server 192.168.1.3 failed with the following error message : The client cannot
    connect to the destination specified in the request. Verify that the service on the destination is running and is
    accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
    commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
    analyze and configure the WinRM service: “winrm quickconfig”. For more information, see the

    • Author

      The IP address you add with Set-Item WSMan:\localhost\Client\TrustedHosts -Value $IP -Force is the IP of the local computer, not the remote machine.

  9. Kyle 5 years ago

    I have this working but it won’t let me run certain cmds like get-dnsserver. Do you know how to resolve that? The particular server is one in a workgroup that runs DNS for some hands off servers. I am able to enter into the pssession but just get access denied when running the DNS cmds.

  10. Kyle 5 years ago

    Michael – This is what I get. The top 1 is the result i get after adding the remote management users group to the CIMSRV2 and then the microsoft/windows/dns for WMI controls.  I’m trying just a basic add-dnsserverresourcerecord cmd. the kyle-test is the name of the record.

    Processing DNS01
    Failed to get the zone information for domain.com on server DNS01.
    + CategoryInfo : PermissionDenied: (kyle-test:root/Microsoft/…rResourceRecord) [Add-DnsServerResourceRecord], CimException
    + FullyQualifiedErrorId : WIN32 5,Add-DnsServerResourceRecord
    + PSComputerName : 192.168.1.11

    Processing DNS02
    Cannot connect to CIM server. Access denied
    + CategoryInfo : ResourceUnavailable: (PS_DnsServerResourceRecord:String) [Add-DnsServerResourceRecord],
    CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Add-DnsServerResourceRecord
    + PSComputerName : 192.168.1.12

    This is what i get when i do an enter-pssession into the workgroup DNS server for the one i modified the WMI Controls on.

    [192.168.1.11]: PS C:\Users\kyle\Documents> get-dnsserver
    Failed to get server information on DNS01 server.
    Failed to retrieve DNS server configuration from DNS01 server.
    + CategoryInfo : PermissionDenied: (DNS01:root/Microsoft/Windows/DNS/PS_DnsServer) [Get-DnsServer], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServer

    • Author

      Seems you have a permission problem. Can you logon locally with this account and manage the DNS server with the GUI?

  11. Kyle 5 years ago

    Yes – same account and everything. I can run all of the powershell dns cmds fine while logged into the server. If i do a $env:UserName it shows the correct username in there so i’m not sure what is wrong? Was hoping you or someone else may know why it wouldn’t let me use those while in a remote PS session?

    PS C:\Windows\system32> get-dnsserver
    WARNING: EnableRegistryBoot not applicable on DNS Server DNS01 version.

    ServerSetting:
    ==============

    EnableOnlineSigning True
    TcpReceivePacketSize 65536
    WriteAuthorityNs False
    SocketPoolSize 2500
    AppendMsZoneTransferTag False

    • Author

      What Windows Server version and what PowerShell version are using? Can you do other tasks that require admin rights with this account?

  12. Kyle 5 years ago

    The RDS box I’m on that I’m launching the ps session from is server 2012 R2 with 4.0 version of powershell. The DNS server is server 2016 and has 5.1.14393.2368 version of powershell.

    It does look like it’s not launching as an elevated PS session. I tried the test-isadmin and it shows my user in both servers as non-admin powershell session (https://gallery.technet.microsoft.com/scriptcenter/1b5df952-9e10-470f-ad7c-dc2bdc2ac946) and won’t let me run get-dnsserver.

    If i launch ps as admin while RDP’ed on the DNS server the cmds work.

    So how would we the session elevated once launched in the enter-pssession? Or whats your thoughts?

  13. Julo 4 years ago

    Is there any way how can WinRM run on Public profile? There are pretty good reasons why not to use Private profile (e.g. public IP). I want restrict access in firewall just on local subnet.

    It looks that -SkipNetworkProfileCheck does not help. After running it says that everything is ok, but "winrm quickconfig" returns WinRM firewall exception will not work since one of the network connection types on this machine is set to Public

    Running Win 10 1809

  14. Sal Diaz 4 years ago

    What about the opposite? I have a workgroup computer and need to manage domain workstations with Powershell, how would I get this to work?

  15. silicontrip 4 years ago

    I get an access denied when I run enter-pssession. I know the password is correct and the account is a local administrator.

  16. Nmr 3 years ago

    This works, thank you!

  17. sharath 3 years ago

    Hi,

    As said in the article, below are my settings.

    On Remote Computer:

    Enable-PSRemoting: After executing this command, it listed 4 sections to configure, then I gave 'Y' for all sections, and there was no issue.

    So I didn't run any of the following commands like Set-WSManQuickConfig / Enable-PSRemoting -SkipNetworkProfileCheck -Force / Set-NetConnectionProfile -NetworkCategory Private / Enable-PSRemoting -Force / Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any

    Please confirm, Still it is required to check & change 'Network Connection Type'? OR any other configurations (like Firewall or anything else) if i am missing.

    On Client/Local Computer:

    While trying to execute 'Enter-PSSession' like below.

    – Enter-PSSession -ComputerName CBXXXXXX -Credential $Credentials.

    Got the below error.

    ERROR: 

    Enter-PSSession : Connecting to remote server CBXXXXXX failed with the following error message : WinRM cannot
    process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We
    can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your
    organization's network and try again. If you previously signed in on this device with another credential, you can sign
    in with that credential.
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
    use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more
    information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName CBXXXXXX -Credential $Credentials
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (CBXXXXXX:String) [Enter-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    And gave try with IP like command 

    – Enter-PSSession -ComputerName 10.xx.xx.xx -Credential $Credentials

    ERROR: 

    Enter-PSSession : Connecting to remote server 10.xx.xx.xx failed with the following error message : Access is
    denied. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName 10.xx.xx.xx -Credential $Credentials
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (10.xx.xx.xx:String) [Enter-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    -Added remote computer's IP address to Trusted Hosts list from command line as suggested.

    – Executed Get-Service -Name WinRM -ComputerName LOCALHOSTNAME, And output is

    Status   Name               DisplayName
    ------   ----               -----------
    Running  WinRM              Windows Remote Management (WS-Manag…

    – Executed  winrm quickconfig, got the below output as ,

    WinRM service is already running on this machine.
    WSManFault
        Message
            ProviderFault
                WSManFault
                    Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

    Error number:  -2144108183 0x80338169
    WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

     My main objective is to invoke the .ps1 file in the Remote Computer from Local Computer.

    – Invoke-Command -FilePath C:\Users\XX\Desktop\Test.ps1 -ComputerName CBXXXXXX -credential CBXXXXXX\User1

    Invoke-Command : Cannot find path 'C:\Users\XX\Desktop\xx.ps1' because it does not exist.
    At line:1 char:1
    + Invoke-Command -FilePath C:\Users\XX\Desktop …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (C:\Users\XX\Desktop\ps1:String) [Invoke-Command], ItemNotFoun
       dException
        + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.InvokeCommandCommand

     

    Can you let me know, where in which step i was wrong.

    • sharath 3 years ago

      But i have logged into the server via RDP with the same credentials and the File Exists.

    • Author

      Did you use a local account or domain account?

  18. sharath 3 years ago

    Hi,

    The credentials which i have given in the 'Invoke' command, the same credentials, i have used while in the RDP. And my local credentials are entirely different.

    Hope i clarified. 

    It would be good, if you clearly let me know what is local account or domain account for better understanding. And this (local account or domain account) you are asking is for Local Computer OR Remote Computer?

    • Author

      A local account exists on the remote workstation, a domain account exists in Active Directory. This tutorial is only for computers that are not in an Active Domain.

      • sharath 3 years ago

        Really appreciate your prompt response.

        I got your point that this tutorial is for accounts existed in Remote Workstation. Can you help me in resolving the issue, if its Domain Account/ Active Directory account.

         


© 4sysops 2006 - 2023
