- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
In a previous article, Tim explained how to enable PowerShell Remoting on computers that are members of an Active Directory domain. On workgroup computers, things are a little more complicated, and you might stumble into a few pitfalls along the way.
The reason is that enabling PowerShell Remoting is a security risk because the bad guys certainly would love to automate their hacking efforts remotely on your computer. Thus, you have to jump through a few additional hoops.
We have to distinguish here between things that need to be done on the local and the remote computer. Let’s start with the remote machine.
On the remote computer
As on a domain member, you also enable PowerShell Remoting with the Enable-PSRemoting cmdlet. Make sure that your PowerShell host has administrator rights; otherwise, you will receive this error message:
Enable-PSRemoting : Access is denied. To run this cmdlet, start Windows PowerShell with the "Run as administrator" option.
Even if you considered this pitfall, you will get the next error message on a workgroup computer:
WinRM has been updated to receive requests.
WinRM service started.
Set-WSManQuickConfig : <f:WSManFault…. WinRM firewall exception will not work since one of the network connection types on this machine is set to Public…
… Change the network connection type to either Domain or Private and try again.
WinRM firewall exception will not work.
You probably know that Windows has three network connection types: Private, Public, and Domain. Windows will ask for the connection type when you first connect to a network. You can set different rules for network discovery and file and printer sharing in the Network and Sharing Center.
The above error message indicates that we have set the network to Public in order to enable PowerShell Remoting. Several ways exist to change the connection type. For some reason that only Microsoft knows, you can’t do this in the Network and Sharing Center. None of the other options in the Metro interface worked for me with regard to my goal to enable PowerShell Remoting.
Update: Akos mentioned in a comment a much easier solution than what follows in the next paragraphs. You simply have to add the -SkipNetworkProfileCheck parameter:
Enable-PSRemoting -SkipNetworkProfileCheck -Force
It is odd that the error message doesn't mention the parameter. By recommending to change the network connection type to private the message put me on the wrong track. I explain in the following paragraphs how this can be done.
Update 2: There is an much easier way to change the network connection type than editing the Registry (see below). You can simply use a PowerShell cmdlet: Set-NetConnectionProfile -NetworkCategory Private. However, I didn't test this in combination with Enable-PSRemoting.
The only way that did work was to change the connection type in the Registry. Before you follow the procedure below, you have to ensure that the computer is connected to the network and, if possible, to the Internet. (By the way, you might also stumble upon the above error when you try to enable Remoting on a machine that has no network connection.)
This is the Registry key that you have to edit:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
You might see different profiles in the Profile folder. Make sure that you get the right network connection, where ProfileName corresponds to the name of your current network connection, as demonstrated in the screenshot below:
Change network connection type from Public to Private.
You then have to change the Category value to 1 to set the network connection type to Private (0 stands for Public). Also ensure that the CategoryType is set to 0. After you change the Registry, you have to reboot the computer.
Now you can enable the PowerShell Remoting with this command:
Enable-PSRemoting -Force
The -Force parameter just saves you from a few confirmation prompts.
Enable-PSRemoting works now.
Note that Microsoft’s documentation mentions another solution to solve the network connection type problem. However, for me, this way didn’t work. If it worked for you, please let me know. For the sake of completeness, this is the command that Microsoft recommends:
Set-NetFirewallRule –Name "WINRM-HTTP-In-TCP-PUBLIC" –RemoteAddress Any
On the local computer
In an Active Directory environment, you can just use the computer name to connect to a remote machine. If you remotely connect to a standalone machine, you usually have to use the IP address instead. If you try to connect to the remote computer with the Enter-PSSession cmdlet using the IP address of the remote machine, PowerShell will throw the following error:
Enter-PSSession : Connecting to remote server 10.0.2.33 failed with the following error message : The WinRM client cannot process the request….
Connecting to a remote computer via IP address errors
The error message suggests to use the winrm command to add the IP to the trusted hosts. However, if you enter the correct command in PowerShell, you will get this error message:
winrm : Error: Invalid use of command line…
Update: Just learned that you can also run this wirm command in PowerShell, if you put the argument in quotes (winrm set winrm/config/client '@{TrustedHosts="10.0.2.33"}').
What we need here is an elevated command prompt:
winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}
Adding the IP addresses to the list of trusted hosts with winrm
You’re probably wondering why you need an old-fashioned command prompt to do this. You rightly asked. There is actually a PowerShell command that does same thing. I don’t know why the above error message doesn’t mention it. This is the PowerShell way to add an IP address to the trusted hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.0.2.33" -Force
Adding an IP address to the trusted hosts with PowerShell
If you have to manage several remote hosts, or if the IP always changes, you might want to add all IP addresses to the trusted hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
You can also read the trusted host list with PowerShell:
Get-Item WSMan:\localhost\Client\TrustedHosts
Displaying the trusted hosts
PowerShell might then sometimes show this error:
Get-Item : Cannot find path 'WSMan:\localhost\Client\TrustedHosts' because it does not exist.
In this case, you probably only have to start the Windows Remote Management (WS-Management) Windows service manually.
Note that the list won’t change if you reboot the machine. If you want to clear the list of your trusted hosts, you can run this command:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "" -Force
Now, you are finally ready to remotely manage the machine via PowerShell Remoting:
Enter-PSSession -ComputerName 10.0.2.33 -Credential $Credentials
Connecting to a remote computer with Enter-PSSession
I had a similar issue on my laptop, I believe. I did “Enable-PSRemoting -SkipNetworkProfileCheck -Force” to fix it. Perhaps this works for you too instead of the registry change.
Akos, thanks a lot for the hint! I should have checked the available parameters first instead of following the advice of the error message. I updated the article.
This is old, but thanks for having this out here. Very helpful!
In my situation, I have working name resolution and use
Set-Item WSMan:\localhost\Client\TrustedHosts “hostname.fqdn,hostname” -Force
to trust the target/remote hostname instead of IP address. This lets me do something like:
$WorkgroupUser = Get-Credential hostname\local_account
Enter-PSSession hostname -Credential $WorkgroupUser
FWIW
Hi,
I am trying to connect to remote computer which is not in added to active directory (Azure VM with static domain) from domain joined VM but keep on seeing the error as
Connecting to remote server <> failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311
occurred while using Kerberos authentication: We can’t sign you in with this credential because your domain isn’t available. Make sure your device is connected to your organization’s
network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
Powershell remote session is enabled in remote computer and domain joined vm is added as trusted source in remote computer. We also set the below in remote computer
winrm set winrm/config/service ‘@{AllowUnencrypted=”true”}’
winrm set winrm/config/client ‘@{AllowUnencrypted=”true”}’
also verified dir wsman:\localhost\listener and can see remote computer is listening
can you please help me here in finding out what is wrong?
Thanks,
Paul
Paul, did you add the IPs to the trusted hosts lists as described in this article? I wouldn’t disable encryption and I would also ensure that you work with HTTPS instead of HTTP.
Hi Paul,
After adding the Host to trusted list, Just close the PS session and open a new session and try remoting to the host.
Thanks.
Very helpful, thank you very much
it saves me a lot of time , helping me migrating very old servers
Mike,
It did not work for me.
I have Win7 Home Premium SP1 on active computer, and Win7 Professional SP1 on remote.
Commands were issued in Admin consoles in bot active and remote boxes.
–Remote: enable-PSREmoting -force
“WinRM has been updated for remote management.”
–Active: Set-Item WSMan:\localhost\Client\TrustedHosts -Value “192.168.1.3” -Force
–Active: Get-Item WSMan:\localhost\Client\TrustedHosts
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client
Type Name SourceOfValue Value
—- —- ————- —–
System.String TrustedHosts 192.168.1.3
–Active: Enter-PSSession -ComputerName 192.168.1.3 -Credential $Credentials
PS C:\PowerShell> Enter-PSSession -ComputerName 192.168.1.3 -Credential $Credentials
Enter-PSSession : Connecting to remote server 192.168.1.3 failed with the following error message : The client cannot
connect to the destination specified in the request. Verify that the service on the destination is running and is
accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
analyze and configure the WinRM service: “winrm quickconfig”. For more information, see the
The IP address you add with Set-Item WSMan:\localhost\Client\TrustedHosts -Value $IP -Force is the IP of the local computer, not the remote machine.
I have this working but it won’t let me run certain cmds like get-dnsserver. Do you know how to resolve that? The particular server is one in a workgroup that runs DNS for some hands off servers. I am able to enter into the pssession but just get access denied when running the DNS cmds.
What error message do you get?
Michael – This is what I get. The top 1 is the result i get after adding the remote management users group to the CIMSRV2 and then the microsoft/windows/dns for WMI controls. I’m trying just a basic add-dnsserverresourcerecord cmd. the kyle-test is the name of the record.
Processing DNS01
Failed to get the zone information for domain.com on server DNS01.
+ CategoryInfo : PermissionDenied: (kyle-test:root/Microsoft/…rResourceRecord) [Add-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Add-DnsServerResourceRecord
+ PSComputerName : 192.168.1.11
Processing DNS02
Cannot connect to CIM server. Access denied
+ CategoryInfo : ResourceUnavailable: (PS_DnsServerResourceRecord:String) [Add-DnsServerResourceRecord],
CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Add-DnsServerResourceRecord
+ PSComputerName : 192.168.1.12
This is what i get when i do an enter-pssession into the workgroup DNS server for the one i modified the WMI Controls on.
[192.168.1.11]: PS C:\Users\kyle\Documents> get-dnsserver
Failed to get server information on DNS01 server.
Failed to retrieve DNS server configuration from DNS01 server.
+ CategoryInfo : PermissionDenied: (DNS01:root/Microsoft/Windows/DNS/PS_DnsServer) [Get-DnsServer], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServer
Seems you have a permission problem. Can you logon locally with this account and manage the DNS server with the GUI?
Yes – same account and everything. I can run all of the powershell dns cmds fine while logged into the server. If i do a $env:UserName it shows the correct username in there so i’m not sure what is wrong? Was hoping you or someone else may know why it wouldn’t let me use those while in a remote PS session?
PS C:\Windows\system32> get-dnsserver
WARNING: EnableRegistryBoot not applicable on DNS Server DNS01 version.
ServerSetting:
==============
EnableOnlineSigning True
TcpReceivePacketSize 65536
WriteAuthorityNs False
SocketPoolSize 2500
AppendMsZoneTransferTag False
What Windows Server version and what PowerShell version are using? Can you do other tasks that require admin rights with this account?
The RDS box I’m on that I’m launching the ps session from is server 2012 R2 with 4.0 version of powershell. The DNS server is server 2016 and has 5.1.14393.2368 version of powershell.
It does look like it’s not launching as an elevated PS session. I tried the test-isadmin and it shows my user in both servers as non-admin powershell session (https://gallery.technet.microsoft.com/scriptcenter/1b5df952-9e10-470f-ad7c-dc2bdc2ac946) and won’t let me run get-dnsserver.
If i launch ps as admin while RDP’ed on the DNS server the cmds work.
So how would we the session elevated once launched in the enter-pssession? Or whats your thoughts?
Is there any way how can WinRM run on Public profile? There are pretty good reasons why not to use Private profile (e.g. public IP). I want restrict access in firewall just on local subnet.
It looks that -SkipNetworkProfileCheck does not help. After running it says that everything is ok, but "winrm quickconfig" returns WinRM firewall exception will not work since one of the network connection types on this machine is set to Public
Running Win 10 1809
What about the opposite? I have a workgroup computer and need to manage domain workstations with Powershell, how would I get this to work?
I get an access denied when I run enter-pssession. I know the password is correct and the account is a local administrator.
This works, thank you!
Hi,
As said in the article, below are my settings.
On Remote Computer:
– Enable-PSRemoting: After executing this command, it listed 4 sections to configure, then i have given 'Y' for all sections. and there was no issue.
So i didnt run any of the following commands like Set-WSManQuickConfig / Enable-PSRemoting -SkipNetworkProfileCheck -Force / Set-NetConnectionProfile -NetworkCategory Private / Enable-PSRemoting -Force / Set-NetFirewallRule –Name "WINRM-HTTP-In-TCP-PUBLIC" –RemoteAddress Any
Please confirm, Still it is required to check & change 'Network Connection Type'? OR any other configurations (like Firewall or anything else) if i am missing.
On Client/Local Computer:
While trying to execute 'Enter-PSSession' like below.
– Enter-PSSession -ComputerName CBXXXXXX -Credential $Credentials.
Got the below error.
ERROR:
Enter-PSSession : Connecting to remote server CBXXXXXX failed with the following error message : WinRM cannot
process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We
can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your
organization's network and try again. If you previously signed in on this device with another credential, you can sign
in with that credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName CBXXXXXX -Credential $Credentials
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (CBXXXXXX:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
And gave try with IP like command
– Enter-PSSession -ComputerName 10.xx.xx.xx -Credential $Credentials
ERROR:
Enter-PSSession : Connecting to remote server 10.xx.xx.xx failed with the following error message : Access is
denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 10.xx.xx.xx -Credential $Credentials
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (10.xx.xx.xx:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
-Added remote computer's IP address to Trusted Hosts list from command line as suggested.
– Executed Get-Service -Name WinRM -ComputerName LOCALHOSTNAME, And output is
Status Name DisplayName
—— —- ———–
Running WinRM Windows Remote Management (WS-Manag…
– Executed winrm quickconfig, got the below output as ,
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
Error number: -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
My main objective is to invoke the .ps1 file in the Remote Computer from Local Computer.
– Invoke-Command -FilePath C:\Users\XX\Desktop\Test.ps1 -ComputerName CBXXXXXX -credential CBXXXXXX\User1
Invoke-Command : Cannot find path 'C:\Users\XX\Desktop\xx.ps1' because it does not exist.
At line:1 char:1
+ Invoke-Command -FilePath C:\Users\XX\Desktop …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\XX\Desktop\ps1:String) [Invoke-Command], ItemNotFoun
dException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.InvokeCommandCommand
Can you let me know, where in which step i was wrong.
But i have logged into the server via RDP with the same credentials and the File Exists.
Did you use a local account or domain account?
Hi,
The credentials which i have given in the 'Invoke' command, the same credentials, i have used while in the RDP. And my local credentials are entirely different.
Hope i clarified.
It would be good, if you clearly let me know what is local account or domain account for better understanding. And this (local account or domain account) you are asking is for Local Computer OR Remote Computer?
A local account exists on the remote workstation, a domain account exists in Active Directory. This tutorial is only for computers that are not in an Active Domain.
Really appreciate your prompt response.
I got your point that this tutorial is for accounts existed in Remote Workstation. Can you help me in resolving the issue, if its Domain Account/ Active Directory account.
You can find the description for domain members here.