If you want to manage Windows computers remotely with PowerShell, you first have to enable PowerShell remoting on the remote machine. You can then use the Invoke-Command and Enter-PSSession cmdlets to execute PowerShell commands on the remote machine. The commands described in this article also work in PowerShell 6 and PowerShell 7.
Note that this article replaces several smaller wiki docs with a single comprehensive text and covers all possible ways and options to enable PowerShell remoting.
On a local computer with Enable-PSRemoting
To enable PowerShell remoting on a single machine, you can log on to this computer locally or via Remote Desktop and then execute Enable-PSRemoting at a PowerShell prompt with administrator rights.
To avoid the confirmation prompts, you can use the -Force parameter:
If the computer's current connection type is set to public, the above command will produce an error message because by default PowerShell remoting is only enabled for private and domain connection types. See this blog post for more details about this issue. To avoid the error message and enable PowerShell remoting on a public network, you can use the -SkipNetworkProfileCheck parameter:
Enable-PSRemoting -Force -SkipNetworkProfileCheck
For more information read Microsoft's documentation about the Enable-PSRemoting cmdlet.
On workgroup computers
PowerShell remoting works best in an Active Directory environment. If you want to enable remoting for workgroup or standalone computers you have to consider a few more settings.
In case your network connection type is set to public, you have to use the -SkipNetworkProfileCheck parameter as explained above.
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Authentication in PowerShell remoting relies on Active Directory. By default, only computers that are domain members can connect via PowerShell remoting. In a workgroup environment, you have to add the IP addresses of the computers to the TrustedHosts list manually:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.0.2.33" -Force
You also have to ensure that Windows Firewall is opened for Windows Remote Management on the remote computer. On the remote computer, type "firewall" after clicking Start, and click Advanced settings in the Control Panel firewall app. Right-click Inbound Rules and then select New Rule. In the Predefined field select Windows Remote Management and then follow the wizard.
To improve security, you might consider using HTTPS instead of HTTP for PowerShell remoting in a workgroup environment.
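The Set-Item command above replaces whatever is already in the client's TrustedHosts list. The following added example (not from the original article) appends hosts instead and skips wildcard entries; Add-TrustedHost is a hypothetical helper name, and it assumes an elevated session with the WinRM service running.

```powershell
# Added example: append to TrustedHosts without overwriting existing entries.
# Add-TrustedHost is a hypothetical helper name, not a built-in cmdlet.
function Add-TrustedHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    $path = 'WSMan:\localhost\Client\TrustedHosts'

    # The current value is one comma-separated string; empty when nothing is trusted.
    $current = @((Get-Item -Path $path).Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })

    foreach ($name in $ComputerName) {
        # A wildcard entry trusts every matching host, so require explicit names.
        if ($name -match '\*') {
            Write-Warning "Skipping wildcard entry '$name'; list hosts explicitly."
            continue
        }

        # -contains is case-insensitive, so existing entries are not duplicated.
        if ($current -contains $name) { continue }

        if ($PSCmdlet.ShouldProcess($path, "Add $name")) {
            # -Concatenate appends to the list instead of replacing it.
            Set-Item -Path $path -Value $name -Concatenate -Force
            $current += $name
        }
    }

    # Return the resulting list so the change can be reviewed.
    (Get-Item -Path $path).Value
}

# The address is the one used in the article's own command.
Add-TrustedHost -ComputerName '10.0.2.33'
```

Run it with -WhatIf first to see which entries would be added without changing the list.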
For non-administrators
By default, only administrators can connect via PowerShell remoting. If you want to enable PowerShell remoting for a single non-administrator, you can add the user account to the local Remote Management Users group.
Note that the Remote Management Users group exists only on computers running Windows 8 (or Windows Server 2012) and above.
To allow multiple non-administrators to work with PowerShell remoting, you can create a new Active Directory group (perhaps "PowerShell Remoting") and add the corresponding domain users to this group. Then add this new domain group to the local Remote Management Users group on all machines where you want to allow PowerShell remoting for these users with the help of Group Policy Restricted Groups:
Computer Configuration > Policies > Security Settings > Restricted Groups
Note that this procedure gives standard users only the right to connect via PowerShell remoting. Within the remote session, their privileges are restricted to the rights they have on the corresponding machine.
The blog post enabling PowerShell remoting for non-administrators has more details.
Remotely with Group Policy
To enable PowerShell remoting on multiple computers, you can use Group Policy. Three policies are relevant:
Enable the WinRM service
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
You have to enable this policy and set the IPv4/IPv6 filters to all (*).
Set the WS-Management service to automatic startup
Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Windows Remote Management (WS-Management)
You have to set the startup mode of the WS-Management service to automatic.
Allow Windows Remote Management in the Firewall
Navigate to the following folder in the Group Policy Management Console (GPMC), right-click Inbound Rules, and click New Rule.
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
In the Predefined field, select Windows Remote Management and then follow the wizard to add the new firewall rule.
If you allowed the inbound remote administration exception in the Windows Firewall on the remote machines, you can right-click the container icon in GPMC and then click Group Policy Update to activate the policy immediately. If not, you have to restart the computers.
Remotely via PsExec
To enable PowerShell remoting remotely on a single machine, you can use Microsoft's free remote-control tool PsExec. This option helps if Remote Desktop is not enabled on the remote machine.
However, PsExec requires that the ports for file and printer sharing or remote administration are open in the Windows Firewall. You can open these ports via Group Policy: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
You have to enable Allow inbound file and printer sharing exception or Allow inbound remote administration exception.
Alternatively, you can also configure the Windows Firewall via Computer Configuration > Windows Settings > Security > Windows Firewall with Advanced Security.
To enable PowerShell remoting with PsExec, open a command prompt with admin rights in the folder where you copied PsExec and then execute this command:
psexec.exe \\RemoteComputerName -s powershell Enable-PSRemoting -Force
Via PowerShell Direct
If you want to enable remoting in a virtual machine on a Hyper-V host, you can also use PowerShell Direct if the guest OS is Windows 10, Windows Server 2016 or Windows Server 2019 (see comment below). This is the PowerShell command for the task:
Testing PowerShell remoting
To test whether you have enabled PowerShell remoting correctly, you can enter this command:
This will open an interactive session with a remote computer where you can then enter PowerShell commands to execute on the remote machine.
If you want to connect with a different account than the one you logged on the local machine with, you can use this command:
Enter-PSSession -ComputerName "host" -Credential "host\administrator"
If you no longer need PowerShell remoting on a particular machine, you should disable remoting for security reasons.
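To see what enabling remoting has left open on a machine, or to confirm that disabling it took effect, the following added example (not part of the original article) reports the settings covered in the sections above. Get-RemotingExposure is a hypothetical helper name; it assumes an elevated Windows PowerShell 5.1 session and an English-language Windows for the firewall group name.

```powershell
# Added example: read-only report of the remoting settings this article configures.
# Get-RemotingExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-RemotingExposure {
    $svc = Get-Service -Name WinRM

    # The WSMan configuration is only readable while the WinRM service runs.
    $listeners = @()
    $trusted = $null
    if ($svc.Status -eq 'Running') {
        # Listeners show whether WinRM answers on HTTP, HTTPS, or both.
        $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
            ForEach-Object { '{0}:{1} on {2}' -f $_.Transport, $_.Port, $_.Address })
        $trusted = (Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
    }

    # Enabled inbound rules of the predefined group, with the profiles they apply to.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object { '{0} [{1}]' -f $_.DisplayName, $_.Profile })

    # Non-administrators who may connect (group exists on Windows 8 / Server 2012 and above).
    $members = @(Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name })

    # A Public category here explains why -SkipNetworkProfileCheck was needed.
    $profiles = @(Get-NetConnectionProfile |
        ForEach-Object { '{0}: {1}' -f $_.InterfaceAlias, $_.NetworkCategory })

    [pscustomobject]@{
        WinRMStatus           = $svc.Status
        WinRMStartType        = $svc.StartType
        NetworkProfiles       = $profiles
        Listeners             = $listeners
        TrustedHosts          = $trusted
        InboundFirewallRules  = $rules
        RemoteManagementUsers = $members
    }
}

Get-RemotingExposure | Format-List
```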
With SSH transport
In PowerShell Core 6, you can work with PowerShell remoting via SSH instead of WinRM/HTTP. The step-by-step guide below is from this blog post which has more details.
- Download the PowerShell 6 Core MSI and install it on your Windows machine. This is a simple next-next installation. Note that I am working with PowerShell 6.0 here because 6.1 is still in preview at the time of this writing.
- Download OpenSSH for Windows. I worked with the 64-bit version for this guide.
- Extract the OpenSSH-Win64.zip file and copy OpenSSH-Win64 to C:\Program Files\ (the 32-bit edition is fine too).
- Rename OpenSSH-Win64 to OpenSSH.
- Execute the command below to install OpenSSH:
  powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\OpenSSH\install-sshd.ps1"
- Next, we'll add the OpenSSH location to the PATH environment variable to ensure the operating system finds the OpenSSH executables. At a PowerShell console you can run the commands below:
  $env:Path="$env:Path;C:\Program Files\OpenSSH\"
  Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH -Value $env:Path
- We can now start the SSH service (sshd) with this PowerShell command:
  Start-Service sshd
- To automatically start the OpenSSH service sshd, you need this command:
  Set-Service sshd -StartupType Automatic
- Launch Notepad as admin (right-click and select Run as administrator) and open sshd_config in C:\ProgramData\SSH\ (change the file type to *.*, otherwise you'll only see .txt files). Note that the ProgramData folder is hidden, and you will therefore only see the file if you enabled Hidden items in the File Explorer View.
- Comment out this line in sshd_config "Subsystem sftp sftp-server.exe" and add this one instead:
  Subsystem powershell c:/program files/powershell/6.0.2/pwsh.exe -sshs -NoLogo -NoProfile
Note that the path may vary if you work with another PowerShell Core version.
- To allow remote connections in the Windows Firewall, you have to open the SSH port (22). On a Windows PowerShell console you can do it with this command:
  New-NetFirewallRule -DisplayName 'SSH Inbound' -Profile @('Domain', 'Private', 'Public') -Direction Inbound -Action Allow -Protocol TCP -LocalPort 22
Notice that this command doesn't work on PowerShell Core 6.0.
This opens the SSH port for all three network profiles (Domain, Private, Public). Depending on your environment, you might want to open port 22 only for one of the profiles.
- You now have to reboot the computer to ensure that the environment variable PATH is available systemwide.
To connect to the remote host, you have to use the HostName parameter instead of ComputerName parameter: