PowerShell’s Docs PowerShell Remoting Enable PowerShell remoting

If you want to manage Windows computers remotely with PowerShell, you first have to enable PowerShell remoting on the remote machine. You can then use the Invoke-Command and Enter-PSsession cmdlets to execute PowerShell commands on the remote machine.

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

Note that this article replaces several smaller wiki docs in a single comprehensive text and covers all possible ways and options to enable PowerShell remoting.

On a local computer with Enable-PSRemoting ^

To enable PowerShell remoting on a single machine, you can log on to this computer locally or via Remote Desktop and then execute Enable-PSRemoting at a PowerShell prompt with administrator rights.

To avoid the conformation prompts, you can use the -Force parameter:

If the computer's current connection type is set to public, the above command will produce an error message because by default PowerShell remoting is only enabled for private and domain connection types. See this blog post for more details about this issue. To avoid the error message and enable PowerShell remoting on a public network, you can use the ‑SkipNetworkProfileCheck parameter:

Enable PowerShell remoting with Enable PSRemoting

Enable PowerShell remoting with Enable PSRemoting

For more information read Microsoft's documentation about the Enable-PSRemoting cmdlet.

On workgroup group computers ^

PowerShell remoting works best in an Active Directory environment. If you want to enable remoting for workgroup or standalone computers you have to consider a few more settings.
In case your network connection type is set to public, you have to use the ‑SkipNetworkProfileCheck parameter as explained above.

Authentication in PowerShell remoting relies on Active Directory. By default, only computers that are domain members can connect via PowerShell remoting. In a workgroup environment, you have to add the IP addresses of the computers to the TrustedHosts list manually:

You also have to ensure that Windows Firewall is opened for Windows Remote Management on the remote computer. On the remote computer, type "firewall" after clicking Start, and click Advanced settings in the Control Panel firewall app. Right-click Inbound Rules and then select New Rule. In the Predefined field select Windows Remote Management and then follow the wizard.

Allow Windows Remote Management on a workgroup computer in the Windows Firewall

Allow Windows Remote Management on a workgroup computer in the Windows Firewall

To improve security, you might consider of using HTTPS instead of HTTP for PowerShell remoting in a workgroup environment.

For non-administrators ^

By default, only administrators can connect via PowerShell remoting. If you want to enable PowerShell remoting for a single non-administrator, you can add the user account to the local Remote Management Users group.

Note that the Remote Management Users group exists only on computers running Windows 8 (or Windows Server 2012) and above.

To allow multiple non-administrators to work with PowerShell remoting, you can create a new Active Directory group (perhaps "PowerShell Remoting") and add the corresponding domain users to this group. Then add this new domain group to the local Remote Management Users group on all machines where you want to allow PowerShell remoting for these users with the help of Group Policy Restricted Groups:

Computer Configuration > Policies > Security Settings > Restricted Groups

Adding a new domain group to the local Remote Management Users group

Adding a new domain group to the local Remote Management Users group

Note that this procedure gives standard users only the right to connect via PowerShell remoting. But they will have administration privileges restricted to the rights they have on the corresponding machine.

The blog post enabling PowerShell remoting for non-administrators has more details.

Remotely with Group Policy ^

To enable PowerShell remoting on multiple computers, you can use Group Policy. Three polices are relevant:

Enable the WinRM service

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM

You have to enable this policy and set the IPv4/IPv6 filters to all (*).

Allow remote server management through WinRM

Allow remote server management through WinRM

Set the WS-Management service to automatic startup

Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Windows Remote Management (WS-Management)

You have to set the startup mode of the WS-Management service to automatic.

Set WS Management service to automatic startup

Set WS Management service to automatic startup

Allow Windows Remote Management in the Firewall

Navigate to the following folder in the Group Policy Management Console (GPMC), right-click Inbound Rules, and click New Rule.

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

In the Predefined field, select Windows Remote Management and then follow the wizard to add the new firewall rule.

Allow inbound connections for Windows Remote Management

Allow inbound connections for Windows Remote Management

If you allowed the inbound remote administration exception in the Windows Firewall on the remote machines, you can right-click the container icon in GPMC and then click Group Policy Update to activate the policy immediately. If not, you have to restart the computers.

Remotely via PsExec ^

To enable PowerShell remotely on a single machine, you can use Microsoft's free remote-control tool PsExec. This option helps if Remote Desktop is not enabled on the remote machine.

However, PsExec requires that the ports for file and printer sharing or remote administration are open in the Windows Firewall. You can open these ports via Group Policy: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

You have to enable Allow inbound file and printer sharing exception or Allow inbound remote administration exception.

Allow file and printer sharing in Windows Firewall with Group Policy

Allow file and printer sharing in Windows Firewall with Group Policy

Alternatively, you can also configure the Windows Firewall via Computer Configuration > Windows Settings > Security > Windows Firewall with Advanced Security.

To enable PowerShell remoting with PsExec, open a command prompt with admin rights in the folder where you copied PsExec and then execute this command:

Enable PowerShell remoting with PsExec

Enable PowerShell remoting with PsExec

Via PowerShell Direct ^

If you want to enable remoting in virtual machine on a Hyper-V host, you can also use PowerShell Direct if the guest OS is Windows 10, Windows Server 2016 or Windows Server 2019 (see comment below). This is the PowerShell command for the task:

Testing PowerShell remoting ^

To test you have enabled PowerShell remoting correctly, you can enter this command

This will open an interactive session with a remote computer where you can then enter PowerShell commands to execute on the remote machine.

Testing PowerShell remoting

Testing PowerShell remoting

If you want to connect with a different account than the one you logged on the local machine with, you can use this command:

If you no longer need PowerShell remoting on a particular machine, you should disable remoting for security reasons.

With SSH transport ^

In PowerShell Core 6, you can work with PowerShell remoting via SSH instead of WinRM/HTTP. The step-by-step guide below is from this blog post which has more details.

  1. Download the PowerShell 6 Core MSI and install it on your Windows machine. This is a simple next-next installation. Note that I am working with PowerShell 6.0 here because 6.1 is still in preview at the time of this writing.
  2. Download OpenSSH for Windows. I worked with the 64-bit version for this guide.
  3. Extract the OpenSSH-Win64.zip file and copy OpenSSH-Win64 to C:\Program Files\ (the 32-bit edition is fine too).
  4. Rename OpenSSH-Win64 to OpenSSH.
  5. Execute the command below to install OpenSSH:
  6. Next, we'll add the OpenSSH location to the PATH environment variable to ensure the operating system finds the OpenSSH executables. At a PowerShell console you can run the commands below:

    Installing OpenSSH

    Installing OpenSSH

  7. We can now start the SSH service (sshd) with this PowerShell command:
  8. To automatically star the OpenSSH service sshd, you need this command:
  9. Launch Notepad as admin (right-click and select Run as administrator) and open sshd_config in C:\ProgramData\SSH\ (change the file type to *.*, otherwise you'll only see .txt files). Note that the ProgramData folder is hidden, and you will therefore only see the file if you enabled Hidden items in the File Explorer View.
  10. Comment out this line in sshd_config "Subsystem sftp   sftp-server.exe" and add this one instead:

    Editing sshd config

    Editing sshd config

    Note that the path may vary if you work with another PowerShell Core version.

  11. To allow remote connections in the Windows Firewall, you have to open the SSH port (22). On a Windows PowerShell console you can do it with this command:

    Notice that this command doesn't work on PowerShell Core 6.0.

    Opening the SSH port in the Windows Firewall

    Opening the SSH port in the Windows Firewall

    This opens the SSH port for all three network profiles (Domain, Private, Public). Depending on your environment, you might want to open port 22 only for one of the profiles

  12. You now have to reboot the computer to ensure that the environment variable PATH is available systemwide

To connect to the remote host, you have to use the HostName parameter instead of  ComputerName parameter:

In the blog post you'll find more details about the different ways to connect via SSH. An advantage of PowerShell remoting via SSH is that you can work with public key authentication.

Join the 4sysops PowerShell group!

4+

Users who have LIKED this post:

  • avatar
  • avatar
Share

Discussion (6)

  1. You can also use PowerShell Direct (targets can only be Windows 10 or Windows Server 2016 but I have also tested it successfully on Windows Server 2019 Preview)

    PowerShell Direct works always, even if a VM is unreachable through the network (e.g. no network interface, a firewall rule is blocking, misconfigured IP address, gateway or mask, PowerShell remoting disabled) because it does not use the network.

    Invoke-Command -VMName MyVM -ScriptBlock {Enable-PSRemoting -Force} -Credential -\Administrator

    2+

    Users who have LIKED this comment:

    • avatar
  2. Wondering if there is any way to open PSRemoting while limiting access to who can remote. Preferably via Security Group for AD, while there are times where a hosts file like system would come in handy (Powershell Core users).

    What is an effective strategy to lock down powershell (ran into a virus outbreak at a client recently that was leveraging powershell!) but still have it remain available for authorized uses?

    1+

    • David, by default only users and groups that are members of the local administrators group can connect via PowerShell remoting to this machine.  If you run this command, you will see who can connect:

      If you want that only certain admins can connect, things get tricky. You essentially have to remove the Administrators group from the session configuration. You can do this with this command:

      You then can add the users who are allowed to connect to BUILTIN\Remote Management Users. This could be done via Group Policy. But I don't know how you could remove the administrators group from the session configuration via Group Policy.

      I wrote more about restricting PowerShell remoting access to certain users here.

      If the admins who are allowed to connect work on certain computers, you could also configure the Windows Firewall on the remote machines in a way that it only allows those privileged machines to connect. I suppose that would also be useful if a PowerShell worm lives in your network.

      You also have to consider that local admins probably can undo all those configurations. However, a worm or a virus probably wouldn't be so smart.

      3+

Leave a Reply

Your email address will not be published. Required fields are marked *

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account