Enable PowerShell remoting

If you want to manage Windows computers remotely with PowerShell, you first have to enable PowerShell remoting on the remote machine. You can then use the Invoke-Command and Enter-PSSession cmdlets to execute PowerShell commands on the remote machine. The commands described in this article also work in PowerShell 6 and PowerShell 7.

Latest posts by Michael Pietroforte (see all)

Note that this article replaces several smaller wiki docs in a single comprehensive text and covers all possible ways and options to enable PowerShell remoting.

On a local computer with Enable-PSRemoting

To enable PowerShell remoting on a single machine, you can log on to this computer locally or via Remote Desktop and then execute Enable-PSRemoting at a PowerShell prompt with administrator rights.

To avoid the confirmation prompts, you can use the -Force parameter:

Enable-PSRemoting -Force

If the computer's current connection type is set to public, the above command will produce an error message because by default PowerShell remoting is only enabled for private and domain connection types. See this blog post for more details about this issue. To avoid the error message and enable PowerShell remoting on a public network, you can use the ‑SkipNetworkProfileCheck parameter:

Enable-PSRemoting -Force -SkipNetworkProfileCheck

For more information read Microsoft's documentation about the Enable-PSRemoting cmdlet.

On workgroup computers

PowerShell remoting works best in an Active Directory environment. If you want to enable remoting for workgroup or standalone computers you have to consider a few more settings.
In case your network connection type is set to public, you have to use the ‑SkipNetworkProfileCheck parameter as explained above.

Enable-PSRemoting -Force -SkipNetworkProfileCheck

Authentication in PowerShell remoting relies on Active Directory. By default, only computers that are domain members can connect via PowerShell remoting. In a workgroup environment, you have to add the IP addresses of the computers to the TrustedHosts list manually:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.0.2.33" -Force

You also have to ensure that Windows Firewall is opened for Windows Remote Management on the remote computer. On the remote computer, type "firewall" after clicking Start, and click Advanced settings in the Control Panel firewall app. Right-click Inbound Rules and then select New Rule. In the Predefined field select Windows Remote Management and then follow the wizard.

To improve security, you might consider using HTTPS instead of HTTP for PowerShell remoting in a workgroup environment.

For non-administrators

By default, only administrators can connect via PowerShell remoting. If you want to enable PowerShell remoting for a single non-administrator, you can add the user account to the local Remote Management Users group.

Note that the Remote Management Users group exists only on computers running Windows 8 (or Windows Server 2012) and above.

To allow multiple non-administrators to work with PowerShell remoting, you can create a new Active Directory group (perhaps "PowerShell Remoting") and add the corresponding domain users to this group. Then add this new domain group to the local Remote Management Users group on all machines where you want to allow PowerShell remoting for these users with the help of Group Policy Restricted Groups:

Computer Configuration > Policies > Security Settings > Restricted Groups

Note that this procedure gives standard users only the right to connect via PowerShell remoting. In the remote session, their privileges remain restricted to the rights they have on the corresponding machine.

The blog post enabling PowerShell remoting for non-administrators has more details.

Remotely with Group Policy

To enable PowerShell remoting on multiple computers, you can use Group Policy. Three policies are relevant:

Enable the WinRM service

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM

You have to enable this policy and set the IPv4/IPv6 filters to all (*).

Set the WS-Management service to automatic startup

Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Windows Remote Management (WS-Management)

You have to set the startup mode of the WS-Management service to automatic.

Allow Windows Remote Management in the Firewall

Navigate to the following folder in the Group Policy Management Console (GPMC), right-click Inbound Rules, and click New Rule.

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

In the Predefined field, select Windows Remote Management and then follow the wizard to add the new firewall rule.

If you allowed the inbound remote administration exception in the Windows Firewall on the remote machines, you can right-click the container icon in GPMC and then click Group Policy Update to activate the policy immediately. If not, you have to restart the computers.

Remotely via PsExec

To enable PowerShell remoting remotely on a single machine, you can use Microsoft's free remote-control tool PsExec. This option helps if Remote Desktop is not enabled on the remote machine.

However, PsExec requires that the ports for file and printer sharing or remote administration are open in the Windows Firewall. You can open these ports via Group Policy: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

You have to enable Allow inbound file and printer sharing exception or Allow inbound remote administration exception.

Alternatively, you can also configure the Windows Firewall via Computer Configuration > Windows Settings > Security > Windows Firewall with Advanced Security.

To enable PowerShell remoting with PsExec, open a command prompt with admin rights in the folder where you copied PsExec and then execute this command:

psexec.exe \\RemoteComputerName -s powershell Enable-PSRemoting -Force

Via PowerShell Direct

If you want to enable remoting in a virtual machine on a Hyper-V host, you can also use PowerShell Direct if the guest OS is Windows 10, Windows Server 2016 or Windows Server 2019 (see comment below). This is the PowerShell command for the task:

Invoke-Command -VMName <VM name> -ScriptBlock {Enable-PSRemoting -Force} -Credential Administrator

Testing PowerShell remoting

To test whether you have enabled PowerShell remoting correctly, you can enter this command:

Enter-PSSession -ComputerName <hostname>

This will open an interactive session with a remote computer where you can then enter PowerShell commands to execute on the remote machine.

If you want to connect with a different account than the one you logged on the local machine with, you can use this command:

Enter-PSSession -ComputerName "host" -Credential "host\administrator"

If you no longer need PowerShell remoting on a particular machine, you should disable remoting for security reasons.
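
To see what remoting currently exposes on a machine, for example before deciding whether to disable it, the following added example (not from the original article) collects the WinRM service state, the listeners, the TrustedHosts list, the session permissions and the active firewall rules. The function name Get-RemotingExposure is hypothetical, and the firewall group name assumes an English-language Windows installation.

```powershell
# Added example: report what PowerShell remoting currently exposes on this machine.
# Run from an elevated Windows PowerShell prompt. Get-RemotingExposure is a hypothetical name.
function Get-RemotingExposure {
    # Win32_Service is read locally and works even when WinRM is stopped.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $report = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        ServiceState  = $svc.State
        ServiceStart  = $svc.StartMode
        Listeners     = @()
        TrustedHosts  = $null
        WhoCanConnect = $null
        FirewallRules = @()
    }

    # The WSMan: drive and session configurations can only be queried while WinRM runs.
    if ($svc.State -eq 'Running') {
        $report.Listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener |
            ForEach-Object { $_.Keys -join ', ' })
        $report.TrustedHosts = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
        $report.WhoCanConnect = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
    }

    # Enabled inbound allow rules of the predefined group used in this article
    # (assumption: English display name).
    $report.FirewallRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object -Property DisplayName, Profile)

    [pscustomobject]$report
}

$r = Get-RemotingExposure
$r | Format-List

# Flag two settings from this article that widen exposure.
if ($r.TrustedHosts -match '\*') {
    Write-Warning 'TrustedHosts contains a wildcard entry.'
}
if ($r.FirewallRules | Where-Object { "$($_.Profile)" -match 'Public|Any' }) {
    Write-Warning 'WinRM is allowed inbound on the Public firewall profile.'
}
```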

With SSH transport

In PowerShell Core 6, you can work with PowerShell remoting via SSH instead of WinRM/HTTP. The step-by-step guide below is from this blog post which has more details.

  1. Download the PowerShell 6 Core MSI and install it on your Windows machine. This is a simple next-next installation. Note that I am working with PowerShell 6.0 here because 6.1 is still in preview at the time of this writing.
  2. Download OpenSSH for Windows. I worked with the 64-bit version for this guide.
  3. Extract the OpenSSH-Win64.zip file and copy OpenSSH-Win64 to C:\Program Files\ (the 32-bit edition is fine too).
  4. Rename OpenSSH-Win64 to OpenSSH.
  5. Execute the command below to install OpenSSH:
    powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\OpenSSH\install-sshd.ps1"
  6. Next, we'll add the OpenSSH location to the PATH environment variable to ensure the operating system finds the OpenSSH executables. At a PowerShell console you can run the commands below:
    $env:Path="$env:Path;C:\Program Files\OpenSSH\"
    Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH -Value $env:Path
  7. We can now start the SSH service (sshd) with this PowerShell command:
    Start-Service sshd
  8. To automatically start the OpenSSH service sshd, you need this command:
    Set-Service sshd -StartupType Automatic
  9. Launch Notepad as admin (right-click and select Run as administrator) and open sshd_config in C:\ProgramData\SSH\ (change the file type to *.*, otherwise you'll only see .txt files). Note that the ProgramData folder is hidden, and you will therefore only see the file if you enabled Hidden items in the File Explorer View.
  10. Comment out this line in sshd_config "Subsystem sftp   sftp-server.exe" and add this one instead:
    Subsystem powershell c:/program files/powershell/6.0.2/pwsh.exe -sshs -NoLogo -NoProfile
    Note that the path may vary if you work with another PowerShell Core version.

  11. To allow remote connections in the Windows Firewall, you have to open the SSH port (22). On a Windows PowerShell console you can do it with this command:
    New-NetFirewallRule -DisplayName 'SSH Inbound' -Profile @('Domain', 'Private', 'Public') -Direction Inbound -Action Allow -Protocol TCP -LocalPort 22

    Notice that this command doesn't work on PowerShell Core 6.0.

    This opens the SSH port for all three network profiles (Domain, Private, Public). Depending on your environment, you might want to open port 22 only for one of the profiles.

  12. You now have to reboot the computer to ensure that the environment variable PATH is available systemwide.

To connect to the remote host, you have to use the HostName parameter instead of the ComputerName parameter:

Enter-PSsession -HostName <computer name>

In the blog post you'll find more details about the different ways to connect via SSH. An advantage of PowerShell remoting via SSH is that you can work with public key authentication.

Discussion (6)

  1. You can also use PowerShell Direct (targets can only be Windows 10 or Windows Server 2016 but I have also tested it successfully on Windows Server 2019 Preview)

    PowerShell Direct works always, even if a VM is unreachable through the network (e.g. no network interface, a firewall rule is blocking, misconfigured IP address, gateway or mask, PowerShell remoting disabled) because it does not use the network.

    Invoke-Command -VMName MyVM -ScriptBlock {Enable-PSRemoting -Force} -Credential -\Administrator

  2. Wondering if there is any way to open PSRemoting while limiting access to who can remote. Preferably via Security Group for AD, while there are times where a hosts file like system would come in handy (Powershell Core users).

    What is an effective strategy to lock down powershell (ran into a virus outbreak at a client recently that was leveraging powershell!) but still have it remain available for authorized uses?

    • David, by default only users and groups that are members of the local administrators group can connect via PowerShell remoting to this machine.  If you run this command, you will see who can connect:

      (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

      If you want that only certain admins can connect, things get tricky. You essentially have to remove the Administrators group from the session configuration. You can do this with this command:

      Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

      You then can add the users who are allowed to connect to BUILTIN\Remote Management Users. This could be done via Group Policy. But I don’t know how you could remove the administrators group from the session configuration via Group Policy.

      I wrote more about restricting PowerShell remoting access to certain users here.

      If the admins who are allowed to connect work on certain computers, you could also configure the Windows Firewall on the remote machines in a way that it only allows those privileged machines to connect. I suppose that would also be useful if a PowerShell worm lives in your network.

      You also have to consider that local admins probably can undo all those configurations. However, a worm or a virus probably wouldn’t be so smart.


© 4sysops 2006 - 2023
