There’s been a lot of great excitement that’s accompanied the release of PowerShell V2 and Windows Remote Management (WinRM) – also known as the Windows Management Framework. We’ve also heard the occasional question on whether it’s possible to install them independently.
When we’ve heard this concern, it is usually focused on security. To be clear, Windows Remote Management (WinRM) has been part of Windows since Vista and Server 2008. It does not listen for network connections by default, and must be explicitly activated. Both PowerShell and WinRM have advanced greatly with the release of Windows 7 – most notably by working together to support a rich PowerShell-based remoting experience.
The Windows Management Framework download (PowerShell + WinRM) simply updates the binaries on non-Win7 machines to bring them up to the same version already included in Windows 7 and Windows Server 2008 R2.
Investigating this concern further, it usually comes down to a worry about increased network attack surface: automatically opening a network port to accept incoming connections. Installing the Windows Management Framework does not do this automatically. “Secure by Default” is the mantra of both our team and Microsoft as a whole. Enabling PowerShell Remoting is an explicit step that must be run from an elevated prompt. The command fully informs you of the security implications when you do so:
[C:\Windows\system32] PS:101 > Enable-PsRemoting
WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM service.
This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service type to auto start
    3. Creating a listener to accept requests on any IP address
    4. Enabling firewall exception for WS-Management traffic (for http only).
Do you want to continue? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
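To confirm on a given machine that none of the four changes listed in the prompt has been made, the following read-only check reports each one. It is an added example, not part of the original post; the function name Get-WinRMExposure and the firewall rule-name pattern are assumptions, and reading the WSMan: drive typically requires an elevated prompt.

```powershell
# Added example: read-only audit of the four changes Enable-PSRemoting announces.
# Get-WinRMExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-WinRMExposure {
    # Get-WmiObject is used so the check also runs on Windows PowerShell V2
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"

    $result = New-Object PSObject -Property @{
        ServiceState  = $svc.State       # item 1: Running / Stopped
        StartMode     = $svc.StartMode   # item 2: Auto / Manual / Disabled
        Listeners     = @()              # item 3: configured WS-Man listeners
        FirewallRules = @()              # item 4: enabled inbound WinRM rules
    }

    # The WSMan: drive talks to the local WinRM service, so it can only be
    # read while the service is running. A stopped service has no listener.
    if ($svc.State -eq 'Running') {
        $result.Listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $p = @{}
            Get-ChildItem $_.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
            '{0} on address {1}, port {2}, enabled={3}' -f `
                $p.Transport, $p.Address, $p.Port, $p.Enabled
        })
    }

    # Get-NetFirewallRule exists only on Windows 8 / Server 2012 and later.
    # Assumption: the built-in HTTP rules have names starting 'WINRM-HTTP-In-TCP'.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $result.FirewallRules = @(Get-NetFirewallRule | Where-Object {
            $_.Name -like 'WINRM-HTTP-In-TCP*' -and
            $_.Direction -eq 'Inbound' -and
            $_.Enabled -eq 'True'
        } | ForEach-Object { '{0} (profile={1})' -f $_.Name, $_.Profile })
    }

    $result
}

Get-WinRMExposure | Format-List ServiceState, StartMode, Listeners, FirewallRules
```

A machine that has the framework installed but has never run Enable-PSRemoting should show no listeners and no enabled inbound WinRM firewall rule.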
While we (and Windows Security, and external security consultants that we hired for analysis and penetration testing) also believe in the security of our remoting protocol and the attack surface that it exposes, we focused from the start on letting you make that decision independently.
Lee Holmes [MSFT] Windows PowerShell Development Microsoft Corporation
Thanks for the confirmation on this one. Quick question: from some reading I have done, if you use quick config, I get the impression that WinRM will be passing traffic in the clear. I know you could use a certificate so you effectively get SSL encryption of all traffic traversing WinRM. But what happens to credentials that you pass if you are using HTTP? Are they protected in some other way?
Where do you get this impression from? All WinRM traffic is encrypted unless you make a concerted effort to do otherwise.
Lee Holmes [MSFT]
Windows PowerShell Development
Thanks for the clarification. I can see now that WinRM uses HTTP-SPNEGO-session-encrypted for HTTP, so if this is the case, why would you also want to use SSL, and what advantages/disadvantages does it bring along?
Is it possible to enable this across the board with a GPO? I wish to deploy this everywhere and it will be hard if I have to do some special scripting after the fact to enable it.
I second Ian's question. What's the best way to "Enable-PSRemoting" when deploying WMF to a large server farm? Can it be done at deployment time via SMS? Can it be done post-deployment?
I tried to manually install the Windows Management Framework Core package on Windows Server 2008 (32-bit) - KB968930 (Windows6.0-KB968930-x86.msu).
A few seconds after clicking the msu file (after privilege elevation approvals), I get the message "The update does not apply to your system".
I have this problem on 3 of my servers in one domain.
Do you have any suggestions?
I'll answer Ian's and my question with an RTFM. The information is in Get-Help about_Remote_Troubleshooting. I did read the FAQ before posting. I would expect to find this information about enterprise deployment there instead or perhaps in its own help topic.
Before I install it, I have a question: does it support 32-bit Windows Server 2008 R1? Thanks.
I was at TechEd NZ and Mir Rosenberg was showing how to use PowerShell to shut down and start servers; she used a script called PowerState. Does anyone have a copy of this script?
Can someone explain what the benefit is of this now *REQUIRED* update on a laptop that is used for basic office functions (internet browsing, office, etc.) and does not use the power of automation at all?
Please suggest a link for PowerShell version 3 for Windows Server 2008 Standard.
Okay, so it isn't enabled by default, but before PowerShell will work on a remote computer, WinRM has to be enabled. In other words, "Enable-PsRemoting" has to be executed locally on the remote computer. I can't pass the command to a remote computer in order to turn on WinRM. Sounds kind of counterintuitive, doesn't it? I'd have to enable remote management on every computer that I want to manage remotely and leave it on. That means they'd be listening all the time, which is exactly what I don't want. That is, unless I can restrict who can use PowerShell to manage those computers. Is there a way to do that, or am I missing something?