Setup WinRM Via AD

Setting up WinRM via Active Directory:

Objective

This procedure provides instructions to automatically enable WinRM with HTTPS via Active Directory group policies.

Attune uses WinRM to execute commands on Windows desktops and servers. WinRM, combined with improvements in PowerShell cmdlets, is Microsoft's emerging solution for scriptable administration of Windows servers.

Note

If you don’t have a domain with the target computers joined to it, this procedure isn’t for you.

Note

This setup is straightforward with defaults; your corporate environment may require alterations to the procedure.

Setup

  1. Windows 2012 R2 Server, with Active Directory Domain Services configured.
  2. Target servers are joined to the domain.

Procedure

The following procedure is performed entirely via a Remote Desktop session to the domain server.

Adding Certificate Server Role

  1. Open the Server Manager
  2. Select “Add roles and features”
../../_images/add_certificate_role.png

Click through the “Before You Begin” screen


On the “Installation Type” screen:

  1. Select “Role-based or feature-based installation”
  2. Click “Next”
../../_images/add_certificate_role_based.png

On the “Server Selection” screen:

  1. Select the server to install the Certificate service on
  2. Click “Next”
../../_images/add_role_server_selection.png

On the “Server Roles” screen:

  1. Select “Active Directory Certificate Service”
  2. On the popup, click “Add Features”
  3. Click “Next”
../../_images/add_role_server_roles_1.png ../../_images/add_role_server_roles_2.png

On the “Features” screen:

  1. Click “Next”

On the “AD CS” screen:

  1. Click “Next”

On the “Role Services” screen:

  1. Click “Next”
../../_images/add_role_role_services.png

On the “Confirmation” screen:

  1. Check the “Restart the destination server automatically if required”
  2. Click “Yes” on the confirmation dialog.
  3. Click “Install”
../../_images/add_role_confirm_1.png ../../_images/add_role_confirm_2.png

The installation will proceed; break time.


On the “Results” screen:

  1. Click “Close”

Repeat the procedure for the other domain controllers in the domain.

Configuring Certificate Server Role

  1. Open the Server Manager
  2. Select “Notification” dropdown
  3. Click “Configure Active Directory Certificate …”
../../_images/ad_config_start.png

On the “Credentials” screen:

  1. Ensure you have entered a valid domain credential
  2. Click “Next”
../../_images/ad_config_credentials.png

On the “Role Services” screen:

  1. Check “Certificate Authority”
  2. Click “Next”
../../_images/ad_config_role_services.png

On the “Setup Type” screen:

  1. Ensure “Enterprise CA” is selected
  2. Click “Next”
../../_images/ad_config_setup_type.png

On the “CA Type” screen:

  1. Ensure “Root CA” is selected, or “Subordinate CA” if this is the second server you’re setting up.
  2. Click “Next”
../../_images/ad_config_ca_type.png

On the “Private Key” screen:

  1. Ensure “Create a new private key” is selected
  2. Click “Next”
../../_images/ad_config_private_key.png

If this IS the first server you’re setting up and therefore the Root CA, skip this step.

If this is the second server you’re setting up, it will be a Subordinate CA and needs to request signing from the root CA.

  1. Select the “Certificate Request” on the screen list on the side bar
  2. Click “Send a certificate request to a parent CA”
  3. Click “Select”
  4. Click “Next”
../../_images/ad_config_certificate_request.png
  1. Click “Confirmation” on the screen list on the side bar
  2. Then click “Configure”
../../_images/ad_config_confirmation.png

Repeat the procedure for the other domain controllers in the domain.

When prompted at the “CA Type”, you will need to select “Subordinate CA” on the subsequent servers.

Configure WinRM Certificate Template

Note

Be sure to check the Certificate Services setting updates in the following section on all domain controllers.

Open “Certificate Authority” (Use the start menu search)

  1. Expand the root server
  2. Select “Certificate Templates”
  3. Right click and select “Manage”
../../_images/new_cert_certsrv.png

In the “Certificate Template Console” app

  1. Find the “Web Server” template in the list
  2. Right click and select “Duplicate Template”
../../_images/new_cert_webserver.png

In the “Properties of New Template” app

  1. Select the “General” tab
  2. Enter “WinRM” in the “Template display name”
../../_images/new_cert_properties.png
  1. Select the “Subject Name” tab
  2. Select “Build from this Active Directory information”
  3. Select “Common name” for the “Subject name format”
  4. Check “User principal name (UPN)”
../../_images/new_cert_subject_name.png
  1. Select the “Security” tab
  2. Select “Add”
    ../../_images/new_cert_security_1.png
    On the “Select Users, Computers…” screen:
    1. Select “Object Types”
       On the “Object Types” screen:
       1. Select “Computers”
       2. Click “OK”
       ../../_images/new_cert_security_2.png
    2. Back on the “Select Users, …” screen, enter “Domain Computers” in the “Enter the object names to select” box
    3. Click “Check Names”
    4. Click “OK”
    ../../_images/new_cert_security_3.png
  3. Back on the “Properties” screen, select “Domain Computers”
  4. Check “Enroll”
  5. Check “Autoenroll”
  6. Click “OK”
../../_images/new_cert_security_4.png

Back in the “Certificate Authority” app

  1. Right click on “Certificate Templates”
  2. Select “New”
  3. Select “Certificate Template to Issue”
../../_images/add_cert_new_issue.png

On the “Enable Certificate Templates” popup:

  1. Find and select the created “WinRM” certificate template.
  2. Click “Ok”
../../_images/new_cert_enable_cert_template.png

Create the Group Policy Object

The group policy object will automatically enable WinRM on Windows operating systems joined to the domain.


Open the “Group Policy Management” app

  1. Expand the Forest
  2. Expand the Domains
  3. Expand the Domain
  4. Select the “Group Policy Objects”
  5. Right click and select “New”
../../_images/new_gpo_new.png

On the “New GPO” dialog

  1. Enter “Configure WinRM” in the “Name” field
  2. Click “OK”
../../_images/new_gpo_name.png

In the “Group Policy Objects” list:

  1. Right click on “Configure WinRM”
  2. Select “Edit”
../../_images/new_gpo_edit.png

Enabling Autoenroll of Certificate Services

In the “Configure WinRM” Group Policy:

  1. Expand “Computer Configuration” → “Policies”
  2. Expand “Windows Settings”
  3. Expand “Security Settings”
  4. Select “Public Key Policies”
  5. On the right hand pane, double click “Certificate Services Client – Auto-Enrollment”
../../_images/edit_gpo_enroll_editor.png

In the “Certificate Services Client – Auto-Enroll…” properties:

  1. Set “Configuration Model” to “Enabled”
  2. Check “Renew expired certificates…”
  3. Check “Update certificates that use certificate templates”
  4. Click “OK”
../../_images/edit_gpo_enroll_properties.png

Configure Enrolment Script

Expand the following

  1. Expand “Computer Configuration” → “Policies”
  2. Expand “Windows Settings”
  3. Expand “Scripts”
  4. Double click on “Startup”
../../_images/edit_gep_enroll_script.png

On the “Startup Properties”

  1. Click “Show Files”
../../_images/edit_gpo_enroll_script_properties.png

In Windows Explorer

  1. Click “View”
  2. Ensure “File name extensions” is checked
  3. Right click on a blank space in the window
  4. Select “New”
  5. Select “Text Document”
../../_images/edit_gpo_enroll_script_explorer.png

In Windows Explorer

  1. Rename the file to “enable_winrm_https.bat”

  2. Enter the following as the file contents

    winrm quickconfig -q -transport:https
    
  3. Save the file and close Notepad

  4. Close Windows Explorer

../../_images/edit_gpo_enroll_script_notepad.png

Back at the “Startup Properties” screen

  1. Click “Add”
../../_images/edit_gpo_enroll_script_startup_1.png
  1. On the “Add a Script” dialog

    1. Click “Browse”
    2. Select the “enable_winrm_https.bat”
    3. Click “OK”
    ../../_images/edit_gpo_enroll_script_startup_2.png
  2. Click “OK” on the Startup Properties dialog.
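The one-line batch file above relies on `winrm quickconfig -q -transport:https` finding a certificate in the computer’s personal store that has the Server Authentication usage and a subject matching the host name; if autoenrollment has not delivered that certificate by the time the startup script runs, quickconfig fails and the reason is lost at boot. The following PowerShell startup script is an added example, not part of the Attune procedure: it performs the same steps explicitly and writes a log line explaining any failure, so the first boot after linking the policy can be diagnosed. The log path and the assumption that the certificate was issued from the “WinRM” template created earlier are this example’s own.

```powershell
# Added example, not part of the Attune documentation: an explicit PowerShell
# replacement for "winrm quickconfig -q -transport:https", intended to run as a
# GPO computer startup script (it executes as SYSTEM).
# Assumptions: the machine certificate came from the "WinRM" template created
# above, and C:\Windows\Temp is acceptable for the log (assumed location).

$ErrorActionPreference = 'Stop'
$logPath = 'C:\Windows\Temp\enable_winrm_https.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $logPath -Append
}

# Names this host may appear under in the certificate subject.
$shortName = $env:COMPUTERNAME
$fqdn      = [System.Net.Dns]::GetHostEntry('').HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Newest valid certificate with a private key, the Server Authentication EKU
# and a subject CN naming this computer; this is what an HTTPS listener needs.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $serverAuthOid) -and
        ($_.Subject -eq "CN=$shortName" -or $_.Subject -eq "CN=$fqdn")
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Log "No Server Authentication certificate for $shortName/$fqdn in LocalMachine\My; autoenrollment may not have run yet."
    exit 1
}

# The listener host name must match the certificate CN, so take it from there.
$listenerHost = $cert.Subject.Substring(3)

# WinRM must be running before the WSMan: drive can be used.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Remove any existing HTTPS listener so a renewed certificate is picked up,
# then bind a fresh one to the selected certificate.
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force

New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $listenerHost -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

Write-Log "HTTPS listener bound to $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter)."
```

If you use this in place of the batch file, add it under the “PowerShell Scripts” tab of the same “Startup Properties” dialog instead of the “Scripts” tab, and keep the firewall and service settings in the following sections unchanged; the script only replaces the listener creation step.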

Configure Firewall for WinRM

Expand the following

  1. Expand “Computer Configuration”
  2. Expand “Policies”
  3. Expand “Windows Settings”
  4. Expand “Security Settings”
  5. Expand “Windows Firewall with Advanced Security”
  6. Expand “Windows Firewall with Advanced Security – ….”
  7. Right click on “Inbound Rules”
  8. Click “New Rule”
../../_images/edit_gpo_firewall_new.png

On the “New Inbound Rule Wizard”

  1. Click “Predefined”
  2. Select “Windows Remote Management”
  3. Click “Next”
../../_images/edit_gpo_firewall_inbound_rule.png

On the “Predefined Rules” screen

  1. Click “Next”
../../_images/edit_gpo_firewall_predefined_rule.png

On the “Action” screen

  1. Click “Finish”
../../_images/edit_gpo_firewall_action.png

Enable WinRM

Expand the following

  1. Expand “Computer Configuration”
  2. Expand “Preferences”
  3. Expand “Control Panel Settings”
  4. Expand “Services”
  5. Right click on “Services”
  6. Select “New”
  7. Select “Service”
../../_images/edit_gpo_enable_winrm_service_new.png

In the new service’s properties dialog

  1. Change “Startup” to “Automatic (Delayed Start)”
    ../../_images/edit_gpo_enable_winrm_service_new_name.png
  2. Change “Service name:” to “WinRM”
    ../../_images/edit_gpo_enable_winrm_service_properties.png
  3. Click “OK”

Tweak WinRS

Expand the following

  1. Expand “Computer Configuration”
  2. Expand “Policies”
  3. Expand “Administrative Templates”
  4. Expand “Windows Components”
  5. Expand “Windows Remote Shell”
../../_images/edit_gpo_tweak_rs_tree.png

In the Settings pane:

  1. Enable “Specify maximum amount of memory in MB per shell” and set it to 1024
  2. Enable “Specify maximum number of processes per shell” and set it to 64
  3. Enable “Specify maximum number of remote shells per user” and set it to 64
../../_images/edit_gpo_tweak_rs_options.png

Linking Group Policy

The group policy is now complete. Link the group policy to the desired OUs, and reboot the target servers.
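Before pointing Attune at the rebooted servers, it is worth confirming on one of them that every setting the “Configure WinRM” policy carries actually landed: the service start mode, the HTTPS listener and the certificate it is bound to, a firewall rule for TCP 5986, and the three WinRS limits. The check below is an added example, not part of the Attune documentation or product; run it locally on a target server after the reboot. The expected WinRS values are the ones set in this procedure and are assumptions if your environment changed them.

```powershell
# Added example, not part of the Attune documentation: verify on a target
# server that the "Configure WinRM" GPO delivered each setting from this page.
# Expected WinRS limits below are the values used in the procedure (assumed).

function Test-WinRmHttpsPolicy {
    $expectedWinRS = @{
        MaxMemoryPerShellMB  = 1024
        MaxProcessesPerShell = 64
        MaxShellsPerUser     = 64
    }
    $r = [ordered]@{}

    # 1. Service: should be running and set to start automatically. The
    #    "Delayed Start" flag lives in the service's registry key.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $r['ServiceRunning']   = ($svc.State -eq 'Running')
    $r['ServiceAutomatic'] = ($svc.StartMode -eq 'Auto')
    $delayed = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinRM' `
                                -Name DelayedAutostart -ErrorAction SilentlyContinue
    $r['ServiceDelayedStart'] = ($delayed.DelayedAutostart -eq 1)

    # 2. HTTPS listener, and whether its certificate is present and unexpired.
    $listener = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Select-Object -First 1
    $r['HttpsListener'] = [bool]$listener
    if ($listener) {
        $thumb = (Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
                  Where-Object Name -eq 'CertificateThumbprint').Value -replace '\s', ''
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        $r['ListenerCertPresent'] = [bool]$cert
        $r['ListenerCertValid']   = ($cert -and $cert.NotAfter -gt (Get-Date))
        $r['ListenerCertSubject'] = if ($cert) { $cert.Subject } else { $null }
    }

    # 3. Firewall: at least one enabled inbound allow rule covering TCP 5986,
    #    regardless of which rule or group it belongs to.
    $open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $_ | Get-NetFirewallPortFilter |
                Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '5986' }
        }
    $r['Firewall5986Open'] = [bool]$open

    # 4. WinRS limits. SourceOfValue reads "GPO" when policy controls the setting.
    $shell = Get-ChildItem -Path WSMan:\localhost\Shell
    foreach ($name in $expectedWinRS.Keys) {
        $item = $shell | Where-Object Name -eq $name
        $r["WinRS_$name"]        = ([int]$item.Value -eq $expectedWinRS[$name])
        $r["WinRS_${name}_From"] = $item.SourceOfValue
    }

    [pscustomobject]$r
}

# Local check on the target server.
Test-WinRmHttpsPolicy | Format-List

# From another domain-joined machine, confirm the listener answers over TLS
# (replace the placeholder with a real target):
#   Test-WSMan -ComputerName TARGET.example.invalid -UseSSL -Authentication Default
```

A `False` on `HttpsListener` with `ListenerCertPresent` absent usually means the startup script ran before autoenrollment issued the certificate; a second reboot, or `gpupdate /force` followed by re-running the startup script, normally resolves it. A `False` on `Firewall5986Open` means the predefined “Windows Remote Management” group on this build did not include an HTTPS rule and a port rule for 5986 needs adding to the same GPO.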

Complete

This procedure is now complete. You can now create new Windows Server values in Attune and set the WinRM specification to “WinRM 2.0 HTTPS”.