Introduction
In many enterprises, automation is no longer optional. Tools like Azure DevOps, Jenkins, and Ansible need a secure way to connect to Windows servers to:
- ▶️ Start/stop services
- Deploy applications
- ⚡ Run PowerShell scripts
- Perform maintenance tasks
This blog explains how to configure WinRM over HTTPS (port 5986) using an enterprise SSL/TLS certificate, and why this approach is suitable for production.
What is WinRM?
WinRM (Windows Remote Management) is Microsoft's implementation of the WS-Management protocol and its standard way to remotely manage Windows servers.
It allows you to:
- Run PowerShell commands on remote servers
- Execute scripts without logging in via RDP
- Automate tasks securely
By default, WinRM listens on HTTP (port 5985). With Kerberos or NTLM the WS-Management payload is still encrypted at the message level, but there is no TLS: the server never proves its identity with a certificate from a CA the client trusts, and the transport itself is plain HTTP. That is why WinRM over HTTPS (port 5986) is the listener to use in production.
High-Level Flow (How It Works)
Azure DevOps Console
        |
        v
Azure DevOps Agent
        |
        |  WinRM over HTTPS (5986)
        |  Encrypted with the server's SSL/TLS certificate
        v
Target Windows Server
Real-World Use Case
✅ Scenario: Production Application Automation
You have:
- A Windows server hosting applications (WebSphere, services, schedulers)
- An Azure DevOps pipeline
- ⛔ No permission or policy to use RDP in production
You want to:
- Restart services
- Clear cache folders
- Deploy builds
- Run scripts automatically
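As an added example (not code from the original post), this is what the pipeline side of that scenario looks like once the 5986 listener described below exists: an Azure DevOps agent or admin host restarting a service and clearing a cache folder over WinRM HTTPS while still validating the enterprise certificate. The target name `app01.corp.example`, the service name `Spooler`, the cache path `C:\App\cache` and the environment variables `WINRM_USER` / `WINRM_PASSWORD` are placeholders; the example assumes the target is addressed by a DNS name that appears on its certificate and that the issuing CA is trusted on the agent.

```powershell
# Added example: run the use-case tasks over WinRM HTTPS without disabling
# certificate checks. All names below are placeholders (assumptions), not values
# from the original post.
param(
    [string]$Target   = 'app01.corp.example',  # must match a CN/SAN on the server certificate
    [string]$Service  = 'Spooler',             # placeholder service to restart
    [string]$CacheDir = 'C:\App\cache'         # placeholder cache folder to empty
)

$ErrorActionPreference = 'Stop'

# Build the credential from pipeline secret variables instead of an interactive prompt.
$secure = ConvertTo-SecureString $env:WINRM_PASSWORD -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($env:WINRM_USER, $secure)

# Deliberately no -SkipCACheck / -SkipCNCheck / -SkipRevocationCheck: the enterprise
# certificate is validated, which is the reason for using 5986 in the first place.
$opt = New-PSSessionOption -OpenTimeout 30000 -OperationTimeout 300000

# Pre-flight: Test-WSMan has no session-option switch, so it always validates the
# certificate chain and name; a failure here means the cert, DNS name or CA trust is wrong.
Test-WSMan -ComputerName $Target -UseSSL -Port 5986 -Authentication Negotiate -Credential $cred | Out-Null

$session = New-PSSession -ComputerName $Target -UseSSL -Port 5986 `
    -Credential $cred -Authentication Negotiate -SessionOption $opt
try {
    $result = Invoke-Command -Session $session -ArgumentList $Service, $CacheDir -ScriptBlock {
        param($svc, $cache)

        # Restart the service and wait until it is actually back in the Running state.
        Restart-Service -Name $svc
        (Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

        # Empty the cache folder only if it exists; never create or delete the folder itself.
        $removed = 0
        if (Test-Path -LiteralPath $cache -PathType Container) {
            $items   = @(Get-ChildItem -LiteralPath $cache -Force)
            $removed = $items.Count
            $items | Remove-Item -Recurse -Force
        }

        # Return a structured result so the pipeline can log or assert on it.
        [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            RunAs        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            Service      = (Get-Service -Name $svc).Status.ToString()
            CacheRemoved = $removed
        }
    }
    $result | Format-List
}
finally {
    Remove-PSSession $session
}
```

Because the connection is HTTPS, the target does not need to be in the client's TrustedHosts list even when Negotiate falls back to NTLM; that list is only consulted for non-Kerberos connections over HTTP.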
# ============================================================
# WinRM over HTTPS (5986)
# Enterprise SSL/TLS Certificate
# Secure credential-based automation
# ✅ Production-ready for Azure DevOps
# ============================================================
# Architecture:
# Azure DevOps Agent / Admin Host
#   → WinRM over HTTPS (5986)
#   → Target Windows Server (172.23.XX.XX)
# ============================================================
# Install the enterprise certificate (with its private key) in the Local Machine
# personal store on the target server, then run the steps below in an elevated PowerShell
# ============================================================
# Step 1: ✅ Verify the WinRM service is installed and running
Get-Service WinRM
# Step 2: Check existing WinRM listeners (HTTP / HTTPS)
winrm enumerate winrm/config/Listener
# Step 3: Verify the certificate is present in the Local Machine personal store;
# ✅ note its thumbprint, that it has not expired, and that the private key is present
Get-ChildItem Cert:\LocalMachine\My | Select Subject, Thumbprint, NotAfter, HasPrivateKey
# Step 4: Validate certificate usage (must include Server Authentication, OID 1.3.6.1.5.5.7.3.1);
# replace with your certificate thumbprint
$cert = Get-Item "Cert:\LocalMachine\My\2FF032E91A3CF086C251B12D3AFCB5D71"
$cert.EnhancedKeyUsageList | Select FriendlyName, ObjectId
# Step 5: Create the WinRM HTTPS listener bound to the certificate thumbprint
# (-Address * binds on all IP addresses; the certificate's subject/SAN must match
# the DNS name clients will connect with, otherwise clients get a CN mismatch)
$Thumb = "2FF032E91A3CF086C251B12D3AFCB5D71"
New-Item -Path WSMan:\LocalHost\Listener `
-Transport HTTPS `
-Address * `
-CertificateThumbprint $Thumb
# Step 6: ▶️ Enable PowerShell Remoting and ensure WinRM auto-starts
# Note: Enable-PSRemoting also creates the default HTTP listener on 5985 and a firewall
# rule for it; remove or block that listener if only 5986 should be reachable
Enable-PSRemoting -Force
Set-Service WinRM -StartupType Automatic
Start-Service WinRM
# Step 7: Allow local (non-domain) administrator accounts to authenticate over WinRM
# Caveat: this value turns off UAC remote token filtering, so every local administrator
# account becomes usable for remote administration, and for lateral movement if one of
# them is compromised. Skip this step when the pipeline runs as a domain account or the
# built-in Administrator account, which are not filtered.
New-ItemProperty `
-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name LocalAccountTokenFilterPolicy `
-Value 1 `
-PropertyType DWord `
-Force
# Step 8: ✅ Final validation of WinRM listeners; confirm an HTTPS listener shows Port = 5986
winrm enumerate winrm/config/Listener
# Step 9: Firewall / NSG validation
# Ensure inbound TCP 5986 is allowed from the agent subnet in Windows Firewall and in any
# Azure NSG on the path (Enable-PSRemoting only opens 5985, not 5986)
# Step 10: Client-side connectivity test (use a valid username/password)
# Caveat: -SkipCNCheck, -SkipCACheck and -SkipRevocationCheck disable certificate validation,
# which is exactly what the enterprise certificate was installed to provide. They are only
# needed here because the target is addressed by IP rather than by the name on the
# certificate. For the pipeline itself, connect by the certificate's DNS name and drop the
# three Skip switches (Negotiate can only use Kerberos with a name; with an IP it falls
# back to NTLM).
Invoke-Command `
-ComputerName 172.23.XX.XX `
-UseSSL `
-Port 5986 `
-Credential (Get-Credential) `
-Authentication Negotiate `
-SessionOption (New-PSSessionOption -SkipCNCheck -SkipCACheck -SkipRevocationCheck) `
-ScriptBlock { hostname; whoami }
# ============================================================
# ✅ End of WinRM HTTPS Configuration
# ============================================================
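The steps above leave three things to the reader: the firewall rule for 5986 (Step 9), the plain-HTTP listener that Step 6 creates, and proof that the listener is bound to a certificate that will actually pass validation. As an added example (not part of the original post), this is the post-configuration script I would run elevated on the target after Step 10. The rule name `WinRM HTTPS (5986)` and the agent subnet `172.23.0.0/16` are placeholders, and it assumes the HTTPS listener from Step 5 exists and that the server's FQDN resolves to itself.

```powershell
# Added example: verify and harden the WinRM HTTPS listener on the target server.
# Rule name and subnet are placeholders (assumptions); run in an elevated PowerShell.
$ErrorActionPreference = 'Stop'

# 1. Open inbound TCP 5986, scoped to the agent subnet rather than "Any".
$ruleName = 'WinRM HTTPS (5986)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -RemoteAddress '172.23.0.0/16' -Action Allow `
        -Profile Domain, Private | Out-Null
}

# 2. Remove the plain-HTTP listener that Enable-PSRemoting created, so 5985 is not left open.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }

# 3. Refuse Basic auth and unencrypted traffic on the service side.
Set-Item WSMan:\localhost\Service\Auth\Basic      -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 4. Confirm the HTTPS listener is bound to a certificate that clients will accept:
#    not about to expire, CA-issued (not self-signed), Server Authentication EKU,
#    private key present.
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Select-Object -First 1
if (-not $https) { throw 'No HTTPS listener is configured.' }

$thumb = (Get-ChildItem -Path $https.PSPath |
    Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"

$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$problems = @()
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires $($cert.NotAfter)" }
if ($cert.Subject -eq $cert.Issuer)            { $problems += 'certificate is self-signed' }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) { $problems += 'no Server Authentication EKU' }
if (-not $cert.HasPrivateKey)                  { $problems += 'private key not present' }
if ($problems) { throw "HTTPS listener certificate check failed: $($problems -join '; ')" }

# 5. Prove the port is listening and that a validating client accepts the certificate.
#    Test-WSMan cannot skip CA/CN checks, so connecting by FQDN here is a real
#    validation of chain and name, unlike the Step 10 test with the Skip switches.
Get-NetTCPConnection -LocalPort 5986 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986
```

If step 5 fails with a certificate error while Step 10 succeeded, the difference is the Skip switches: fix the certificate name or CA trust rather than carrying those switches into the pipeline.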