How to correctly/securely setup WinRM with https for Windows Admin Center?

Armin Bruhns 5 Reputation points
2023-03-24T15:08:09.0666667+00:00

Hi,

I want to set up a Windows Admin Center Gateway in our domain to monitor and manage our servers.

The default setup with just http on the default port is NOT an option for security reasons, so I want to use the https only mode for WinRM.

The initial setup of WAC works fine, adding our internal wildcard certificate for the Admin Center Webservice also works, so I can access the Webportal and manage the gateway server itself.

But whatever I tried, I can't get it working to add other servers to the WAC. It always just says "make sure the service is running and accepts requests". I read every single entry I can find on the web and also asked the Bing AI, but couldn't find a useful manual on how to achieve that.

Questions I couldn't find an answer to:

  1. Does WinRM over https generally work with wildcard (*.domain.local) certificates? Added CNs are domain.local and *.domain.local. Or do I really have to create a Webserver Certificate for every single host I want to manage?
  2. How to set up WinRM instances via GPO that use https? The only settings I find are to create a service that runs on the default port with http. Seems not to be possible directly. Do I have to deploy a script for that?
  3. Is it necessary to enable basic authentication on WinRM for WAC or can I somehow just use Kerberos?

Would be cool if someone had a good manual for that, but maybe I get it up and running just with answers to these questions.

Regards


1 answer

  1. Limitless Technology 44,766 Reputation points
    2023-03-27T12:34:20.09+00:00

    Hello,

    For the question of wildcard certificates, yes, the certificate may be configured as a wildcard certificate, but the access to the certificate must be on a stateful server as explained in:

    https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https

    For the question about configuring WinRM using GPO, it is possible, and you can find the options at the following path of the GPO templates:

    Computer Configuration / Policies / Administrative Template / Windows Components / Windows Remote Management (WinRM) / WinRM Service

    --If the reply is helpful, please Upvote and Accept as answer--

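The question also asks whether a deployed script is needed for an https-only WinRM service. The following PowerShell is an added example (not from the thread, Microsoft, or the linked article) showing what such a script would do on a domain-joined server: bind an HTTPS listener to an existing certificate, drop the HTTP listener, keep Kerberos while disabling Basic, open 5986, and verify. It assumes a server-authentication certificate with a private key is already in the machine store and that its subject/SAN covers the host's FQDN; `$Fqdn` is an assumed parameter.

```powershell
# Added example: configure an HTTPS-only WinRM listener, Kerberos auth only.
# Assumption: a valid server-authentication certificate (e.g. from the internal
# CA) is already in Cert:\LocalMachine\My and matches this host's FQDN.
param(
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Pick a non-expired certificate with a private key and the Server Authentication EKU
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable server-authentication certificate in LocalMachine\My' }

# Create the HTTPS listener (port 5986) bound to that certificate, if missing
$listeners = Get-ChildItem WSMan:\localhost\Listener
if (-not ($listeners | Where-Object Keys -contains 'Transport=HTTPS')) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $cert.Thumbprint -HostName $Fqdn -Force | Out-Null
}

# Remove the default HTTP listener so only HTTPS is offered
$listeners | Where-Object Keys -contains 'Transport=HTTP' | ForEach-Object {
    Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force
}

# Kerberos stays enabled; Basic auth and unencrypted traffic are disabled
Set-Item WSMan:\localhost\Service\Auth\Kerberos -Value $true
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Allow 5986 inbound; in production scope -RemoteAddress to the WAC gateway
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow | Out-Null
}

# Verify: this should succeed with Kerberos and no explicit credentials.
# If it fails with a certificate error, the cert's name does not match $Fqdn
# or the issuing CA is not trusted by the client.
Test-WSMan -ComputerName $Fqdn -UseSSL -Authentication Kerberos
```

Run the same `Test-WSMan` line from the WAC gateway before adding the host; the "make sure the service is running and accepts requests" message usually corresponds to that check failing.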
