Configure Windows Remote Management in a Workgroup
Windows Remote Management (WinRM) is a component of Windows that allows us to remotely execute commands on a Windows server and retrieve the output of these commands. It is very similar in functionality to the Secure Shell (SSH) that is a standard part of Linux and UNIX distributions. While we can configure an SSH server on Windows to perform a similar role for remote command execution, the set up is more involved since WinRM is now a standard part of Windows. In this example I will configure a WinRM server and client both running Windows 7 in a Windows workgroup environment. The set up is a bit more difficult than configuring WinRM in a domain environment but still not too hard.
Configure the WinRM Server
In my experience I have only successfully configured the listener for the WinRM server successfully with the network connection set to use either the Domain or Private profile. So in this example I will configure the WinRM server’s network with the Private profile. Right click the network icon in the system tray and select “Open Network and Sharing Center”.
In my case my current active network (Network 8) is currently configured as a Public Network. Click it to change the location.
Choose Home Network which will configure the network interface to use the Private network profile.
It will automatically prompt us to set up a Homegroup. I will skip this, so at this screen I’ll click Cancel. The previous configuration change to Home Network will still go through, however.
Now we need to configure WinRM using the quick config option. Start up the Powershell console with elevated Administrator privileges. At the prompt type:
Read the actions that the script will take. It will activate the WinRM service, create a WinRM listener, and enable the firewall to allow WinRM HTTP traffic to pass. Type “Y” to continue.
By default the firewall on the WinRM server only permits clients access with the Private network profile if they are on the same subnet. This is not an issue for WinRM servers that are a part of a Windows domain and are using the Domain network profile. To allow WinRM clients from a different subnets go to Start and run the Windows Firewall Advanced Security MMC:
Select Inbound Rules on the left, they scroll down in the center and double click Windows Remote Management (HTTP-In). Be sure and select the rule that applies to the Private network profile and not the Domain profile.
Click the Scope tab, then click Add under Remote IP Address.
Enter an IP Address or Subnet to allow access from and click OK.
Configure the WinRM Client
Now we need to modify the local Group Policy on the WinRM Client to allow us to trust hosts (WinRM Server) that we’re allowed to authenticate to. Keep in mind that at if you are using WinRM with HTTP (which is the default) that the authenticity of the WinRM server is not verified, so only do this on a secure network and be cautious what server that you attempt to access remotely. Go to Start and enter:
On the left open up Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client. On the right double click Trusted Hosts.
Enter the host or domain names of the servers that you want to use this client with. We can use wildcards to specify part of the name if desired. In this example I’ll use a single asterisk alone to allow access to all WinRM servers.
Now switch over to the Powershell console on the client and start a new remote session to the server:
C:\> new-pssession w7w
If all goes well a Powershell session will be opened. You have now configured Windows Remote Management in a workgroup setting!