Windows that use WINRM

Follow the steps to enable WINRM to allow remote connections by using a self-signed certificate.

For Windows® 2016 Server, Windows® 2019 Server, Windows® 2022 Server, and Windows® 2025 Server, the WINRM service is started automatically. However, remote management is not enabled by default. To enable WINRM to allow remote connections by using a self-signed certificate, follow these steps.
  • Enable WINRM to accept HTTPS connections that authenticate with user ID and password
  • Associate a self-signed certificate with the HTTPS listener for WINRM that was enabled
  • Modify the Windows firewall to allow inbound connections through port 5986 (the default WINRM HTTPS port)
The following commands prepare WINRM to allow remote connections over HTTPS:
  • Determine the current state of the WINRM service by using this command: winrm get winrm/config/service
    Figure 1. Remote connection through HTTPS
  • The value for AllowUnencrypted must be false. If it is true, use the following command to change it to false.
    winrm set winrm/config/service @{AllowUnencrypted="false"}
  • The value for Basic must be true. If it is false, use the following command to change it to true.
    winrm set winrm/config/service/auth @{Basic="true"}
  • Determine whether WINRM has an HTTPS listener by using this command:
    winrm enumerate winrm/config/listener
    Figure 2. Listener
  • In the command example, only an HTTP listener exists, so an HTTPS listener needs to be configured. If no HTTPS listener is configured, complete the following steps to create one.
    • Using PowerShell, create a self-signed certificate:
      New-SelfSignedCertificate -DnsName "myHost@example.com" -CertStoreLocation Cert:\LocalMachine\My 
      Note: Replace the DnsName (myHost@example.com) in the example with the Windows fully qualified domain name for the Windows server.
    • Save the certificate thumbprint for the next step
      Figure 3. Thumbprint
    • Create the HTTPS listener:
      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="myHost@example.com"; CertificateThumbprint="[COPIED_CERTIFICATE_THUMBPRINT]"}
    • Check to make sure that HTTPS is now configured:
      winrm enumerate winrm/config/listener
    • Modify the Windows firewall to allow inbound remote connections to WINRM:
      • Go to Control Panel > System and Security > Windows Firewall
      • Click Advanced settings. The Windows Firewall with Advanced Security window is displayed.
      • Click Inbound Rules.
      • Select the Actions menu and click New Rule. The New Inbound Rule wizard is displayed.
      • Select Port and click Next.
      • Select TCP > Specific local ports and specify 5986. Click Next.
      • Select the Allow the connection option and click Next.
      • Select the Domain, Private, and Public check boxes if not already selected and click Next.
      • Give the new rule a name (such as Windows Remote Management (HTTPS-In)) and click Finish.