How to configure servers for remote access (WinRM and PSRemoting)

Note: WinRM is enabled by default on all Windows Server operating systems since Windows Server 2012 and above, but disabled on all client operating systems like Windows 10 etc.

On the Windows server, you literally do not have anything to do to have this service enabled.

To configure your servers for remote access, follow the steps below.
Enable PSReomoting

Launch your server
Fire up a PowerShell terminal
Type "Enable-PSRemoting" 

This will enable the server for PSRemoting and allow the server to be accessed via remote access.

Add the servers to TrustedHosts list
Add the host to the TrustedHosts list with the command, for more information, see https://techdirectarchive.com/2020/03/25/how-to-add-servers-to-trustedhosts-list-via-powershell/

RestartWinRM service with the command below via PowerShell

Restart-Service winrm

To test the WinRM Configuration, run the command below.

winrm quickconfig

Method 1: To test remote access using PowerShell Remoting, use the command below, replace “ansible” with your remote computer

Enter-PSSession -ComputerName Ansibleserver

Method 2: To permit a remote connection via PowerShell remoting, use the command below

Enter-PSSession -ComputerName TechDArchive -Credential $Credentials

As shown below, the authentication is successful and I am able to remotely manage the machine via PowerShell Remoting.

For other related links
https://blogs.technet.microsoft.com/christwe/2012/06/20/what-port-does-powershell-remoting-use/
https://docs.microsoft.com/en-us/previous-versions//dd347668(v=technet.10)?redirectedfrom=MSDN
https://4sysops.com/archives/enable-powershell-remoting-on-a-standalone-workgroup-computer/

Connecting to a remote server failed and WinRM cannot process the request. The following error code 0x8009030e occurred while using Kerberos authentication: A specified logon session does not exist

I have put together three similar error types I simulated in my Test laboratory. When you are prompted with the following error when using the invoke-command, the following solutions and explanation below will help you resolve this issue.

Error 1: Below is the command run to install and reboot the TechDArchive

Invoke-Command -ComputerName TechDArchive -Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot | Out-File C:\PSWindowsUpdate.log  } -Verbose

Error 2: When you also run the Enter-PSSession to initiate a connection to the remote server the following error above will also be displayed.

Enter-PSSession -ComputerName TechDArchive

Error 3: The invoke-command used to run the script locally or on remote computers. Once remoting is enabled on remote machines, we can run Invoke-Command as shown below to query the WinRM service. But WE are FACED with an ERROR.

Invoke-Command -ComputerName ServerDC -ScriptBlock {Get-Service winrm}

How do we solve this? | Solution: This error is as a result of my login method as you can see in the error message above.

– This issue was as a result of the host machine (Ansibleserver) from where I was trying to connect to. I was logged into the server as a local user with the Administrators account, whereas the remote machine to which I was trying to connect was running as a domain user. 
– So, when I switched to the domain user account (Chris) on the host machine, Kerberos started working and the issue got resolved.

As you can see below, the invoke-command is working correctly to get the WinRM service.

Also the invoke-command to have windows updates installed is running executing as well.

Below are the tips to ensure you are able to use the invoke-command.
– Ensure PSRemoting is enabled on the remote device.
Ensure WinRM is running on the remote device, To determine this, run WinRM using the following command.
– Ensure the computers (servers) are added in the TrustedHosts. Instead of adding an individual host, use the asterisk to all subsequent hosts

For a similar error where the computer account could not be found, see https://techdirectarchive.com/2020/03/25/error-message-winrm-cannot-process-the-request-the-following-error-occurred-while-using-kerberos-authentication-cannot-find-the-computer-serverdc/

Error message: WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer

The Following error as shown was because the “ServerDC” could not be found. There was simply no computer on my domain named “ServerDC”.

This error is self-explanatory as shown in the error prompted.
– Simple enter the right name as shown below “TechDArchive”

Also, ensure you are not logged on to the server via the local user account. Else you will be prompted with the following error as shown below

The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon session does not exist

How to automate Windows Update with PowerShell and Task Scheduler

In order to orchestrate Windows Update with PowerShell, the module “PSWindowsUpdate” needs to be installed. This module contains cmdlets to manage the Windows Update Client (severs). This module is vital because it helps automate the deployment of Windows Update using the
– “Invoke-WUInstall” command to install Windows Updates remotely on computers or with the following below that can be configured via task scheduler to automate updates on individual computers.
– “Install-WindowsUpdate” for installing updates from Microsoft Update Center or with the
– “Get-WindowsUpdate” to update Windows from WSUS.

Note: This module is not installed by default on Windows Servers and when installed it contains a set of functions to check, download and install updates from PowerShell.

First, Install the PSWindowsUpdateModule: To have the module installed in PowerShell 5 and above, use the cmdlets below.

Install-Module PSWindowsUpdate

Note: To automate this installation in an unattended (silent) mode, use the command by adding the “-Force” flag as shown below

Install-Module PSWindowsUpdate -Force

To list all the module installed, use the command below

Get-Command –module PSWindowsUpdate

Next, run the command below. If the updates are not already downloaded, the command will contact the WSUS and pull the updates, have the updates installed and restart the server.

Here is the meaning of the module command.
Get-WUInstall, Install-WindowsUpdate (alias for Get-WindowsUpdate –Install) – install updates

Microsoft Updates: For Updates directly from Microsoft update center, use the command below.

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

The command below might not work correctly, because of this, the “install-WindowsUpdate” is my desired choice.

Get-WUInstall –MicrosoftUpdate –AcceptAll –AutoReboot

To have this run at a specific period of time, create PowerShell script and create a scheduled task to automate Windows Update with the code below.

Install-Module PSWindowsUpdate -Force
#installs everything (newest version) along with required modules.

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot
#Will ensure that updates are downloaded, installed completely and then restarted.

The AcceptAll key accepts installation of all update packages, and AutoReboot allows Windows to automatically restart after the updates are installed.

WSUS Updates (Windows Server Update Services): For WSUS updates, the following commands works correctly.

Get-WindowsUpdate -install -AcceptAll -AutoReboot

Next steps! Have your script automated
– Create a scheduled task, see the following link below for more details https://techdirectarchive.com/2020/03/24/how-to-create-a-scheduled-task-on-windows-server-2019/

For Task Scheduled task error and success code, see https://techdirectarchive.com/2020/03/24/task-scheduler-errors-and-success-code-what-does-code-0x41301-mean/

How to add servers to TrustedHosts list via PowerShell and command Prompt for the WinRM client

The WSMan provider for PowerShell lets you add, change, clear, and delete WS-Management configuration data on local or remote computers. The WSMan provider exposes a PowerShell drive with a directory structure that corresponds to a logical grouping of WS-Management configuration settings. For more on WSMan, see https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/about/about_wsman_provider?view=powershell-7

Windows by default has an empty TrustedHosts list, a list that contains those remote computers (hosts) that you can remotely manage from a client without authentication. In Windows environments using Windows Remote Management (WinRM) can help discover servers using the WinRM protocol. To run PowerShell commands on a device from a remote computer, we have to add the remote machine to the trusted hosts list of the host machine.

When you want to remotely manage a list of computer through WinRM (Windows Remote Management), you have to add computers to the TrustedHosts list. Otherwise, you may most likely encounter errors when communicating between the two sides. Using PowerShell, you can see what the current records are in the TrustedHosts file but also how to add new records depending on your scenario.

– Ensure the computers (servers) are added in the TrustedHosts. Instead of adding an individual host, use the asterisk (a wild-card) to add all subsequent hosts. Note, this is not recommended.

Below are the steps to add a server to the TrustedHosts for WinRM client.

Set-Item WSMan:localhost\client\trustedhosts -value *

To view the result below, use the command as shown below “Get-Item WSMan:localhost\client\TrustedHosts”

Note: You can add individual servers to the TrustHost via the following methods below.

Set-Item WSMan:localhost\client\trustedhosts -value ServerDC 

In this way, you can add multiple servers to the TrustedHosts for WinRM, provide a single, comma-separated, string of computer names.

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'ServerDC,AnsibleClient'

To make this command run in an unattended mode (silently) without prompting you to acknowledge the security configuration, add the -Force to the command as shown below.

Set-Item WSMan:localhost\client\trustedhosts -value ServerDC -Force

You can also read the trusted host list with PowerShell, run the command below.

Get-Item WSMan:\localhost\Client\TrustedHosts

To add all domain computers to the TrustedHosts list, use the command as follow, Set-Item WSMan:\localhost\Client\TrustedHosts *.yourdomain.com

Set-Item WSMan:\localhost\Client\TrustedHosts *.techdirect.local

Via the Command Prompt: Run the following command below

winrm set winrm/config/client @{TrustedHosts="RemoteComputerName"}

I hope you find these tips useful 😉
– For some troubleshooting tips, see https://www.codetwo.com/kb/troubleshooting-remote-powershell-connections/
– For errors connecting to a remote server failed and WinRM cannot process the request, see https://techdirectarchive.com/2020/03/25/connecting-to-remote-server-failed-and-winrm-cannot-process-the-request-the-following-error-with-error-code-0x8009030e-occurred-while-using-kerberos-authentication-a-specified-logon-session-does-not/
– For Windows Admin Center Error: Failed to create a scheduled task, there is no disconnected command associated with the runspace, see https://techdirectarchive.com/2020/03/26/windows-admin-center-error-failed-to-create-a-scheduled-task-there-is-no-disconnected-command-associated-with-the-runspace/
– Error: Failed to create a scheduled task, cannot perform the operation because the runspace pool is not in the open state, see https://techdirectarchive.com/2020/03/26/error-failed-to-create-a-scheduled-task-cannot-perform-the-operation-because-the-runspace-pool-is-not-in-the-open-state/

How to install Microsoft PSWindowsUpdate module Silently (unattended) mode

Run the module command you wish to install silently followed by the switch “-Force” as shown below

This will install everything (newest version) along with required modules.

I hope you found this useful? Kindly comment other methods below.

WMI Commands

WMI (Windows Management Instrumentation) is part of Windows since Windows 2000. It is a service that can query almost every detail about a computer system. PowerShell ships with full WMI support.

These are the most important CIM (Common Information Model) cmdlets and are fully supported by PowerShell.

Cmdlets used in PowerShellDescription
Get-CimInstance
Gets instances of WMI classes. This is the most important cmdlet  
Get-CimClassGets a WMI class. Use it to access static WMI methods.
Invoke-CimMethodRuns a WMI method, and returns results.
Set-CimInstanceWrites back changed properties.
New-CimSessionCreates a new remoting session to one or more remote systems
New-CimSessionOptionDefines special options for remoting connections.
Remove-CimSessionCloses and removes a remoting session that is no longer used.
New-CimInstanceCreates a new instances of a WMI class, i.e. for temporary use.

WMI Commands – How to query information using WMI (Get-CimInstance).

To get information from WMI, you ask for instances of a given class. The PowerShell code for this is always the same, so the hardest part in WMI is to figure out the name of the class that describes what you are after.

1: BIOS

Get-CimInstance -ClassName Win32_BIOS

Or run

Get-CimInstance

And enter the class name at the prompt

Win32_BIOS

2. DISK – list logical disk information

Get-CimInstance -ClassName Win32_LogicalDisk

or run

Get-CimInstance

And enter the class name at the prompt.

Win32_LWin32_LogicalDisk

The WMI namespace root/cimv2 is the default namespace and contains classes for computer hardware and configuration.

root/cimv2 contains the following 276 classes:

The namespace root/cimv2 contains many more classes that may serve internal purposes (link classes to define relationships, abstract classes that serve as a template for inherited classes, etc.

Take a look at the other class types http://powershell.one/wmi/root/cimv2