Description
PSEXEC has always been the go-to for getting WinRM quickconfig run on a remote computer. I was slightly unhappy with having to use a 3rd party tool to be able to get something done on a remote computer. So I wrote this script to configure Windows Remote Management myself.
The script has a required parameter, -Mode, that accepts only Enable or Disable.
-ComputerName is optional; omit it to run the script on the local machine. It accepts a single remote computer, a comma-separated list of computers, or a path to a text file listing computers, so the script can be automated if needed.
The script also enables or disables the Remote Registry service as needed, because Remote Registry is how the script creates the registry key for the WinRM listener.
Source Code
#------------------------------------------------------------------------------------
#\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/
#/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\
#------------------------------------------------------------------------------------
#|\--
#|-\-Author: Chris Rakowitz
#|--\Purpose: Allows for Enabling and Disabling of the Windows Remote Management
#|--/ Service.
#|-/-Date: October 10, 2015
#|/--Updated: June 21, 2016 (1.01)
#|\-- [+] WinRM now enabled using native PowerShell commands instead of
#|-\- PSEXEC.
#|-/- June 22, 2016 (1.02)
#|/-- [+] Now properly enables/disables rules for Windows 8.1.
#|\-- [+] Creates WSMAN Listener manually using registry.
#|-\- [+] Creates Windows Firewall Exceptions.
#|--\ [+] Enable Windows Remote Management.
#|--/ [-] Script no longer relies on PSEXEC at all to configure WinRM.
#|-/-Version: 1.02
#|/--
#------------------------------------------------------------------------------------
#\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/\|-|-|/
#/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\/|-|-|\
#------------------------------------------------------------------------------------
<#
.SYNOPSIS
    Enables or Disables the Windows Remote Management services on a target
    computer. Performs the same actions as winrm.cmd quickconfig.
.PARAMETER ComputerName
    Accepts a single computer name or IP Address. Also accepts a
    comma-separated list or a path to a text file list as input.
    Leaving this parameter blank will result in the script running on
    the local machine.
.PARAMETER Mode
    Valid Options are Enable or Disable. This tells the script
    what option to perform.
.EXAMPLE
    Manage-WindowsRM.ps1 -Mode Enable
    Enables the Windows Remote Management services on the Local
    computer.
.EXAMPLE
    Manage-WindowsRM.ps1 -Mode Enable -ComputerName TEST-1234
    Enables Windows Remote Management services on the computer TEST-1234.
.EXAMPLE
    Manage-WindowsRM.ps1 -Mode Disable -ComputerName "C:\My\List.txt"
    Will disable the Windows Remote Management services on all the computers
    in the list provided.
.EXAMPLE
    Manage-WindowsRM.ps1 -Mode Enable -ComputerName Test-1, Test-2, Test-3
    Enable the Windows Remote Management services on the computers Test-1,
    Test-2 and Test-3.
.NOTES
    This is required to be run as a local administrator or as a Domain
    account that has Administrator rights on the target computer or
    computers.
#>
[cmdletbinding()]
param
(
    [Parameter(Mandatory=$True)] $Mode,
    [Parameter(Mandatory=$False)] [string[]]$ComputerName = $env:computername
)
# Tell PowerShell to ignore any errors that may fill up the screen.
#$ErrorActionPreference = 'silentlycontinue'
# A value ending in .txt is treated as a path to a list of computers.
If($ComputerName -Like "*.txt")
{
    $CompList = Get-Content ([regex]::matches($ComputerName,'[^\"]+') | %{$_.value})
}
Else
{
    $CompList = $ComputerName
}
Foreach($Computer in $CompList)
{
    # Enable the Windows RM Service and Enable Firewall Inbound Rules.
    # Creates WinRM Listener Manually in the Registry. WinRM will detect these
    # settings when it is started.
    # The Remote Registry service is enabled to allow for the Listener to be created
    # in the Registry.
    If($Mode -Like "Enable")
    {
        $CompOS = (Get-WMIObject -Class Win32_OperatingSystem -ComputerName $Computer).caption
        Write-Host "Enabling Remote Management" -Foreground green -Background black
        # Enable the Remote Registry service on the target computer. This allows keys to be read/modified.
        # Create the WinRM Listener manually here. Once the WinRM Service is enabled it will read this key.
        Write-Host "Enabling Remote Registry and Creating WinRM Listener" `
            -Foreground yellow -Background black
        Set-Service -ComputerName $Computer -StartUpType Manual -Status Running `
            -Name RemoteRegistry -DisplayName "Remote Registry"
        # Access the registry and create the needed subkey for the HTTP Listener that WinRM Requires.
        # The "*+HTTP" key defines an HTTP (not HTTPS) listener on port 5985 for all addresses.
        $RegBaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBasekey('LocalMachine', "$Computer")
        $WSMANKeys = $RegBaseKey.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener", $True)
        $WSMANKeys.CreateSubKey("*+HTTP") | Out-Null
        $NewKey = $RegBaseKey.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTP", $True)
        $NewKey.SetValue("certThumbprint","",[Microsoft.Win32.RegistryValueKind]::String)
        $NewKey.SetValue("enabled",1,[Microsoft.Win32.RegistryValueKind]::DWORD)
        $NewKey.SetValue("hostname","",[Microsoft.Win32.RegistryValueKind]::String)
        $NewKey.SetValue("Port",5985,[Microsoft.Win32.RegistryValueKind]::DWORD)
        $NewKey.SetValue("uriprefix","wsman",[Microsoft.Win32.RegistryValueKind]::String)
        # Manually Enable Windows Remote Management using PowerShell.
        Write-Host "Starting Windows Remote Management Service" `
            -Foreground yellow -Background black
        Set-Service -ComputerName $Computer -StartUpType Manual -Status Running `
            -Name WinRM
        # Create the needed Windows Firewall Inbound Exceptions.
        # Only OS captions containing 7 or 8 are handled; other versions get no firewall change.
        If($CompOS -Like '*7*')
        {
            Write-Host "Enabling Windows 7 Remote Management Firewall Rules" `
                -Foreground yellow -Background black
            NETSH -r $Computer ADVFIREWALL FIREWALL SET RULE name="Windows Remote Management (HTTP-In)" `
                profile=domain new remoteip=localsubnet localport=5985 enable=yes
            NETSH -r $Computer ADVFIREWALL FIREWALL SET RULE name="Windows Remote Management (HTTP-In)" `
                profile=private new remoteip=any localport=5985 enable=yes
        }
        Elseif($CompOS -Like '*8*')
        {
            Write-Host "Enabling Windows 8.1 Remote Management Firewall Rules" `
                -Foreground yellow -Background black
            NETSH -r $Computer ADVFIREWALL FIREWALL SET RULE name="Windows Remote Management (HTTP-In)" `
                profile="Domain,Private" new remoteip=any localport=5985 enable=yes
        }
    }
    # Completely Disables Windows Remote Management on the Target computer if it is enabled.
    # Deletes WinRM Listener from registry, Stops and sets the WinRM service back to manual.
    # Closes all Windows Firewall In-bound rules that were created for WinRM.
    ElseIf($Mode -Like "Disable")
    {
        $CompOS = (Get-WMIObject -Class Win32_OperatingSystem -ComputerName $Computer).caption
        # Disable WinRM.
        Write-Host ""
        Write-Host "Disabling Remote Management" -Foreground cyan -Background black
        $RegBaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBasekey('LocalMachine', "$Computer")
        $WSMANKeys = $RegBaseKey.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener", $True)
        # Delete the WinRM Listener.
        Write-Host "Deleting WinRM Listener" -Foreground yellow -Background black
        $WSMANKeys.DeleteSubKey("*+HTTP")
        # Disable all the WinRM Firewall Rules.
        If($CompOS -Like '*7*')
        {
            Write-Host "Disabling Windows 7 Remote Management Firewall Rules" `
                -Foreground yellow -Background black
            NETSH -r $Computer ADVFIREWALL FIREWALL SET RULE name="Windows Remote Management (HTTP-In)" `
                profile=domain new enable=no
            NETSH -r $Computer ADVFIREWALL FIREWALL SET RULE name="Windows Remote Management (HTTP-In)" `
                profile=private new enable=no
        }
        Elseif($CompOS -Like '*8*')
        {
            Write-Host "Disabling Windows 8.1 Remote Management Firewall Rules" `
                -Foreground yellow -Background black
            NETSH -r $Computer ADVFIREWALL FIREWALL SET RULE name="Windows Remote Management (HTTP-In)" `
                profile="Domain,Private" new enable=no
        }
        # Disable Windows Remote Management.
        Write-Host "Stopping Windows Remote Management Service" `
            -Foreground yellow -Background black
        (Get-Service -ComputerName $Computer -Name WinRM).stop()
        Write-Host "Setting Windows Remote Management Service to Manual" `
            -Foreground yellow -Background black
        Set-Service -ComputerName $Computer -StartUpType Manual -Name WinRM
        # Disable the Remote Registry service.
        Write-Host "Stopping Remote Registry Service" -Foreground yellow -Background black
        (Get-Service -ComputerName $Computer -Name RemoteRegistry).stop()
        Write-Host "Disabling Remote Registry Service" -Foreground yellow -Background black
        Set-Service -ComputerName $Computer -StartUpType Disabled -Name RemoteRegistry
        Write-Host ""
    }
    Else
    {
        Write-Host "That is not a recognized option." -Foreground red -Background black
        Write-Host "Valid Options are: Enable | Disable" -Foreground red -Background black
        Write-Host ""
    }
}
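
To confirm what the script left behind on each target, the following check reports the WinRM and Remote Registry service states, whether a WS-Management listener answers, and the values in the listener key the script writes. It is an added example, not part of the original script; the function name Get-WinRMExposure and its output property names are assumptions.

```powershell
# Added example, not part of the original script.
# Get-WinRMExposure and its output property names are illustrative assumptions.
function Get-WinRMExposure {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $listenerPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTP'
    foreach ($Computer in $ComputerName) {
        # Service state over WMI/DCOM, the same channel the script uses for the OS caption.
        $svc = @{}
        Get-WmiObject -Class Win32_Service -ComputerName $Computer `
            -Filter "Name='WinRM' OR Name='RemoteRegistry'" -ErrorAction SilentlyContinue |
            ForEach-Object { $svc[$_.Name] = $_ }

        # Unauthenticated WS-Management Identify request; Test-WSMan uses HTTP/5985 by default.
        $answers = [bool](Test-WSMan -ComputerName $Computer -ErrorAction SilentlyContinue)

        # The listener key is readable remotely only while Remote Registry is running.
        $listener = 'not read'
        if ($svc['RemoteRegistry'].State -eq 'Running') {
            try {
                $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
                $key  = $base.OpenSubKey($listenerPath)
                $listener = if ($key) {
                    'enabled={0} port={1}' -f $key.GetValue('enabled'), $key.GetValue('Port')
                } else { 'absent' }
                $base.Close()
            } catch { $listener = "error: $($_.Exception.Message)" }
        }

        [pscustomobject]@{
            Computer            = $Computer
            WinRMState          = $svc['WinRM'].State
            WinRMStartMode      = $svc['WinRM'].StartMode
            RemoteRegistryState = $svc['RemoteRegistry'].State
            RemoteRegistryMode  = $svc['RemoteRegistry'].StartMode
            ListenerAnswers     = $answers
            ListenerKey         = $listener
        }
    }
}

# TEST-1234 is the example computer name used in the script's help text.
Get-WinRMExposure -ComputerName TEST-1234 | Format-Table -AutoSize
```

After a -Mode Disable run, look for WinRMState Stopped, RemoteRegistryMode Disabled and ListenerAnswers False; anything else means part of the rollback did not apply on that computer.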