Config
    MaxEnvelopeSizekb = 150
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 80
            HTTPS = 443
        TrustedHosts = CorpServer65
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX)
        MaxConcurrentOperations = 4294967295
        EnumerationTimeoutms = 60000
        MaxConnections = 25
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 80
            HTTPS = 443
        IPv4Filter = *
        IPv6Filter = *
        CertificateThumbprint
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 150
        MaxShellsPerUser = 5
If you examine the listing, you’ll notice there is a hierarchy of
information. The base of this hierarchy, the Config level, is
referenced with the path winrm/config. Then there are sublevels for
client, service, and WinRS, referenced as winrm/config/client,
winrm/config/service, and winrm/config/winrs, respectively. You can
change the value of most configuration parameters by using the
following command:
winrm set ConfigPath @{ParameterName="Value"}
where ConfigPath is the configuration path, ParameterName is the name of the parameter you want to work with, and Value sets the value for the parameter, such as:
winrm set winrm/config/winrs @{MaxShellsPerUser="4"}
In this example, the MaxShellsPerUser parameter is set under
WinRM/Config/WinRS. Keep in mind that some parameters are read-only and
cannot be set in this way.
WinRM requires at least one listener to indicate the transports and
IP addresses on which management requests can be accepted. The
transport must be HTTP, HTTPS, or both. With HTTP, messages can be
encrypted only using NTLM or Kerberos encryption. With HTTPS, Secure
Sockets Layer (SSL) is used for encryption. You can examine the
configured listeners by typing winrm enumerate winrm/config/listener.
By default, your computer is likely to be configured to listen on
any IP address. If so, you won’t see any output. To limit WinRM to
specific IP addresses, the computer’s local loopback address (127.0.0.1)
and assigned IPv4 and IPv6 addresses can be explicitly configured for
listening. You can configure a computer to listen for requests on HTTP
on all configured IP addresses by typing:
winrm create winrm/config/listener?Address=*+Transport=HTTP
You can listen for requests on HTTPS on all IP addresses configured on the computer by typing:
winrm create winrm/config/listener?Address=*+Transport=HTTPS
In this case, the * indicates all configured IP addresses. Note that
the CertificateThumbprint property must be empty for the SSL
configuration to be shared with another service.
You can enable or disable a listener for a specific IP address by typing:
winrm set winrm/config/listener?Address=IP:192.168.1.225+Transport=HTTP @{Enabled="true"}
or
winrm set winrm/config/listener?Address=IP:192.168.1.225+Transport=HTTP @{Enabled="false"}
You can enable or disable basic authentication on the client by typing:
winrm set winrm/config/client/auth @{Basic="true"}
or
winrm set winrm/config/client/auth @{Basic="false"}
You can enable or disable Windows authentication using either NTLM or Kerberos (as appropriate) by typing:
winrm set winrm/config/client @{TrustedHosts="<local>"}
or
winrm set winrm/config/client @{TrustedHosts=""}
In addition to managing WinRM at the command line, you can
manage the service by using Group Policy. Keep in mind that Group
Policy settings might override any other settings you enter.
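The hierarchy-to-ConfigPath mapping described above, as an added Python example that is not part of the original text: it parses an indented listing of the kind winrm get winrm/config prints (4-space indentation assumed) and returns the winrm set command for each value that differs from a review baseline. The SAMPLE listing, the BASELINE values, and the function names parse_listing and audit are assumptions made for illustration.

```python
# Added example, not from the original page. SAMPLE is a constructed listing.
SAMPLE = """\
Config
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
        TrustedHosts = CorpServer65
    Service
        AllowUnencrypted = true
        Auth
            Basic = false
        CertificateThumbprint
    Winrs
        MaxShellsPerUser = 5
"""

# Hypothetical review baseline (an assumption, not a WinRM default),
# keyed by (config path, parameter) with the value the reviewer expects.
BASELINE = {
    ("winrm/config/client", "AllowUnencrypted"): "false",
    ("winrm/config/client/auth", "Basic"): "false",
    ("winrm/config/client", "TrustedHosts"): "",
    ("winrm/config/service", "AllowUnencrypted"): "false",
    ("winrm/config/service/auth", "Basic"): "false",
}

def parse_listing(text, indent=4):
    """Return {(config_path, parameter): value} from an indented listing."""
    settings, stack = {}, []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        depth = (len(line) - len(line.lstrip(" "))) // indent
        name, sep, value = line.strip().partition(" = ")
        if sep:  # "Name = Value": a parameter under the current path
            settings[("winrm/" + "/".join(stack[:depth]), name)] = value
        else:    # bare name: a sublevel (or a parameter with no value)
            stack[depth:] = [name.lower()]
    return settings

def audit(settings):
    """Return a winrm set command for each value that differs from BASELINE."""
    fixes = []
    for (path, name), want in BASELINE.items():
        have = settings.get((path, name))
        if have is not None and have.lower() != want:
            fixes.append('winrm set %s @{%s="%s"}' % (path, name, want))
    return fixes

if __name__ == "__main__":
    print("\n".join(audit(parse_listing(SAMPLE))))
```

Parameters that print with no value, such as CertificateThumbprint here, are not recorded, so an empty TrustedHosts produces no finding. As noted above, a Group Policy setting might still override a value changed with winrm set.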