Manage client workstations with Remote Powershell via SSL

Question

I am looking for a solution to remotely manage around 100 workstations.

I will be connecting to these systems to complete several local system tasks. (3rd party updates, security auditing, incident response)

Remote Powershell over SSL seems ideal.

To enable the WinRM HTTPS listener on each workstation - will I need a local certificate installed on every workstation? I believe this is correct, I just want to be sure.

Is there a more graceful way to implement a solution like this? Or will I have to physically visit each workstation I wish to remote into - to install a certificate?

I'd also welcome any suggestions that do not use powershell or winrm at all!

Thanks!

Answer 1

You can use Group Policy to deploy the certificates, TechNet article explains how to do so:

1. Open Group Policy Management Console.

2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

3. Right-click the GPO, and then select Edit.

   Group Policy Management Editor opens, and displays the current contents of the policy object.

4. In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.

5. Click the Action menu, and then click Import.

6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

7. If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.