How do I configure WinRM SSL/TLS to listen on 5986 with a GPO

I have a piece of monitoring software with which I want to start monitoring securely. My goals are:

  • Use TLS for transport encryption and not rely on message encryption
  • Use a certificate authority
  • I want to avoid running some PowerShell script on every machine before I can start monitoring. I want to use GPOs or something similar (I’m no sysadmin) that does the changes globally.
  • I don’t want to use the Compatibility server because IIS or some other webserver might already be present on the monitored host.
  • It should preferably work on any server version > 2008

Following this tutorial we (read: my colleague) came this far:

C:\Windows\system32>winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Enabled = true
    URLPrefix = wsman
    ListeningOn =, 

However, at the end we have to run this CMD command to enable HTTPS on 5986:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<HOSTNAME HERE>"; CertificateThumbprint="<THUMBPRINT HERE>"}

I can’t be the only one who has these goals? I can’t believe that doing it in a way that feels correct (to me) is just impossible.

We’ve also found this workaround but would prefer a more straightforward solution.
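The step the question ends on (creating the HTTPS listener with a CA-issued certificate) is the one piece a WinRM GPO does not do for you, so the usual way to roll it out without touching every box by hand is a computer startup script assigned through the same GPO. The script below is an added example, not part of the question or of the linked tutorial: it locates the server-authentication certificate auto-enrolled from the domain CA, (re)creates the HTTPS listener on 5986 bound to that certificate, and opens the firewall port. The issuer name `Corp-Issuing-CA` and the rule name `WinRM HTTPS` are placeholders; everything else uses the stock WSMan provider and `netsh` that exist on Server 2008 and later.

```powershell
# Added example: GPO startup script that registers a WinRM HTTPS listener on 5986.
# Assumptions (not from the original post):
#   - The host already holds a certificate from the domain CA with the Server
#     Authentication EKU and the host FQDN as subject/SAN (e.g. via auto-enrollment).
#   - 'Corp-Issuing-CA' is a hypothetical issuer name; replace with your CA's CN.
# Deploy via Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).

$CaName   = 'Corp-Issuing-CA'     # hypothetical issuer CN
$Port     = 5986
$RuleName = 'WinRM HTTPS'         # hypothetical firewall rule name
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'

# Select a valid, private-key-backed server-auth certificate issued by our CA.
# Written to work on PowerShell 2.0 as well (no member enumeration on arrays).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -like "*CN=$CaName*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $ServerAuthEku)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Error "No server-authentication certificate issued by $CaName found in LocalMachine\My"
    exit 1
}

# Make sure the service itself is up; the GPO normally handles this but it is cheap to assert.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Drop any existing HTTPS listener so re-running after certificate renewal is idempotent.
# (HTTP listener from the GPO is left untouched.)
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force }

# Create the HTTPS listener bound to the CA-issued certificate (no IIS involved:
# http.sys serves it directly on its own port).
New-Item -Path WSMan:\localhost\Listener `
         -Transport HTTPS -Address * -Port $Port `
         -Hostname $Fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Allow inbound 5986 from the domain profile; delete-then-add keeps this idempotent
# and works on 2008, which lacks the NetSecurity cmdlets.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
      protocol=TCP localport=$Port profile=domain | Out-Null

# Report what got bound so the result is visible in the startup-script log.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" } |
    Where-Object { $_.Name -in 'Hostname','Port','CertificateThumbprint' }
```

Because the listener is keyed on the certificate thumbprint, a renewed certificate silently breaks HTTPS until the listener is recreated; running this as a startup script (or on a schedule) rather than once covers that case. Verify from a monitoring host with `Test-WSMan -ComputerName <fqdn> -UseSSL`, which fails if the certificate's subject does not match the name you connect to.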

