How to Set Up PSRemoting in a Workgroup Environment

choubertsprojects

This how-to will guide you through the process of setting up PSRemoting in a workgroup environment. It is not meant for Domain Admins, but rather for IT professionals who are responsible for managing and configuring computers that run Microsoft Windows operating systems.

Enter-PSSession is a cmdlet that starts an interactive session with a remote computer. While you are in the remote session, the commands you type run on the remote computer.

PSRemoting is a terrific way to execute commands on remote machines, but authentication is difficult if you're not in an Active Directory (AD) domain. Without Kerberos, PSRemoting in a workgroup needs a few steps to set up.

In this article, you’ll learn how to set up a PSRemoting connection in a workgroup utilizing a username and password from both a client and a server.

Related: The Ultimate Guide to PowerShell Remoting

Prerequisites

If you want to follow along, make sure you have the following things before you start:

  • As a client, you’ll need a Windows 7 or above PC. The Windows 10 build 20H2 will be used in this tutorial.
  • To serve as a server, you’ll need a Windows 7+ PC. Windows Server 2019 will be used in this tutorial.
  • On both the client and the server, access to an administrator user account.

Problems with PSRemoting in Workgroups

PSRemoting works well in AD. If both the client and the server are domain-joined and you have the necessary permissions, you can just execute Invoke-Command and it will work.

You'll see that only the ComputerName and ScriptBlock parameters are required. It simply works, assuming PSRemoting is already enabled on the server.

Invoke-Command -ComputerName SRV -ScriptBlock { Write-Host 'I am operating on the remote server.' }

Related: The Best Way to Run Remote Code with Invoke-Command

When the client and server are both members of the domain, AD may be used to verify that the other is who they claim to be. This is built into the Kerberos authentication technique and may be found all throughout an AD system.

When you remove the domain from the equation, the troubles begin. You may now only authenticate the client (using the password), but not the server. That is a serious security issue that must be addressed.

Possible Solutions

There are a couple of possible solutions for setting up PSRemoting in a workgroup: using the trusted hosts list (as covered below) or setting up an HTTPS/SSL connection.

The simplest way to proceed is to use trusted hosts, as you'll see in this tutorial. The client keeps a list of trusted hostnames or IP addresses that it may connect to. For hosts on this list, PowerShell skips the connection's usual server validation.

Using the trusted hosts technique in production is not advised, since it is considerably less secure than setting up WinRM the "proper" way with SSL.

You may also use HTTPS to set up WinRM. The certificate used for the HTTPS connection gives a mechanism to verify that the server is who it claims to be. This is the recommended method, however it necessitates the establishment of a public key infrastructure.

While a self-signed certificate may be used for HTTPS connections, this method does not verify the server. It’s possible that the self-signed certificate came from someone you don’t trust.

Setting Up PSRemoting in a Workgroup

PSRemoting can still be set up in a workgroup, although it's a little more complicated. Before you can connect, you must first establish trust and configure the firewall. Let's get started with trusted hosts.

Configuring the Firewall

The Domain network profile is used by both the client and the server when they are both members of the same domain. The Domain network profile permits connections from any subnet by default. Things change when both the client and the server are in the same workgroup. The computers will be assigned to one of two network profiles: public or private, both of which restrict traffic.

There are no firewall adjustments required if both the client and the server are running Windows Server and are on the same network.

Check what network profile you’ve chosen if you’re using a client OS for the destination or if your client and server are on separate subnets. Run Get-NetConnectionProfile on the server, and you should see something like this.

[Image: output of Get-NetConnectionProfile]

If you're using a client OS like Windows 10 and the network category is set to Public, you'll need to run Enable-PSRemoting -SkipNetworkProfileCheck. You don't need -SkipNetworkProfileCheck if you're running a server OS like Server 2019.

If you need to connect to a workgroup computer using PSRemoting from a different subnet while it is on a public network, use the commands below on the destination machine.

# Allow inbound WinRM over HTTP (TCP 5985) on the Public profile
$FirewallParam = @{
    DisplayName = 'Windows Remote Management (HTTP-In)'
    Direction   = 'Inbound'
    LocalPort   = 5985
    Profile     = 'Public'
    Protocol    = 'TCP'
    Action      = 'Allow'
    Program     = 'System'
}
New-NetFirewallRule @FirewallParam

Setting up an HTTP Connection with Trusted Hosts

The trusted hosts list is a list of hostnames and/or IP addresses that the WinRM client checks to see whether you trust the server you're connecting to. You can view this list with the command below.

Get-Item WSMan:\localhost\Client\TrustedHosts

Only use the trusted hosts list as a last resort. Adding hosts to this list tells PowerShell that you trust them absolutely. You should not add a server to this list if it provides a mechanism to verify its authenticity, such as an HTTPS connection or Kerberos.

Assume you’re attempting to connect to an untrusted server. If that’s the case, you’ll see the error notice below.

[Image: error when connecting to an untrusted WinRM server]

To avoid this problem and enable you to connect, use the Set-Item cmdlet and reference the WSMAN PowerShell drive to add the remote server to the TrustedHosts list, as shown below.

In the example below, a remote server named ServerB is added to the TrustedHosts list. Because the TrustedHosts list might include a variety of hosts, the Concatenate parameter appends the host name instead of overwriting the whole list.

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'ServerB' -Concatenate

If at all feasible, use the specific server name. You may also use a wildcard address, such as 192.168.1.*. However, using a wildcard and automatically trusting all matching servers isn't the most secure option.

The only reason to add a host to the TrustedHosts list is to set up an HTTP connection. PowerShell has this safeguard in place because authentication methods that reveal the password to the remote server might be used. As a more secure option, you can set up an HTTPS listener instead.

Alternatively, run the command below to clear the list.

Set-Item WSMan:\localhost\Client\TrustedHosts -Value ''
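The caution about wildcards above can be checked on any client. The following is an added example, not code from the original article: it splits the comma-separated TrustedHosts value and labels each entry by how broadly it switches off server validation. The function name, the risk labels and the sample string are assumptions made for illustration.

```powershell
# Added example (hypothetical helper): classify TrustedHosts entries by scope.
function Get-TrustedHostFinding {
    param(
        # Defaults to the live client setting. Pass a string to audit an exported value offline.
        [string]$TrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    )

    # TrustedHosts is a single comma-separated string; drop blanks and stray spaces.
    $entries = $TrustedHosts -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    foreach ($entry in $entries) {
        $risk = if ($entry -eq '*') {
            'High: every host is trusted'
        } elseif ($entry.Contains('*')) {
            'Medium: wildcard pattern'
        } else {
            'Low: single host'
        }
        [pscustomobject]@{ Entry = $entry; Risk = $risk }
    }
}

# Constructed sample value, audited without touching the WinRM configuration.
Get-TrustedHostFinding -TrustedHosts 'ServerB, 192.168.1.*, *' | Format-Table -AutoSize

# Audit the actual setting on this client.
Get-TrustedHostFinding | Where-Object Risk -notlike 'Low*'
```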

Enabling PSRemoting on the Server

PSRemoting is normally turned on by default, but you may need to turn it on explicitly. Log into the server and run the Enable-PSRemoting cmdlet to enable it.

Connecting to the WinRM Server

You should be able to connect to the server in a workgroup after adding the hostname to the trusted hosts list on the client.

Use the Credential parameter on a PSRemoting command like Invoke-Command or Enter-PSSession to connect to the server.

Make sure the credential contains the username and password of a local account on the server that has permission to connect.

By default, all local users in the Remote Management Users and Administrators groups can authenticate to the server through PSRemoting.

[Image: connecting to a remote server requires a credential]
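The client-side steps above can be combined so that the server is trusted only while one command runs. This is an added example, not code from the original article: the function name is hypothetical, ServerB is the article's example server, and the account ServerB\Administrator is a constructed example. It assumes an elevated PowerShell session on the client.

```powershell
# Added example (hypothetical helper): trust the server only for one remote command.
function Invoke-WorkgroupCommand {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )

    $path     = 'WSMan:\localhost\Client\TrustedHosts'
    $original = (Get-Item $path).Value    # remember the list as it was

    try {
        # Append rather than overwrite. -Force suppresses the confirmation prompt.
        Set-Item $path -Value $ComputerName -Concatenate -Force

        # Fail early if the WinRM HTTP listener (TCP 5985) is unreachable,
        # for example because of the firewall profile discussed earlier.
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null

        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally {
        # Restore the previous list so the HTTP trust does not outlive the task.
        Set-Item $path -Value $original -Force
    }
}

# Prompt for a local account on the server, e.g. ServerB\Administrator.
$cred = Get-Credential
Invoke-WorkgroupCommand -ComputerName 'ServerB' -Credential $cred -ScriptBlock { hostname }
```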

Next Steps

Now that you're all set up with PSRemoting in a workgroup and know the gist of things, why not look into setting up WinRM with HTTPS in the How to Securely Run PSRemoting with WinRM and SSL article, or really dig into PSRemoting by taking a look at the PowerShell Remoting Ultimate Guide post?

Enable-PSRemoting is a PowerShell cmdlet that configures a computer to receive remote PowerShell commands, including its firewall settings and other settings.

Frequently Asked Questions

How do I enable PSRemoting in group policy?

A: If you don't already have it enabled, you can enable remote PS4 from the group policy editor. The Group Policy Editor is a Windows application that lets administrators manage remote computers in their network.

How do I enable PSRemoting on multiple servers?

A: You can enable PSRemoting on multiple servers by creating a network for each of the different accounts.
