Configuring WINRM for HTTPS

Support for Windows Server 2003 ended on July 14, 2015




By default WinRM uses Kerberos for authentication, so Windows never sends the password to the system requesting validation. To get a list of your authentication settings, type the following:

winrm get winrm/config

The purpose of configuring WinRM for HTTPS is to encrypt the data being sent across the wire. 

WinRM HTTPS requires that a local computer "Server Authentication" certificate be installed. The certificate must have a CN matching the hostname and must not be expired, revoked, or self-signed.

To install or view certificates for the local computer:

- Click Start, Run, type MMC, open the "File" menu, choose "Add or Remove Snap-ins", select "Certificates" and click "Add". Go through the wizard selecting "Computer account".

- Install or view the certificates under:
Certificates (Local computer)

If you do not have a Server Authentication certificate, consult your certificate administrator. If you have a Microsoft Certificate server, you may be able to request a certificate using the web certificate template from HTTPS://<MyDomainCertificateServer>/certsrv

Once the certificate is installed type the following to configure WINRM to listen on HTTPS:

winrm quickconfig -transport:https

If you do not have an appropriate certificate, you can run the following with the authentication methods configured for WinRM; however, the data will not be encrypted.

winrm quickconfig


More Information

By default WinRM HTTP uses port 80.  On Windows 7 and higher the default port is 5985.
By default WinRM HTTPS uses port 443.  On Windows 7 and higher the default port is 5986.

To confirm WinRM is listening on HTTPS type the following:

winrm enumerate winrm/config/listener

To confirm a computer certificate has been installed use the Certificates MMC add-in or type the following:

Winrm get

If you get the following error message: 

Error number:  -2144108267 0x80338115
         Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and  not be expired, revoked, or self-signed.

open the Certificates MMC add-in and confirm the following attributes are correct:
- The date of the computer falls between the "Valid from:" to the "To:" date on the General tab
- Host name matches the "Issued to:" on the General tab or it matches one of the "Subject Alternative Name" exactly as displayed on the Details tab.
- That the "Enhanced Key Usage" on the Details tab contains "Server authentication"
- On the Certification Path tab that the Current Status: is "This certificate is OK"

If you have more than one local computer account server certificate installed, confirm that the CertificateThumbprint displayed by:

Winrm enumerate winrm/config/listener

is the same Thumbprint on the Details tab of the certificate.
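
The same checks can be run as a script instead of through the MMC tabs. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later, an elevated prompt with the WinRM service running, and it treats either the computer's short name or its DNS FQDN as "the hostname".

```powershell
# Added example: checks every certificate in the local computer Personal store
# against the attributes listed above. Read-only; changes no configuration.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

# Assumption: the short name or the DNS FQDN both count as "the hostname".
$names = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry('').HostName) |
    ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique

# Thumbprints bound to HTTPS listeners (same data as: winrm enumerate winrm/config/listener)
$bound = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    ForEach-Object { ($_.CertificateThumbprint -replace '\s', '').ToUpperInvariant() })

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $now  = Get-Date

    # "Issued to" (CN) plus any Subject Alternative Name DNS entries
    $certNames = @($cert.GetNameInfo('SimpleName', $false)) +
                 @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatch = @($certNames |
        Where-Object { $_ -and $names -contains $_.ToLowerInvariant() }).Count -gt 0

    # Enhanced Key Usage extension must list Server Authentication
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = @($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0

    # Certification path: the default chain policy includes an online revocation check
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NameMatches   = $nameMatch
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ServerAuthEku = $serverAuth
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        ChainOk       = $chainOk
        BoundToHttps  = ($bound -contains $cert.Thumbprint.ToUpperInvariant())
    }
} | Format-Table -AutoSize
```

A certificate suitable for the HTTPS listener shows True in every column except SelfSigned; if BoundToHttps is True on a row where another column fails, the listener is using the wrong certificate.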


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2019527 - Last Review: 07/18/2012 09:09:00 - Revision: 9.0

Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003 R2 Enterprise x64 Edition, Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise x64 Edition, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Vista Enterprise, Windows Vista Ultimate, Windows 7 Enterprise, Windows 7 Professional, Windows 7 Ultimate, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise
