72 lines
3.6 KiB
Markdown
72 lines
3.6 KiB
Markdown
**Purpose**:
|
|
You will need to enable secure WinRM management of the Windows devices you are running playbooks against, as compared to the Linux devices. The following powershell script needs to be ran on every Windows device you intend to run Ansible playbooks on. This script can also be useful for simply enabling / resetting WinRM configurations for Hyper-V hosts in general, just omit the Powershell script remote signing section if you dont plan on using it for Ansible.
|
|
|
|
``` powershell
|
|
# Script to configure WinRM over HTTPS on the Hyper-V host
|
|
|
|
# Ensure WinRM is enabled
|
|
Write-Host "Enabling WinRM..."
|
|
winrm quickconfig -force
|
|
|
|
# Generate a self-signed certificate (Optional: Use your certificate if you have one)
|
|
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "$(Get-WmiObject -Class Win32_ComputerSystem).DomainName"
|
|
$certThumbprint = $cert.Thumbprint
|
|
|
|
# Function to delete existing HTTPS listener
|
|
function Remove-HTTPSListener {
|
|
Write-Host "Removing existing HTTPS listener if it exists..."
|
|
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
|
|
foreach ($listener in $listeners) {
|
|
if ($listener.Transport -eq "HTTPS") {
|
|
Write-Host "Deleting listener with Address: $($listener.Address) and Transport: $($listener.Transport)"
|
|
Remove-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address=$listener.Address; Transport=$listener.Transport}
|
|
}
|
|
}
|
|
Start-Sleep -Seconds 5 # Wait for a few seconds to ensure deletion
|
|
}
|
|
|
|
# Remove existing HTTPS listener
|
|
Remove-HTTPSListener
|
|
|
|
# Confirm deletion
|
|
$existingListeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
|
|
if ($existingListeners | Where-Object { $_.Transport -eq "HTTPS" }) {
|
|
Write-Host "Failed to delete the existing HTTPS listener. Exiting script."
|
|
exit 1
|
|
}
|
|
|
|
# Create a new HTTPS listener
|
|
Write-Host "Creating a new HTTPS listener..."
|
|
$listenerCmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$(Get-WmiObject -Class Win32_ComputerSystem).DomainName`"; CertificateThumbprint=`"$certThumbprint`"}'"
|
|
Invoke-Expression $listenerCmd
|
|
|
|
# Set TrustedHosts to allow connections from any IP address (adjust as needed for security)
|
|
Write-Host "Setting TrustedHosts to allow any IP address..."
|
|
winrm set winrm/config/client '@{TrustedHosts="*"}'
|
|
|
|
# Enable the firewall rule for WinRM over HTTPS
|
|
Write-Host "Enabling firewall rule for WinRM over HTTPS..."
|
|
$existingFirewallRule = Get-NetFirewallRule -DisplayName "WinRM HTTPS" -ErrorAction SilentlyContinue
|
|
if (-not $existingFirewallRule) {
|
|
New-NetFirewallRule -Name "WINRM-HTTPS-In-TCP-PUBLIC" -DisplayName "WinRM HTTPS" -Enabled True -Direction Inbound -Protocol TCP -LocalPort 5986 -RemoteAddress Any -Action Allow
|
|
}
|
|
|
|
# Ensure Kerberos authentication is enabled
|
|
Write-Host "Enabling Kerberos authentication for WinRM..."
|
|
winrm set winrm/config/service/auth '@{Kerberos="true"}'
|
|
|
|
# Configure the WinRM service to use HTTPS and Kerberos
|
|
Write-Host "Configuring WinRM service to use HTTPS and Kerberos..."
|
|
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
|
|
|
|
# Configure the WinRM client to use Kerberos
|
|
Write-Host "Configuring WinRM client to use Kerberos..."
|
|
winrm set winrm/config/client/auth '@{Kerberos="true"}'
|
|
|
|
# Ensure the PowerShell execution policy is set to allow remotely running scripts
|
|
Write-Host "Setting PowerShell execution policy to RemoteSigned..."
|
|
Set-ExecutionPolicy RemoteSigned -Force
|
|
|
|
Write-Host "Configuration complete. The Hyper-V host is ready for remote management over HTTPS with Kerberos authentication."
|
|
```
|