Windows Remote Management

A large part of the client management functions are executed via remote PowerShell using WinRM. The clients to be managed must be configured for this.

https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx

Configuration on a client to be managed

Command line call: winrm qc -quiet -transport:http -force

This has the following effects:

  • the WinRM service is started and its startup type is set to automatic
  • a "listener" is created to accept incoming connections
  • the default port is set to 5985
  • a firewall rule is added

For security reasons the port can be changed. The following command line call must be made for this purpose:

winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="1234"}

The firewall rule should then be adjusted accordingly for this port.

Signed PowerShell scripts and different domains

If your domain security policies require signed PowerShell scripts, you must customize all scripts within the PS1 directory of the SCCM Manager server installation.

{installation path}\PS1\DEFAULT

If you want to manage clients in different domains and the scripts need to be signed differently for each domain, do the following.

  1. Copy the "DEFAULT" directory and rename the copy to the domain name (example: SMCTEAM.DE)
  2. Sign the scripts within the new script directory accordingly
  3. Enable the PSEnabledDomainFolderLookup value in the web service configuration.
  4. If the domain of a client can now be resolved correctly, the matching script directory is used.
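
Steps 1 and 2 as a script, added here as an example and not part of the SCCM Manager product. The parameter names ($InstallPath, $DomainName, $Thumbprint) are hypothetical, and the script assumes the code-signing certificate for the target domain is in the current user's personal certificate store.

```powershell
# Added example: create and sign a per-domain script directory (steps 1 and 2).
param(
    [Parameter(Mandatory)] [string] $InstallPath,  # the {installation path} of the server
    [Parameter(Mandatory)] [string] $DomainName,   # e.g. SMCTEAM.DE
    [string] $Thumbprint                            # optional: select a specific certificate
)
$ErrorActionPreference = 'Stop'

$source = Join-Path $InstallPath 'PS1\DEFAULT'
$target = Join-Path $InstallPath "PS1\$DomainName"

if (-not (Test-Path -LiteralPath $source -PathType Container)) {
    throw "Source directory not found: $source"
}
if (Test-Path -LiteralPath $target) {
    throw "Target already exists, refusing to overwrite: $target"
}

# Assumption: the signing certificate lives in Cert:\CurrentUser\My.
# Only certificates with a private key that have not expired are usable.
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { -not $Thumbprint -or $_.Thumbprint -eq $Thumbprint })
if ($certs.Count -ne 1) {
    throw "Expected exactly one usable code-signing certificate, found $($certs.Count). Pass -Thumbprint."
}

# Step 1: copy DEFAULT to a directory named after the domain.
Copy-Item -LiteralPath $source -Destination $target -Recurse

# Step 2: sign every script in the copy, then read the signature back.
$results = Get-ChildItem -LiteralPath $target -Filter *.ps1 -Recurse -File |
    ForEach-Object {
        $null = Set-AuthenticodeSignature -FilePath $_.FullName `
                    -Certificate $certs[0] -HashAlgorithm SHA256
        Get-AuthenticodeSignature -FilePath $_.FullName
    }

# Fail loudly if any script would be rejected by an AllSigned policy.
$results | Select-Object Status, Path | Format-Table -AutoSize
$bad = @($results | Where-Object Status -ne 'Valid')
if ($bad.Count -gt 0) {
    throw "$($bad.Count) script(s) do not have a valid signature."
}
```

A status of Valid here only reflects trust on the machine where the script runs; the managed clients in that domain must also trust the signing certificate's chain.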