WinRM service is running but will not respond

powershell-v4.0 winrm

I have an environment with 16 VMs on a host. They all run Windows 2008 R2. At one point I had PowerShell remoting working on all servers but one. Then I lost contact with two more. This is annoying, to say the least. Every time I come back to the fact that WinRM is running as a service, but it still doesn't work.

It is set up to use SSL. `Invoke-Command -ComputerName "BadMachine" -ScriptBlock {Get-Service | Where-Object {($_.Name -eq "WinRM") -and ($_.Status -eq "Running")}} -ErrorAction Stop -UseSSL -Credential(Get-Credential)` results in the well-known

[BadMachine] Connecting to remote server BadMachine failed with the
following error message : WinRM cannot complete the operation. Verify...
etc.,etc.,etc.

On the bad machine, `winrm quickconfig` says that the WinRM service is already running and then shows the above error.

On the bad machine, `Get-Service "WinRM"` returns a nice object saying the service is running.

On the bad machine, `winrm id` doesn't return anything (on good machines it gives a full IdentifyResponse).

`winrm get wmicimv2/Win32_Service?Name=WinRM` gives the above error (on a good machine it returns the status).

`cd wsman:` allows me to switch to the WSMan provider, and there is localhost. But after navigating to localhost, there is nothing in there. So, `cd WSMan:\localhost\Listener` results in a Cannot find path.

`netsh http show urlacl` does not result in anything (on a good machine it returns URL reservations).

Most articles describe how to set up PowerShell remoting and may discuss how to troubleshoot some parts. But apparently there is so much that can go wrong with WinRM and PowerShell remoting that my questions are:

How to repair this WinRM installation?
Does the fact that they are VMs on a Hyper-V host complicate things?
What is still left to test to get to the heart of the problem?

Best Answer

An article on the WinRM architecture led me to investigate Http.sys. Since IIS is running normally, I wouldn't have suspected Http.sys. The command `netsh http show urlacl` showed there were no reserved URLs.

https://support.microsoft.com/en-us/help/820129/http.sys-registry-settings-for-windows helped me compare the registry of the bad machine with a good machine. The registry values for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\UrlAclInfo did not exist on the bad machine. Also the values for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo\0.0.0.0:5986 (binding for winrm) did not exist. I don't have a clue what caused this.

Since all servers in my environment look rather the same, I exported the above keys and imported the keys into the registry of the bad machine. I guess this is only possible if the two machines are similar enough. But it solved the problem for me. After running `Enable-PSRemoting` I can now reach all my machines in the environment.

With experimentation, I found that SslBindingInfo (`netsh http show sslcert`) should show a binding for port 5986 (winrm, the certificate you want to use for -UseSSL). The ACL should contain reservations for ports 5357 & 5358 (http & https for network discovery?), 47001 (http, wsman), 5985 & 5986 (http & https for winrm).
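
The check the answer ends on can be scripted. The following is an added example, not part of the original answer: it parses `netsh http show urlacl` and `netsh http show sslcert` output and reports which of the ports listed above have no URL reservation or SSL binding. It assumes English-language netsh output in the Windows 2008 R2 layout; the function names and the sample text are constructed for illustration.

```powershell
# Added example. Assumes English-language netsh output (Windows 2008 R2 layout).
# Expected ports are the ones listed in the answer above.
$ExpectedAclPorts = 5357, 5358, 47001, 5985, 5986
$ExpectedSslPorts = @(5986)

function Get-ReservedUrlPort([string[]]$Lines) {
    # Matches e.g. "    Reserved URL            : http://+:5985/wsman/"
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*https?://[^/]+:(\d+)/') { [int]$Matches[1] }
    }
}

function Get-SslBindingPort([string[]]$Lines) {
    # Matches e.g. "    IP:port                 : 0.0.0.0:5986"
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*\S+:(\d+)\s*$') { [int]$Matches[1] }
    }
}

function Test-HttpSysForWinRM {
    param(
        # With no arguments, query http.sys on the local machine.
        [string[]]$UrlAclLines  = (netsh http show urlacl),
        [string[]]$SslCertLines = (netsh http show sslcert)
    )
    $aclPorts = @(Get-ReservedUrlPort $UrlAclLines)
    $sslPorts = @(Get-SslBindingPort $SslCertLines)
    New-Object PSObject -Property @{
        MissingUrlAclPorts = @($ExpectedAclPorts | Where-Object { $aclPorts -notcontains $_ })
        MissingSslPorts    = @($ExpectedSslPorts | Where-Object { $sslPorts -notcontains $_ })
    }
}

# Constructed sample: WinRM reservations present, 5357/5358 and the 5986 binding missing.
$sampleAcl = @'
URL Reservations:
-----------------
    Reserved URL            : http://+:47001/wsman/
        User: NT SERVICE\WinRM
    Reserved URL            : http://+:5985/wsman/
    Reserved URL            : https://+:5986/wsman/
'@ -split "`r?`n"
$sampleSsl = @'
SSL Certificate bindings:
-------------------------
    IP:port                 : 0.0.0.0:443
'@ -split "`r?`n"

Test-HttpSysForWinRM -UrlAclLines $sampleAcl -SslCertLines $sampleSsl | Format-List
```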