I'm running into issues trying to use WinRM over HTTPS from my domain-joined machine to an Entra-joined device, which shows as a workgroup machine. Here's what I have going on:

My source machine is part of the domain, while the target machine is Entra-joined and isn't in Active Directory. I've ensured that HTTPS (port 5986) is open, a certificate is deployed on the remote device, and the WinRM listener is properly set up for HTTPS. However, when I execute `Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop`, I receive an error saying that the WinRM client cannot complete the operation, suggesting I verify the computer name, network accessibility, and firewall settings. Notably, this works perfectly with other domain-joined machines using Kerberos. The Entra device isn't listed in our DNS, which seems normal, but I'm facing name resolution issues unless I use the IP directly.

I have a few specific questions:

1. Are there any known limitations when using WinRM from a domain device to an Entra-joined device?
2. What authentication method is best in this situation (like NTLM, Basic over HTTPS, or maybe a certificate)?
3. Do I need DNS registration, or can I rely on using the IP or the hosts file?
4. Are there specific configurations for WinRM needed for Entra devices?

I feel like I'm missing something crucial about how WinRM handles authentication without AD or Kerberos. Any insights would be appreciated!
3 Answers
Remember that WinRM can necessitate multiple ports! Check if additional ports are open on your firewall because it can use a range of ports in addition to 5986 for full functionality. You might need to adjust your firewall rules accordingly.
You might want to check the trusted hosts setting on your domain-joined machine. It could be causing the communication issues since the Entra device isn’t recognized in DNS. If you can add the Entra device to your trusted hosts list, this might resolve your WinRM connection problems. Just keep in mind that managing trusted hosts for a large number of devices can be tricky.
You should try using the IP address directly in your WinRM command—might help bypass some of the DNS issues. Also, pertaining to your authentication method, if you're not using Kerberos, NTLM is generally a safe bet for WinRM when dealing with non-domain machines.
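The two answers above (scoping TrustedHosts, and falling back to NTLM with a name the client can resolve) can be combined into one client-side check script. This is an added example, not code from the question or any answer; the host name `entra-pc01.example.test`, the address `192.0.2.10` and the local administrator account are placeholders you would replace. It assumes the HTTPS listener on 5986 already exists on the target and that its certificate subject matches the name you connect with.

```powershell
# Added example (not from the original question or answers). Assumptions:
#   - the Entra-joined target has a WinRM HTTPS listener on 5986 whose certificate
#     subject matches $Target (placeholder name below)
#   - you hold a local administrator account on the target (prompted for below)
#   - the script runs elevated on the domain-joined client (hosts file, TrustedHosts)
$Target   = 'entra-pc01.example.test'   # placeholder: the device's real name
$TargetIp = '192.0.2.10'                # placeholder: RFC 5737 documentation address

# 1. Port reachability first; this separates firewall problems from WinRM problems.
$tcp = Test-NetConnection -ComputerName $TargetIp -Port 5986
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 5986 to $TargetIp is blocked or the HTTPS listener is not running"
}

# 2. Name resolution without DNS: a single hosts-file entry for this device only,
#    so the connection can use the name that the certificate was issued for.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = "^\s*$([regex]::Escape($TargetIp))\s+$([regex]::Escape($Target))\s*$"
if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsPath -Value "$TargetIp`t$Target"
}

# 3. Scope TrustedHosts to this one device rather than '*'. With HTTPS and a
#    certificate that validates, the client already has a trusted server identity;
#    a narrowly scoped entry is harmless, a wildcard is not.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -notmatch [regex]::Escape($Target)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}

# 4. Kerberos is impossible without AD, so Negotiate falls back to NTLM inside the
#    TLS channel. Connect by name, not IP, so the certificate CN check passes.
$cred = Get-Credential -Message "Local administrator on $Target"
Test-WSMan -ComputerName $Target -UseSSL -Credential $cred -Authentication Negotiate -ErrorAction Stop

# 5. Open a session with certificate validation left on. Only for a one-off test by
#    raw IP would you add New-PSSessionOption -SkipCNCheck, which removes the server
#    identity check; do not leave that in a script that runs routinely.
$session = New-PSSession -ComputerName $Target -UseSSL -Credential $cred -Authentication Negotiate
Invoke-Command -Session $session -ScriptBlock { Get-ChildItem WSMan:\localhost\Listener }
Remove-PSSession $session
```

Run it elevated on the domain-joined client. Step 1 failing points at the firewall or listener, step 4 failing with the port open points at authentication or the certificate name, which is the split the original error message does not make for you.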
What about using a $ sign at the end of the device name? I’ve heard some people having to do that—wasn’t sure if it applies here.

Yeah, setting up trusted hosts can get complicated if you’re dealing with a lot of devices. Just make sure you have local admin rights to make those changes.