PowerShell protocols and troubleshooting

  • Release version: Xanadu
  • Updated August 1, 2024

    PowerShell uses the Windows Management Instrumentation (WMI) and Windows Remote Management (WinRM) protocols to enable Orchestration activities to run commands on remote Windows hosts.

    Windows Management Instrumentation (WMI)

    WMI provides a uniform interface for any local or remote applications or scripts that obtain management data from a computer system, a network, or an enterprise. WMI contains these components:
    • Managed objects and WMI providers: A WMI provider is a COM object that monitors one or more managed objects for WMI. A managed object is a logical or physical enterprise component, such as a hard disk drive, network adapter, database system, operating system, process, or service.
    • WMI infrastructure: The WMI infrastructure is a Microsoft Windows operating system component known as the WMI service (winmgmt). The WMI infrastructure is composed of the WMI Core and the WMI repository. The WMI repository is organized by WMI namespaces. The WMI service creates namespaces, such as root\default, root\cimv2, and root\subscription, at system startup and preinstalls a default set of class definitions, including the Win32 Classes, the WMI System Classes, and others. The remaining namespaces found on your system are created by providers for other parts of the operating system or products.
    • WMI consumers: A WMI consumer is a management application or script that interacts with the WMI infrastructure. A management application can query, enumerate data, run provider methods, or subscribe to events by calling either the COM API or the Scripting API for WMI.

    WMI installation and configuration

    For the MID Server to successfully make a remote connection to the target host, TCP port 135 must be open. The Windows firewall automatically creates an inbound rule for WMI connectivity called Windows Management Instrumentation (DCOM-In).

    Windows Remote Management (WinRM)

    WinRM is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP) protocol that allows hardware and operating systems from different vendors to interoperate.

    WinRM contains these components:
    • WinRM Scripting API: This scripting API enables Orchestration to obtain data from remote computers, using scripts that perform WS-Management protocol operations.
    • WMI Service: The WMI service continues to run side-by-side with WinRM and provides requested data or control through the WMI plug-in. You can continue to obtain data from standard WMI classes, such as Win32_Process.
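    The following script is an added example and is not part of the ServiceNow MID Server code. It shows the two transports the WMI and WinRM sections above describe for the same management data: a CIM session over DCOM (the classic WMI path that needs TCP 135 on the target) and a CIM session over WS-Management (the WinRM path, where the WinRM listener hands the request to the WMI plug-in). Both read Win32_Process from the root\cimv2 namespace, then the script enumerates the namespaces under root and the state of the winmgmt service. The hostname is a placeholder and the credential prompt is an assumption.

```powershell
param(
    [string]$TargetHost = 'winhost01.example.local'   # placeholder hostname, not a real system
)

# Both paths need an account that is allowed to use WMI/WinRM on the target; prompt for it.
$cred = Get-Credential -Message "Account with WMI/WinRM rights on $TargetHost"

# Path 1: WMI over DCOM. This is the classic WMI connection and the reason TCP 135
# (the RPC endpoint mapper) must be open on the target host.
$dcomSession = New-CimSession -ComputerName $TargetHost -Credential $cred `
    -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop

# Path 2: WinRM / WS-Management. The SOAP request reaches the WinRM listener
# (TCP 5985 for HTTP, 5986 for HTTPS) and the WMI plug-in serves the class.
$wsmanSession = New-CimSession -ComputerName $TargetHost -Credential $cred `
    -SessionOption (New-CimSessionOption -Protocol Wsman) -ErrorAction Stop

try {
    foreach ($session in @($dcomSession, $wsmanSession)) {
        # A WMI consumer query: instances of Win32_Process in the root\cimv2 namespace.
        $procs = @(Get-CimInstance -CimSession $session -Namespace 'root\cimv2' `
                      -ClassName Win32_Process -Filter "Name = 'svchost.exe'")
        '{0,-5} {1}: {2} svchost.exe instances' -f $session.Protocol, $TargetHost, $procs.Count
    }

    # The repository is organized by namespace; __NAMESPACE lists the children of root
    # (root\default, root\cimv2, root\subscription, plus whatever providers have added).
    Get-CimInstance -CimSession $wsmanSession -Namespace 'root' -ClassName __NAMESPACE |
        Select-Object -ExpandProperty Name | Sort-Object

    # The service that answers both paths is winmgmt; Win32_Service exposes its state.
    Get-CimInstance -CimSession $wsmanSession -ClassName Win32_Service -Filter "Name = 'winmgmt'" |
        Select-Object Name, State, StartMode
}
finally {
    # Close both sessions so no idle DCOM/WinRM connections are left open on the target.
    Remove-CimSession -CimSession $dcomSession, $wsmanSession
}
```

    If only the DCOM session fails, the usual cause is a firewall between the MID Server and the target: DCOM connects to TCP 135 and is then redirected to a dynamic RPC port, so the dynamic range must also be reachable, whereas the WS-Management session only needs the single WinRM listener port. Comparing the two sessions isolates transport problems from permission problems, since the same credential and class are used on both.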

    WinRM configuration

    WinRM is automatically installed on Windows 2008 R2 and above operating systems, but must be configured before use.
    1. In a command prompt, enter winrm quickconfig. This command is not case sensitive.
    2. When the console displays Make these changes [y/n]?, enter y.

      The winrm quickconfig command performs the following operations:

      • Starts the WinRM service, and sets the service startup type to auto start.
      • Configures a listener for the ports that send and receive WS-Management protocol, using either HTTP or HTTPS on any IP address.
      • Creates a firewall exception for the current user profile.
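      The following script is an added example and is not ServiceNow MID Server code. Run in an elevated PowerShell session on the target host, it checks the prerequisites from the WMI installation and configuration section (the winmgmt service, TCP 135 listening, and the Windows Management Instrumentation (DCOM-In) firewall rule) together with the state winrm quickconfig is expected to leave behind (WinRM service running and set to start automatically, an HTTP or HTTPS listener, and the WinRM firewall exceptions), and finishes with a Test-WSMan round trip. The function name and the check labels are this example's own.

```powershell
function Test-RemoteManagementPrereqs {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # WMI: the winmgmt service must be running or no consumer, local or remote, gets data.
    $wmi = Get-Service -Name winmgmt
    Add-Result 'WMI service (winmgmt) running' ($wmi.Status -eq 'Running') "$($wmi.Status)"

    # WMI over DCOM: TCP 135 must be listening, and the inbound rule Windows creates for it
    # ('Windows Management Instrumentation (DCOM-In)') must be enabled.
    $epm = @(Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue)
    Add-Result 'TCP 135 (RPC endpoint mapper) listening' ($epm.Count -gt 0) `
        $(if ($epm) { "owning PID(s): $(($epm.OwningProcess | Select-Object -Unique) -join ',')" } else { 'not listening' })

    $dcomRules = @(Get-NetFirewallRule -DisplayName 'Windows Management Instrumentation (DCOM-In)' -ErrorAction SilentlyContinue |
                   Where-Object Enabled -eq 'True')
    Add-Result 'DCOM-In firewall rule enabled' ($dcomRules.Count -gt 0) "$($dcomRules.Count) enabled rule(s)"

    # WinRM: the service state winrm quickconfig is expected to leave behind, read via WMI.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'WinRM'"
    Add-Result 'WinRM service running'        ($svc.State -eq 'Running')  "$($svc.State)"
    Add-Result 'WinRM startup type Automatic' ($svc.StartMode -eq 'Auto') "$($svc.StartMode)"

    # Listeners: a plain winrm quickconfig creates the HTTP listener; an HTTPS listener
    # needs a server certificate bound to it, so treat its absence as a finding, not an error.
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue)
    $summary   = ($listeners | ForEach-Object { "$($_.Transport):$($_.Port) on $($_.Address)" }) -join '; '
    Add-Result 'WinRM HTTP listener present'  (@($listeners | Where-Object Transport -eq 'HTTP').Count  -gt 0) $summary
    Add-Result 'WinRM HTTPS listener present' (@($listeners | Where-Object Transport -eq 'HTTPS').Count -gt 0) $summary

    # Firewall exceptions: quickconfig enables the rules in the 'Windows Remote Management' group.
    $winrmRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
                    Where-Object Enabled -eq 'True')
    Add-Result 'WinRM firewall rule(s) enabled' ($winrmRules.Count -gt 0) (($winrmRules.DisplayName | Select-Object -Unique) -join '; ')

    # End-to-end: Test-WSMan speaks WS-Management to the local listener as a remote client would.
    $ident = $null
    try { $ident = Test-WSMan -ComputerName localhost -ErrorAction Stop } catch { }
    Add-Result 'Test-WSMan localhost answers' ($null -ne $ident) $(if ($ident) { "stack $($ident.ProductVersion)" } else { 'no response' })

    return $results
}

Test-RemoteManagementPrereqs | Format-Table -AutoSize
```

      Each row with Pass set to False names the component to fix before retrying the Orchestration activity, which separates a missing listener or disabled firewall rule from the authentication and access-denied failures that share the same symptom on the MID Server side. Get-NetTCPConnection and Get-NetFirewallRule come from the NetTCPIP and NetSecurity modules, so the script needs Windows 8 / Windows Server 2012 or newer on the host.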