{"id":2508,"date":"2013-11-27T00:01:00","date_gmt":"2013-11-27T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/11\/27\/remoting-week-configuring-remoting\/"},"modified":"2013-11-27T00:01:00","modified_gmt":"2013-11-27T00:01:00","slug":"remoting-week-configuring-remoting","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/remoting-week-configuring-remoting\/","title":{"rendered":"Remoting Week: Configuring Remoting"},"content":{"rendered":"<p><strong>Summary<\/strong>: Richard Siddaway explains how to configure remoting.\n<img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Question\">&nbsp;Hey, Scripting Guy! I&rsquo;ve just starting learning WindowsPowerShell, and I understand how to use it as a scripting language and shell on the local machine. How do I work with remote machines?\n&mdash;AP\n<img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Answer\">&nbsp;Hello AP,\nHonorary Scripting Guy, Richard Siddaway, here today filling in for my good friend, The Scripting Guy. This is the third part in a series of five posts about remoting. The series includes:<\/p>\n<ol>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/11\/25\/remoting-week-remoting-recap.aspx\" target=\"_blank\">Remoting Recap<\/a><\/li>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/11\/26\/remoting-week-remoting-sessions-in-powershell.aspx\" target=\"_blank\">Remoting Sessions<\/a><\/li>\n<li>Configuring Remoting<\/li>\n<li>Remoting security<\/li>\n<li>Non-domain remoting<\/li>\n<\/ol>\n<p>In the first post, you saw how Windows PowerShell supplies a number of options for individual cmdlets to access remote machines. This was followed in the second post by a look at using Windows PowerShell sessions to give you a reusable connection to the remote machine for efficiency.\nIn this third post, you will learn about three things:<\/p>\n<ul>\n<li>Overcoming the second hop issue<\/li>\n<li>Using HTTPS instead of HTTP for your WSMAN connection<\/li>\n<li>Configuring endpoints<\/li>\n<\/ul>\n<h2>Overcoming second hop<\/h2>\n<p>First off, what&rsquo;s the second hop issue?\nImagine this scenario&hellip;\nYou&rsquo;re working on your local machine (Win81) and you need to perform some tasks on two remote machines (Win12R2 and W08R2SQL08).\nYou can create sessions to both remote machines:<\/p>\n<p style=\"padding-left: 30px\">$sessw12 = New-PSSession -ComputerName Win12R2<\/p>\n<p style=\"padding-left: 30px\">$sessw08 = New-PSSession -ComputerName W08R2SQL08\nAnd you can run commands against both machines:<\/p>\n<p style=\"padding-left: 30px\">Invoke-Command -Session $sessw12 -ScriptBlock {Get-Service}<\/p>\n<p style=\"padding-left: 30px\">Invoke-Command -Session $sessw08 -ScriptBlock {Get-Service}<\/p>\n<p style=\"padding-left: 30px\">Invoke-Command -Session $sessw12, $sessw08 -ScriptBlock {Get-Service}\nNow, if you try to access W08R2SQL08 through a remote session from Win12R2, what will happen?<\/p>\n<p style=\"padding-left: 30px\">Invoke-Command -Session $sessw12 -ScriptBlock {Get-Service -ComputerName w08r2sql08}<\/p>\n<p style=\"padding-left: 30px\">Cannot open Service Control Manager on computer &#8216;w08r2sql08&#8217;. This operation might require other privileges.<\/p>\n<p style=\"padding-left: 30px\">&nbsp;&nbsp;&nbsp; + CategoryInfo&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : NotSpecified: (:) [Get-Service], InvalidOperationException<\/p>\n<p style=\"padding-left: 30px\">&nbsp;&nbsp;&nbsp; + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand<\/p>\n<p style=\"padding-left: 30px\">&nbsp;&nbsp;&nbsp; + PSComputerName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Win12R2\nSo you perform a quick test:<\/p>\n<p style=\"padding-left: 30px\">Get-Service -ComputerName w08r2sql08\nAnd you discover that it works!\nYou have just tripped over the second hop issue. You aren&rsquo;t allowed to remote into one machine and run commands from that machine against other machines. It is essentially a permissions issue in that your credentials haven&rsquo;t been delegated to the second machine, so it doesn&rsquo;t have the rights to perform those actions.\nThere is one caveat to this that I&rsquo;ve discovered. If the machine you are remoting to is a domain controller, you will be able to run some, but not all, commands against another machine. I haven&rsquo;t fully explored this, but because it&rsquo;s not a best practice to use your domain controllers in this manner, I&rsquo;ll say no more.\nHow do we overcome this?\nThe answer is that you have to delegate your permissions to the second machine. This is achieved by using <strong>CredSSP<\/strong>.&nbsp; You get three cmdlets for working with <strong>CredSSP<\/strong>:<\/p>\n<p style=\"padding-left: 30px\">Disable-WSManCredSSP<\/p>\n<p style=\"padding-left: 30px\">Enable-WSManCredSSP<\/p>\n<p style=\"padding-left: 30px\">Get-WSManCredSSP\nEnabling <strong>CredSSP<\/strong> has to be performed on the local and the remote machine. On the local machine, you enable the client role:<\/p>\n<p style=\"padding-left: 30px\">&pound;&gt; Enable-WSManCredSSP -Role Client -DelegateComputer win12r2.manticore.org -Force<\/p>\n<p style=\"padding-left: 30px\">cfg&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/schemas.microsoft.com\/wbem\/wsman\/1\/config\/client\/auth<\/p>\n<p style=\"padding-left: 30px\">lang&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : en-GB<\/p>\n<p style=\"padding-left: 30px\">Basic&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">Digest&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">Kerberos&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">Negotiate&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">Certificate : true<\/p>\n<p style=\"padding-left: 30px\">CredSSP&nbsp;&nbsp;&nbsp;&nbsp; : true\nThe <strong>Force<\/strong> parameter stops you from being prompted for confirmation. You could use wildcard characters for delegated computers, which could be <strong>*.manticore.org<\/strong> for all machines in the domain&mdash;or even <strong>* <\/strong>for all machines. You can verify the settings:<\/p>\n<p style=\"padding-left: 30px\">&pound;&gt; Get-WSManCredSSP<\/p>\n<p style=\"padding-left: 30px\">The machine is configured to allow delegating fresh credentials to the following target(s): wsman\/Win12R2.manticore.org<\/p>\n<p style=\"padding-left: 30px\">This computer is not configured to receive credentials from a remote client computer.\nOn the remote machine, you enable the server role:<\/p>\n<p style=\"padding-left: 30px\">&pound;&gt; Enable-WSManCredSSP -Role server -Force<\/p>\n<p style=\"padding-left: 30px\">cfg&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/schemas.microsoft.com\/wbem\/wsman\/1\/config\/service\/auth<\/p>\n<p style=\"padding-left: 30px\">lang&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : en-US<\/p>\n<p style=\"padding-left: 30px\">Basic&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : false<\/p>\n<p style=\"padding-left: 30px\">Kerberos&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">Negotiate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">Certificate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : false<\/p>\n<p style=\"padding-left: 30px\">CredSSP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">CbtHardeningLevel : Relaxed\nCompare the information from the two commands. The client has all options enabled, but the server is more limited in its authentication options. Again, you can verify the settings:<\/p>\n<p style=\"padding-left: 30px\">&pound;&gt; Get-WSManCredSSP<\/p>\n<p style=\"padding-left: 30px\">The machine is not configured to allow delegating fresh credentials.<\/p>\n<p style=\"padding-left: 30px\">This computer is configured to receive credentials from a remote client computer.\nNow re-create the remote session to use <strong>CredSSP<\/strong>:<\/p>\n<p style=\"padding-left: 30px\">$cred = Get-Credential<\/p>\n<p style=\"padding-left: 30px\">$sessw12 = New-PSSession -ComputerName win12r2 -Authentication credssp -Credential $cred\nYou can then use the session as normal against the remote machine:<\/p>\n<p style=\"padding-left: 30px\">Invoke-Command -Session $sessw12 -ScriptBlock {get-service}\nYou can also utilize the second hop and your <strong>CredSSP<\/strong> configuration to access other machines from the target machine:<\/p>\n<p style=\"padding-left: 30px\">Invoke-Command -Session $sessw12 -ScriptBlock {get-service -ComputerName w08r2sql08}\nNow comes the big question. Just because I can, does it mean I should?\nI would recommend against routinely working over the second hop. It weakens the security in your domain because credential delegation is blocked by default. If you find yourself using <strong>CredSSP<\/strong>, I would recommend thinking about if there is a better way. If not, use it with care, and remember to disable <strong>CredSSP<\/strong> after you have finished.<\/p>\n<h2>Using HTTPS<\/h2>\n<p>The second topic on the list is using HTTPS instead of HTTP. This also raises a fair amount of discussion, and I would only see a need for this in a minority of cases. There are a number of steps you need to go through to enable remoting over HTTPS:<\/p>\n<ul>\n<li>Obtain an SSL certificate for the server, and make sure it is issued to the FQDN of the host server<\/li>\n<li>Install the SSL certificate in the computer&rsquo;s certificate store (not in the user&rsquo;s store)<\/li>\n<li>Create a new WSMAN listener for HTTPS as follows:<\/li>\n<\/ul>\n<p style=\"padding-left: 30px\">&gt; New-WSManInstance -ResourceURI winrm\/config\/Listener -SelectorSet @{Transport=&#8217;HTTPS&#8217;, Address=&#8221;IP:10.10.54.59&#8243;} -ValueSet @{Hostname=&#8221;Win12R2.Manticore.org&#8221;, CertificateThumbprint=&#8221;XXXXXXX&#8221;}<\/p>\n<p style=\"padding-left: 30px\">&hellip;where XXXXXXX is the thumbprint of the certificate.\nYou then connect to the remote server from your client:<\/p>\n<p style=\"padding-left: 30px\">$sess = New-PSSession &ndash;ComputerName = Win12R2 &ndash;UseSSL<\/p>\n<h2>Configuring endpoints<\/h2>\n<p>The final topic for this part of the series is configuring endpoints. This is another area where you have a lot of options; but in reality, you won&rsquo;t be using many of them. In my experience, and that of my co-authors of <a href=\"http:\/\/www.manning.com\/jones2\/\" target=\"_blank\">PowerShell in Depth<\/a>, 99.99% of the time, the standard remoting endpoint configurations will be what you want. The configuration options are for the odd time you step outside of the norm.\nHow are the standard endpoints configured?<\/p>\n<p style=\"padding-left: 30px\">&pound;&gt; Get-PSSessionConfiguration<\/p>\n<p style=\"padding-left: 30px\">Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : microsoft.powershell<\/p>\n<p style=\"padding-left: 30px\">PSVersion&nbsp;&nbsp;&nbsp;&nbsp; : 4.0<\/p>\n<p style=\"padding-left: 30px\">StartupScript :<\/p>\n<p style=\"padding-left: 30px\">RunAsUser&nbsp;&nbsp;&nbsp;&nbsp; :<\/p>\n<p style=\"padding-left: 30px\">Permission&nbsp;&nbsp;&nbsp; : BUILTINAdministrators AccessAllowed, BUILTINRemote Management Users AccessAllowed\nThis is the standard endpoint that you connect to for remoting. The other standard endpoints in later versions of Windows are:<\/p>\n<p style=\"padding-left: 30px\">microsoft.powershell<\/p>\n<p style=\"padding-left: 30px\">microsoft.powershell.workflow<\/p>\n<p style=\"padding-left: 30px\">microsoft.powershell32<\/p>\n<p style=\"padding-left: 30px\">microsoft.windows.servermanagerworkflows\nThe names explain their purposes rather well. The full configuration of the default endpoint is:<\/p>\n<p style=\"padding-left: 30px\">Architecture&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 64<\/p>\n<p style=\"padding-left: 30px\">Filename&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : %windir%system32pwrshplugin.dll<\/p>\n<p style=\"padding-left: 30px\">ResourceUri&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/schemas.microsoft.com\/powershell\/microsoft.powershell<\/p>\n<p style=\"padding-left: 30px\">MaxConcurrentCommandsPerShell : 1000<\/p>\n<p style=\"padding-left: 30px\">Capability&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : {Shell}<\/p>\n<p style=\"padding-left: 30px\">xmlns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/schemas.microsoft.com\/wbem\/wsman\/1\/config\/PluginConfiguration<\/p>\n<p style=\"padding-left: 30px\">MaxConcurrentUsers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 5<\/p>\n<p style=\"padding-left: 30px\">Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;: microsoft.powershell<\/p>\n<p style=\"padding-left: 30px\">SupportsOptions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">ProcessIdleTimeoutSec&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<\/p>\n<p style=\"padding-left: 30px\">ExactMatch&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False<\/p>\n<p style=\"padding-left: 30px\">RunAsUser&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :<\/p>\n<p style=\"padding-left: 30px\">IdleTimeoutms&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 7200000<\/p>\n<p style=\"padding-left: 30px\">OutputBufferingMode&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Block<\/p>\n<p style=\"padding-left: 30px\">PSVersion&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 4.0<\/p>\n<p style=\"padding-left: 30px\">SecurityDescriptorSddl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)<\/p>\n<p style=\"padding-left: 30px\">MaxShellsPerUser&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 25<\/p>\n<p style=\"padding-left: 30px\">AutoRestart&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : false<\/p>\n<p style=\"padding-left: 30px\">MaxShells&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n<p style=\"padding-left: 30px\">MaxIdleTimeoutms&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: 2147483647<\/p>\n<p style=\"padding-left: 30px\">Uri&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/schemas.microsoft.com\/powershell\/microsoft.powershell<\/p>\n<p style=\"padding-left: 30px\">SDKVersion&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2<\/p>\n<p style=\"padding-left: 30px\">XmlRenderingType&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : text<\/p>\n<p style=\"padding-left: 30px\">RunAsPassword&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :<\/p>\n<p style=\"padding-left: 30px\">MaxProcessesPerShell&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 15<\/p>\n<p style=\"padding-left: 30px\">ParentResourceUri&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/schemas.microsoft.com\/powershell\/microsoft.powershell<\/p>\n<p style=\"padding-left: 30px\">Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : true<\/p>\n<p style=\"padding-left: 30px\">UseSharedProcess&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : false<\/p>\n<p style=\"padding-left: 30px\">MaxMemoryPerShellMB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1024<\/p>\n<p style=\"padding-left: 30px\">lang&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : en-US<\/p>\n<p style=\"padding-left: 30px\">Permission&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: BUILTINAdministrators AccessAllowed, BUILTINRemote Management Users AccessAllowed\nHaving said that, what can you do? You can:<\/p>\n<ul>\n<li>Create a restricted language endpoint (only a small subset of the Windows PowerShell language is available)<\/li>\n<li>Create a No-Language endpoint (you can&rsquo;t use any of the Windows PowerShell language; you can only run cmdlets)<\/li>\n<li>Restrict who can access the endpoint<\/li>\n<li>Restrict which modules can be loaded into the endpoint<\/li>\n<li>Define the environment variables to load into the endpoint<\/li>\n<li>Define the aliases to be available through the endpoint<\/li>\n<li>Define the execution policy<\/li>\n<li>Define the Windows PowerShell version<\/li>\n<li>Define scripts to run on connection to the endpoint<\/li>\n<li>Define the session type:<br \/> <strong>Empty<\/strong>: Nothing is loaded. <br \/> <strong>Default<\/strong>: Windows PowerShell core commands plus your definitions are loaded. <br \/> <strong>Restricted<\/strong>: Seven basic commands, plus what you&rsquo;ve defined are loaded.<\/li>\n<\/ul>\n<p>Create the definition file for the endpoint by using <strong>New-PSSessionConfigurationFile<\/strong>. You then create the endpoint by using <strong>Register-PSSessionConfiguration<\/strong>.\nFor more information, see the Help files for:<\/p>\n<p style=\"padding-left: 30px\">New-PSSessionConfigurationFile<\/p>\n<p style=\"padding-left: 30px\">Register-PSSessionConfiguration<\/p>\n<p style=\"padding-left: 30px\">about_Session_Configurations<\/p>\n<p style=\"padding-left: 30px\">about_Session_Configuration_Files\nAlso, you can discover more about configuring remoting and some other edge cases in Chapter 10 of <a href=\"http:\/\/www.manning.com\/jones2\/\" target=\"_blank\">PowerShell in Depth<\/a> by myself, Don Jones, and Jeffery Hicks.\nBye for now.\n~Richard\nThanks, Richard. This is a very informative series.\nI invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"http:\/\/blogs.technet.commailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.\n<strong>Ed Wilson, Microsoft Scripting Guy<\/strong>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Richard Siddaway explains how to configure remoting. &nbsp;Hey, Scripting Guy! I&rsquo;ve just starting learning WindowsPowerShell, and I understand how to use it as a scripting language and shell on the local machine. How do I work with remote machines? &mdash;AP &nbsp;Hello AP, Honorary Scripting Guy, Richard Siddaway, here today filling in for my good [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[57,189,4,45],"class_list":["post-2508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-remoting","tag-richard-siddaway","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Richard Siddaway explains how to configure remoting. &nbsp;Hey, Scripting Guy! I&rsquo;ve just starting learning WindowsPowerShell, and I understand how to use it as a scripting language and shell on the local machine. How do I work with remote machines? &mdash;AP &nbsp;Hello AP, Honorary Scripting Guy, Richard Siddaway, here today filling in for my good [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2508"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2508\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}