WinRM App related (Mobile client)
How can I manage the machine on which the WinRM bridge service itself is installed?
Type localhost into the host field when adding a new computer configuration.
Is it secure to enter passwords when adding a new connection configuration? How are they treated?
Passwords are encrypted with a random secure string, which is stored in the keychain. If your device is protected by a PIN or Touch ID, no one can read your passwords even if the device is stolen.
How do I copy connection configuration settings to another mobile device?
Tap the settings icon in the upper left corner, choose export connection configurations, then select the connections you wish to transfer and send them as an attachment via e-mail. For security reasons, passwords won’t be exported.
I got an error message: The secure connection failed because the server’s certificate is not trusted.
There may be one or more reasons why you got this message:
- The server’s certificate does not match the URL. Check the SSL section in the WinRM Bridge Service Configuration Utility. The server certificate must have the same name as the host in the bridge service URL you typed on the device.
- The server certificate is signed by an untrusted issuer. This is definitely the case if you created the certificate with the WinRM Bridge Service Configuration Utility, because such a certificate is considered untrusted by default. You should send this self-signed certificate authority to your device and install it. The easiest way is to send the exported .CER file to your e-mail address, open the e-mail on the device, tap the attachment and confirm the profile installation.
- The certificate used is expired, invalid or not suitable for SSL connections.
- As a workaround, you can turn off certificate validation completely with the Allow untrusted certificates switch in WinRM App settings. The connection is then still encrypted, but the app no longer verifies which server it is talking to.
I got an error message: The secure connection failed for an unknown reason.
- The certificate used is expired, invalid or not suitable for SSL connections.
- The server certificate uses an unsupported encryption or hash function. Don’t use the SHA512 hash function; it is not fully supported.
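The causes listed under both certificate error messages can be checked on the bridge machine before touching the device. The following PowerShell is an added example, not part of the original FAQ or the WinRM Bridge product; the function name Test-BridgeCertificate, the host bridge.example.test and the address 192.168.1.20 are made up for illustration, and the sample certificate needs the CertificateRequest class (.NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-BridgeCertificate {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $HostName  # host part of the bridge URL typed on the device
    )
    $findings = @()

    # Name check: use SAN DNS entries if present, otherwise the subject CN.
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: Format() prints "DNS Name=" (Windows) or "DNS:" (OpenSSL builds).
        $names = @([regex]::Matches($san.Format($false), 'DNS(?: Name=|:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if ($names.Count -eq 0) { $names = @($Certificate.GetNameInfo([X509NameType]::SimpleName, $false)) }
    # A wildcard entry covers exactly one leading label of the host name.
    $wild = if ($HostName.Contains('.')) { '*.' + $HostName.Substring($HostName.IndexOf('.') + 1) }
    if (-not ($names | Where-Object { $_ -ieq $HostName -or $_ -ieq $wild })) {
        $findings += "Name mismatch: certificate is for '$($names -join ', ')', URL host is '$HostName'"
    }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $findings += "Outside validity period: $($Certificate.NotBefore) to $($Certificate.NotAfter)"
    }
    if ($Certificate.SignatureAlgorithm.FriendlyName -match 'sha512') {
        $findings += "Signed with $($Certificate.SignatureAlgorithm.FriendlyName): SHA512 is not fully supported"
    }
    # If an EKU extension exists, it must list Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.1')) {
        $findings += 'Not suitable for SSL: Server Authentication usage is missing'
    }
    if ($Certificate.Subject -eq $Certificate.Issuer) {
        $findings += 'Self-signed: install the exported .CER on the device to make it trusted'
    }
    $findings
}

# Constructed sample: in-memory self-signed certificate, deliberately signed with SHA512.
# For a real check, load the exported file instead: [X509Certificate2]::new('<path to .CER>')
$req = [CertificateRequest]::new('CN=bridge.example.test', [RSA]::Create(2048),
    [HashAlgorithmName]::SHA512, [RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
Test-BridgeCertificate -Certificate $cert -HostName '192.168.1.20'
```

An empty result means none of the listed causes were found in the certificate itself; whether the device trusts the issuer still depends on what is installed on the device.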
What does WinRM remote activation mean? What is it for?
By default, the Windows Remote Management (WS-Management) service is not configured to accept PowerShell connections. WinRM bridge tries to configure this service remotely so that it accepts secured remote PowerShell connections.
Remote activation does not work. I got timeout or an error message: PAExec service could not be installed or started on remote computer.
- If your computer is not connected to a Windows domain, WinRM bridge must be running under a local user account for remote activation to work properly. If the WinRM bridge is hosted on IIS, the same applies to the web application’s AppPool identity. If you are running WinRM bridge under an account other than NETWORK SERVICE, don’t forget to grant that account sufficient privileges on the LOG folder next to WmBridge.exe and to add a URL reservation for the same user account.
- If your computer is connected to a Windows domain, the WinRM bridge service or AppPool can run under the NETWORK SERVICE account without issue.
- Remote activation uses a PsExec-like approach to configure the WinRM service remotely. To diagnose activation issues, use the runas command to run PsExec as the same user that WinRM bridge is running as, and then try to connect to the target computer on which you wish to configure WinRM.
- If PsExec doesn’t connect either and you have only a few computers to manage, enable WinRM on them manually.
I got an error message: A specified logon session does not exist. It might already have been terminated.
The login account you entered in the computer’s credentials should contain a domain or computer name. The CredSSP switch in the security section should be enabled too.
I am successfully connected to a computer, but I'm still getting Access denied messages for most of the actions I've done, despite the fact that I'm a local administrator on this managed computer.
This is caused by UAC settings on the server or client machine. Please turn on the CredSSP switch in the computer’s configuration.
I get an error message when I execute the Enter-PSSession cmdlet in the PowerShell console.
Enter-PSSession doesn’t work when it is run inside a remote session. With WinRM App you are always connected via a PowerShell remote session.
WinRM Bridge (Server-side)
Do I need to buy an SSL certificate to connect to a WinRM bridge service over SSL?
No, you can create a self-signed certificate and install it on your device. Use the WinRM Bridge Service Configuration Utility to create one.
Can I install the WinRM bridge on a computer with dynamic IP?
Yes, you can register your computer with a dynamic DNS service and then use this DNS name for the SSL certificate. If you are planning to manage other computers on your network through the WinRM bridge, consider allocating a static IP reservation in your DHCP configuration.
Is it OK to install WinRM bridge on a busy server? Is WinRM bridge resource-hungry?
WinRM bridge has less than 20 MB of private memory footprint (depends on OS). More resources are utilized by the PowerShell hosting process which is terminated after the user session expires.
WinRM bridge service could not start. I got an error message: The application was unable to start correctly (0xc000007b).
Install the full .NET Framework 4.5.
WinRM bridge service could not start. I got an error message: Could not load the file or assembly 'System.Management.Automation, Version=18.104.22.168...
Install PowerShell 3.0 or higher.
I got an error message: Failed to map the path '/myapp'.
This is a known IIS7 bug when hosting an MVC Web API (which is exactly what this WinRM bridge implementation is) as a web application under Default Site.
The AppPool identity didn’t have correct permissions to the site’s path.
I have a WinRM bridge service installed and running with auto-discovery enabled, but on a device I can't see any accessible URLs on the network. Auto-discovery is not working.
- The auto-discovery feature works only if you have installed WinRM bridge as a Windows service. Auto-discovery is not possible with an IIS-hosted web application.
- Only a WinRM bridge on the same local network as the mobile device is accessible.
- Examine your firewall settings: UDP port 53581 must be allowed for inbound traffic.