PowerShell remoting can use SSL/TLS encryption when the -UseSSL switch is used with the Enter-PSSession or Invoke-Command cmdlets. But simply installing a TLS-compatible certificate is not enough to enable remoting with TLS. The WS-Management (WSMAN) listener for PowerShell must be configured correctly to use a TLS certificate, and this isn't very much fun to do by hand.
In the Securing Windows and PowerShell Automation (SEC505) course at SANS, we use a PowerShell script to configure the WSMAN listener with a certificate automatically, or, if there are multiple available computer certificates, to list the available certificates and simply ask the user which one to use. The script is named Enable-RemotingTLS.ps1. It is in the Day2\Remoting folder of the SEC505 zip file, which is available from BlueTeamPowerShell.com. All the other scripts in the zip file are in the public domain too.
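The manual steps that such a script automates look roughly like this; it is an added example, not the SEC505 Enable-RemotingTLS.ps1 script. It assumes PowerShell 4.0 or later in an elevated session and a computer certificate already installed in Cert:\LocalMachine\My; the `$ReplaceExisting` variable is a hypothetical switch introduced for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: bind a computer certificate to a WSMAN HTTPS listener by hand.
# Assumption: a suitable certificate is already installed in Cert:\LocalMachine\My.

$ReplaceExisting = $false               # hypothetical switch: set to $true to overwrite listener settings
$serverAuthOid   = '1.3.6.1.5.5.7.3.1'  # Server Authentication enhanced key usage

# Candidates: private key present, inside the validity period, Server Authentication EKU.
# Certificates with no EKU extension at all are skipped by this filter.
$now = Get-Date
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
})

if ($candidates.Count -eq 0) {
    throw 'No usable TLS certificate found in Cert:\LocalMachine\My.'
}

# With several candidates, show them and take the one that expires last.
# Review the list: the subject name must match the name clients connect to.
$candidates | Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-Host
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# Look for an HTTPS listener that is already configured.
$existing = @(Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' })

if ($existing.Count -gt 0) {
    if (-not $ReplaceExisting) {
        throw 'An HTTPS listener already exists. Set $ReplaceExisting = $true to replace its settings.'
    }
    # Removes the listener settings only; the certificate itself stays in the store.
    $existing | Remove-Item -Recurse -Force
}

# Create the HTTPS listener on all addresses, bound to the chosen certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Show the resulting listener configuration for verification.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    Format-List Address, Transport, Port, Hostname, CertificateThumbprint
```

The HTTPS listener uses TCP port 5986 by default, and this example does not create a firewall rule for it. From a client, test with Enter-PSSession and the -UseSSL switch, using a computer name that matches the certificate.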
Command-Line Use
There are no command-line parameters for the script. Just run it to have a certificate selected automatically or to be prompted for which certificate to use. If you already have a TLS certificate configured for remoting, the script will prompt whether to replace those settings (not the certificate, just the settings) or to exit without changes. The script is deliberately simple so that it is appropriate for teaching and easy to edit. Feel free to customize it for your environment.
Requirements
Note that the script will not install PowerShell, enable remoting, or install a certificate from your PKI. There are plenty of guides for these tasks on the Internet, and the SEC505 course has a day on PKI too. Remoting requires PowerShell 2.0 or later, and the user must be a member of the Administrators local group to manage WSMAN settings. The about_Remote_Requirements file also has more information about these prerequisites (in PowerShell, run "get-help about_Remote_Requirements").
Cheers
Caveats & Legal Disclaimers
The script is free and in the public domain; you may use it for any purpose whatsoever without restriction. However, that being said...
THIS SCRIPT IS PROVIDED "AS IS" WITH NO WARRANTIES OR GUARANTEES OF ANY KIND, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. ALL RISKS OF DAMAGE REMAIN WITH THE USER, EVEN IF THE AUTHOR, SUPPLIER OR DISTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGE. IF YOUR STATE DOES NOT PERMIT THE COMPLETE LIMITATION OF LIABILITY, THEN DO NOT DOWNLOAD OR USE THE SCRIPT. NO TECHNICAL SUPPORT WILL BE PROVIDED.