SOLVED

Windows Admin Center: Revert "Use WinRM over HTTPS only" setting


We just upgraded our Windows Admin Center install and I accidentally checked the "Use WinRM over HTTPS only" setting during the update / prior to configuring our hosts for that feature.  We want to use this, but need more time to troubleshoot roll-out.

 

Is there a line command or anything that will allow me to undo that setting?  I know if I run setup again I can (for example) change SSL thumbprint, but that setting to "Use WinRM over HTTPS only" is not available in setup again for toggling.

 

Thanks!

 

 

8 Replies
best response confirmed by tbwork (Copper Contributor)

@tbwork I realize this was answered already; however, I would say you should use WinRM over HTTPS anyway rather than uninstall and reinstall to revert it. For anyone else that comes across this answer through Google, I put together a video detailing how to set WinRM over HTTPS, which is easier to do than it may sound. I cover the certificates, commands, and group policy settings. I could not find any centralized source for this info so I made one.

The YouTube video is at the below site. The below site also lists the GPO settings if that is all you need or if you speak a different language and need to simply copy and paste.
https://btpssecpack.osbornepro.com/en/latest/#configure-winrm-over-https

@tobor88 I 100% agree with you - the limiting factor was learning how to do this safely and effectively, and as you said the documentation available out there to date was limited.  Thanks so much for sharing your tutorial!  It's now in my queue to work on! :D

@tbwork No problem. If you end up having questions or whatever about set up I am happy to answer whatever questions I can.

@tobor88 Thank you, it's in my queue also.

@tobor88 What's kind of hilarious (the sad kind) is that when attempting to browse to the URL you provided, I got the following error "btps-secpack.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH" on Chrome and on Firefox "SSL_ERROR_NO_CYPHER_OVERLAP". While I agree that HTTPS is a good thing in general, to highlight the mess that is WinRM with HTTPS, you have to use FQDNs for your computer names, else you'll get "The SSL certificate contains a common name (CN) that does not match the hostname", and in WAC 2110, I was getting the "SSL Certificate could not be checked for revocation" using standard machine certs that they get from ADCS despite the fact that both HTTP and LDAP distribution points were valid and allowed the CRL to be downloaded. Coupled with the fact that there is no standard firewall rule for WinRM over HTTPS, nor a way to enable WinRM over HTTPS via GPO easily, instead requiring a "winrm quickconfig -transport:https" to be run via a script, it is really just a big pile of disappoint in general and it's almost 2022. So back to Kerberos and standard WinRM. At the least, I can confirm that the best response at the top does work though, the magic needed to undo the "https only" option is: Set-ItemProperty -path "hklm:\SOFTWARE\Microsoft\ServerManagementGateway" -name WinRMHTTPS -value 0
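
Added example (not part of any reply in this thread, and not Microsoft's or the linked project's code): a readiness check to run elevated on the gateway server that probes each managed host for a working WinRM HTTPS listener and reverts the gateway setting with the registry value quoted above only if some host is not ready. The host names are constructed placeholders; the registry path and value name are the ones given in the thread.

```powershell
# Added example. Host names below are constructed placeholders.
$GatewayKey   = 'HKLM:\SOFTWARE\Microsoft\ServerManagementGateway'  # path as quoted in the thread
$ValueName    = 'WinRMHTTPS'                                        # value name as quoted in the thread
$ManagedHosts = @('srv01.corp.example', 'srv02.corp.example')       # use FQDNs so the certificate name matches

function Test-WinRmHttpsReady {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [pscustomobject]@{
        ComputerName = $ComputerName
        Port5986Open = $false
        WsManOverTls = $false
        Detail       = ''
    }
    # 5986 is the default WinRM HTTPS port; a missing listener or firewall rule fails here.
    $r.Port5986Open = Test-NetConnection -ComputerName $ComputerName -Port 5986 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $r.Port5986Open) {
        $r.Detail = 'TCP 5986 unreachable (no HTTPS listener or no firewall rule)'
        return $r
    }
    try {
        # An unauthenticated WS-Man identify over TLS; certificate problems such as a
        # name mismatch surface as the exception message.
        Test-WSMan -ComputerName $ComputerName -UseSSL -ErrorAction Stop | Out-Null
        $r.WsManOverTls = $true
    } catch {
        $r.Detail = $_.Exception.Message
    }
    $r
}

$current = (Get-ItemProperty -Path $GatewayKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
"Gateway $ValueName is currently: $current"

$report = $ManagedHosts | ForEach-Object { Test-WinRmHttpsReady -ComputerName $_ }
$report | Format-Table -AutoSize -Wrap

$notReady = @($report | Where-Object { -not $_.WsManOverTls })
if ($notReady.Count -eq 0) {
    "All hosts answer WS-Man over HTTPS; $ValueName can stay at (or be set to) 1."
} elseif ($current -eq 1) {
    # Same revert as in the thread, applied only because some hosts are not ready yet.
    Set-ItemProperty -Path $GatewayKey -Name $ValueName -Value 0
    "Reverted $ValueName to 0; $($notReady.Count) host(s) still need an HTTPS listener."
} else {
    "$($notReady.Count) host(s) not ready; $ValueName left unchanged."
}
```

The thread does not say whether the gateway service has to be restarted for the registry change to take effect, so confirm the behaviour in the Windows Admin Center UI after running it.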

Thanks, I forgot I had placed a link a couple years ago. I moved the information over to readthedocs.io because it did not make sense to keep paying for the domain or the site. I have updated the post so it has the new link.
https://btpssecpack.osbornepro.com/en/latest/#configure-winrm-over-https

That is just not me, to each his own
This was my exact solution that I needed. Thank you!