tbwork
Copper Contributor
Aug 12, 2020

Windows Admin Center: Revert "Use WinRM over HTTPS only" setting

We just upgraded our Windows Admin Center install and I accidentally checked the "Use WinRM over HTTPS only" setting during the update / prior to configuring our hosts for that feature. We want to use this, but need more time to troubleshoot roll-out.

Is there a line command or anything that will allow me to undo that setting? I know if I run setup again I can (for example) change SSL thumbprint, but that setting to "Use WinRM over HTTPS only" is not available in setup again for toggling.

Thanks!

  • tobor88
    Copper Contributor

    tbwork I realize this was answered already; however, I would say you should use WinRM over HTTPS anyway rather than uninstall and reinstall to revert it. For anyone else that comes across this answer through Google, I put together a video detailing how to set WinRM over HTTPS, which is easier to do than it may sound. I cover the certificates, commands, and group policy settings. I could not find any centralized source for this info, so I made one.

    The YouTube video is at the below site. The below site also lists the GPO settings if that is all you need or if you speak a different language and need to simply copy and paste.
    https://btpssecpack.osbornepro.com/en/latest/#configure-winrm-over-https

    • tbwork
      Copper Contributor

      tobor88 I 100% agree with you - the limiting factor was learning how to do this safely and effectively, and as you said the documentation available out there to date was limited. Thanks so much for sharing your tutorial! It's now in my queue to work on! 😄

      • tobor88
        Copper Contributor

        tbwork No problem. If you end up having questions or whatever about setup, I am happy to answer whatever questions I can.

    • RBarb
      Copper Contributor

      tobor88 What's kind of hilarious (the sad kind) is that when attempting to browse to the URL you provided, I got the following error "btps-secpack.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH" on Chrome and on Firefox "SSL_ERROR_NO_CYPHER_OVERLAP". While I agree that HTTPS is a good thing in general, to highlight the mess that is WinRM with HTTPS, you have to use FQDNs for your computer names or else you'll get "The SSL certificate contains a common name (CN) that does not match the hostname", and in WAC 2110, I was getting the "SSL Certificate could not be checked for revocation" using standard machine certs that they get from ADCS, despite the fact that both HTTP and LDAP distribution points were valid and allowed the CRL to be downloaded. Coupled with the fact that there is no standard firewall rule for WinRM over HTTPS, nor a way to enable WinRM over HTTPS via GPO easily, instead requiring a "winrm quickconfig -transport:https" to be run via a script, it is really just a big pile of disappoint in general, and it's almost 2022. So back to Kerberos and standard WinRM. At the least, I can confirm that the best response at the top does work though; the magic needed to undo the "https only" option is: Set-ItemProperty -path "hklm:\SOFTWARE\Microsoft\ServerManagementGateway" -name WinRMHTTPS -value 0
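
Added example, not posted by anyone in this thread: a PowerShell readiness check to run before turning the "HTTPS only" option back on, probing each managed host by FQDN for the failures described above (closed port 5986, CN mismatch, revocation check errors). The host names are constructed placeholders; the registry path and value name are the ones quoted in the thread.

```powershell
# Constructed placeholder FQDNs; replace with the hosts Windows Admin Center manages.
# FQDNs are used because, as noted in the thread, short names fail the certificate CN check.
$targets = 'server01.corp.example', 'server02.corp.example'

$results = foreach ($fqdn in $targets) {
    $row = [ordered]@{ Computer = $fqdn; Port5986 = $false; WSManOverSSL = $false; Detail = '' }

    # Step 1: is the WinRM HTTPS port reachable through the firewall?
    $row.Port5986 = Test-NetConnection -ComputerName $fqdn -Port 5986 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    if ($row.Port5986) {
        try {
            # Step 2: WS-Management identify request over TLS. This throws on
            # certificate problems such as a CN mismatch or a failed revocation check.
            Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop | Out-Null
            $row.WSManOverSSL = $true
        }
        catch {
            # Keep the error text so the failing hosts can be triaged by cause.
            $row.Detail = $_.Exception.Message
        }
    }
    else {
        $row.Detail = 'TCP 5986 not reachable (no listener or no firewall rule)'
    }

    [pscustomobject]$row
}

$results | Format-Table -AutoSize -Wrap

# Gateway side (run on the Windows Admin Center machine): read the current value
# of the setting discussed in the thread without changing it.
$key = 'HKLM:\SOFTWARE\Microsoft\ServerManagementGateway'
$current = (Get-ItemProperty -Path $key -Name WinRMHTTPS -ErrorAction SilentlyContinue).WinRMHTTPS
"WinRMHTTPS is currently: $current"

# Summarise which hosts would become unmanageable under HTTPS-only.
$notReady = @($results | Where-Object { -not $_.WSManOverSSL })
if ($notReady.Count -gt 0) {
    "Not ready for HTTPS-only: $($notReady.Computer -join ', ')"
}
else {
    'All listed hosts answered WS-Management over HTTPS.'
}
```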
