Secure vRO PowerShell Host

2 minute read

Certificates can be a pain to configure in Windows and especially when trying to use with WINRM\Powershell.  Follow this post to secure Powershell with HTTPS and add a secure “PowerShell Host” to VMware Orchestrator.


What’s Needed

For this setup you will need a Microsoft Active Directory CA setup and configured.

CA Template

For this setup you could use an existing certificate template such as “Web Server” but for this guide we are going to create a template that is active directory integrated making things a little easier.

Create Template

Start by logging into your CA and opening up certifcate templates.  You will need to open up MMC add the snapin “Certificate Templates”.  Find the template “Web Server” and duplicate.


Let’s rename the template for this purpose and extend the validity peiord if needed.


I selected to have the ability to export the private key.  Not really needed but a nice to have.


Change the mininum key size to be at least 2048


Add the required group or users that will be requesting this certificate.  I just used ‘Domain Admins’ for this example.


Set to use AD for the request and format it comes in.  This allows no additonal information required for the request.


Hit OK to save template

Publish Template

Open up “Certificate Authority” from the start menu and select “Certificate Templates”


And select the template you created in the previous step


Now the certificate template is ready to go

Powershell Host Configuration

Certificate Request

Let’s open up the certificates snapin on our Powershell Host. Run MMC and open Certificates




Now from the local computer personal store request a new certificate


Select Active directory and from the template selection check the template created earlier.


Hit enroll to request and download the new certificate

Document the certficate thumbprint for future steps.  Copy into notepad and remove spaces with find and replace.


Bind Certificate to WINRM

We first need to enable WINRM and open firewall rules.  Open up a command prompt under administrator and run.

winrm quickconfig -transport:https

If there is only one certificate in the personal certificate store chances are everything is ready to go.  Run the following command and verify the the thumbprint matches.

winrm get winrm/config/listener?Address=*+Transport=HTTPS


If it doesn’t match or if you have multiple certificates you will need to run the following commands.

Delete the current HTTPS listener

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

And now re-create with correct certificate we created.  Make sure to use the thumbprint without spaces and verify it gets copied correctly.  For some reason I have had issues where a rouge ‘?’ gets added to the thumbprint string. (Note the hostname is in common name format and not FQDN)

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="iaas01";CertificateThumbprint="‎7c0cdc758bb93d70858e6352225a668eaee66da1"}

Now verify the listener is using the correct certificate.

winrm get winrm/config/listener?Address=*+Transport=HTTPS

If you prefer to allow remote access only from the VMware Orchestrator server run the following command

winrm s winrm/config/client @{TrustedHosts=""}

If you prefer to open to all remote connections

winrm s winrm/config/client @{TrustedHosts="*"}

We are now ready to add to vRO

Add PowerShell Host

From the vro client start the workflow “Add a PowerShell Host” and enter the information for the PS host.  Make sure to use port 5986.


Select HTTPS as the transport type, accept all certificates and make sure kerberos is selected for authentication.


When entering the credentials for the PowerShell user make sure to type in as UPN format ([email protected])


PowerShell host should now be successfully added and ready for some action!

If preferred, you can run the “Validate a PowerShell host” to verify


Leave a comment