How to Configure WinRM over HTTPS (Port 5986)
Satyam
Last Update 7 months ago
By default, WinRM over HTTP (port 5985) relies on Kerberos to encrypt the message payload after authentication, but the transport itself has no TLS, so nothing verifies the server's identity before you authenticate to it.
Switching to WinRM over HTTPS (port 5986) adds both transport encryption and certificate-based validation of the server's identity, which is why it is the preferred configuration.
Prerequisites Check
WinRM Service:
Run the following command to confirm WinRM is installed and to view the current authentication settings:
Certificate Requirements:
A valid Server Authentication certificate must be present in the Local Computer → Personal → Certificates store.
It must:
Have a matching Common Name (CN) or Subject Alt Name (SAN) for the host.
Be current (not expired or revoked).
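A store-side check for the certificate requirements above, as an added example that is not part of the original article. It filters Cert:\LocalMachine\My down to certificates that have a private key, are inside their validity period, carry the Server Authentication EKU, and name the host in the CN or a SAN DNS entry. The function name and the $HostName parameter are this example's own; pass the exact name clients will connect to (hostname.domain.com for the CA-signed path, $env:COMPUTERNAME for the self-signed lab path).

```powershell
# Added example (not the article's code): find certificates in the machine
# store that meet the WinRM HTTPS listener prerequisites.
# Assumption: $HostName is the name remote clients will use in -ComputerName.

function Get-WinRmCandidateCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
    $now = Get-Date

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_

        # The listener needs the private key to terminate TLS.
        if (-not $cert.HasPrivateKey) { return $false }

        # Must be inside its validity period right now.
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { return $false }

        # Must be issued for server authentication. The Cert: provider exposes
        # the EKU extension as EnhancedKeyUsageList (ObjectId / FriendlyName).
        if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)) { return $false }

        # CN or a SAN DNS entry must match the name clients will use.
        # DnsNameList is the provider's parsed SAN list; SimpleName is the CN.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn) { $names += $cn }
        $names -contains $HostName          # -contains is case-insensitive
    } |
    Sort-Object NotAfter -Descending |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'DnsNames'; e = { $_.DnsNameList.Unicode -join ',' } }
}

# Usage: take the longest-lived match and bind the listener to its thumbprint.
$best = Get-WinRmCandidateCertificate -HostName 'hostname.domain.com' | Select-Object -First 1
if (-not $best) { Write-Warning "No certificate in LocalMachine\My satisfies the listener requirements." }
else { "Use thumbprint: $($best.Thumbprint) (expires $($best.NotAfter))" }
```

This only looks at what is in the store, so it catches an expired or wrong-name certificate but cannot tell you the certificate has been revoked; revocation is only visible when the chain is built against the issuing CA's CRL or OCSP responder, which the client does at connection time.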
You can configure WinRM over HTTPS using either:
Option 1: A CA-signed certificate (recommended for production)
Option 2: A self-signed certificate (for testing or internal lab environments)
Step 1.1: Obtain and Install a Certificate
If you don’t have one, request it from your corporate CA or Microsoft Certificate Server.
After installation, list certificates and copy the thumbprint:
Get-ChildItem Cert:\LocalMachine\My
Step 1.2: Create the HTTPS Listener
You can do this in one of two ways:
Option A: Quick Configuration
winrm quickconfig -transport:https
This command:
Starts the WinRM service
Sets it to auto-start
Creates an HTTPS listener
Adds a firewall rule for port 5986
Option B: Manual Configuration
# Replace hostname.domain.com and THUMBPRINT with actual values
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname='hostname.domain.com'; CertificateThumbprint='THUMBPRINT'}"
netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986
winrm enumerate winrm/config/listener
Ensure Transport=HTTPS and Port=5986 are displayed.
Then test connectivity:
$cred = Get-Credential
Enter-PSSession -ComputerName hostname.domain.com -Port 5986 -UseSSL -Credential $cred
If you don’t have a CA-signed certificate, you can create and use a self-signed certificate.
Stop-Service WinRM -Force -ErrorAction SilentlyContinue
winrm quickconfig -q
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Certificate="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Certificate="true"}'
$hostname = $env:COMPUTERNAME
$cert = New-SelfSignedCertificate -DnsName $hostname -CertStoreLocation Cert:\LocalMachine\My -KeyUsage DigitalSignature,KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048
$thumbprint = $cert.Thumbprint
Step 2.4: Remove Any Existing HTTPS Listeners
Get-ChildItem WSMan:\localhost\Listener | Where-Object {$_.Keys -contains "Transport=HTTPS"} | Remove-Item -Recurse -Force
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$hostname`";CertificateThumbprint=`"$thumbprint`";Port=`"5986`"}"
netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986
Start-Service WinRM
Set-Service WinRM -StartupType Automatic
List Listeners:
winrm enumerate winrm/config/listener
Test Local Connection:
Test-WsMan -ComputerName $env:COMPUTERNAME -Port 5986 -UseSSL
Test Remote Connection (Skip CA Validation):
$cred = Get-Credential
Enter-PSSession -ComputerName $hostname -Port 5986 -UseSSL -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck)
⚠️ Note:
Self-signed certificates are not trusted by default.
For remote connections, either:
Use -SkipCACheck, or
Import the self-signed certificate into the Trusted Root Certification Authorities store on the client system.
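A post-configuration check that covers both the CA-signed and the self-signed paths above, as an added example that is not part of the original article. It reads the HTTPS listener from the WSMan: drive, confirms the bound thumbprint still points at a valid certificate in the machine store, builds the certificate chain with online revocation checking so you can see whether this host would trust it (a self-signed certificate reports UntrustedRoot, which is exactly why the note above calls for -SkipCACheck or a root import), confirms AllowUnencrypted is still false, checks the "WinRM HTTPS" firewall rule from the netsh command, and finishes with Test-WSMan over TLS. The function name is this example's own; Get-NetFirewallRule assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not the article's code): verify the WinRM HTTPS listener,
# its certificate, the service's encryption setting and the firewall rule.
# Assumption: the inbound rule was created with name "WinRM HTTPS" as above.

function Test-WinRmHttpsSetup {
    param([string]$HostName = $env:COMPUTERNAME)

    $result = [ordered]@{}

    # 1. Find the HTTPS listener and the thumbprint/port it is bound to.
    $listener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
    $result.ListenerPresent = [bool]$listener
    if (-not $listener) { return [pscustomobject]$result }

    $props = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)"
    $thumb = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    $result.Port       = ($props | Where-Object Name -eq 'Port').Value
    $result.Thumbprint = $thumb

    # 2. The bound certificate must still be in the store, with its private key, and unexpired.
    $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    $result.CertificateInStore  = [bool]$cert
    $result.CertificateValidNow = [bool]($cert -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date))

    # 3. Does it chain to a root this host trusts? Self-signed => UntrustedRoot.
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'   # also surfaces a revoked cert
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $chain.Dispose()
    }

    # 4. Plaintext WinRM must stay off; HTTPS alone does not enforce this.
    $result.AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

    # 5. Inbound rule for 5986 exists and is enabled.
    $rule = Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue
    $result.FirewallRuleEnabled = [bool]($rule -and "$($rule.Enabled)" -eq 'True')

    # 6. End-to-end WS-Man identify call over TLS (fails on an untrusted self-signed cert).
    try {
        $null = Test-WSMan -ComputerName $HostName -Port 5986 -UseSSL -ErrorAction Stop
        $result.TestWsMan = 'OK'
    } catch {
        $result.TestWsMan = $_.Exception.Message
    }

    [pscustomobject]$result
}

Test-WinRmHttpsSetup | Format-List
```

Run it on the server after either option. A healthy CA-signed setup shows ChainTrusted True, AllowUnencrypted false and TestWsMan OK; the self-signed lab setup shows ChainTrusted False with UntrustedRoot in ChainStatus and a certificate-trust error from Test-WSMan until the certificate is imported into the client's Trusted Root store.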