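#Requires -RunAsAdministrator
# Prepares a Windows host for Ansible management over Tailscale: enables Remote
# Desktop (with NLA), turns on WinRM with Basic auth over HTTP, and opens the
# WinRM port to the Tailscale address range only. Run in an elevated
# PowerShell session on the target host.
#
# Basic auth together with AllowUnencrypted sends credentials and payloads in
# clear text to anything that can reach TCP/5985. The firewall rule in step 5
# is therefore the control that makes this acceptable: it admits only the
# Tailscale CGNAT range, whose traffic arrives through the encrypted tunnel.

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10.
$TailscaleRange = '100.64.0.0/10'

# ============================================
# STEP 1: Enable Remote Desktop
# ============================================
# fDenyTSConnections = 0 allows RDP connections.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0
# Require Network Level Authentication so the logon screen is never shown to
# an unauthenticated peer.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Value 1
# Built-in rule group for RDP (TCP/UDP 3389).
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# ============================================
# STEP 2: Enable and Configure WinRM for Ansible
# ============================================
# -Force suppresses prompts; -SkipNetworkProfileCheck lets this succeed even
# when the active network profile is Public.
Enable-PSRemoting -Force -SkipNetworkProfileCheck
# Make the service survive reboots.
Set-Service WinRM -StartupType Automatic
Start-Service WinRM
# Ansible modules can need more than the default per-shell memory quota.
Set-Item -Path WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 2048

# ============================================
# STEP 3: Configure WinRM Authentication
# ============================================
# Basic auth is simpler than certificate-based auth; it is only safe here
# because reachability is restricted to the Tailscale range in step 5.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
# Plain HTTP on the wire; confidentiality comes from the Tailscale tunnel, not
# from WinRM itself.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true

# ============================================
# STEP 4: Configure WinRM Listener
# ============================================
# Remove any existing HTTP listeners and create a fresh one. The listener
# binds every address (*); the firewall rule below limits who can reach it.
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTP' } | Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTP -Address * -Force

# ============================================
# STEP 5: Configure Firewall for WinRM
# ============================================
# Allow TCP/5985 inbound from Tailscale peers only. On a re-run the rule is
# updated in place rather than silently skipped, so an older, wider rule with
# the same name cannot linger.
$ruleName = 'WinRM-HTTP-In-TCP'
$existingRule = Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
if ($existingRule) {
    Set-NetFirewallRule -Name $ruleName -Enabled True -Action Allow -Profile Any -RemoteAddress $TailscaleRange
} else {
    New-NetFirewallRule -Name $ruleName -DisplayName 'WinRM (HTTP-In)' -Enabled True -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow -Profile Any -RemoteAddress $TailscaleRange
}

# ============================================
# STEP 6: Set Trusted Hosts
# ============================================
# TrustedHosts is a *client*-side setting: it lists remote hosts this
# machine's own WinRM client may connect to with non-Kerberos auth. It does
# not restrict inbound connections (the firewall rule above does that). Kept
# so outbound PowerShell remoting to other Tailscale nodes works.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '100.*' -Force

# ============================================
# STEP 7: Restart WinRM to apply all changes
# ============================================
Restart-Service WinRM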
# Post-setup verification plus OpenSSH server enablement. Every command just
# prints its result; nothing here is checked programmatically, so read the
# output. Run in an elevated PowerShell session.

# Test WinRM is listening (WS-Management identify request to the local listener)
Test-WSMan -ComputerName localhost
# Check WinRM configuration (service settings, then the enabled auth methods)
winrm get winrm/config/service
winrm get winrm/config/service/auth
# Verify listeners (transport, address and port of each configured listener)
Get-ChildItem WSMan:\localhost\Listener

# Install the OpenSSH server capability; this is the OS-provided feature,
# so no external download is involved.
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Start and enable SSH service
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic
# Confirm firewall rule exists (should be auto-created by the capability install)
Get-NetFirewallRule -Name *ssh*
# Set PowerShell as default shell for SSH (better for Ansible). This is the
# Windows PowerShell 5.1 binary; adjust the path if PowerShell 7 is wanted.
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

# 1. Verify Tailscale is up and this node has an address
#    (presumably; the numbered list below starts at 2, so this heading was lost)
tailscale status
# 2. Verify WinRM is listening
Test-NetConnection -ComputerName localhost -Port 5985
# 3. Verify SSH is listening
Test-NetConnection -ComputerName localhost -Port 22
# 4. Verify Remote Desktop is enabled
(Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
# Should return 0
# 5. Test local WinRM authentication
# NOTE(review): the local account created elsewhere in this gist is
# "remoteadmin", not "ansible"; confirm which user the Ansible inventory uses.
$cred = Get-Credential -UserName "ansible" -Message "Test ansible credentials"
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { $env:COMPUTERNAME }
# Should return the computer name
# Create the local administrator account used for remote access.
# The password is read interactively as a SecureString so it never appears
# in the command line, shell history or process arguments.
$Password = Read-Host -Prompt 'Password for remoteadmin' -AsSecureString

# Account parameters, splatted for readability.
$newUser = @{
    Name                 = 'remoteadmin'
    Password             = $Password
    PasswordNeverExpires = $true
    FullName             = 'Remote Admin'
}
New-LocalUser @newUser

# Grant local administrator rights to the new account.
Add-LocalGroupMember -Group 'Administrators' -Member 'remoteadmin'
# Quick health check of the WinRM service on this host; output is for reading,
# nothing is asserted.

# 1. Round-trip a WS-Management identify request to the local listener.
Test-WSMan localhost

# 2. Dump the effective service settings, then the enabled auth methods.
& winrm get winrm/config/service
& winrm get winrm/config/service/auth

# 3. Enumerate the configured listeners (transport, address, port).
Get-ChildItem -Path WSMan:\localhost\Listener