Summary: Learn how to use Windows PowerShell to run WMI commands on remote computers without opening a lot of holes in your firewall.
Hey, Scripting Guy! I have a problem. We have a number of remote systems that I need to manage. We are running the Windows firewall on all systems, and our security team is reluctant to open up a bunch of remote ports. But it seems to me that usability and security should not be completely opposed to each other. How can I use WMI to manage my remote systems and still make our security people happy?
—CG
Hello CG,
Microsoft Scripting Guy, Ed Wilson, is here. Things are in a constant state of confusion around here. Just when it seemed things were settling down from TechEd, I have to get ready to go to Seattle because I am speaking at TechReady 15. TechReady is an internal Microsoft conference that is just like TechEd. It is also nearly as large of an event with the exception that it is a true international event because we have Microsoft people from all over the world descend on Seattle for a week. It is a great event to speak at, and a great event to attend. I look forward to it each year because I get to see my friends from all over the world.
The Scripting Wife and I had a great lunch the other day with Microsoft PowerShell MVP, Jim Christopher (who heads up the Charlotte Windows PowerShell User Group) and Brian Wilhite (who assists in that endeavor). We were discussing the second PowerShell Saturday event. The first PowerShell Saturday, as you may know, was in Columbus, Ohio. It was extremely well received, and it sold out in 13 days. The second one will be in Charlotte, North Carolina on September 15, 2012. This one will probably be no exception. So stay tuned for the opening registration announcement. It is confirmed that I will be speaking there (the Scripting Wife put it on my calendar).
Using WMI for remote management in a firewall-constrained environment
CG, the best way to use WMI against a remote system, and to still run your Windows firewall, is to use Windows PowerShell remoting. With Windows PowerShell 2.0, you use WinRM. There are two ways of doing this. The first involves making a remote connection, opening a session, and then using the commands. When you are finished, you close the WinRM session. This is great for one-to-one types of operations. Following are the steps for this type of operation.
Just the Steps
To run a WMI command on a remote machine by using WinRM
- Store the credential that is returned from Get-Credential in a variable.
- Use the Enter-PSSession cmdlet to create a remote session.
- Supply the credential from Get-Credential.
- Type your WMI commands.
- Exit the PSSession by using EXIT.
The following commands illustrate these steps:
$cred = Get-Credential iammred\administrator
Enter-PSSession -ComputerName dc1 -Credential $cred
gwmi win32_operatingsystem
exit
The commands and the associated output appear in the image that follows. The image also illustrates that after you type the EXIT command from within the PS Session, the PS Session no longer exists. Exiting the PS Session automatically removes it.
Storing a remote session
Now, suppose you need to perform multiple operations on your remote system. To do this, create a new PS Session by using the New-PSSession cmdlet. Enter the PS Session by using the Enter-PSSession cmdlet. When you have finished your management tasks, you remove the PS Session by using the Remove-PSSession cmdlet.
Just the Steps
To create and use a remote PS Session
- Store the credential that is returned from Get-Credential in a variable.
- Store the PS Session that is returned from the New-PSSession cmdlet in a variable. Use the credential object that you created in Step 1.
- Enter a remote PS Session by using the Enter-PSSession cmdlet, and specify the session that you created in Step 2.
- Remove the PS Session by using the Remove-PSSession cmdlet.
The following commands illustrate the this process:
$cred = Get-Credential iammred\administrator
$dc1 = New-PSSession -ComputerName dc1 -Credential $cred
Enter-PSSession -Session $dc1
gwmi win32_bios
exit
Get-PSSession | Remove-PSSession
The image that follows illustrates performing each of the steps and the output associated with those commands. In addition, it illustrates re-entering the stored PS Session, exiting the session, and removing the PS Session.
Running a WMI command on multiple computers
One of the really powerful things to do is to create a new Windows PowerShell session that connects to multiple computers. To do this, follow these steps.
Just the Steps
To create and use a multicomputer PS Session
- Create and store a credential by using the Get-Credential cmdlet.
- Create a new PS session by using the New-PSSession cmdlet. Specify multiple computer names for the cn parameter and use the credential object that you created in Step 1.
- Store the returned PS Session object in a variable.
- Use the Invoke-Command cmdlet to run a command against all the computers that are specified in the stored PS Session.
The following commands illustrate using this procedure:
$cred = Get-Credential iammred\administrator
$dc = New-PSSession -ComputerName dc1,dc3 -Credential $cred
Invoke-Command -Session $dc -ScriptBlock {gwmi win32_bios}
Note You cannot use the Enter-PSSession cmdlet to enter a PS Session that connects to more than one computer. You can, however, use the Invoke-Command cmdlet to run a command against multiple computers at once.
The image that follows illustrates creating a credential object and storing it in a variable. The command creates a PS Session object that connects to two computers: dc1 and dc3. A variable, $dc, stores the returned session object. Next, an error appears when attempting to use the Enter-PSSession cmdlet with the session pointing to two computers. This illustrates that you cannot have an interactive remote PS session with more than one computer at the same time. Finally, the correct method to run the WMI command on multiple computers is shown, which illustrates using the Invoke-Command cmdlet.
CG, that is all there is to using WMI via a remote Windows PowerShell session. Join me tomorrow for more Windows PowerShell cool stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy