{"id":12319,"date":"2026-03-27T19:24:15","date_gmt":"2026-03-28T00:24:15","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=12319"},"modified":"2026-05-27T16:27:15","modified_gmt":"2026-05-27T21:27:15","slug":"verifying-winrm-access-to-capi","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=12319","title":{"rendered":"Verifying WinRM access to CAPI"},"content":{"rendered":"

Powershell script that verifies WinRM access and lists certs from CAPI store.<\/p>\n

# ============================================================================
\n# User-configurable variables
\n# ============================================================================<\/p>\n

$TargetHost = ‘hostname.example.com’
\n$TargetLocalComputerName = ‘HOSTNAME
\n$Username = ‘localuserid’
\n$Password = ‘localuserpassword’
\n$Port = 5985<\/p>\n

Set-StrictMode -Version Latest
\n$ErrorActionPreference = ‘Stop’<\/p>\n

# Remote certificate store to inspect.
\n# Common values:
\n# Cert:\\LocalMachine\\My
\n# Cert:\\LocalMachine\\WebHosting
\n# Cert:\\LocalMachine\\Root
\n# Cert:\\LocalMachine\\CA
\n$RemoteCertStorePath = ‘Cert:\\LocalMachine\\My’<\/p>\n

# Optional subject filter. Leave blank to return everything in the store.
\n$CertificateSubjectFilter = ”<\/p>\n

# ============================================================================
\n# Build local SAM credential
\n# ============================================================================<\/p>\n

# Unqualified – fails
\n# $QualifiedUsername = $Username
\n# .\\ – works
\n# $QualifiedUsername = ‘{0}\\{1}’ -f ‘.’, $Username
\n# With hostname – works
\n$QualifiedUsername = ‘{0}\\{1}’ -f $TargetLocalComputerName, $Username<\/p>\n

$SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
\n$Credential = [System.Management.Automation.PSCredential]::new($QualifiedUsername, $SecurePassword)<\/p>\n

# ============================================================================
\n# Check TrustedHosts on the client
\n# ============================================================================<\/p>\n

$trustedHostsValue = (Get-Item WSMan:\\localhost\\Client\\TrustedHosts).Value
\n$trustedHostEntries = @()<\/p>\n

if (-not [string]::IsNullOrWhiteSpace($trustedHostsValue)) {
\n$trustedHostEntries = $trustedHostsValue -split ‘\\s*,\\s*’ | Where-Object {
\n-not [string]::IsNullOrWhiteSpace($_)
\n}
\n}<\/p>\n

$trustedHostMatch = $false
\nforeach ($entry in $trustedHostEntries) {
\nif ($TargetHost -like $entry -or $TargetLocalComputerName -like $entry) {
\n$trustedHostMatch = $true
\nbreak
\n}
\n}<\/p>\n

Write-Host ”
\nWrite-Host ‘=== Client Context ===’ -ForegroundColor Cyan
\n[pscustomobject]@{
\nRunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
\nTargetHost = $TargetHost
\nPort = $Port
\nCredentialUser = $Credential.UserName
\nTrustedHostsValue = $trustedHostsValue
\nTrustedHostMatched = $trustedHostMatch
\nRemoteCertStorePath = $RemoteCertStorePath
\nCertificateSubjectFilter = $CertificateSubjectFilter
\n} | Format-List<\/p>\n

if (-not $trustedHostMatch) {
\nWrite-Warning “TrustedHosts does not appear to include $TargetHost or $TargetLocalComputerName. HTTP\/5985 with a local account will usually fail until that is fixed.”
\n}<\/p>\n

# ============================================================================
\n# Raw TCP check
\n# ============================================================================<\/p>\n

Write-Host ”
\nWrite-Host ‘=== TCP Connectivity Check ===’ -ForegroundColor Cyan<\/p>\n

$tcpClient = [System.Net.Sockets.TcpClient]::new()
\ntry {
\n$asyncResult = $tcpClient.BeginConnect($TargetHost, $Port, $null, $null)
\nif (-not $asyncResult.AsyncWaitHandle.WaitOne(3000, $false)) {
\nthrow “Timed out connecting to $TargetHost`:$Port”
\n}<\/p>\n

$null = $tcpClient.EndConnect($asyncResult)
\nWrite-Host “TCP connect to $TargetHost`:$Port succeeded.” -ForegroundColor Green
\n}
\ncatch {
\nWrite-Host “TCP connect to $TargetHost`:$Port failed: $($_.Exception.Message)” -ForegroundColor Red
\nthrow
\n}
\nfinally {
\n$tcpClient.Dispose()
\n}<\/p>\n

# ============================================================================
\n# WinRM over HTTP\/5985 test + remote machine-store certificate inventory
\n# ============================================================================<\/p>\n

Write-Host ”
\nWrite-Host ‘=== WinRM HTTP\/5985 Test ===’ -ForegroundColor Cyan<\/p>\n

$session = $null<\/p>\n

try {
\n$session = New-PSSession `
\n-ComputerName $TargetHost `
\n-Port $Port `
\n-Authentication Negotiate `
\n-Credential $Credential `
\n-ErrorAction Stop<\/p>\n

$remoteResult = Invoke-Command -Session $session -ErrorAction Stop -ArgumentList $RemoteCertStorePath, $CertificateSubjectFilter -ScriptBlock {
\nparam(
\n[string]$StorePath,
\n[string]$SubjectFilter
\n)<\/p>\n

$latfp = $null
\ntry {
\n$latfp = Get-ItemPropertyValue `
\n-Path ‘HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System’ `
\n-Name ‘LocalAccountTokenFilterPolicy’ `
\n-ErrorAction Stop
\n}
\ncatch {
\n$latfp = $null
\n}<\/p>\n

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
\n$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
\n$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)<\/p>\n

if (-not (Test-Path -Path $StorePath)) {
\nthrow “Certificate store path not found: $StorePath”
\n}<\/p>\n

$certs = Get-ChildItem -Path $StorePath -ErrorAction Stop<\/p>\n

if (-not [string]::IsNullOrWhiteSpace($SubjectFilter)) {
\n$certs = $certs | Where-Object { $_.Subject -like “*$SubjectFilter*” }
\n}<\/p>\n

$certInventory = foreach ($cert in $certs | Sort-Object NotAfter, Subject) {
\n$sanEntries = @()
\n$dnsNameList = $null<\/p>\n

try {
\n$dnsNameList = $cert.DnsNameList
\n}
\ncatch {
\n$dnsNameList = $null
\n}<\/p>\n

if ($null -ne $dnsNameList) {
\nforeach ($dnsName in $dnsNameList) {
\nif ($null -ne $dnsName -and -not [string]::IsNullOrWhiteSpace($dnsName.Unicode)) {
\n$sanEntries += $dnsName.Unicode
\n}
\n}
\n}<\/p>\n

$ekuEntries = @()
\nforeach ($eku in $cert.EnhancedKeyUsageList) {
\nif (-not [string]::IsNullOrWhiteSpace($eku.FriendlyName)) {
\n$ekuEntries += $eku.FriendlyName
\n}
\nelseif (-not [string]::IsNullOrWhiteSpace($eku.ObjectId)) {
\n$ekuEntries += $eku.ObjectId
\n}
\n}<\/p>\n

[pscustomobject]@{
\nStorePath = $StorePath
\nSubject = $cert.Subject
\nThumbprint = $cert.Thumbprint
\nNotBefore = $cert.NotBefore
\nNotAfter = $cert.NotAfter
\nHasPrivateKey = $cert.HasPrivateKey
\nIssuer = $cert.Issuer
\nSerialNumber = $cert.SerialNumber
\nSignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
\nPublicKeyOid = $cert.PublicKey.Oid.FriendlyName
\nArchived = $cert.Archived
\nDnsNames = ($sanEntries -join ‘; ‘)
\nEnhancedKeyUsage = ($ekuEntries -join ‘; ‘)
\nPSParentPath = $cert.PSParentPath
\n}
\n}<\/p>\n

[pscustomobject]@{
\nRemoteComputerName = $env:COMPUTERNAME
\nRemoteIdentity = $identity.Name
\nIsAdministrator = $isAdmin
\nLocalAccountTokenFilterPolicy = $latfp
\nWinRMServiceStatus = (Get-Service -Name WinRM).Status.ToString()
\nPSVersion = $PSVersionTable.PSVersion.ToString()
\nQueriedStorePath = $StorePath
\nCertificateCount = @($certInventory).Count
\nCertificates = @($certInventory)
\n}
\n}<\/p>\n

Write-Host ‘WinRM HTTP\/5985 test succeeded.’ -ForegroundColor Green<\/p>\n

Write-Host ”
\nWrite-Host ‘=== Remote Probe Data ===’ -ForegroundColor Cyan
\n[pscustomobject]@{
\nRemoteComputerName = $remoteResult.RemoteComputerName
\nRemoteIdentity = $remoteResult.RemoteIdentity
\nIsAdministrator = $remoteResult.IsAdministrator
\nLocalAccountTokenFilterPolicy = $remoteResult.LocalAccountTokenFilterPolicy
\nWinRMServiceStatus = $remoteResult.WinRMServiceStatus
\nPSVersion = $remoteResult.PSVersion
\nQueriedStorePath = $remoteResult.QueriedStorePath
\nCertificateCount = $remoteResult.CertificateCount
\n} | Format-List<\/p>\n

Write-Host ”
\nWrite-Host “=== Certificates in $($remoteResult.QueriedStorePath) ===” -ForegroundColor Cyan<\/p>\n

if ($remoteResult.CertificateCount -eq 0) {
\nWrite-Host ‘No certificates matched the requested store\/filter.’ -ForegroundColor Yellow
\n}
\nelse {
\n$remoteResult.Certificates |
\nSelect-Object Subject, Thumbprint, NotAfter, HasPrivateKey, DnsNames, EnhancedKeyUsage |
\nFormat-Table -Wrap -AutoSize
\n}<\/p>\n

Write-Host ”
\nWrite-Host ‘=== Computed Summary ===’ -ForegroundColor Cyan
\n[pscustomobject]@{
\nHttp5985Success = $true
\nRemoteIdentity = $remoteResult.RemoteIdentity
\nIsAdministrator = $remoteResult.IsAdministrator
\nLocalAccountTokenFilterPolicy = $remoteResult.LocalAccountTokenFilterPolicy
\nWinRMServiceStatus = $remoteResult.WinRMServiceStatus
\nQueriedStorePath = $remoteResult.QueriedStorePath
\nCertificateCount = $remoteResult.CertificateCount
\n} | Format-List
\n}
\ncatch {
\nWrite-Host “WinRM HTTP\/5985 test failed: $($_.Exception.Message)” -ForegroundColor Red<\/p>\n

[pscustomobject]@{
\nHttp5985Success = $false
\nErrorMessage = $_.Exception.Message
\nHResult = (‘0x{0:X8}’ -f ($_.Exception.HResult -band 0xffffffff))
\nFullyQualifiedErrorId = $_.FullyQualifiedErrorId
\n} | Format-List
\n}
\nfinally {
\nif ($null -ne $session) {
\nRemove-PSSession -Session $session -ErrorAction SilentlyContinue
\n}
\n}<\/p>\n","protected":false},"excerpt":{"rendered":"

Powershell script that verifies WinRM access and lists certs from CAPI store. # ============================================================================ # User-configurable variables # ============================================================================ $TargetHost = ‘hostname.example.com’ $TargetLocalComputerName = ‘HOSTNAME $Username = ‘localuserid’ $Password = ‘localuserpassword’ $Port = 5985 Set-StrictMode -Version Latest $ErrorActionPreference = ‘Stop’ # Remote certificate store to inspect. # Common values: # Cert:\\LocalMachine\\My # Cert:\\LocalMachine\\WebHosting # Cert:\\LocalMachine\\Root …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1525],"tags":[622,136,2204],"class_list":["post-12319","post","type-post","status-publish","format-standard","hentry","category-windows","tag-powershell","tag-windows","tag-winrm"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12319"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12319\/revisions"}],"predecessor-version":[{"id":12320,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12319\/revisions\/12320"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}