Configure Windows Server Core for Remote access/management

The Windows Server Core option is a minimal installation option available during Standard or Datacenter edition of Windows Server. Basically there is no desktop in Server Core, by design. There are some versions of Windows Server available only in Core option. The Hyper-V Server 2019 is such a server which is very popular for running Virtual Machines in a very efficient way. The Remote access and remote management is sometime not configured by default in core server. Here is this blog, we will see how to configure the same.

The configuration process involves executing several steps in both Server and the Client side.


Server side configuration

We will execute a set of commands one after another in Admin mode of command prompt. The first thing we need to do is to enable CredSSP authentication. For this first check whether it is enabled or not using Get-WSManCredSSP command.

1C:\>Get-WSManCredSSP
2The machine is not configured to allow delegating fresh credentials.
3This computer is not configured to receive credentials from a remote client computer.

If that is not enabled, let us execute following command and confirm with 'Y' when asked to to enable CredSSP authentication.

 1C:\>Enable-WSManCredSSP -Role "Server"
 2CredSSP Authentication Configuration for WS-Management
 3CredSSP authentication allows the server to accept user credentials from a remote computer. If you enable CredSSP
 4authentication on the server, the server will have access to the user name and password of the client computer if the
 5client computer sends them. For more information, see the Enable-WSManCredSSP Help topic.
 6Do you want to enable CredSSP authentication?
 7[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
 8
 9
10cfg               : http://schemas.microsoft.com/wbem/wsman/1/config/service/auth
11lang              : en-US
12Basic             : false
13Kerberos          : true
14Negotiate         : true
15Certificate       : false
16CredSSP           : true
17CbtHardeningLevel : Relaxed

Next we need to configure WinRM to allow remote access for management. Let us run the winrm quickconfig command.

 1c:\> winrm quickconfig
 2WinRM service is already running on this machine.
 3WinRM is not set up to allow remote access to this machine for management.
 4The following changes must be made:
 5
 6Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
 7
 8Make these changes [y/n]? y
 9
10WinRM has been updated for remote management.

We can run the same command once again to test if the remote management setup is successful.

1C:\>winrm quickconfig
2WinRM service is already running on this machine.
3WinRM is already set up for remote management on this computer.

Now we need to set the firewall so that incoming WinRM connection is allowed using following command/

 1C:\>New-NetFirewallRule -DisplayName "Allow WinRM" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985
 2
 3Name                  : {c96321ab-7f4c-44f4-9e8d-10cf7169cfad}
 4DisplayName           : Allow WinRM
 5Description           :
 6DisplayGroup          :
 7Group                 :
 8Enabled               : True
 9Profile               : Any
10Platform              : {}
11Direction             : Inbound
12Action                : Allow
13EdgeTraversalPolicy   : Block
14LooseSourceMapping    : False
15LocalOnlyMapping      : False
16Owner                 :
17PrimaryStatus         : OK
18Status                : The rule was parsed successfully from the store. (65536)
19EnforcementStatus     : NotApplicable
20PolicyStoreSource     : PersistentStore
21PolicyStoreSourceType : Local

Here we will configure an extra things which is commonly needed in Core server. Enabling File and Printer sharing so that we can upload any files, specially ISO images for Hyper-V server, from remote client machines.

To do this, we have to enable the respective firewall rule as below:

1c:\>netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes


Client Configuration:

If all the above commands are completed successfully, the server side configuration is pretty much done. Now we need to configure the client machine from which we want to connect to the Hyper-V or Core server. This requires only correctly enabling the group policy.

For this we need to run the gpedit.msc from Start -> Run. Then go to following path and change the settings as stated.

  • Go to Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials

    • Set this to enabled and add WSMAN/* to the "add servers to the list"
    • Keep the check box checked for "Concatenate OS defaults with input above"
  • Go to Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication

    • Set it to enabled


Now we should be good to go for remote access and remote management to the newly configured server.


comments powered by Disqus