Invoke-Command with -UseSSL

PowerShell Remoting uses Windows Remote Management (WinRM), which is the Microsoft implementation of the Web Services for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers.   To run a command on one or more computers, use the Invoke-Command cmdlet

Invoke-Command -ComputerName Server01 -ScriptBlock {Get-UICulture}

As of PowerShell version 2.0, all remoting traffic occurs over ports 5985 (HTTP) and 5986 (HTTPS) by default. In both cases, the request payloads are encrypted – use of HTTPS only adds header encryption since all content is sent over SSL.

If you want to encrypt all PowerShell content transmitted over the network with Https, you can use -UseSSL switch with Invoke-Command.   WinRM is configured with Http and port 5985 by default.  WinRM needs to be configured with Https in order to use -UseSSL switch with Invoke-Command.  You will get below error if remote server is not configured WinRM with Https.

[Server01] Connecting to remote server Server01 failed with the following error message : The client cannot
connect to the destination specified in the request. Verify that the service on the destination is running and is
accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
analyze and configure the WinRM service: “winrm quickconfig”. For more information, see the
about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (Server01:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

Run below command on computer you want to configure WinRM with Https,   It will configure it with Https and default port 5986 with host certificate by default.

winrm quickconfig -transport:https

Run below command to verify if WinRm is configured with Https endpoint.

winrm enumerate winrm/config/listener

Above command should return below details if https and http endpoints are configured properly.

Address = *
Transport = HTTP
Port = 5985
Enabled = true
URLPrefix = wsman
ListeningOn =,, ::1

Address = *
Transport = HTTPS
Port = 5986
Hostname =
URLPrefix = wsman
CertificateThumbprint = 42 50 60 70 80 90 100
ListeningOn =,, ::1

You should be able to use -UseSSL swith with Invoke-Command now.  Make sure you use servername with fully qualify name the way your certificate is configured.

Invoke-Command -ComputerName -UseSSL -ScriptBlock { $PSVersionTable }


Hope this helps!

Posted in Microsoft Technology Tagged with: