WinRM
WinRM (Windows Remote Management) is the standard way to run commands and scripts on a Windows machine remotely - the engine behind PowerShell remoting. It uses a protocol called WS-Man carried over HTTPS. The Bridge brokers WinRM so that remote command execution on Windows is policy-controlled and recorded, and users never hold the target’s credentials.
You can offer WinRM two ways, and you can use either or both:
- Native mode - users point their normal WinRM tooling (such as PowerShell remoting) at a port on the Bridge.
- Browser mode - the session runs inside the Bridge web interface, with nothing to install.
Granting access. Settings here enable WinRM for the deployment. To grant a person access to a host, create a checkout - see command filtering and the recording redaction override.
Native mode
Pick a port for the Bridge to listen on. Port 5986 is the conventional port for WinRM over HTTPS.
winrm:
native:
enabled: true
listen: "5986"Browser mode
winrm:
browser:
enabled: trueShared options
winrm:
idle_timeout: 30mResponse-body redaction applies to WinRM. Because commands run through the Bridge, the Bridge can see and record their output. It can mask secrets in the recorded stdout and stderr (the standard output and error streams of the commands). This is governed by the recording setting server.recording.redact_response_bodies (on by default) and can be overridden per checkout.
Example
winrm:
idle_timeout: 30m
native:
enabled: true
listen: "5986"
browser:
enabled: trueOption reference
| Option | Type | Default | Description |
|---|---|---|---|
winrm.idle_timeout | duration | 30m | Close a session after this much inactivity. |
winrm.native.enabled | bool | false | Turn on native WinRM (a listening port). |
winrm.native.listen | string (port) | 5986 | Port the Bridge listens on. Required when native is enabled. |
winrm.browser.enabled | bool | false | Turn on the in-browser WinRM session. |