Skip to content

WinRM

WinRM (Windows Remote Management) is the standard way to run commands and scripts on a Windows machine remotely - the engine behind PowerShell remoting. It uses a protocol called WS-Man carried over HTTPS. The Bridge brokers WinRM so that remote command execution on Windows is policy-controlled and recorded, and users never hold the target’s credentials.

You can offer WinRM two ways, and you can use either or both:

  • Native mode - users point their normal WinRM tooling (such as PowerShell remoting) at a port on the Bridge.
  • Browser mode - the session runs inside the Bridge web interface, with nothing to install.

Granting access. Settings here enable WinRM for the deployment. To grant a person access to a host, create a checkout - see command filtering and the recording redaction override.

Native mode

Pick a port for the Bridge to listen on. Port 5986 is the conventional port for WinRM over HTTPS.

bridge.yaml
winrm:
  native:
    enabled: true
    listen: "5986"

Browser mode

bridge.yaml
winrm:
  browser:
    enabled: true

Shared options

bridge.yaml
winrm:
  idle_timeout: 30m

Response-body redaction applies to WinRM. Because commands run through the Bridge, the Bridge can see and record their output. It can mask secrets in the recorded stdout and stderr (the standard output and error streams of the commands). This is governed by the recording setting server.recording.redact_response_bodies (on by default) and can be overridden per checkout.

Example

bridge.yaml
winrm:
  idle_timeout: 30m
  native:
    enabled: true
    listen: "5986"
  browser:
    enabled: true

Option reference

OptionTypeDefaultDescription
winrm.idle_timeoutduration30mClose a session after this much inactivity.
winrm.native.enabledboolfalseTurn on native WinRM (a listening port).
winrm.native.listenstring (port)5986Port the Bridge listens on. Required when native is enabled.
winrm.browser.enabledboolfalseTurn on the in-browser WinRM session.
Last updated on