Windows Remote Management
Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)-based and firewall-friendly mechanism for exchanging management information across diverse hardware and operating systems.[1] Introduced as a core component in Windows Vista and Windows Server 2008, WinRM enables IT administrators and developers to remotely execute commands, manage server hardware, and retrieve system data from local or remote Windows computers using secure HTTP/HTTPS communications.[2] It replaced older protocols like DCOM for Windows Management Instrumentation (WMI) interactions, providing a more interoperable and secure alternative that supports scripting, automation, and integration with tools like PowerShell.[3] WinRM's architecture includes client-side and server-side components, with the service handling incoming requests on ports 5985 (HTTP) and 5986 (HTTPS) by default, and it integrates seamlessly with WMI for querying and controlling system resources as well as Intelligent Platform Management Interface (IPMI) for hardware-level management.[4] Key features encompass support for the Windows Remote Shell (WinRS) for interactive command execution, plugin APIs for custom extensions, quota management to prevent resource abuse, and multi-hop authentication via Credential Security Support Provider (CredSSP) for delegated credentials in complex network environments.[5] The protocol adheres to WS-Management 1.2.0 specifications, including WS-Transfer, WS-Enumeration, and WS-Eventing, ensuring broad compatibility with non-Windows systems that implement the standard.[2] Since its initial release, WinRM has evolved through versions, with WinRM 2.0—bundled in Windows 7 and Windows Server 2008 R2—adding advanced capabilities like a client shell API, improved remote shell infrastructure, and PowerShell cmdlets for enhanced automation. Subsequent versions, such as WinRM 3.0 in Windows 8 and Windows Server 2012, further enhanced eventing and internationalization.[5] Earlier versions, such as WinRM 1.1, were available as downloads for legacy systems like Windows XP and Windows Server 2003, allowing retroactive remote management support.[6] As of Windows Server 2025, the WinRM service is automatically installed and started on modern Windows Server editions (from Windows Server 2016 onward), though configuration is required to enable remote access, forming a foundational element of Microsoft's remote administration ecosystem alongside tools like Server Manager and Ansible for cross-platform orchestration.[6]Overview
Definition and Standards
Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management (WS-Man) protocol, a standard for remote management of Windows-based systems and other resources.[1] It enables administrators to execute commands, manage configurations, and access system data remotely over a network, leveraging web services technologies to facilitate secure and standardized interactions.[2] The WS-Man protocol, developed by the Distributed Management Task Force (DMTF), is a SOAP-based, firewall-friendly standard designed for exchanging management information across diverse IT environments, including heterogeneous systems from multiple vendors.[7] It builds on core web services protocols such as HTTP/HTTPS for transport, XML for data representation, and SOAP for message enveloping, ensuring compatibility with existing network infrastructure while minimizing the need for custom ports or protocols.[8] Key standards underpinning WS-Man include the DMTF WS-Management specification, initially released as version 1.0.0 in February 2008, with subsequent updates such as version 1.1.0 in March 2010 and version 1.2.0 in September 2014, which introduced enhancements for improved interoperability, security profiles, and eventing capabilities.[9][10][8] These specifications also incorporate related web services standards like WS-Addressing for endpoint resolution, WS-Transfer for resource manipulation, and WS-Enumeration for querying collections.[11] The primary purpose of WinRM, through its adherence to WS-Man, is to provide a platform-independent mechanism for remote access to system resources, configuration management, and automation tasks, eliminating the reliance on proprietary binaries or vendor-specific tools in favor of open, extensible web services.[12] This approach supports scalable enterprise environments by allowing consistent management operations across Windows servers, clients, and even non-Windows devices compliant with the standard.[7]History and Development
Windows Remote Management (WinRM) was introduced by Microsoft in 2007 as part of Windows Vista and Windows Server 2008, providing native support for the WS-Management 1.0 (WS-Man 1.0) protocol. This marked the initial implementation of a standardized, web services-based framework for remote systems management, enabling SOAP-over-HTTP communication for tasks like hardware inventory and configuration. Prior to WinRM, remote management in Windows relied heavily on Distributed Component Object Model (DCOM)-based access to Windows Management Instrumentation (WMI), which was proprietary and limited interoperability with non-Windows platforms. WinRM addressed these limitations by adopting the WS-Man protocol developed by the Distributed Management Task Force (DMTF), an industry consortium promoting open standards for systems management to facilitate cross-platform compatibility and firewall-friendly operations.[1][13][14] Key milestones in WinRM's evolution followed with version updates aligned to major Windows releases. In 2009, WinRM 2.0 arrived with Windows 7 and Windows Server 2008 R2, incorporating enhancements such as improved eventing and subscription capabilities—later standardized in WS-Man 1.1—along with better integration for remote scripting. By 2012, WinRM 3.0 shipped with Windows 8 and Windows Server 2012, providing features like advanced filtering and selective enumeration that aligned with the forthcoming WS-Man 1.2 specification to optimize data retrieval efficiency. These updates built on the foundational shift from DCOM to WS-Man, emphasizing secure, standards-compliant remoting that supported emerging needs in enterprise environments. Further refinements came in 2015 with Windows 10 and Windows Server 2016, where WinRM underpinned PowerShell 5.0 remoting improvements, including Just Enough Administration (JEA) for role-based access control and enhanced session management.[5][1] Recent developments have focused on performance optimizations and reliability fixes rather than major architectural changes. Windows 11 and Windows Server 2022 included minor WinRM updates to improve throughput in high-latency networks and streamline authentication flows, ensuring compatibility with modern hybrid cloud scenarios. In October 2025, Microsoft released security update KB5066793, which resolved a critical issue in PowerShell Remoting over WinRM where commands would time out after 600 seconds, enhancing stability for long-running remote operations. These iterative enhancements reflect ongoing efforts to maintain WinRM's relevance in secure, scalable management infrastructures.[15][16]Architecture and Components
Core Components
The core components of Windows Remote Management (WinRM) constitute the essential software elements that enable remote administration and management of Windows-based systems. These include the WinRM service for handling requests, the Windows Remote Shell for command execution, the Scripting API for programmatic control, specialized providers for data access, and command-line tools for operational testing. Together, they operate within a client-server architecture, utilizing the WS-Management (WS-Man) protocol over HTTP or HTTPS to exchange SOAP-based messages for secure remote interactions.[4] At the heart of WinRM is the WinRM service, implemented as the Windows service named WinRM and backed by the WsmSvc.dll library, which acts as a listener on target servers to process incoming remote requests and manage active sessions. This service exposes management resources through WS-Man endpoints, allowing clients to initiate operations such as data retrieval or command invocation without relying on legacy protocols like DCOM. On the client side, supporting libraries like WSMAuto.dll provide automation interfaces, while WsmCL.dll handles lower-level C API calls for system integration. The service ensures firewall-friendly communication by defaulting to port 5985 for HTTP and 5986 for HTTPS.[4] The Windows Remote Shell (WinRS), implemented as the winrs.exe command-line tool, enables administrators to execute commands and scripts remotely on target machines as if interacting with a local shell. It establishes remote endpoints using NetBIOS names or WS-Man URLs (e.g., http://server:5985/wsman), supporting features like environment variable passing, unencrypted modes for testing, and SSL-secured connections for production use. WinRS interacts with the WinRM service to create shell instances under the URI shell/cmd, facilitating interactive or batch remote execution while adhering to WS-Man standards for interoperability.[17][1] For programmatic access, the WinRM Scripting API offers a set of COM-based objects that allow scripts in languages like VBScript or JScript to connect to and manage remote resources. Key objects include the WSMan interface for creating Session instances, which handle authentication via ConnectionOptions (supporting credentials like username/password), and ResourceLocator for specifying target URIs. Developers use methods like Enumerate or Invoke on these objects to perform WS-Man operations, such as querying system states or executing methods, enabling automated management tasks without manual command-line intervention. This API is invoked by tools like Winrm.vbs for scripting-based operations.[18][19] WinRM extends its reach through integrated providers that map management data to WS-Man resources. The WMI provider, via WsmWmiPl.dll, bridges WinRM with Windows Management Instrumentation (WMI), allowing remote access to system data using URIs like http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service for enumerating services or processes. This integration supports most WMI classes, including embedded objects, for comprehensive in-band system monitoring. Complementing this, the IPMI provider facilitates out-of-band hardware management by exposing Intelligent Platform Management Interface (IPMI) classes through WMI, enabling retrieval of Baseboard Management Controller (BMC) sensor data, event logs, and configuration even on powered-off or failed systems via the Remote Management Control Protocol (RMCP).[3][4][20] A dedicated command-line tool, winrm.cmd (implemented as Winrm.vbs), supports testing and basic WinRM operations, such as enumerating available services with commands like winrm enumerate winrm/config/listener or identifying remote endpoints. This tool performs WS-Man calls directly, aiding in diagnostics and configuration verification without requiring full scripting setups.[2][19]Protocol and Communication
Windows Remote Management (WinRM) implements the WS-Management (WS-Man) protocol, a standard developed by the Distributed Management Task Force (DMTF) for exchanging management information across diverse systems and operating systems. This protocol enables remote access to and control of hardware and software components through a request-response model built on SOAP-over-HTTP or HTTPS, adhering to the WS-I Basic Profile. Messages are formatted in XML, incorporating standards such as WS-Addressing for endpoint identification, WS-Transfer for resource manipulation, and WS-Enumeration for iterative data retrieval. Common operations include Create for instantiating resources, Get for retrieving resource states, Put and Delete for modifications, and Enumerate for listing resource instances, all encapsulated within XML envelopes that specify actions via resource URIs likehttp://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Process.[11][21][22]
Session management in WS-Man establishes persistent connections identified by unique session IDs, allowing clients to maintain stateful interactions with the remote server without re-authenticating for each operation. This is particularly useful for handling large datasets through pull-based enumeration, where clients request subsets of enumerated items in batches—specified by parameters like MaxElements and MaxCharacters—to avoid overwhelming network resources or memory on either end. For instance, during enumeration of system processes, a client might pull results in pages of 100 items, enabling efficient traversal of extensive CIM (Common Information Model) object collections without full upfront loading. These mechanisms ensure scalability and reliability in distributed environments.[11][21]
Unlike the Windows Management Instrumentation (WMI), which relies on the Distributed Component Object Model (DCOM) for communication—typically over dynamic RPC ports that complicate firewall traversal—WS-Man operates over standard web ports, making WinRM inherently firewall-friendly and suitable for secure, cross-platform scenarios. WinRM listeners default to TCP port 5985 for HTTP and 5986 for HTTPS, facilitating deployment in perimeter-protected networks without extensive port opening. This web-services foundation also promotes interoperability with non-Windows systems supporting WS-Man, such as Linux distributions via OpenWSMAN.[11][21]
In typical message flow, a WinRM client constructs and transmits a WS-Man command as an XML payload over HTTP/HTTPS to the server's WinRM listener service, which processes the request against local resources like CIM repositories. The server then formulates a response—either the requested data in XML format or an error message detailing faults such as invalid URIs or access denials—adhering to WS-Transfer fault schemas for structured error handling. This bidirectional exchange supports both synchronous and asynchronous patterns, with the listener queuing operations for execution by backend components.[11][21]
Configuration
Installation and Enabling
Windows Remote Management (WinRM) is included by default as a component of the operating system starting with Windows Vista and Windows Server 2008, and in all subsequent versions, eliminating the need for separate downloads or installations post these releases.[6] However, for security reasons, remote access is disabled out of the box, with no listener configured by default, which prevents the reception of WS-Management protocol messages over the network even if the WinRM service is running.[6] On server editions like Windows Server 2008 and later, the service starts automatically by default, while on client editions such as Windows Vista and Windows 7, it is set to manual startup and requires manual initiation.[6] Enabling WinRM requires administrative privileges to modify system services, firewall rules, and configuration settings.[6] The Windows Firewall must permit inbound connections on TCP port 5985 for HTTP-based communication and port 5986 for HTTPS, typically handled automatically during setup.[6] On non-server editions such as Windows 10 and 11, WinRM is available directly through built-in features without additional installation, accessible via standard configuration tools.[6] The most straightforward method for basic setup is thewinrm quickconfig command executed from an elevated Command Prompt, which verifies the current state, starts the WinRM service if necessary, configures it for automatic startup, creates a default HTTP listener bound to all IP addresses on port 5985, and enables the corresponding firewall exception.[6] This command prompts for confirmation unless run with the /quiet switch and assumes HTTP transport; HTTPS setup requires additional certificate configuration.[6]
For environments leveraging PowerShell, the Enable-PSRemoting cmdlet provides an integrated enabling approach, particularly suited for remoting sessions.[23] This cmdlet invokes Set-WSManQuickConfig internally to start the service, set automatic startup, establish a listener, enable firewall rules, and configure session endpoints for PowerShell access, while also adjusting security descriptors to permit remote connections.[23] It supports parameters like -Force to bypass prompts and -SkipNetworkProfileCheck for public network profiles, ensuring compatibility across trusted domains or workgroups with minimal manual intervention.[23] Both methods result in a functional baseline for remote management, with listener details manageable separately as needed.[6]
Listener and Service Management
WinRM listeners define the endpoints where the service accepts incoming WS-Management requests, specifying the network address, transport protocol (HTTP or HTTPS), and port. By default, runningwinrm quickconfig creates an HTTP listener on port 5985 bound to all IP addresses (Address=*), with the URL prefix wsman. To manually create a listener, administrators use the winrm create command, such as winrm create winrm/config/Listener?Address=*+Transport=HTTP for an HTTP listener on all interfaces or winrm create winrm/config/Listener?Address=192.168.1.100+Transport=[HTTPS](/page/HTTPS) to bind to a specific IP address on HTTPS (default port 5986). These commands allow customization of the listening scope to enhance operational control without altering firewall rules directly.[6]
The WinRM service, officially named "Windows Remote Management (WS-Management)", handles the runtime execution of remote management operations and must be actively managed for availability. On Windows Server 2008 and later server editions, the service is configured for automatic startup by default, while on client editions it is manual. Administrators can start or stop the service using the graphical Services console (services.msc) by locating the entry and selecting the appropriate action, or via command-line tools like sc start winrm to initiate it and sc stop winrm to halt operations. To adjust the startup type, the command sc config winrm start= auto sets it to automatic, while sc config winrm start= disabled prevents automatic launch; these changes take effect after a restart or manual service control.[24][6]
WinRM runtime configurations, such as timeouts, envelope sizes, and shell behaviors, are adjusted using the winrm set command to optimize performance and resource usage, with settings stored in the system's WS-Management configuration. The maximum envelope size, which limits message payloads, defaults to 150 KB (MaxEnvelopeSizekb=150) and can be increased up to 1,048,576 KB via winrm set winrm/config @{MaxEnvelopeSizekb="500"} to accommodate larger data transfers. Timeouts include the overall service timeout (MaxTimeoutms=60000 milliseconds by default) and shell-specific options like idle timeout (Winrs/IdleTimeout=180000 ms) and maximum shell runtime (Winrs/MaxShellRunTime=28800000 ms, or 8 hours), set with commands such as winrm set winrm/config/winrs @{IdleTimeout="300000"}. These parameters can be viewed in XML format using winrm get winrm/config and exported to a file for backup or offline review, typically saved as config.xml in directories like %SystemRoot%\System32\winrm\config. Direct edits to exported XML files are possible but require importing back with winrm invoke Restore winrm/config @{Path="config.xml"} to apply changes, ensuring consistency with the active configuration.[6]
Monitoring WinRM listeners and service health involves querying active configurations and reviewing system logs for anomalies. The command winrm enumerate winrm/config/listener lists all configured listeners, displaying details like address, transport, port, and enabled status, which helps verify bindings and detect misconfigurations. For troubleshooting, the Windows Event Viewer provides insights through logs under Applications and Services Logs > Microsoft > Windows > WinRM > Operational, where events detail connection attempts, errors, and service initialization issues, such as event ID 10119 indicating startup failures. System logs in Windows Logs > System may also capture broader service events, aiding in diagnosing runtime problems like resource exhaustion or binding conflicts.[6][25]
Usage and Applications
Command-Line and Scripting
Windows Remote Management (WinRM) provides command-line tools for performing remote management operations without relying on graphical interfaces or advanced scripting environments. The primary tools arewinrm, which handles WS-Management protocol actions such as enumeration, retrieval, and invocation of resources, and winrs, which enables execution of remote shell commands. These tools facilitate tasks like querying system information or running administrative commands on target machines over HTTP or HTTPS.[2][17]
The winrm command supports invoking methods on remote resources, such as WMI classes. For instance, to retrieve system information from a remote host, the following command can be used: winrm get http://schemas.[microsoft](/page/Microsoft).com/wbem/wsman/1/wmi/root/cimv2/Win32_OperatingSystem -r:http://remotehost:5985 -u:username -p:password. This operation targets a specified resource URI and authenticates using provided credentials, returning results in XML format for further processing. Additional options include specifying the authentication type (e.g., Basic or Kerberos) via the -auth parameter to suit network configurations.[3][2]
For executing arbitrary commands on a remote system, the winrs tool establishes a remote shell session. A basic example is winrs -r:remotehost cmd /c "ipconfig", which runs the ipconfig command on the target and displays network configuration details locally. Authentication can be specified with -u:username and -p:password, while -usessl enables secure HTTPS connections on port 5986; for environments without certificate validation, client-side configuration via winrm set can skip certificate authority checks, though this is not recommended for production use. Other parameters include -directory to set the working path or -noprofile to avoid loading user profiles for faster execution.[17]
Beyond direct commands, WinRM supports scripting through its API, accessible via VBScript or JScript for automating session creation and resource operations. In VBScript, a session is initialized with Set Wsman = CreateObject("Wsman.Automation") followed by Set Session = Wsman.CreateSession("http://remotehost:5985", "username", "password"), allowing enumeration of resources like services via Response = Session.Enumerate("http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service"). The response XML can be parsed using MSXML2.DOMDocument to extract details such as service names and states, enabling custom logic for management tasks. JScript follows a similar pattern using the same COM objects for cross-platform compatibility in legacy environments.[19][26]
These tools lend themselves to automation scenarios, such as batch scripts for inventorying multiple machines. A simple batch file might use a for loop to iterate over a host list (e.g., from a text file), executing for /f %%i in (hosts.txt) do winrs -r:%%i cmd /c systeminfo > C:\temp\%%i.txt to collect system details from each target and aggregate results locally for reporting or maintenance. This approach is effective for routine tasks like patch verification or hardware audits across a network, scaling to dozens of endpoints with minimal overhead.[2]
Integration with PowerShell
Windows Remote Management (WinRM) serves as the foundational transport mechanism for PowerShell remoting, enabling the execution of commands on remote computers through the WS-Management protocol. Specifically, it underpins key cmdlets such asInvoke-Command, which allows running scripts or commands on local or remote systems and returns output including errors; Enter-PSSession, which creates an interactive remote session substituting the local one for direct command execution; and New-PSSession, which establishes a persistent session for subsequent command invocation via Invoke-Command or interactive use with Enter-PSSession. These cmdlets rely on WinRM to facilitate secure, SOAP-based communication over HTTP or HTTPS ports, typically 5985 for HTTP and 5986 for HTTPS, ensuring that PowerShell instances on remote hosts process commands in isolated processes.[27][28][29][30]
The Enable-PSRemoting cmdlet provides a streamlined configuration tie-in by automatically setting up WinRM listeners on the target computer, enabling the WS-Management service, and configuring firewall exceptions to allow inbound traffic on the default ports. It also establishes trust policies, such as setting the security descriptor on session configurations to permit access primarily for administrators while enabling remote command reception via WS-Management technology. This one-time setup, which must be executed in an elevated PowerShell session, ensures that WinRM is operational for remoting without manual intervention in listener creation or service startup.[31][32]
Advanced features extend WinRM's integration with PowerShell for enhanced security and modularity. Just Enough Administration (JEA) leverages constrained endpoints over WinRM to delegate specific administrative tasks, restricting users to predefined roles, commands, and parameters within a PowerShell session, thereby minimizing privilege escalation risks in multi-user environments. Implicit remoting, facilitated through the Import-Module cmdlet's -PSSession parameter, imports modules from a remote WinRM-based PSSession into the local session, proxying command execution back to the remote host without transferring module files, which supports distributed module usage across machines.[33][34]
In enterprise applications, WinRM enables PowerShell to orchestrate Desired State Configuration (DSC), where it handles pull or push deployments of configuration scripts to remote nodes, ensuring compliance with defined states through WinRM-dependent communication for LCM (Local Configuration Manager) interactions. Additionally, it supports remote script execution for automation tasks, such as bulk system management or application deployment across server farms, allowing administrators to run complex workflows on multiple targets simultaneously via Invoke-Command for scalable operations.[35][30]
Security
Authentication Mechanisms
Windows Remote Management (WinRM) employs several authentication mechanisms to secure communications between clients and servers, ensuring that only authenticated users can establish remote sessions. The primary methods include Kerberos for domain environments, NTLM as a fallback, certificate-based authentication for enhanced security over HTTPS, and CredSSP for scenarios requiring credential delegation. These mechanisms are configurable via WinRM settings, with defaults prioritizing secure options like Kerberos where possible.[36] Kerberos serves as the default authentication protocol in domain-joined environments, leveraging ticket-based authentication for mutual verification between client and server. It requires both client and server to be joined to the same domain and uses a Service Principal Name (SPN) in the format WSMAN/winrm set winrm/config/client/auth @{CredSSP="true"}, along with Group Policy settings for AllowFreshCredentials and an associated SPN. CredSSP is not enabled by default due to its delegation risks but is essential for operations needing passed-through credentials.[37]
Authorization in WinRM is managed through role-based access, primarily granting permissions to members of the local Administrators group or the WinRMRemoteWMIUsers__ group for remote operations. Users can be added to the WinRMRemoteWMIUsers__ group using commands like net localgroup WinRMRemoteWMIUsers__ /add <domain>\<username>, while Group Policy can enforce broader configurations for access control. This ensures that authenticated users have appropriate privileges without full administrative rights.[36]
Configuration for Security
Securing Windows Remote Management (WinRM) involves configuring transport encryption, network access controls, and operational limits to mitigate unauthorized access and resource exhaustion risks. Enforcing HTTPS as the sole transport protocol is a primary recommendation, as it provides TLS encryption and server authentication, preventing man-in-the-middle attacks that are possible with the unencrypted HTTP listener. To implement this, administrators should install a valid SSL certificate—preferably issued by a trusted Certificate Authority (CA) matching the server's fully qualified domain name (FQDN) and including the Server Authentication enhanced key usage—on the target machine via the Microsoft Management Console (MMC) Certificates snap-in for the computer account.[39] Once the certificate is in place, run the commandwinrm quickconfig -transport:https to create an HTTPS listener on port 5986 (default for Windows 7 and later), and verify it with winrm enumerate winrm/config/listener. Self-signed certificates can be generated for testing using tools like New-SelfSignedCertificate in PowerShell, but they should be avoided in production environments due to trust validation issues.[39][38]
Firewall rules and access controls further restrict WinRM exposure by limiting inbound traffic to authorized sources. By default, Windows Defender Firewall permits WinRM connections on private network profiles but blocks them on public profiles unless explicitly allowed, often restricting to the same subnet for security. Administrators can create or modify rules using netsh advfirewall firewall add rule to allow TCP ports 5985 (HTTP) and 5986 (HTTPS) only from specific IP addresses or ranges, such as trusted management servers, thereby enforcing least-privilege access.[38] For domain-joined environments, Group Policy can centralize these configurations under Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service, setting options like "Allow remote server management through WinRM" to domain profiles only.[40]
Best practices emphasize minimizing the attack surface and monitoring usage. Disable the HTTP listener entirely after enabling HTTPS by running winrm delete winrm/config/Listener?Address=*+Transport=HTTP, as HTTP lacks encryption and exposes credentials in transit.[38] Limit remote access to the Administrators group by default, configurable via winrm set winrm/config/service @{AllowUnencrypted="false"} to block unencrypted sessions. To prevent denial-of-service attacks from excessive resource consumption, set the maximum memory per shell using winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}, which caps allocation at 1024 MB per session (the default value) including child processes.[41] Enable auditing for WinRM events through Group Policy under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking, monitoring Event IDs like 91 (authentication success) and 92 (failure) in the Security log for suspicious activity.[38]
Addressing common vulnerabilities requires applying recent security updates and avoiding risky delegation protocols. For instance, the October 2025 updates KB5066835 and KB5066782 resolve issues in PowerShell Remoting and WinRM where commands could fail or hang due to connection handling flaws.[42][43] Similarly, avoid Credential Security Support Provider (CredSSP) authentication unless multi-hop remoting is essential, as it delegates full credentials to remote hosts, increasing man-in-the-middle risks; instead, prefer Kerberos or NTLM with HTTPS.[38] Regular patching and configuration reviews, such as verifying TrustedHosts only for non-domain scenarios with winrm set winrm/config/client @{TrustedHosts="specificserver"}, help maintain a secure posture.[38]