DSC (via Puppet or Ansible) over WinRM with HTTPS only?

Hi Guys,

Is it a known issue that you can’t invoke DSC via Puppet or Ansible when you don’t have an HTTP listener configured?

Our clients are configured with HTTPS listeners on port 5986 only, and for example when using the ansible win_dsc module, I see errors such as:

"The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig”."

Enabling an HTTP listener (with 'New-Item -Path WSMan:\Localhost\Listener -Transport HTTP -Address * ') allows the task to succeed.

Our estate is configured to only allow traffic on port 5986, and we’ve done some work on certificates etc. It would be a backward step to have to enable WinRM over HTTP everywhere, and I can’t see any options in DSC, Ansible or Puppet to work around this issue.

Thanks for your help.

Dan

Hi DanT,

Puppet and Ansible both use Invoke-DscResource to apply the DSC config. I have tried running the commands below locally on a machine, and I seem to have the same challenge as you. It only works with an HTTP listener in place. Sorry, not much help, but like you I’d be fascinated to know if there was a way of getting Invoke-DscResource to

a) use an alternative port/protocol.
b) for it to continue to use encrypted HTTP, but for it to be limited to the localhost only (Set-Item WSMan:\localhost\Client\TrustedHosts -Value "localhost" -Force)

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS > Get-WSManInstance -Enumerate -ResourceURI winrm/config/listener

cfg : http://schemas.microsoft.com/wbem/wsman/1/config/listener
xsi : http://www.w3.org/2001/XMLSchema-instance
lang : en-US
Address : *
Transport : HTTP
Port : 5985
Hostname :
Enabled : true
URLPrefix : wsman
CertificateThumbprint :
ListeningOn : {10.13.241.147, 127.0.0.1, ::1, fe80::5efe:10.13.241.147%12…}

cfg : http://schemas.microsoft.com/wbem/wsman/1/config/listener
xsi : http://www.w3.org/2001/XMLSchema-instance
lang : en-US
Address : *
Transport : HTTPS
Port : 5986
Hostname :
Enabled : true
URLPrefix : wsman
CertificateThumbprint : 6D372015489A4355B2596AE7FC11F607E9FD6C8C
ListeningOn : {10.13.241.147, 127.0.0.1, ::1, fe80::5efe:10.13.241.147%12…}

PS > winrm delete winrm/config/Listener?Address=*+Transport=HTTP
PS > Get-WSManInstance -Enumerate -ResourceURI winrm/config/listener

cfg : http://schemas.microsoft.com/wbem/wsman/1/config/listener
xsi : http://www.w3.org/2001/XMLSchema-instance
lang : en-US
Address : *
Transport : HTTPS
Port : 5986
Hostname :
Enabled : true
URLPrefix : wsman
CertificateThumbprint : 6D372015489A4355B2596AE7FC11F607E9FD6C8C
ListeningOn : {10.13.241.147, 127.0.0.1, ::1, fe80::5efe:10.13.241.147%12…}

PS > Invoke-DscResource -Name WindowsProcess -Method Test -Property @{Path = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Arguments = ''} -ModuleName PSDesiredStateConfiguration
The client cannot connect to the destination specified in the request. Verify that the service on the destination is
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: “winrm quickconfig”.
+ CategoryInfo : ConnectionError: (root/Microsoft/…gurationManager:String) , CimException
+ FullyQualifiedErrorId : HRESULT 0x80338012
+ PSComputerName : localhost

PS > winrm quickconfig
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

PS > Invoke-DscResource -Name WindowsProcess -Method Test -Property @{Path = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Arguments = ''} -ModuleName PSDesiredStateConfiguration

InDesiredState

True
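
To see what the HTTP-listener workaround discussed in this thread exposes on a node, the following PowerShell is an added example, not code from either poster. It reports each WinRM listener together with the AllowUnencrypted settings and any inbound firewall rule for port 5985. The function name `Get-WinRMExposure` is hypothetical, and the script assumes an elevated session on a host with the NetSecurity module.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell session
# on the managed node. Get-WinRMExposure is a hypothetical helper name.
function Get-WinRMExposure {
    [CmdletBinding()]
    param()

    $loopback = '127.0.0.1', '::1'

    # With AllowUnencrypted = false, WinRM over HTTP still requires message-level
    # encryption (Kerberos/NTLM); 'true' permits cleartext payloads.
    $svcUnenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $cliUnenc = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value

    # Enabled inbound allow rules covering the default HTTP port (NetSecurity module).
    $fwRules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq '5985' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    foreach ($l in (Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)) {
        # Addresses this listener is bound to that are reachable from other hosts.
        $external = @($l.ListeningOn | Where-Object { $_ -notin $loopback })
        $isHttp   = $l.Transport -eq 'HTTP' -and $l.Enabled -eq 'true'

        $finding = 'OK'
        if ($isHttp -and $external.Count -gt 0) {
            $finding = 'HTTP listener bound to non-loopback addresses'
            if ($fwRules.Count -gt 0 -and [int]$l.Port -eq 5985) { $finding += '; firewall allows inbound 5985' }
            if ($svcUnenc -eq 'true') { $finding += '; service accepts unencrypted traffic' }
        }

        [pscustomobject]@{
            Transport               = $l.Transport
            Port                    = [int]$l.Port
            Thumbprint              = $l.CertificateThumbprint
            ExternalBindings        = $external -join ', '
            ServiceAllowUnencrypted = $svcUnenc
            ClientAllowUnencrypted  = $cliUnenc
            Finding                 = $finding
        }
    }
}

Get-WinRMExposure | Format-List
```

On the host shown above, with both listeners on `Address : *`, the HTTP entry would be flagged because its `ListeningOn` list includes 10.13.241.147 in addition to the loopback addresses.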