Forge Home


Module for configuring and managing Windows WinRM configurations


1,176 latest version

5.0 quality score

Version information

  • 0.2.1 (latest)
  • 0.2.0
  • 0.1.2
  • 0.1.1
released Dec 16th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'encore-winrm', '0.2.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add encore-winrm
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install encore-winrm --version 0.2.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



encore/winrm — version 0.2.1 Dec 16th 2020

WinRM module for Puppet

Build Status Puppet Forge Version Puppet Forge Downloads Puppet Forge Score Puppet PDK Version docs

Table of Contents

  1. Description - What the module does and why it is useful
  2. Setup - The basics of getting started with winrm
  3. Usage - Configuration options and additional functionality
  4. Reference - Parameters and explanations

Module Description

This module configures and maintains the WinRM configurations on a Windows system.

Setup requirements

You need to be running powershell 4 or greater for this module to work correctly.


Basic usage:

class { 'winrm': }

Advanced configuration WinRM on Windows servers:

class { 'winrm':
  allow_unencrypted_enable                 => false,
  auth_basic_enable                        => false,
  auth_credssp_enable                      => false,
  auth_kerberos_enable                     => true,
  auth_negotiate_enable                    => true,
  cert_validity_days                       => 1095,
  execution_policy                         => 'RemoteSigned',
  http_listener_enable                     => false,
  https_listener_enable                    => true,
  local_account_token_filter_policy_enable => true,
  skip_network_profile_check               => false,

Firewall usage:

class { 'winrm::config::firewall':
  http_listener_enable  => false,
  https_listener_enable => true,




Is unencrypted traffic allowed? Default is false.

class { 'winrm::config::allow_unencrypted':
  allow_unencrypted_enable => false,



Is Basic Authentication allowed? Default is false


Is CredSSP Authentication allowed? Default is false


Is Kerberos Authentication allowed? Default is true


Is Negotiate Authentication allowed? Default is true

class { 'winrm::config::auth':
  auth_basic_enable     => false,
  auth_credssp_enable   => false,
  auth_kerberos_enable  => true,
  auth_negotiate_enable => true,


Server execution policy to follow. Available options are: 'AllSigned', 'Bypass', 'RemoteSigned', 'Restricted', 'Undefined', 'Unrestricted' Defualt is RemoteSigned

class { 'winrm::config::execution_policy':
  execution_policy => 'RemoteSigned',


Should winrm be listening for http connections. Defialt is false

class { 'winrm::config::listener::http':
  http_listener_enable => false,


Should winrm be listening for https connections. Defialt is true


If not using a Self Signed Certificate then this hash can be passed in and used for the HTTPs/SSL listener. When specify a custom certificate, you must also specify cert_common_name that matches the subject/common name in the certificate.

class { 'winrm::config::listener::https':
  https_listener_enable => true,
  certificate_hash      => 'ABCDEF123456890',
  cert_common_name      => 'hostname.domain.tld',


Length of time in days the Self Signed certificate is good for. Default is 1095

class { 'winrm::config::listener::https':
  cert_validity_days    => 1095,
  certificate_hash      => 'test cert hash',
  https_listener_enable => true,


Common name of the self-signed or custom bound certificate. If you specify a custom certificate_hash, the CN (Common Name) in that certificate MUST match this value, otherwise the cert binding will not work.


If LocalAccountTokenFilterPolicy should be enabled? Default is true

class { 'winrm::config::localaccounttokenfilter':
  local_account_token_filter_policy_enable => true,


If Enable-PSRemoting should skip the network profile check. Default is false

class { 'winrm::config::ps_remoting':
  skip_network_profile_check => false,