Windows Remote Management (WinRM)

To authenticate with Windows nodes, Puppet Remediate uses NTLM authentication over HTTPS on port 5986. When enabled, Remediate falls back to using NTLM authentication over HTTP on port 5985, if the default authentication fails.

To discover resources on your Windows hosts, you must enable WinRM access on each host by running the following commands:

winrm quickconfig
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'

To enable the HTTP fallback option (see step 6 below), include the winrm set winrm/config/service '@{AllowUnencrypted="true"}' command. This means that all Puppet Remediate commands and responses, not including credentials, are sent in plain text over the network.


Your Windows user account must be a member of either the local administrator group or the WinRMRemoteWMIUsers_ group. For more information, see the Default Group Access section in the Microsoft Windows Remote Management documentation.

Add WinRM credentials

  1. On the sidebar, click Manage credentials.
  2. Click WinRM credential.
  3. In the Name field, enter a unique and descriptive name.
  4. Assign an individual scope, or both, to the credential:
    • Discover resources on nodes: This credential scope is valid only for discovering resources on your Windows nodes.
    • Remediate vulnerabilities: This credential is valid only for running tasks on your Windows nodes. When this individual scope is selected, no attempts are made to discover resources.
  5. Select HTTP fallback to permit using authentication over HTTP, if the default authentication over HTTPS fails.
  6. Click Add credential.