Create a Microsoft Windows (PowerShell) machine
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure AWS connection
- Configure Azure Key Vault connection
-
- Workload Identity Federation authentication
- Workload Identity Federation - Azure Identity Provider authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Workload Identity Federation authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Supported OIDC claims
-
-
-
-
- Create an F5 BIG-IP LTM machine
- Create a Microsoft Azure Private Key Vault machine
- Create a Microsoft IIS machine
- Create a Microsoft Windows (PowerShell) machine
- Create a Microsoft SQL Server machine
- Create a Common KeyStore machine
- Create a Citrix ADC machine
- Create an Imperva WAF machine
- Create a VMware NSX Advanced Load Balancer (AVI) machine
- Create an A10 Thunder ADC machine
- Create a Cloudflare machine
- Create Kemp Virtual LoadMaster machine
- Create a Palo Alto Panorama machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing certificate lifecycle settings
- Reissuing certificates in Next-Gen Trust Security
- Downloading certificates, certificate chains, and keystores
- Retiring, recovering, and deleting certificates
- Finding certificates in the certificate inventory
- Importing certificates from a CA using EJBCA
- Notification Center overview
- Domain-based validation for external emails
- Managing user accounts
- Troubleshooting
Create a Microsoft Windows (PowerShell) machine
Creating a machine enables Next-Gen Trust Security to connect to a Windows host over WinRM and run a customer-managed PowerShell function after certificate installation. After creating the machine, you can provision certificates to it.
Before you begin
Choose the most secure authentication method supported by your environment.
The following methods are listed from most to least secure:
- Kerberos authentication over HTTPS (recommended)
- Kerberos authentication over HTTP
- Basic authentication over HTTPS
You will also need:
- Windows Remote Management (WinRM) enabled on the target host
- Credentials with permissions to access the target certificate store and perform the required post-install actions
- A PowerShell script that implements the required function contract (see below)
- Supported Windows versions:
- Windows Server 2019
- Windows Server 2022
Ensure that the required Windows Remote Management (WinRM) ports are open from the Next-Gen Trust Security VSatellite machine to the target Windows Server. Firewalls or network security controls that block these ports will prevent certificate operations, discovery, or provisioning.
Required ports
| Purpose | Protocol | Port | When required |
|---|---|---|---|
| WinRM over HTTP | TCP | 5985 | When the machine uses WinRM over HTTP (for example, Kerberos over HTTP). |
| WinRM over HTTPS | TCP | 5986 | When the machine uses WinRM over HTTPS (for example, Kerberos over HTTPS or Basic Authentication over HTTPS). |
| Kerberos authentication | TCP and UDP | 88 | Required whenever Kerberos authentication is used. The Next-Gen Trust Security VSatellite must reach a domain controller’s Kerberos service. |
Important:
- Confirm that TCP 5985 and/or TCP 5986 are reachable if you're using the default WinRM listener configuration.
- When using Kerberos authentication, verify that TCP/UDP 88 is open between the VSatellite and your domain controller.
- If your environment uses custom WinRM ports, ensure those ports are reachable.
- Blocked ports frequently cause Test Access failures or authentication errors during machine creation or certificate provisioning.
PowerShell function contract
The machine executes a PowerShell function to consume the installed certificate (for example, bind it to a Windows service). Your script must implement a function named:
- bind-certificate
The function must accept:
- certificateStore (string): the certificate store path/location
- thumbprint (string): the certificate thumbprint
A successful execution must return exit code 0. Failures must return a non-zero exit code. Any output may be surfaced in Next-Gen Trust Security job details.
Ensure that the PowerShell script configured on the Microsoft Windows (PowerShell) machine is managed and written to execute your intended actions, not exhaust system resources, and is signed with a trusted certificate on the target system. The script must contain a specific function that is executed to consume (bind) the certificate from the CAPI store.
Warning: You are responsible for managing, writing, and securing your PowerShell script. To minimize exposure and prevent unauthorized access, use a dedicated user account with only the necessary permissions (least privilege) instead of an admin or shared account. Script signing ensures integrity after deployment but does not guarantee the security of its source or development environment.
Example PowerShell script:
<################## .NAME bind-certificate .DESCRIPTION Consumes a certificate from the CAPI store, mainly used to bind the certificate to a Windows service .PARAMETER certificateStore The Windows Certificates store location where the certificate is stored .PARAMETER thumbprint A text string that represents the public key hash of the certificate .NOTES A successful script execution returns an exit code 0. If the script fails, it returns a non-zero exit code and Next-Gen Trust Security would show the error message in the UI ##################> function bind-certificate ( [string]$certificateStore, [string]$thumbprint ) { return "Success" }
Configure the machine
From Authentication Type, select the method you want to use, then follow the corresponding steps.
Warning: Always use the most secure authentication method allowed by your environment. Less secure methods increase the risk of credential exposure.
Note:
- If a username in UPN format (for example, user@domain.com) fails, try using only the username (for example, user).
- Windows Management Framework (WMF) 5.1 or later is required.
Kerberos authentication over HTTPS
Prerequisite configuration
If your organization requires Kerberos over HTTPS, your target Windows host must already have a valid TLS Server Certificate installed before you can use Kerberos authentication.
Note: Kerberos authentication over HTTPS provides the highest level of security with built-in encryption.
Note: The certificate must be installed in the LocalMachine\My CAPI store (Local Computer > Personal store if using the Certificates MMC snap-in).
- An Active Directory domain user that is directly or indirectly a member of the local Administrators group.
- Kerberos authentication enabled.
- A certificate with Server Authentication EKU.
- An HTTPS WinRM listener configured with that certificate.
- Enter the Microsoft Windows (PowerShell) Hostname and WinRM Port.
- Enable Use TLS for WinRM if desired.Tip: Since Kerberos already has built-in encryption, this option is not required to secure data in transit.
- Enter the Domain Name, Key Distribution Center Address/Hostname, and Service Principal Name.Tip: To view your SPN, run setspn –L hostname.
- From Credential Type, select Enter Credentials or Select Credentials.Important: Credential visibility depends on your role.
- Enter the required credentials.Warning: If a UPN-formatted username fails, try using only the username.Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Create.
Kerberos authentication over HTTP
Prerequisite configuration
- An Active Directory domain user that is directly or indirectly a member of the local Administrators group.
- Kerberos authentication enabled.
- Unencrypted WinRM traffic allowed.
- Enter the Microsoft Windows (PowerShell) Hostname and WinRM Port.
- Leave Use TLS for WinRM disabled.Tip: Kerberos provides encryption even without TLS.
- Enter the Domain Name, Key Distribution Center Address/Hostname, and Service Principal Name.
- From Credential Type, select Enter Credentials or Select Credentials.
- Enter the required credentials.Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Create.
Basic authentication over HTTPS
Prerequisite configuration
Basic authentication must be used only over TLS.
Note: The certificate must be installed in the LocalMachine\My CAPI store.
- A local (non-domain) user that is a member of the local Administrators group.
- Basic authentication enabled.
- HTTPS WinRM listener configured.
- Enter the Microsoft Windows (PowerShell) Hostname and WinRM Port.
- Enable Use TLS for WinRM.Warning: Disabling TLS sends credentials in plaintext.
- From Credential Type, select Enter Credentials or Select Credentials.
- Enter the required credentials.Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Continue.
What's next?
Return to Create a new machine to finish configuring discovery and provisioning schedules.
For existing machines: