PowerShell remoting maintains a list of trusted IP addresses and/or machine names on the client side (the machine that issues the command and authenticates at the server). This list is important for you because it governs how you can authenticate to remote computers.
By default, PowerShell remoting supports only Kerberos authentication because it is the most secure option and authenticates both sides, client and server. It requires Active Directory, though, and does not work with IP addresses.
# execute PowerShell code remotely
Invoke-Command { Get-Service } -ComputerName storage2 -Credential AdminUser
In this example, AdminUser would need to be a domain account recognized on storage2 with the proper permissions to access it.
By adding IP addresses and/or computer names to TrustedHosts, you can use NTLM authentication, too. This way, you can authenticate with local accounts and remote into stand-alone systems, systems outside your domain, and also systems you specify by IP address.
Wildcards are allowed, too, so when you set TrustedHosts to “*”, you can use NTLM authentication with any computer. That isn’t always clever, though, because now an attacker could unplug a server, replace it with a rogue machine, and capture your password, and you wouldn’t notice that it is no longer the machine you intended to contact. Therefore, make changes to TrustedHosts only for computers you know are located in a safe environment – that you “trust”.
The TrustedHosts list is accessible only to administrators, and only when the WinRM service is running. Launch an elevated PowerShell environment, and make sure the WinRM service is running:
PS> Start-Service -Name WinRM
To view the current content of TrustedHosts, run this:
PS> Get-ChildItem -Path WSMan:\localhost\Client\TrustedHosts

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   TrustedHosts

By default, the list is empty. To overwrite its content, e.g. with an IP range, use Set-Item:
PS> Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 192.168.* -Force
To add more entries, add the -Concatenate parameter. This adds a distinct computer name:
PS> Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value storage2 -Concatenate -Force
Now try and dump the changed content. The result is a comma-separated list supporting wildcards:
PS> Get-ChildItem -Path WSMan:\localhost\Client\TrustedHosts

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   TrustedHosts                                   192.168.*,storage2

To revert TrustedHosts to default and empty it, use Clear-Item:
PS> Clear-Item -Path WSMan:\localhost\Client\TrustedHosts -Force
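
Because the list is a comma-separated string that may contain wildcards, it is worth auditing which entries allow NTLM to a whole range of machines. The following is an added example, not part of the original tip: the function name Get-TrustedHostsRisk and the High/Medium/Low labels are assumptions made for illustration, and the sample value is constructed.

```powershell
# Added example: classify each TrustedHosts entry by how broadly it permits NTLM.
function Get-TrustedHostsRisk {
    param(
        # Comma-separated list as stored in WSMan:\localhost\Client\TrustedHosts
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Value
    )

    # Split the list, trim whitespace, and drop empty entries (an empty list yields no output)
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        if ($entry -eq '*') {
            # A bare wildcard trusts every machine, including a swapped-in one
            $risk = 'High';   $reason = 'Matches every host'
        }
        elseif ($entry.Contains('*')) {
            $risk = 'Medium'; $reason = 'Wildcard pattern matches a range of hosts'
        }
        else {
            $risk = 'Low';    $reason = 'Single named host or address'
        }
        [pscustomobject]@{ Entry = $entry; Risk = $risk; Reason = $reason }
    }
}

# Constructed sample value (not taken from a real system)
$sample = '192.168.*,storage2,*'
Get-TrustedHostsRisk -Value $sample | Format-Table -AutoSize

# On a live system (elevated, WinRM running), audit the real list instead:
# Get-TrustedHostsRisk -Value (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
```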