103

To run PowerShell commands on a machine from a remote machine, we have to add the remote machine to the trusted hosts list of the host machine.

I am adding machine A to machine B's trusted hosts using the following command:

winrm set winrm/config/client '@{TrustedHosts="machineA"}'

How do I add more machines, say machine C and machine D, to the trusted hosts list of machine B?

cmm user

6 Answers

153

I prefer to work with the PSDrive WSMan:\.

Get TrustedHosts

Get-Item WSMan:\localhost\Client\TrustedHosts

Set TrustedHosts

provide a single, comma-separated, string of computer names

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'machineA,machineB'

or (dangerous) a wild-card

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*'

to append to the list, the -Concatenate parameter can be used

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'machineC' -Concatenate
hdev
  • is there a way to append hosts to the list? because I could not find any API for append. – Snow Jul 06 '16 at 09:13
  • 12
    You can append with -Value "machineB" -Concatenate – SxMT Aug 24 '16 at 22:44
  • 1
    @dhcgm This solution does **NOT** work for Domain controlled Servers that rely on Kerberos for authentication. Can you please confirm? So despite adding explicit trusted hosts I can still use non-trusted hosts to access the server as long as I have admin rights on the server. I think this works only for Workgroup Computers. Thanks. – objectNotFound Aug 14 '20 at 04:44
  • @objectNotFound In my environment I used PowerShell Remoting only on Workgroup Computers, so I cannot confirm your thesis. But it sounds plausible. – hdev Aug 14 '20 at 07:13
  • @objectNotFound Works fine for me going between domain member servers, including across domains. What it doesn't do is add permissions to the server you add it to, so if the user you're connecting with doesn't already have permission to the remote server it still won't work, but for different reasons. Once I granted the required permissions to user I was connecting with on the target server I was able to connect fine. – Keith Langmead Feb 01 '23 at 11:08
77
winrm set winrm/config/client '@{TrustedHosts="machineA,machineB"}'
Loïc MICHEL
  • 22
    if anyone gets an `Error: Invalid use of command line ...` response, try removing the single quotation marks – svarog Nov 16 '16 at 07:11
  • This just doesn't work for me, single quotes or not. I get `Error: Invalid use of command` regardless. – Hylle Mar 21 '18 at 13:37
  • @svarog for me it was vice versa. I had to **add** single quotes. Before I had the same error `Error: Invalid use of command`. – Bruno Bieri Sep 17 '18 at 08:30
15

The suggested answer by Loïc MICHEL blindly writes a new value to the TrustedHosts entry.
I believe a better way would be to first query TrustedHosts.
As Jeffery Hicks posted in 2010, first query the TrustedHosts entry:

PS C:\> $current=(get-item WSMan:\localhost\Client\TrustedHosts).value
PS C:\> $current+=",testdsk23,alpha123"
PS C:\> set-item WSMan:\localhost\Client\TrustedHosts -value $current
Altered-Ego
9

I created a module to make dealing with trusted hosts slightly easier, psTrustedHosts. You can find the repo here on GitHub. It provides four functions that make working with trusted hosts easy: Add-TrustedHost, Clear-TrustedHost, Get-TrustedHost, and Remove-TrustedHost. You can install the module from PowerShell Gallery with the following command:

Install-Module psTrustedHosts -Force

In your example, if you wanted to append hosts 'machineC' and 'machineD' you would simply use the following command:

Add-TrustedHost 'machineC','machineD'

To be clear, this adds hosts 'machineC' and 'machineD' to any hosts that already exist, it does not overwrite existing hosts.

The Add-TrustedHost command supports pipeline processing as well (so does the Remove-TrustedHost command) so you could also do the following:

'machineC','machineD' | Add-TrustedHost
Jason Boyd
  • @HerbM Domain names work fine. Ranges with wildcards only seem to work for a single value, i.e. you can have a comma separated list of machines, or a string containing wildcards, but not a comma separated list where one of the values in the list has a wildcard. This looks like a WinRM issue. It _will_ let you add a value with a subnet mask but it doesn't seem to interpret it as a network range when you try to connect to a machine in the range so that does not seem to work. – Jason Boyd Apr 10 '18 at 19:25
  • 2
    And apparently you have to use poor man's 'subnetting' (on octet boundaries) and not CIDR or MASK notation: 192.168.230.* NOT: 192.168.224.0/19 # or whatever – HerbM Apr 12 '18 at 19:36
0

Same as @Altered-Ego but with a .txt file:

Get-Content "C:\ServerList.txt"
machineA,machineB,machineC,machineD

    # Read the comma-separated host list (a single line) from the file
    $ServerList = Get-Content "C:\ServerList.txt"
    $currentTrustHost = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($currentTrustHost.Length -gt 0) {
        # Existing entries: append with a separating comma
        $currentTrustHost += ",$ServerList"
    }
    else {
        # Empty list: the file content becomes the whole value
        $currentTrustHost = $ServerList
    }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $currentTrustHost -Force -ErrorAction SilentlyContinue

The "-ErrorAction SilentlyContinue" is required in old PS versions to avoid a fake error message:

PS C:\Windows\system32> get-item WSMan:\localhost\Client\TrustedHosts


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   TrustedHosts                                   machineA,machineB,machineC,machineD
ilRobby
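
An added example, not part of any answer above and not the psTrustedHosts module's code: the query-then-append approach from the answers by Altered-Ego and ilRobby, extended to skip blank entries and duplicates and to reject new wildcard entries unless explicitly allowed. The function names `Merge-TrustedHostList` and `Add-TrustedHostEntry` are hypothetical.

```powershell
# Added example; function names are hypothetical, not from the page or psTrustedHosts.
function Merge-TrustedHostList {
    # Pure string logic: returns the new comma-separated TrustedHosts value.
    param(
        [string]$Current,        # existing value, may be empty
        [string[]]$Add,          # entries to append
        [switch]$AllowWildcard   # new '*' entries are rejected unless this is set
    )
    # Keep existing entries as they are, minus blanks and duplicates
    $merged = @()
    foreach ($name in ($Current -split ',')) {
        $name = $name.Trim()
        if ($name -and $merged -notcontains $name) { $merged += $name }
    }
    foreach ($name in $Add) {
        $name = "$name".Trim()
        if (-not $name) { continue }
        if ($name.Contains('*') -and -not $AllowWildcard) {
            throw "Refusing wildcard entry '$name' without -AllowWildcard"
        }
        # -notcontains compares case-insensitively, so MACHINEA equals machineA
        if ($merged -notcontains $name) { $merged += $name }
    }
    $merged -join ','
}

function Add-TrustedHostEntry {
    # Reads the live value, merges, and writes only when something changed.
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$AllowWildcard
    )
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value
    $new     = Merge-TrustedHostList -Current $current -Add $ComputerName -AllowWildcard:$AllowWildcard
    if ($new -ne $current) {
        Set-Item $path -Value $new -Force
    }
    $new
}

# Constructed sample values; this call only builds a string and changes nothing:
Merge-TrustedHostList -Current 'machineA, machineB' -Add 'MACHINEA', 'machineC', 'machineD'
```

`Add-TrustedHostEntry 'machineC','machineD'` applies the merged value to the local machine and returns it, so the resulting list can be reviewed or logged.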
0

winrm set winrm/config/client '@{TrustedHosts="ServerA"}'

Generates this error:

Syntax Error: input must be of the form {KEY="VALUE"[;KEY="VALUE"]}

This worked for me (Server 2016):

winrm set winrm/config/client @{TrustedHosts="ServerA"}

stanti