WinRM unencrypted via HTTP


I got a problem regarding WinRM and VMWare Orchestrator 5.5. and hope someone can help me.

When I add a powershell host using WinRM, HTTP I receive an error:

w:MaxEnvelopeSize xmlns:w="" mustUnderstand="true">153600</w:MaxEnvelopeSize>

    <a:MessageID xmlns:a="">uuid:C3F974DC-F8C4-4AB5-A98F-3B3A29B25F08</a:MessageID>

    <w:Locale xmlns:w="" mustUnderstand="false" xml:lang="en-US"/>

    <p:DataLocale xmlns:p="" mustUnderstand="false" xml:lang="en-US"/>

    <w:OperationTimeout xmlns:w="">PT180.000S</w:OperationTimeout>

    <a:Action xmlns:a="" mustUnderstand="true"></a:Action>

    <w:ResourceURI xmlns:w="" mustUnderstand="true"></w:ResourceURI>

    <w:OptionSet xmlns:w="">

      <w:Option Name="WINRS_NOPROFILE">FALSE</w:Option>

      <w:Option Name="WINRS_CODEPAGE">437</w:Option>




    <rsp:Shell xmlns:rsp="">


      <rsp:OutputStreams>stdout stderr</rsp:OutputStreams>




, document out [EMPTY], (Dynamic Script Module name : addPowerShellHost#16)

However I found out that it is working if I set the WinRm to "AllowUnencrypted" on the client.

Interestingly WinRM encrypted is working if I just remotely connect via powershell, therefore this seems to be a setting or limitation on the Orchestrator.

Is it by design not possible or do I miss a specific setting?

0 Kudos
4 Replies

Hello theire,

i didn't used Orchestrator so far.

But maybe that Helps:

VMware vCenter Orchestrator Plug-In Documentation Center

Best regards


0 Kudos

Thank you for the hint. I already tested HTTPS and this is working as the encryption is then put to another level.

However there is a significant impact on simplicity as certificates must be auto-enrolled and they can not be automatically be extended because the certificate is "hardcoded" to the WinRM setting (this is the actual pain).

Therefore I hoped to find a solution that will allow encryption on WinRM application layer rather than on the protocol.

0 Kudos

I had to enable unencrypted on my Windows hosts since it is disabled by default.  You can check with:

winrm get winrm/config/service

winrm get winrm/config/client

REM enable unencrypted

winrm set winrm/config/service @{AllowUnencrypted="True"}

winrm set winrm/config/client @{AllowUnencrypted="True"}

Thats from a Windows Admin cmd prompt.  If you use powershell, you'll need to escape a bunch - `@`{AllowUnencrypted=`"True`"`}

Typed that from memory, so syntax may be slightly off; should be able to find via google if I remembered wrong.

0 Kudos
VMware Employee
VMware Employee

WinRm to "AllowUnencrypted" set to true is requirement of the third party library used by PowerShell plugin. As far as I remember this requirement is documented in PowerShell plugin documentation

AllowUnencrypted=false is not supported.

0 Kudos