Before you add a physical machine to a manual unmanaged desktop pool, you must log in to the machine as an administrator and perform certain configuration tasks.

Prerequisites

  • Verify that you have administrator credentials for logging in to the machine. If the machine is joined to a domain, obtain domain administrator credentials.
  • Familiarize yourself with the procedure for configuring WinRM to use HTTP. See "Configure WinRM to Use HTTP," in the vCenter Plug-Ins documentation.

Procedure

  1. Log in as an administrator and set the Windows Remote Manager service to start automatically:
    1. Go to the Services applet.
      For example, on Windows 7 machines, you can go to Start > Administrative Tools > Services.
    2. Right-click the Windows Remote Management (WS-Management) service and select Properties.
    3. Select the startup type Automatic, click Start, and click OK after the service starts.
  2. Start PowerShell as an administrator and use the following commands to configure remote execution policies:
    1. Use the following command to verify that the policy is set to RemoteSigned.
      Get-ExecutionPolicy
    2. If the policy is set to Restricted, use the following command:
      Set-ExecutionPolicy RemoteSigned

      Press Y when prompted.

    3. Use the following command to enable remote execution for WinRM
      Enable-PSRemoting

      Press Y when prompted.

    4. Use a command to add vRealize Orchestrator hosts as trusted servers.
      Option Command
      Add all machines as trusted hosts. Set-Item wsman:\localhost\client\trustedhosts * or

      set-item wsman:\localhost\Client\TrustedHosts -value *

      Add all domain machines as trusted hosts. set-item wsman:\localhost\Client\TrustedHosts *.domain.com
      Add a single machine (use the FQDN of the machine). set-item wsman:\localhost\Client\TrustedHosts -value hostname.domain.com
      Add a single machine using the IP address. set-item wsman:\localhost\Client\TrustedHosts -value xxx.xxx.xxx.xxx
      Press Y when prompted.
      Note: You can use the following command to see the list of trusted hosts:
      Get-item wsman:\localhost\Client\TrustedHosts
      
    5. Use the following command to restart WinRM Service:
      Restart-Service WinRM
  3. On another Windows machine, test the connection to the machine you just configured by running the following command:
    Test-WsMan IP-or-DNS-of-machine
    For example: Test-WsMan 12.34.56.78
    The output is similar to:
    wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor   : Microsoft Corporation
    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 2.0

    If you use the following command, the output lists the contents of the C drive:

    Invoke-Command -ComputerName IP-or-DNS-of-machine -ScriptBlock { Get-ChildItem C:\ } 
    -credential domain\administrator
  4. Open a command prompt and configure the physical machine (WinRM host) to enable the communication with the PowerShell plug-in through the HTTP protocol.
    If you use PowerShell 2.0, enclose the commands in single quotes, as follows:
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    
    winrm set winrm/config/client/auth '@{Basic="true"}'
    winrm set winrm/config/client '@{AllowUnencrypted="true"}'
    If the WinRM host machine is in an external domain, you must also run the following command to specify the trusted hosts:
    winrm set winrm/config/client @{TrustedHosts="host1, host2, host3"}
    You can use the following command to verify the settings after you finish making changes:
    winrm get winrm/config
  5. For machines that belong to a domain, enable and test Kerberos authentication:
    1. Open a command prompt and use the following commands to enable Kerberos authentication:
      winrm set winrm/config/service/auth '@{Kerberos=”true”}'
      winrm set winrm/config/service '@{AllowUnencrypted="true"}'
      
      winrm set winrm/config/client/auth '@{Kerberos=”true”}'
      winrm set winrm/config/client '@{AllowUnencrypted="true"}'
      
    2. Use the following command to test Kerberos authentication:
      winrm id -r:machine.domain.com -auth:Kerberos -u:administrator@domain.com -p:'password'
  6. Install Horizon Agent in the physical machine.

What to do next

Configure authentication on the vRealize Orchestrator server. See Configure vRealize Orchestrator to Use Kerberos Authentication with Physical Machines.