To collect session latency metrics and establish a MS SQL Server relationship, users must install a signed certificate and set up WinRM HTTPS on each VDA and DDC (XenDesktop Delivery Controller) as outlined in the following sub-topics.

Create a signed certificate for the system to be monitored

Note the following requirements for the certificate:

  • The certificate can be self-signed or signed by an authority.
  • If self-signed, vROps must be told to ignore SSL verification.
  • The certificate must include the private key for the system.
Important: If creating the certificate manually, the PFX format (which includes both a certificate and private key) is required by Windows.

Install the certificate on the target system

  1. Open mmc.
  2. Add Snap-in Certificates:
    1. Select File > Add Snap-in.
    2. Select Certificates.
    3. Select Computer Account.
    4. Select Local computer.
    5. Click OK.
  3. Expand the certificates tree:
    1. Select Personal/Certificates (or just Personal if /Certificates does not exist).
    2. Right-click inside the directory and select:
      1. All tasks > Import.
      2. Locate your certificate, then click OK.

Install certificate authority certificate (Optional)

If the certificate installed above was signed by an authority, you will need to install a trusted authority certificate, provided by your authority.

  1. Under the Certificates (Local Computer) snap-in, select Trusted Root Certificates/Certificates.
  2. Right-click and select All tasks > Import to import a certificate.
  3. Navigate to your certificate authority's provided certificate, then click OK.
Important: Any system connecting to the target system with WinRM HTTPS will also need your root certificate authority’s certificate.

Enable WinRM

  1. Launch the Command Prompt as an Administrator (NOTE: Do not use PowerShell).
  2. Execute the following command: winrm quickconfig

    Important: This will enable HTTP listening by default (using port 5985). The HTTP listener can be removed later.
  3. Find your certificate thumbprint:

    1. Open the mmc snap-in and find your personal certificate.

    2. Double-click the certificate. On the details tab, find Certificate Thumbprint.

  4. Create the HTTPS listener:

    1. Execute the following command:winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<YOUR_DNS_NAME>"; CertificateThumbprint="<COPIED_CERTIFICATE_THUMBPRINT>"}

      Important: NOTE: YOUR_DNS_NAME must match what the certificate specifies. The COPIED_CERTIFICATE_THUMBPRINT must match the thumbprint found in the previous step.
  5. Verify that WinRM is using HTTPS:

    1.  Execute the following command: winrm enumerate winrm/config/listener

      Important: The default port used is 5986 (HTTPS). The default HTTP port is 5985.
  6. Delete HTTP listener (Optional):

    1. Execute the following command: winrm delete winrm/config/Listener?Address=*+Transport=HTTP

Reference: Commands to enable supported authentication mechanisms

Note the following commands can be used to enable the supported authentication mechanisms:


winrm set winrm/config/service/auth @{Basic="true"}


winrm set winrm/config/service/auth @{Negotiate="true"}


winrm set winrm/config/service/auth @{Kerberos="true"}