Skip to main content

Configuring Windows Server for OS device-driver updates

Lenovo XClarity Administrator uses the Windows Remote Management service (WinRM) listening over HTTPS or HTTP to run device-driver update commands on target Windows systems. The WinRM service must be correctly configured on the target servers before attempting to update OS device drivers.

Before you begin

Required ports must be available. For more information, see Port availability.

For more information about configuring Windows Server before updating OS device driver, see the XClarity Administrator: Preparing for OS Device Driver Updates (white paper).

Procedure

To configure Windows Server to support updating OS device drivers, complete the following steps.

  • For HTTPS

    1. Sign and install a server certificate on each of your target Windows systems.

      Important
      The certificate must contain the following information.
      • In the Subject, ensure that the Domain Component is set (for example, DC=labs, DC=com, DC=company).

      • In the Subject Alternative Name, ensure that the DNS Name and host IP Address are set (for example, DNS Name=node1325C554A6F.labs.company.com and IP Address=10.245.43.149).

    2. Configure the remote management commands and data over an HTTPS connection by running one of the following commands from an administrative command prompt, and then confirm the suggested configuration changes.

      • winrm quickconfig -transport:https
      • winrm create winrm/config/Listener?Address=*+Transport=HTTPS 
        @{Hostname="host_name";CertificateThumbprint="certificate_thumbprint"}

      To manually set up a WinRM HTTPS listener according to WinRM documentation, see the How to configure WinRM for HTTPS webpage.

    3. Configure authentication settings, depending on whether you want to use domain accounts or Windows local user accounts to access target Windows servers.

      • Domain accounts

        If you want to use domain accounts that are created and managed in the network domain, Kerberos authentication must be enabled in WinRM. It is enabled in WinRM by default. If it is currently disabled, you can enable it by running the following command from an administrative command prompt.
        winrm set winrm/config/service/Auth @{Kerberos="true"}
        In addition, you need to add the domain accounts to XClarity Administrator by completing the following steps
        1. From the XClarity Administrator menu bar, click Provisioning > Windows Driver Updates: Apply. The Windows Driver Updates: Apply page is displayed.
        2. Click All Actions > Manage Domain Account. The Manage Domain Accounts dialog is displayed.
        3. Click the Create icon (Create icon). to add a realm for the domain account. The Create Realm dialog is displayed.
        4. Specify a realm name and one or more key distribution center hostnames. Use the Add icon (Add icon) to add another host name and use Remove icon (Remove icon) to remove a host name.
        5. Select the realm to use by default in the Apply this realm as the default select field above the table.
        6. Click Save to save the configuration.
        Important
        • The managed Windows servers must be in the domain network before configuring domain accounts.

        • When you add stored credentials for a domain account in XClarity Administrator, use the format USER@DOMAIN. The format DOMAIN/USER is not supported.

      • Windows local user accounts

        If you want to use user accounts that were created on the target Windows servers, basic authentication must be enabled. It is disabled in WinRM by default. If it is currently disabled, you can enable it by running the following command from an administrative command prompt.
        winrm set winrm/config/service/Auth @{Basic="true"}
      Important
      WinRM command uses Negotiate authentication to configure the WinRM subsystem. Do not disable negotiate authentication.
    4. To avoid a possible timeout and sending WinRM request errors in compliance checking and performing driver updates, increase the default value for the WinRM response timeout by running the following command from an administrative command prompt. A value of 280000 is recommended. For more information, see the Installation and Configuration for Windows Remote Management webpage.

      winrm set winrm/config @{MaxTimeoutms="280000"}
    5. Open the port in your firewall that you configured for the WinRM HTTPS listener. The default HTTPS port is 5986. For example

      netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow 
      protocol=TCP localport=5986
    6. If you are using HTTPS listeners, adds the certificate to the XClarity Administrator trust store by completing the following steps. Adding the certificate to the trust store allows XClarity Administrator to trust the WinRM HTTPS listeners to which it connects. Repeat the following steps for any additional certification paths that need to be trusted for the Windows Remote Management service.

      1. Identify and collect the Certificate Authority root certificate that you used to sign the server certificates for the target Windows systems. If you do not have access to the CA root certificate, collect the server certificate itself or another certificate in the certification path.

      2. From the XClarity Administrator menu bar, click Administration > Security to display the Security page.

      3. Click Trusted Certificates under the Certificate Management section.

      4. Click the Create icon (Create icon) to display the Add Certificate dialog.

      5. Either browse for the certificate file that you collected in step 1, or copy/paste the contents of the certificate file into the text box.

      6. Click Create.

    7. After the WinRM listener is running on your target Windows systems, XClarity Administrator can connect to these systems and perform the device driver updates.
  • For HTTP

    1. Configure the remote management commands and data over an HTTP connection by running the following command from an administrative command prompt, and then confirm the suggested configuration changes.

      winrm quickconfig
    2. Configure authentication settings, depending on whether you want to use domain accounts or Windows local user accounts to access target Windows servers.

      • Domain accounts

        If you want to use domain accounts that are created and managed in the network domain, Kerberos authentication must be enabled in WinRM. It is enabled in WinRM by default. If it is currently disabled, you can enable it by running the following command from an administrative command prompt.
        winrm set winrm/config/service/Auth @{Kerberos="true"}
        In addition, you need to add the domain accounts to XClarity Administrator by completing the following steps
        1. From the XClarity Administrator menu bar, click Provisioning > Windows Driver Updates: Apply. The Windows Driver Updates: Apply page is displayed.
        2. Click All Actions > Manage Domain Account. The Manage Domain Accounts dialog is displayed.
        3. Click the Create icon (Create icon). to add a realm for the domain account. The Create Realm dialog is displayed.
        4. Specify a realm name and one or more key distribution center hostnames. Use the Add icon (Add icon) to add another host name and use Remove icon (Remove icon) to remove a host name.
        5. Select the realm to use by default in the Apply this realm as the default select field above the table.
        6. Click Save to save the configuration.
        Important
        • The managed Windows servers must be in the domain network before configuring domain accounts.

        • When you add stored credentials for a domain account in XClarity Administrator, use the format USER@DOMAIN. The format DOMAIN/USER is not supported.

      • Windows local user accounts

        If you want to use user accounts that were created on the target Windows servers, basic authentication must be enabled. It is disabled in WinRM by default. If it is currently disabled, you can enable it by running the following command from an administrative command prompt.
        winrm set winrm/config/service/Auth @{Basic="true"}
      Important
      WinRM command uses Negotiate authentication to configure the WinRM subsystem. Do not disable negotiate authentication.
    3. Allocate enough memory for the update commands on this system by running the following command from an administrative command prompt.

      winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}
    4. Allow unencrypted data by running the following command from an administrative command prompt.

      winrm set winrm/config/service @{AllowUnencrypted="true"}
    5. Open the port in your firewall that you configured for the WinRM HTTP listener. The default HTTPS port is 5985. For example

      netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow 
      protocol=TCP localport=5985

    After the WinRM listener is running on your target Windows systems, XClarity Administrator can connect to these systems and perform the device driver updates.