
Prerequisites for Adding the Windows Host to CHAI™ for Discovery and Transform


Resource Requirements

Resource      CPU       RAM    Disk Space
Requirement   4 cores   8 GB   >20 GB in C:\ drive

PowerShell Version 3+

CHAI™ connects to the Windows Host over the network using WinRM (Windows Remote Management), which depends on the underlying PowerShell version. The minimum version required is 3.

Note: Windows 2012 R2, 2016 and 2022 are supported out of the box, so no installation of PowerShell is required.

OS     PS Version 3   PS Version 4   PS Version 5
2012   -              Default        -
2016   -              -              Default

Verify the PowerShell version as follows:

PS C:\> $PSVersionTable.PSVersion
Output:
Major Minor Build Revision
----- ----- ----- --------
3     0     -1    -1

Administrative Access on Host

  • The user account used to authenticate with the Windows Host from CHAI™ should have Administrator rights.

Remote Execution Policy

Execute the command Get-ExecutionPolicy -List and verify that the output is similar to the following:

PS> Get-ExecutionPolicy -List
            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy       Undefined
       UserPolicy       Undefined
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    RemoteSigned

If LocalMachine shows Undefined, set that policy to "RemoteSigned" using the following PowerShell command:

PS> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

Verify the updated policy as follows:

PS> Get-ExecutionPolicy -List
            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy       Undefined
       UserPolicy       Undefined
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    RemoteSigned

Configure WinRM

The following prerequisites also need to be enabled:

  • Enable PSRemoting
  • Set WinRM to run with the following configuration:
      • Basic authentication for server
      • Port 5986 is open

CHAI™ uses a PowerShell script that will ensure all the above prerequisites are set.

Please download the PowerShell script to the Windows Host. The file will be downloaded as "ConfigureRemoting.ps1".

Execute the script as follows:

PS C:\> .\ConfigureRemoting.ps1
    Self-signed SSL certificate generated; thumbprint: 89E65FE46301E79A5A583244945201C3A72FCEDE
    wxf: http://schemas.xmlsoap.org/ws/2004/09/transfer
    a : http://schemas.xmlsoap.org/ws/2004/08/addressing
    w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    Lang : en-US
    Address: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters : ReferenceParameters
    Ok.

Disable UAC Remote Restrictions

⚠️ Skip the steps below if you are using an AD user or domain user to log in to the host

Option A: PowerShell Command

Open Windows PowerShell as an Administrator and execute the command below:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1

Option B: Manual Configuration

  1. Click Start, click Run, type regedit, and then press Enter
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. If the LocalAccountTokenFilterPolicy registry entry doesn't exist, follow these steps:
  4. Right-click on blank white area, click New, and then select DWORD Value
  5. Type LocalAccountTokenFilterPolicy, and then press Enter
  6. Right-click LocalAccountTokenFilterPolicy, and then select Modify
  7. In the Value data box, type 1, and then select Ok
  8. Exit Registry Editor
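
To confirm the settings from the sections above (PowerShell version, execution policy, WinRM configuration, UAC remote restrictions), a read-only check like the following can be run on the host. It is an added example, not part of CHAI™ or ConfigureRemoting.ps1; the function names and the AllowUnencrypted check are assumptions of this example.

```powershell
# Added example: read-only audit of the prerequisites listed on this page.
# Run in an elevated Windows PowerShell session on the host (the WSMan: drive needs it).
# Test-HostPrerequisites and New-Check are hypothetical names, not part of CHAI.
function Test-HostPrerequisites {
    function New-Check($Name, $Value, $Ok) {
        New-Object psobject -Property @{ Check = $Name; Value = "$Value"; Pass = [bool]$Ok }
    }

    # PowerShell 3 or later
    $major = $PSVersionTable.PSVersion.Major
    New-Check 'PowerShell major version >= 3' $major ($major -ge 3)

    # LocalMachine execution policy
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    New-Check 'LocalMachine policy is RemoteSigned' $policy ($policy -eq 'RemoteSigned')

    # HTTPS listener on port 5986, and the certificate bound to it
    $https = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Where-Object { $_.Transport -eq 'HTTPS' -and $_.Port -eq '5986' })
    New-Check 'WinRM HTTPS listener on 5986' $https.Count ($https.Count -gt 0)
    foreach ($l in $https) {
        # Compare this value with the thumbprint ConfigureRemoting.ps1 printed
        New-Check 'Listener certificate thumbprint' $l.CertificateThumbprint ([bool]$l.CertificateThumbprint)
    }

    # Basic authentication on the WinRM service
    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    New-Check 'Basic authentication enabled' $basic ($basic -eq 'true')

    # Not a listed prerequisite (assumption of this example): with Basic enabled,
    # confirm the service refuses unencrypted traffic so credentials only travel over HTTPS.
    $plain = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    New-Check 'AllowUnencrypted is false' $plain ($plain -eq 'false')

    # UAC remote restrictions; only relevant for local (non-domain) accounts
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $latfp = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    New-Check 'LocalAccountTokenFilterPolicy = 1 (local accounts only)' $latfp ($latfp -eq 1)
}

Test-HostPrerequisites | Format-Table Check, Value, Pass -AutoSize
```

The script changes nothing on the host. A False on the last row is expected when an AD or domain user is used, since that step is skipped in that case.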

Whitelist winchtoolpy.exe in the AntiVirus Software

If the Windows host is running antivirus software, add winchtoolpy.exe to the antivirus software whitelist.


Connection between Host and CHAI™

CHAI™ authenticates with the Windows Host using the following 2 methods over WinRM:

  • Kerberos
  • Username and password

The Host communicates back to CHAI™ over port 443 (HTTPS). Please ensure that port 443 is enabled on the Host for external communication and unblocked on the firewall between the Host and CHAI™.