Prerequisites for Adding the Windows Host to CHAI™ for Discovery and Transform
Resource Requirements
| Resource | CPU | RAM | Disk Space |
|---|---|---|---|
| Requirement | 4 cores | 8 GB | >20 GB in C:\ drive |
PowerShell Version 3+
CHAI™ connects to the Windows Host over the network using WinRM (Windows Remote Management), which depends on the underlying PowerShell version. The minimum version required is 3.
Note: Windows 2012 R2, 2016 and 2022 are supported out of the box, so no installation of PowerShell is required.
| OS | PS Version 3 | PS Version 4 | PS Version 5 |
|---|---|---|---|
| 2012 | - | Default | - |
| 2016 | - | - | Default |
Verify the PowerShell version as follows:
```
C:\>$PSVersionTable.PSVersion
```
Output:
```
Major  Minor  Build  Revision
-----  -----  -----  --------
3      0      -1     -1
```
Administrative Access on Host
- The user account that CHAI™ uses to authenticate with the Windows Host should have Administrator rights.
Remote Execution Policy
Execute the command Get-ExecutionPolicy -List and verify that the output is similar to the following:
```
PS> Get-ExecutionPolicy -List
        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    RemoteSigned
```
If LocalMachine shows Undefined, set that policy to "RemoteSigned" using the following PowerShell command:
Verify the updated policy as follows:
```
PS> Get-ExecutionPolicy -List
        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    RemoteSigned
```
Configure WinRM
The following prerequisites also need to be enabled:
- Enable PSRemoting
- Set WinRM to run with the following configuration:
  - Basic authentication for server
  - Port 5986 is open
CHAI™ uses a PowerShell script that will ensure all the above prerequisites are set.
Please download the PowerShell script to the Windows Host. The file will be downloaded as "ConfigureRemoting.ps1".
Execute the script as follows:
```
PS C:\> .\ConfigureRemoting.ps1
Self-signed SSL certificate generated; thumbprint: 89E65FE46301E79A5A583244945201C3A72FCEDE
wxf: http://schemas.xmlsoap.org/ws/2004/09/transfer
a : http://schemas.xmlsoap.org/ws/2004/08/addressing
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
Lang : en-US
Address: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters
Ok.
```
Disable UAC Remote Restrictions
⚠️ Skip the steps below if you are using an AD user or domain user to log in to the host.
Option A: PowerShell Command
Open Windows PowerShell as an Administrator and execute the command below:
```
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1
```
Option B: Manual Configuration
- Click Start, click Run, type regedit, and then press Enter
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- If the LocalAccountTokenFilterPolicy registry entry doesn't exist, follow these steps:
  - Right-click on blank white area, click New, and then select DWORD Value
  - Type LocalAccountTokenFilterPolicy, and then press Enter
- Right-click LocalAccountTokenFilterPolicy, and then select Modify
- In the Value data box, type 1, and then select Ok
- Exit Registry Editor
Whitelist winchtoolpy.exe in the AntiVirus Software
If the Windows host is running AntiVirus software, add winchtoolpy.exe to the AntiVirus software whitelist.
Connection between Host and CHAI™
CHAI™ authenticates with the Windows Host using the following 2 methods over WinRM:
- Kerberos
- Username and password
The Host communicates back to CHAI™ over port 443 (HTTPS). Please ensure that port 443 is enabled on the Host for external communication and unblocked on the firewall between the Host and CHAI™.
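A read-only check of the settings this page asks for, given here as an added example (it is not part of CHAI™ or of ConfigureRemoting.ps1). The names Test-ChaiPrerequisites, New-Check and the -ChaiHost parameter are assumptions made for this example, and the AllowUnencrypted check goes beyond the page's list because Basic authentication is only safe when WinRM refuses non-HTTPS traffic.

```powershell
# Added example: read-only preflight for the prerequisites listed on this page.
# Save as a .ps1 file and run from an elevated PowerShell session on the Windows host.
param([string]$ChaiHost = '')  # assumption: your CHAI address; empty skips the 443 test

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Test-ChaiPrerequisites([string]$ChaiHost) {
    $v = $PSVersionTable.PSVersion
    New-Check 'PowerShell version is 3 or later' ($v.Major -ge 3) $v

    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $role = [Security.Principal.WindowsBuiltInRole]::Administrator
    $admin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole($role)
    New-Check 'Session is elevated (needed to read WinRM config)' $admin $id.Name

    $ep = Get-ExecutionPolicy -Scope LocalMachine
    New-Check 'LocalMachine execution policy is RemoteSigned' ($ep -eq 'RemoteSigned') $ep

    # HTTPS listener on 5986, reported with the certificate thumbprint it is bound to
    $l = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue |
           Where-Object { $_.Transport -eq 'HTTPS' -and $_.Port -eq '5986' })
    New-Check 'WinRM HTTPS listener on port 5986' ($l.Count -gt 0) ($l | ForEach-Object { $_.CertificateThumbprint })

    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic -ErrorAction SilentlyContinue).Value
    New-Check 'Basic authentication enabled for the WinRM service' ($basic -eq 'true') $basic

    # Not on the page's list: Basic sends the password base64-encoded, so it must only travel over HTTPS
    $plain = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction SilentlyContinue).Value
    New-Check 'Unencrypted WinRM traffic is refused' ($plain -eq 'false') "AllowUnencrypted=$plain"

    # Only required for local (non-domain) accounts, as the page notes
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    New-Check 'LocalAccountTokenFilterPolicy is 1 (local accounts only)' ($uac -eq 1) "value=$uac"

    if ($ChaiHost) {
        # TcpClient instead of Test-NetConnection so the check also runs on PowerShell 3
        $c = New-Object Net.Sockets.TcpClient
        try { $ok = $c.BeginConnect($ChaiHost, 443, $null, $null).AsyncWaitHandle.WaitOne(3000) -and $c.Connected }
        catch { $ok = $false } finally { $c.Close() }
        New-Check "Outbound TCP 443 to $ChaiHost" $ok ''
    }
}

Test-ChaiPrerequisites $ChaiHost | Select-Object Check, Pass, Detail | Format-Table -AutoSize -Wrap
```

The thumbprint shown for the listener can be compared with the one ConfigureRemoting.ps1 printed when it generated the self-signed certificate.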