Understanding managed endpoints:

A managed endpoint is any machine that PowerShell Orchestrator connects to in order to collect assessment data. This includes:

• Active Directory domain controllers
• Windows member servers
• Workstations (if included in your assessment scope)
• Microsoft Entra ID (connected via the configured service account, not a direct machine connection)

PowerShell Orchestrator connects to endpoints using PowerShell Remoting over WinRM. The service account configured during installation is used to authenticate to each endpoint.

Prerequisites:

Before adding managed endpoints, confirm the following on each target machine:

• WinRM is enabled and the WinRM service is running
• The PowerShell Orchestrator service account has read permissions on the target machine
• No firewall is blocking WinRM traffic between the orchestrator machine and the target endpoint

Default WinRM ports:

Anthropic recommends using HTTPS (port 5986) for WinRM connections in production environments to encrypt traffic between the orchestrator and managed endpoints.

[Your administrator should confirm which WinRM protocol and port are used in your environment.]

Enabling WinRM on target endpoints:

If WinRM is not already enabled on a target endpoint, run the following in PowerShell as Administrator on that machine:

Enable-PSRemoting -Force

To enable WinRM across multiple machines simultaneously, use Group Policy:

1. Open Group Policy Management Console
2. Create or edit a GPO linked to the relevant OU
3. Navigate to:

Computer Configuration → Policies → Windows Settings →

Security Settings → System Services → Windows Remote Management

4. Set the service startup mode to Automatic
5. Apply the GPO

[Your administrator should confirm whether WinRM is already managed via Group Policy in your environment before making manual changes.]

Testing connectivity to a target endpoint:

Before adding an endpoint to PowerShell Orchestrator, test that the orchestrator machine can successfully connect to it:

Test-WSMan -ComputerName <hostname or IP> -Credential (Get-Credential)

A successful result returns the WinRM service information for the target machine. If the test fails:

• Confirm WinRM is running on the target machine
• Confirm no firewall is blocking ports 5985 or 5986
• Confirm the service account has permission to connect remotely

Adding managed endpoints in LT Auditor ^MP:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to Configure → PowerShell Orchestrator
3. Click Add Endpoint
4. Configure the endpoint details:
   • Name — a descriptive name for the endpoint (e.g., DC01 — Primary Domain Controller)
   • Hostname or IP Address — the address of the target machine
   • Connection Protocol — HTTP or HTTPS
   • Port — 5985 (HTTP) or 5986 (HTTPS)
   • Credential — select the configured service account
5. Click Test Connection to verify connectivity before saving
6. Click Save

Repeat this process for each endpoint you want to include in assessments.

[Your administrator should maintain a list of all managed endpoints and their roles in your environment.]

Adding Microsoft Entra ID as a managed target:

Entra ID is connected as a cloud target rather than a direct machine endpoint.

1. Navigate to Configure → PowerShell Orchestrator → Cloud Targets
2. Click Add Entra ID Target
3. Enter the following details from your App Registration in the Azure Portal:
   • Tenant ID
   • Client ID
   • Client Secret
4. Click Test Connection to verify the credentials
5. Click Save

[Your administrator should refer to the EntraConnector Prerequisites article for instructions on creating and configuring the App Registration in the Azure Portal if this has not already been done.]

Verifying endpoint connectivity:

After adding endpoints, confirm they are showing as reachable in LT Auditor ^MP:

1. Navigate to Configure → PowerShell Orchestrator
2. Review the endpoint list — each endpoint should show a status of Reachable
3. If any endpoint shows as Unreachable, check:
   • The WinRM service is running on that machine
   • The hostname or IP address is correct
   • No firewall is blocking the WinRM port
   • The service account credentials are valid and have not expired

Removing a managed endpoint:

If a machine is decommissioned or no longer needs to be included in assessments:

1. Navigate to Configure → PowerShell Orchestrator
2. Locate the endpoint in the list
3. Click the Delete icon next to it
4. Confirm the deletion

Removing an endpoint stops future assessments from running against it. Historical assessment data collected from that endpoint is retained in the LT Auditor ^MP database and is not affected.

Best practices:

• Always test connectivity before saving a new endpoint to catch configuration issues early
• Use HTTPS for WinRM connections in production to encrypt assessment traffic
• Use a dedicated, least-privilege service account — avoid using a domain admin account for orchestrator connections
• Keep the endpoint list current — remove decommissioned machines promptly to avoid failed assessment runs
• Manage WinRM configuration via Group Policy for consistency across large environments
• Document each managed endpoint and its role so other administrators understand the assessment scope

[Your administrator should review the managed endpoint list regularly to ensure it reflects the current state of your environment.]