Skip to main content

Configuring Windows Server for OS device-driver updates

Lenovo XClarity Administrator uses the Windows Remote Management service (WinRM) listening over HTTPS or HTTP to run device-driver update commands on target Windows systems. The WinRM service must be correctly configured on the target servers before attempting to update OS device drivers.

Before you begin

Required ports must be available. For more information, see Port availability.

For more information about configuring Windows Server before updating OS device driver, see the XClarity Administrator: Preparing for OS Device Driver Updates (white paper).

Procedure

To configure Windows Server to support updating OS device drivers, complete the following steps.

  • For HTTPS

    1. Sign and install a server certificate on each of your target Windows systems.

      Important
      The certificate must contain the following information.

      • In the Subject, ensure that the Domain Component is set (for example, DC=labs, DC=com, DC=company).

      • In the Subject Alternative Name, ensure that the DNS Name and host IP Address are set (for example, DNS Name=node1325C554A6F.labs.company.com and IP Address=10.245.43.149).

    2. Configure the remote management commands and data over an HTTPS connection by running one of the following commands from an administrative command prompt, and then confirm the suggested configuration changes.

      • winrm quickconfig -transport:https
      • winrm create winrm/config/Listener?Address=*+Transport=HTTPS 
        @{Hostname="host_name";CertificateThumbprint="certificate_thumbprint"}

      To manually set up a WinRM HTTPS listener according to WinRM documentation, see the How to configure WinRM for HTTPS webpage.

    3. Enable basic authentication of local Windows users by running the following command from an administrative command prompt.

      winrm set winrm/config/service/Auth @{Basic="true"}

    4. To avoid a possible timeout and sending WinRM request errors in compliance checking and performing driver updates, increase the default value for the WinRM response timeout by running the following command from an administrative command prompt. A value of 280000 is recommended. For more information, see the Installation and Configuration for Windows Remote Management webpage.

      winrm set winrm/config @{MaxTimeoutms="280000"}

    5. Open the port in your firewall that you configured for the WinRM HTTPS listener. The default HTTPS port is 5986. For example

      netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow 
      protocol=TCP localport=5986

    6. If you are using HTTPS listeners, adds the certificate to the XClarity Administrator trust store by completing the following steps. Adding the certificate to the trust store allows XClarity Administrator to trust the WinRM HTTPS listeners to which it connects. Repeat the following steps for any additional certification paths that need to be trusted for the Windows Remote Management service.

      1. Identify and collect the Certificate Authority root certificate that you used to sign the server certificates for the target Windows systems. If you do not have access to the CA root certificate, collect the server certificate itself or another certificate in the certification path.

      2. From the XClarity Administrator menu bar, click Administration > Security to display the Security page.

      3. Click Trusted Certificates under the Certificate Management section.

      4. Click the Create icon (Create icon) to display the Add Certificate dialog.

      5. Either browse for the certificate file that you collected in step 1, or copy/paste the contents of the certificate file into the text box.

      6. Click Create.

    7. After the WinRM listener is running on your target Windows systems, XClarity Administrator can connect to these systems and perform the device driver updates.

  • For HTTP

    1. Configure the remote management commands and data over an HTTP connection by running the following command from an administrative command prompt, and then confirm the suggested configuration changes.

      winrm quickconfig

    2. Enable basic authentication of local Windows users by running the following command from an administrative command prompt.

      winrm set winrm/config/service/Auth @{Basic="true"}

    3. Allocate enough memory for the update commands on this system by running the following command from an administrative command prompt.

      winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}

    4. Allow unencrypted data by running the following command from an administrative command prompt.

      winrm set winrm/config/service @{AllowUnencrypted="true"}

    5. Open the port in your firewall that you configured for the WinRM HTTP listener. The default HTTPS port is 5985. For example

      netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow 
      protocol=TCP localport=5985

    After the WinRM listener is running on your target Windows systems, XClarity Administrator can connect to these systems and perform the device driver updates.