To run OfficeExpert in hybrid infrastructures (Azure Active Directory Connect server, ADFS server) or if you want to run the Azure Sync simulation, please make sure that remote PowerShell is active on each of the target hosts:


Configuration (Non-encrypted Communication)



Note: This is the MOST used way!



  • Enable-PSRemoting -force
  • set-item -force WSMan:\localhost\Service\Auth\Basic $true
  • set-item -force WSMan:\localhost\Client\AllowUnencrypted $true
  • set-item -force WSMan:\localhost\Service\AllowUnencrypted $true
  • Make sure that you use an account which is member of the local Administrator group of the target host (no need to be a Domain admin)
  • TCP Port 5985 and 5986 needs to be opened between OfficeExpert and target host
  • Make sure that the OE Windows Proxy host is listed as a TrustedHost on the Destination System (Exchange Onprem, ...)
    • Check the current setting:  Get-Item -Path WSMan:\localhost\Client\TrustedHosts
    • Add the OE host:  Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value <FQDN_of_OE_WindowsProxy> -Force



Configuration (encrpyted communication)

  • Open PowerShell on Windows host and execute the following four commands:
    • Enable-PSRemoting –force
    • set-item -force WSMan:\localhost\Service\Auth\Basic $true
    • set-item -force WSMan:\localhost\Client\AllowUnencrypted $false
    • set-item -force WSMan:\localhost\Service\AllowUnencrypted $false

Check if there are already certificates in the Certificate Store (open Powershell on target host)

  • Set-Location Cert:\LocalMachine\My
  • Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint -AutoSize

You should get a list of certificates back (otherwise the list is just empty):

Import Certificate (open PowerShell) - CER

  • Import-Certificate -FilePath "<path to certificate>" -CertStoreLocation Cert:\LocalMachine\My -Verbose

You should get something like this:

Note: If you want to use a PFX, use the command

Import-PfxCertificate -FilePath "<path to pfx>" -CertStoreLocation Cert:\LocalMachine\My -Verbose

Create Self Signed Certificate

  • New-SelfSignedCertificate -DnsName <hostname> -CertStoreLocation Cert:\LocalMachine\My

Now we have imported or created a self-signed certificate which can be used for the Remote PS Call.


How to Connect the Certificate with the WS-MAN Remotely

Copy the correct Thumbprint from Store

    • Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint -AutoSize
    • copy the ThumbPrint you want to use

Open command prompt (cmd)

    • winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<hostname>"; CertificateThumbprint="<your thumbprint >"}

This binds the certificate with HTTPS on the host

Please adjust the address and hostname parameter based on your needs! If you use a Wildcard SSL certificated, make sure that hostname is equal the CN name in the certificate

In case a listener with the same address and HTTPS is configured, please make sure you clean it up first

You can remove an existing entry (for Address=* and Transport HTTPS) by just using

  • winrm delete winrm/config/Listener?Address=*+Transport=HTTPS


Inbound Firewall Setting

Make sure that Inbound connection to TCP port 5986 is allowed on the target host level!

Contact Support

Visit panagenda OfficeExpert on our website!