FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff & Editor
Article Id 201518
Description This article describes WinRM Device Profile requirements and setup.
Solution

Requirements:

  • WinRM service must be enabled on endpoints.
  • The WinRM port (5986 for HTTPS, or 5985 for HTTP, which is insecure) must be open through the firewall to the FortiNAC Application server. HTTPS (5986) is strongly encouraged for security purposes.
  • NTLM authentication with domain credentials authorized to run the PowerShell commands Get-WmiObject, Get-ItemProperty, Get-Service, Get-Process and ConvertTo-Json, and to read the registry.
  • Minimum Windows Management Framework (WMF) version: 3.0.


For testing, open the FortiNAC CLI, cd to /bsc/campusMgr/bin/internal, then run the commands below:

 

root@fnc-ca1:/bsc/campusMgr/bin/internal

> winrmps

<Workstation-ip>:5985

Domain\username

<password>

ipconfig

 

Note.

After 'ipconfig' has been typed and Enter has been pressed, press Ctrl+D to run the script.

 

Screenshot for illustration:

 

Hawada1_0-1639927180197.png

 

In later versions of FortiNAC-OS, the following commands need to be run:

 

execute enter-shell
cd /bsc/campusMgr/bin/internal

./winrmps

10.1.3.11:5985
EB\gimi
gimi123
ipconfig

 

Disclaimer.

This is not a public API, and the program input may change without notice.

Alternatively, if the HTTPS port 5986 is used, winrmps can be run with the command below:

 

> /bsc/campusMgr/bin/internal/winrmps /bsc/.runtime/data/certificate/winrmps_ca.pem

10.27.2.139:5986

DOMAIN\Username

Password-in-plaintext

Ipconfig

 

Where everything after the first line is stdin. 'ipconfig' is just an example command to run.
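A wrapper for the test above, as an added example that is not Fortinet code: it sends the same four stdin lines, reads the password without echo instead of typing it in clear text, passes the CA bundle for port 5986, and refuses port 5985 unless explicitly allowed. The function names and the ALLOW_HTTP variable are hypothetical; the winrmps path, the CA path and the input order are the ones shown in this article.

```sh
#!/bin/sh
# Added example, not Fortinet code. Paths and stdin order are taken from this
# article; function names and ALLOW_HTTP are hypothetical.
WINRMPS=/bsc/campusMgr/bin/internal/winrmps
WINRMPS_CA=/bsc/.runtime/data/certificate/winrmps_ca.pem

# Print "https" for host:5986 and "http" for host:5985; fail on anything else.
winrm_scheme() {
    case "$1" in
        *[!0-9A-Za-z.:-]*|*:*:*|:*) return 1 ;;  # stray characters, bad shape
        *:5986) echo https ;;
        *:5985) echo http ;;
        *) return 1 ;;
    esac
}

# Emit the four stdin lines winrmps reads: target, DOMAIN\user, password, command.
winrmps_input() {
    printf '%s\n%s\n%s\n%s\n' "$1" "$2" "$3" "$4"
}

# Run one test command. The password is read without echo and only ever sent
# on stdin, so it is not left on screen or in an argument list.
# Returns 2 for a malformed target, 3 when 5985 is used without ALLOW_HTTP=1.
winrmps_test() {
    target=$1; user=$2; cmd=${3:-ipconfig}
    scheme=$(winrm_scheme "$target") || { echo "bad target: $target" >&2; return 2; }
    if [ "$scheme" = http ] && [ "${ALLOW_HTTP:-0}" != 1 ]; then
        echo "refusing 5985 (insecure): use 5986 or set ALLOW_HTTP=1" >&2
        return 3
    fi
    printf 'Password for %s: ' "$user" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    if [ "$scheme" = https ]; then
        # HTTPS: pass the CA bundle as the first argument, as in the article.
        winrmps_input "$target" "$user" "$pw" "$cmd" | "$WINRMPS" "$WINRMPS_CA"
    else
        winrmps_input "$target" "$user" "$pw" "$cmd" | "$WINRMPS"
    fi
    rc=$?; unset pw; return "$rc"
}

# Usage: winrmps_test 10.27.2.139:5986 'DOMAIN\Username' ipconfig
```

Because winrmps is not a public API, re-check the input order against the installed version before relying on the wrapper.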

 

Important Note.

If FortiNAC version 9.1.x to version 9.2.1 is used, type the UPN name in the DPC role created in FortiNAC.

Otherwise, DPC will not work correctly.


Also, it is necessary to be logged in to the workstation for FortiNAC to receive the ipconfig output.

Hawada1_1-1639927205864.png

 

Solution.
The WinRM Device Profiling method supports multiple user credentials in versions 9.2.6 and 9.4.1.

FortiNAC v9.2.6 Release Notes

Related document:

WinRM Device Profile Requirements and Setup