PowerShell is the go-to tool for automating tasks on Windows, and its remoting capabilities are a cornerstone of its power. For years, WinRM (Windows Remote Management) with the Invoke-Command cmdlet has been the standard. However, with the rise of cross-platform development and the native integration of OpenSSH in Windows, a new contender has emerged: Invoke-SSHCommand.
Both cmdlets let you run commands on remote machines, but they operate on fundamentally different protocols. Understanding the difference is key to choosing the right tool for your environment. This guide breaks down the pros, cons, and best use cases for each.
Part 1: The Traditional Way (WinRM and Invoke-Command)
Invoke-Command uses the WinRM protocol, which is Microsoft’s implementation of the WS-Management standard. It communicates over HTTP (5985) or HTTPS (5986) and is deeply integrated into Windows.
How to Use Invoke-Command
The syntax is straightforward. To run a command on a remote machine, you use the -ComputerName and -ScriptBlock parameters.
Invoke-Command -ComputerName "WinSrv01" -ScriptBlock { Get-Process -Name "powershell" }Key Characteristics of WinRM
- Object-Oriented: WinRM serializes and deserializes full PowerShell objects using CLIXML. This means you get rich, structured data back from the remote machine, not just plain text.
- Windows-Centric: It is designed primarily for Windows-to-Windows communication and is tightly integrated with Active Directory for authentication (Kerberos).
- Requires Configuration: WinRM is not always enabled by default. You often need to run
winrm quickconfigon the target machine and configure firewall rules and trusted hosts.
Pros:
- Returns rich PowerShell objects.
- Excellent integration with Active Directory.
- Built-in to PowerShell; no extra modules needed.
Cons:
- Can be difficult to configure, especially in non-domain environments.
- The “double-hop” problem requires complex CredSSP configuration.
- Windows-only; not suitable for managing Linux machines.
- Higher overhead and slower performance on high-latency networks.
Part 2: The Modern, Cross-Platform Way (SSH and Invoke-SSHCommand)
With OpenSSH now a standard feature in Windows, using SSH for remoting has become a popular and powerful alternative. The Invoke-SSHCommand cmdlet, from the third-party Posh-SSH module, makes this easy.
How to Use Invoke-SSHCommand
First, you need to install the Posh-SSH module:
Install-Module -Name Posh-SSH -Scope CurrentUser -ForceThen, you can use Invoke-SSHCommand to run a command over SSH.
Invoke-SSHCommand -ComputerName "LinuxBox" -Credential (Get-Credential) -Command "ps aux | grep nginx"Key Characteristics of SSH
- Text-Based: SSH is a text-based protocol. It sends commands and receives plain text back (stdout and stderr). You don’t get rich PowerShell objects, but you get raw, fast output.
- Cross-Platform: SSH is the universal standard for remote management on Linux, macOS, and network devices. With OpenSSH on Windows, you can use a single protocol to manage your entire fleet.
- Simple and Reliable: SSH is generally easier to set up and more reliable, especially across firewalls and complex networks, as it uses a single, well-known port (TCP 22).
Pros:
- Truly cross-platform (Windows, Linux, macOS).
- Faster and more lightweight, especially over high-latency WAN links.
- Simpler authentication model (password or key-based).
- More firewall-friendly (only requires port 22).
Cons:
- Returns plain text, not PowerShell objects.
- Requires the
Posh-SSHmodule to be installed. - Requires an SSH server to be running on the target machine.
Part 3: Head-to-Head Comparison
| Aspect | Invoke-Command (WinRM) |
Invoke-SSHCommand (SSH) |
|---|---|---|
| Protocol | WS-Management (HTTP/S) | SSH (TCP 22) |
| Target OS | Windows only | Any (Windows, Linux, macOS) |
| Return Data | PowerShell Objects (CLIXML) | Plain Text (stdout/stderr) |
| Performance (WAN) | Slower (higher overhead) | Faster (lightweight protocol) |
| Configuration | Can be complex (firewalls, TrustedHosts, CredSSP) | Simpler (install SSH server, open port 22) |
| Authentication | Kerberos, NTLM, CredSSP | Password, Public Key, GSSAPI |
| Built-in? | Yes | No (requires Posh-SSH module) |
Part 4: Recommendations and Conclusion
Which One Should You Choose?
-
Use
Invoke-Command(WinRM) when:- You are in a pure, domain-joined Windows environment.
- You need to work with rich PowerShell objects returned from the remote machine.
- Your network is already configured and secured for WinRM.
-
Use
Invoke-SSHCommand(SSH) when:- You are in a mixed-OS environment (Windows and Linux).
- You need to manage machines over the internet or a high-latency WAN.
- WinRM is blocked or too difficult to configure.
- You prefer the simplicity and ubiquity of SSH and key-based authentication.
Final Verdict
While Invoke-Command remains a powerful tool for Windows-centric environments, Invoke-SSHCommand is often the more robust, flexible, and future-proof choice for modern, cross-platform infrastructure. Its superior performance over high-latency networks and its ability to connect to any machine running an SSH server make it an indispensable tool for today’s DevOps and automation workflows.
For most new projects, especially those involving the cloud or mixed operating systems, starting with an SSH-based approach will likely save you time and headaches in the long run.