diff --git a/ansible/inventory/group_vars/workstation_host_windows.yml b/ansible/inventory/group_vars/workstation_host_windows.yml
index de5d831..11e0f85 100644
--- a/ansible/inventory/group_vars/workstation_host_windows.yml
+++ b/ansible/inventory/group_vars/workstation_host_windows.yml
@@ -1,9 +1,9 @@
 ---
 ansible_connection: psrp
-ansible_psrp_auth: negotiate
+ansible_psrp_auth: ntlm
 ansible_psrp_cert_validation: ignore
-ansible_psrp_protocol: http
-ansible_port: 5985
+ansible_psrp_protocol: https
+ansible_port: 5986
 ansible_shell_type: powershell
 
 windows_winget_packages:
diff --git a/scripts/bootstrap_windows_workstation.ps1 b/scripts/bootstrap_windows_workstation.ps1
index ec40bb4..a545729 100644
--- a/scripts/bootstrap_windows_workstation.ps1
+++ b/scripts/bootstrap_windows_workstation.ps1
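Review bot: `ansible_psrp_cert_validation: ignore` is kept while the transport moves to HTTPS on 5986, so the session is encrypted but the server is never authenticated — any host answering on 5986 with any certificate is accepted, which is exactly the gap a self-signed listener certificate leaves open. The bootstrap script in this same commit creates that certificate and prints its thumbprint, so exporting it and switching to `ansible_psrp_cert_validation: validate` with the psrp plugin's trust-path option (`ansible_psrp_cert_trust_path`, name to be confirmed against the installed Ansible version) would close it. Moving from `negotiate` to `ntlm` also rules out Kerberos on a domain-joined host; if that is deliberate because only local accounts are used, a one-line comment in this group_vars file saying so would stop the next reader from "fixing" it back.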
@@ -7,6 +7,75 @@ param(
 Set-StrictMode -Version Latest
 $ErrorActionPreference = 'Stop'
 
+function Get-OrCreate-WinRMHttpsCertificate {
+ $dnsName = $env:COMPUTERNAME
+ $existingCertificate = Get-ChildItem -Path Cert:\LocalMachine\My |
+ Where-Object { $_.Subject -eq "CN=$dnsName" } |
+ Sort-Object NotAfter -Descending |
+ Select-Object -First 1
+
+ if ($null -ne $existingCertificate) {
+ return $existingCertificate
+ }
+
+ return New-SelfSignedCertificate `
+ -DnsName $dnsName `
+ -CertStoreLocation 'Cert:\LocalMachine\My' `
+ -FriendlyName 'WinRM HTTPS Listener' `
+ -KeyAlgorithm RSA `
+ -KeyLength 2048 `
+ -HashAlgorithm SHA256 `
+ -NotAfter (Get-Date).AddYears(5)
+}
+
+function Ensure-WinRMHttpsListener {
+ param(
+ [Parameter(Mandatory = $true)]
+ [string]$CertificateThumbprint
+ )
+
+ $listener = Get-ChildItem -Path WSMan:\localhost\Listener |
+ Where-Object {
+ $_.Keys -match 'Transport=HTTPS' -and $_.Keys -match "Hostname=$($env:COMPUTERNAME)"
+ } |
+ Select-Object -First 1
+
+ if ($null -eq $listener) {
+ New-WSManInstance -ResourceURI winrm/config/Listener `
+ -SelectorSet @{ Transport = 'HTTPS'; Address = '*' } `
+ -ValueSet @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $CertificateThumbprint } | Out-Null
+ return $true
+ }
+
+ return $false
+}
+
+function Ensure-LocalAccountTokenFilterPolicy {
+ $registryPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+ $propertyName = 'LocalAccountTokenFilterPolicy'
+ $currentValue = Get-ItemProperty -Path $registryPath -Name $propertyName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $propertyName -ErrorAction SilentlyContinue
+
+ if ($currentValue -ne 1) {
+ New-ItemProperty -Path $registryPath -Name $propertyName -Value 1 -PropertyType DWord -Force | Out-Null
+ return $true
+ }
+
+ return $false
+}
+
+function Ensure-CurrentUserInRemoteManagementGroup {
+ $groupName = 'Utenti gestione remota'
+ $currentUser = 
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
+ $members = @(Get-LocalGroupMember -Name $groupName -ErrorAction Stop | Select-Object -ExpandProperty Name)
+
+ if ($members -contains $currentUser) {
+ return @{ Changed = $false; User = $currentUser; Group = $groupName }
+ }
+
+ Add-LocalGroupMember -Group $groupName -Member $currentUser -ErrorAction Stop
+ return @{ Changed = $true; User = $currentUser; Group = $groupName }
+}
+
 function Enable-FeatureIfNeeded {
 param(
 [Parameter(Mandatory = $true)]
@@ -39,6 +108,18 @@ if (-not $SkipUbuntuInstall -and $null -eq $installedUbuntuDistribution) {
 Enable-PSRemoting -SkipNetworkProfileCheck -Force
 Set-Service -Name WinRM -StartupType Automatic
 
+$winrmCertificate = Get-OrCreate-WinRMHttpsCertificate
+$httpsListenerChanged = Ensure-WinRMHttpsListener -CertificateThumbprint $winrmCertificate.Thumbprint
+$rebootRequired = (Ensure-LocalAccountTokenFilterPolicy) -or $rebootRequired
+$remoteManagementGroupState = Ensure-CurrentUserInRemoteManagementGroup
+
+Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
+
+$httpsFirewallRule = Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue
+if ($null -eq $httpsFirewallRule) {
+ New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 | Out-Null
+}
+
 Write-Host ''
 Write-Host 'Bootstrap completato.'
 Write-Host 'Passi successivi:'
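Review bot: Get-OrCreate-WinRMHttpsCertificate selects the existing certificate by subject alone, so an expired certificate, or one present without its private key, is returned and bound to the listener instead of triggering a fresh one; the filter should be `Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |`. Related, Ensure-WinRMHttpsListener returns as soon as an HTTPS listener exists and never updates its CertificateThumbprint, so a newly issued certificate would not replace the one bound earlier — presumably acceptable for a first bootstrap, but worth a comment on the `if ($null -eq $listener)` branch. Ensure-CurrentUserInRemoteManagementGroup hardcodes the Italian display name 'Utenti gestione remota', which fails on any other UI language; the group's well-known SID is locale independent, e.g. `Get-LocalGroupMember -SID 'S-1-5-32-580'` and `Add-LocalGroupMember -SID 'S-1-5-32-580' -Member $currentUser` (parameter spelling to be confirmed against the LocalAccounts module on the target). Ensure-LocalAccountTokenFilterPolicy widens exposure without saying so — value 1 disables UAC remote token filtering, so a local administrator's full token is usable over the network — and deserves a why-comment such as `# Needed for PSRP with a local admin account; disables UAC remote restrictions, so keep this host off untrusted networks`.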
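Review bot: the new 'WinRM HTTPS (5986)' rule has no profile or remote-address scope, so 5986 is reachable on every network profile including Public, i.e. from any network the workstation joins; adding `-Profile Domain,Private` (or `-RemoteAddress LocalSubnet`) to the `New-NetFirewallRule` call would scope it to where the Ansible controller actually lives. Enable-PSRemoting on the line above still provisions the HTTP listener on 5985 and its firewall exception, so after this change the host exposes both endpoints while the inventory only uses 5986; removing the HTTP listener, or at least a comment saying why it stays, would keep the intent legible. `$rebootRequired` is read on the right-hand side of its own assignment here; it is presumably initialised earlier in the script (outside this hunk), but under `Set-StrictMode -Version Latest` an uninitialised read would abort the run, so worth a glance.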
@@ -48,4 +129,8 @@ Write-Host '3. Installa Ansible dentro WSL Ubuntu e lancia il playbook da li.'
 Write-Host '4. Le applicazioni Windows saranno installate dal playbook Ansible via winget, non da questo bootstrap.'
 Write-Host ''
 Write-Host ('WSL distro Ubuntu rilevata: {0}' -f $(if ($null -ne $installedUbuntuDistribution) { $installedUbuntuDistribution } else { 'nessuna, verra installata ' + $Distribution }))
+Write-Host ('PSRP transport consigliato: https://{0}:5986/wsman' -f $env:COMPUTERNAME)
+Write-Host ('Certificato WinRM HTTPS: {0}' -f $winrmCertificate.Thumbprint)
+Write-Host ('Utente aggiunto a Utenti gestione remota: {0}' -f $remoteManagementGroupState.User)
+Write-Host ('Listener HTTPS creato in questo run: {0}' -f $(if ($httpsListenerChanged) { 'yes' } else { 'no' }))
 Write-Host ('Riavvio consigliato: {0}' -f $(if ($rebootRequired) { 'yes' } else { 'no' }))
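Review bot: the summary line 'Utente aggiunto a Utenti gestione remota' prints the user even when Ensure-CurrentUserInRemoteManagementGroup returned `Changed = $false`, so it reports an addition the run did not perform; mirroring the listener line, `Write-Host ('Utente in Utenti gestione remota: {0} (aggiunto in questo run: {1})' -f $remoteManagementGroupState.User, $(if ($remoteManagementGroupState.Changed) { 'yes' } else { 'no' }))` keeps the output accurate. The printed thumbprint is also the value the Ansible side would need to pin if certificate validation is ever enabled in the inventory; a short note to that effect next to the 'Certificato WinRM HTTPS' line would tell the operator why it is shown.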