How to enable WinRM via Group Policy

Windows Remote Management (WinRM) is a network service that allows a computer to be managed remotely over the network. It is most often used as the transport for PowerShell Remoting. Because Server Manager depends on it, WinRM is enabled by default on Windows Server 2012, but it is not enabled by default on Windows client operating systems.

Because it is turned off by default on client operating systems, the following describes how to enable it using Group Policy.

First, create a Group Policy Object that targets the workstations on which you want to enable WinRM (e.g. “Enable WinRM”).

Then enable the “Allow remote server management through WinRM” policy setting found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service. The setting has an IPv4 filter and an IPv6 filter field; these specify the local IP addresses (or ranges) that the WinRM listener will bind to, not which remote hosts are allowed to connect. Entering “*” binds the listener to every address on the machine, which is what you normally want on a workstation; if the machine has several interfaces and you only want the listener on one of them, specify that address range instead. Restricting which hosts may connect is done with the firewall rule scope later in this procedure, not with this filter.

Note: On older versions of Windows this policy is also known as “Allow automatic configuration of listeners”.


Next we need to make sure the “Windows Remote Management (WS-Management)” service is running. Do this with a Group Policy Preferences Services item (Computer Configuration > Preferences > Control Panel Settings > Services) that sets the WinRM service startup type to Automatic and the service action to “Start service”. The listener is created by the service when it starts with the policy above applied, so the service must actually be running for the listener to appear.


And finally we need to add a firewall rule that allows the incoming TCP connection (port 5985 for the default HTTP listener) on the Domain network profile.

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security, then right-click “Inbound Rules” and click the “New Rule…” option.


Select the “Predefined” option, choose “Windows Remote Management” from the drop-down list and click “Next”.


Then uncheck the “Public” rule so that the service is not exposed on networks classed as public (e.g. a laptop on a hotel or coffee-shop network), and click “Next”.


Then click “Finish”


You should now have a new rule listed, similar to the one below.


To reduce the exposure of this service further, double-click the new rule and remove “Private” from the network profiles it applies to, leaving only “Domain”. The rule’s Scope tab is also where you restrict which remote IP addresses may connect: enter the addresses or subnets of your management hosts under “Remote IP address” so that only those hosts can reach the listener.


You have now enabled WinRM on your workstations, which is what is required to run PowerShell Remoting commands against them. The change takes effect once the policy has applied and the WinRM service has (re)started, so allow for a Group Policy refresh and a reboot or service restart before testing.

As you may already realise, enabling this should not be taken lightly: you are opening up a way to completely remotely control your computers. This is why you should always limit the scope of incoming connections, via the firewall rule, to only the required networks and hosts.
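The following PowerShell script is an added verification example and is not part of the original post. Run it on a target workstation after the GPO has applied to confirm that each of the three pieces above (policy, service, firewall rule) actually landed, and that the listener exists. It uses only built-in cmdlets; the GPO name “Enable WinRM”, the domain name corp.example.com, the management subnet 10.0.0.0/24 and the host name ws01 are assumed values for illustration.

```powershell
# Added verification script; not from the original post. Run on a workstation
# after the GPO has applied ('gpupdate /force' plus a reboot, or a restart of
# the WinRM service, because the listener is created by the service at start-up).
# Assumed values: GPO "Enable WinRM", domain corp.example.com, subnet 10.0.0.0/24.

$ErrorActionPreference = 'Stop'
$check = [ordered]@{}

# 1. Policy: "Allow remote server management through WinRM" writes these
#    values under the WinRM Service policy key.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$pol    = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$check['Policy applied (AllowAutoConfig=1)'] = ($pol.AllowAutoConfig -eq 1)
# IPv4Filter/IPv6Filter are the LOCAL addresses the listener binds to
# ("*" = all), not a list of clients allowed to connect.
$check['Listener bind filter (IPv4)'] = $pol.IPv4Filter

# 2. Service: the GPP Services item should leave WinRM Automatic and Running.
$svc = Get-Service -Name WinRM
$check['Service running']   = ($svc.Status -eq 'Running')
$check['Service automatic'] = ($svc.StartType -eq 'Automatic')

# 3. Listener: auto-created by the service when it starts with the policy on.
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
$check['HTTP listener present'] = [bool]($listeners |
    Where-Object { $_.Keys -contains 'Transport=HTTP' })

# 4. Firewall: the predefined rule delivered by the GPO, the profiles it is
#    bound to, and its remote-address scope (the right place to limit clients).
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' `
    -Direction Inbound -Enabled True
$check['Firewall rule present'] = (@($rules).Count -gt 0)
foreach ($r in $rules) {
    $scope = $r | Get-NetFirewallAddressFilter
    $check["Rule '$($r.DisplayName)' source"]   = $r.PolicyStoreSourceType  # expect GroupPolicy
    $check["Rule '$($r.DisplayName)' profiles"] = $r.Profile                # expect Domain only
    $check["Rule '$($r.DisplayName)' remote"]   = ($scope.RemoteAddress -join ',')
}

$check | Format-Table -AutoSize

# To restrict the rule to a management subnet, edit it in the GPO itself
# (local edits to a GPO-delivered rule do not persist). From a host with RSAT:
# Set-NetFirewallRule -PolicyStore 'corp.example.com\Enable WinRM' `
#     -DisplayName 'Windows Remote Management (HTTP-In)' `
#     -Profile Domain -RemoteAddress 10.0.0.0/24
#
# Then, from a management host, confirm the end-to-end path:
# Test-WSMan -ComputerName ws01
```

If the policy and firewall checks pass but no HTTP listener is present, the usual cause is that the WinRM service has not restarted since the policy applied; restart the service (or reboot) and run the script again.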

17 Comments

  1. All the articles on the internet appear to be a copy-paste of one original source, therefore they all have the same two problems. First, they all direct you to Computer > Policies > Windows Components > Windows Remote Management (WinRM) > WinRM Service, when it is actually Computer > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service. For some reason, everyone is leaving out “Administrative Templates”.

    Second issue – this is an incomplete solution. With this policy in place, systems are not configured for remote management. You still have to run winrm quickconfig -q which then echoes “created a WinRM listener on http://* to accept WS-Man requests to any IP on this machine.” Once that is done, it works as advertised. However, there appears to be no way to perform this step remotely, much less in bulk/batch. It works flawlessly if actually logged in to the target system, but fails if run in a batch file, or if run using PSEXEC, or even if submitted as an SCCM job. I can find no way to push this to 5000 systems, making the fact that Microsoft is making this a prerequisite for more of its tools and deprecating old functionality that wasn’t WinRM dependent more than a little frustrating.

  2. To piggyback on what Anonymous said above, there is another thing wrong here. The IP Filters do not specify which IP addresses are allowed to connect, they specify which IP addresses the WinRM service binds to.

  3. NO, NO, NO – The IPv4/v6-Filter Field DOES NOT SET the allowed remote administration IPs. It defines a range of addresses the service is allowed to bind to (as clearly stated in the description). To restrict remote access to certain administration IPs configure your firewall rule accordingly.

  4. I have to agree, the statement below is wrong. You use the firewall to restrict who can access remote management from the network not this policy.

    “From here you need to specify the IP Address ranges that the service will accept connections from, be cautious if you just add “*” in the field as this can potentially allow incoming connection form all network locations. If possible specify the exact IP ranges that you will be performing the remote management from to reduce the risk of connection coming in from any computer.”

  5. We have recently enabled winrm in a very large environment (40,000+ devices ) via group policy. Our winx64 devices can connect via ps remote session but our 32 bit builds cannot without running Enable-Psremote.

    Any ideas on why the policy wouldn’t affect 32bit like it does x64?
