The Windows Remote Management (a.k.a. WinRM) interface is a network service that allows remote management access to a computer via the network. It’s frequently used as a conduit for remote management of computers via PowerShell. As a result, WinRM is enabled by default on Windows Server 2012 to enable the Server Manager tool, but it is not enabled by default on Windows client OSes.
As it is turned off by default on client OSes, the following describes how you can enable it using Group Policy.
Firstly, create a Group Policy Object (e.g. “Enable WinRM”) that targets the workstations on which you want to enable WinRM.
Then enable the “Allow remote server management through WinRM” policy setting found under Computer > Policies > Windows Components > Windows Remote Management (WinRM) > WinRM Service. From here you need to specify the IP address ranges that the service will accept connections from. Be cautious about just adding “*” in the field, as this can potentially allow incoming connections from all network locations. If possible, specify the exact IP ranges that you will be performing the remote management from, to reduce the risk of connections coming in from any computer.
Note: This policy is also known as “Allow automatic configuration of listeners”.
Next we need to enable the “Windows Remote Management (WS-Management)” service via Group Policy Preferences Services.
And finally we need to open up the firewall rules to allow the incoming TCP connection on the Domain Network profile.
Go to Computer Configuration > Policies > Security Settings > Windows Firewall and Advanced Security > Windows Firewall and Advanced Security, then right-click on “Inbound Rules” and click on the “New Rule…” option.
Check the “Predefined” option, select “Windows Remote Management” from the drop-down list and click “Next”.
Then uncheck the top “Public” rule, again to reduce the exposure of this service to the internet, and then click “Next”.
Then click “Finish”
And you should now have a new rule listed under Inbound Rules.
To reduce the exposure of this service further, you can double-click on the new rule you just created and remove “Private” from the network profiles that it applies to.
You have now enabled WinRM on your workstations, which is required to allow you to run remote PowerShell commands against them.
As you might already realise, enabling this should not be taken lightly, as you are essentially opening up a way to completely remote control your computers. This is why you should always limit the scope of incoming network connections to only the required networks/hosts.
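To check the result on a workstation once the policy has applied, the following added example (not part of the original post) audits the three things configured above: the address filter, the service, and the firewall rule profiles. It assumes Windows 8 / Server 2012 or later (for Get-NetFirewallRule), an elevated session, and that the policy values are stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service; the function name Test-WinRMExposure is made up for this example.

```powershell
# Added example: audit the WinRM settings described above on a workstation.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
function Test-WinRMExposure {
    $findings = @()

    # Values written by the "Allow remote server management through WinRM" policy.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AllowAutoConfig -ne 1) {
        $findings += 'Policy not applied: listeners are not configured by Group Policy.'
    } else {
        foreach ($name in 'IPv4Filter', 'IPv6Filter') {
            $filter = $policy.$name
            # A bare "*" is the unrestricted value the article warns about.
            if ($filter -and $filter.Trim() -eq '*') {
                $findings += "$name is '*': no address restriction is configured."
            }
        }
    }

    # The service enabled through Group Policy Preferences is named WinRM.
    $svc = Get-Service -Name WinRM
    if ($svc.Status -ne 'Running') {
        $findings += "WinRM service is $($svc.Status), not Running."
    }

    # Effective (local plus GPO) inbound rules from the predefined group.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore `
                 -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
             Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    if (-not $rules) {
        $findings += 'No enabled inbound Windows Remote Management firewall rule found.'
    }
    foreach ($rule in $rules) {
        # Profile is a flags value; anything other than Domain alone is wider than intended.
        if ("$($rule.Profile)" -ne 'Domain') {
            $findings += "Rule '$($rule.DisplayName)' applies to profile(s): $($rule.Profile)."
        }
    }

    if ($findings.Count -eq 0) { 'OK: WinRM is enabled and limited to the Domain profile.' }
    else { $findings }
}

Test-WinRMExposure
```

Run it after a `gpupdate /force` so that the registry values and firewall rules reflect the current Group Policy.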