The Windows Remote Management (a.k.a. WinRM) interface is a network service that allows remote management access to a computer via the network. It’s used frequently as a conduit to allow remote management of computers via PowerShell. As a result, WinRM is enabled by default on Windows Server 2012 to enable the Server Manager tool, but it is not enabled for Windows client OS’s by default.
As it is turned off by default on client OS’s, the following describes how you can enable it using Group Policy.
Firstly, create a Group Policy Object that targets the workstations on which you want to enable WinRM (e.g. “Enable WinRM”).
Then enable the “Allow remote server management through WinRM” policy setting found under Computer > Policies > Windows Components > Windows Remote Management (WinRM) > WinRM Service. From here you need to specify the IP address ranges that the service will accept connections from. Be cautious about just adding “*” in the field, as this can potentially allow incoming connections from all network locations. If possible, specify the exact IP ranges that you will be performing the remote management from, to reduce the risk of connections coming in from any computer.
Note: This policy is also known as “Allow automatic configuration of listeners”.
Next we need to enable the “Windows Remote Management (WS-Management)” service via the Group Policy Preferences Services.
And finally we need to open up the firewall rules to allow the incoming TCP connection on the Domain Network profile.
Go to Computer Configurations > Policies > Security Settings > Windows Firewall and Advanced Security > Windows Firewall and Advanced Security, then right-click on “Inbound Rules” and click on the “New Rule…” option.
Check the “Predefined” option, select “Windows Remote Management” from the drop-down list and click “Next”.
Then uncheck the top “Public” rule to again reduce the exposure of this service to the internet, and then click “Next”.
Then click “Finish”.
You should now have the new rule listed under Inbound Rules.
To reduce the exposure of this service further, you can double-click on the new rule you just created and remove “Private” from the network profiles to which it applies.
You have now enabled WinRM on your workstations, which is required to allow you to run PowerShell remote commands against them.
As you might already realise, enabling this should not be taken lightly, as you are essentially opening up a way to completely remote control your computers. This is why you should always limit the scope of incoming network connections to only the required networks/hosts.
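To confirm on a workstation that the GPO produced the restricted configuration described above, the following check can be run in an elevated PowerShell session after the policy has applied. It is an added example, not part of the original post; the function name Test-WinRMExposure is hypothetical, and the firewall lookup assumes an English display group name.

```powershell
# Added example: audit the effective WinRM exposure after the GPO applies.
# Test-WinRMExposure is a hypothetical name; run elevated on the workstation.
function Test-WinRMExposure {
    $findings = @()

    # 1. Values written by "Allow remote server management through WinRM"
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.AllowAutoConfig -ne 1) {
        $findings += 'WinRM listener policy is not applied (AllowAutoConfig is not 1)'
    } else {
        foreach ($name in 'IPv4Filter', 'IPv6Filter') {
            if ($pol.$name -eq '*') {
                $findings += "$name is the unrestricted wildcard '*'"
            }
        }
    }

    # 2. Service started by the Group Policy Preferences item
    $svc = Get-Service -Name WinRM
    if ($svc.Status -ne 'Running') {
        $findings += "WinRM service is $($svc.Status), expected Running"
    }

    # 3. Predefined firewall rules: only the Domain profile should be in scope.
    #    Assumes an English display group name.
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore `
            -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    if ($rules.Count -eq 0) {
        $findings += 'No enabled inbound Windows Remote Management firewall rule'
    }
    foreach ($rule in $rules) {
        $profiles = $rule.Profile.ToString()
        if ($profiles -match 'Any|Public|Private') {
            $findings += "Rule '$($rule.DisplayName)' applies to: $profiles"
        }
    }
    return $findings
}

$result = Test-WinRMExposure
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'WinRM is limited to the Domain profile with a restricted filter.'
}
```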