How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Kent Chen — Fri, 19 Jan 2018 06:57:08 +0000

PowerShell Remoting really makes my work a lot easier but it requires quite a bit of work to get all the remote computers ready to take the remoting calls, such as automatically start Windows Remote Management services, set up the HTTP listener for incoming WinRM requests, as well as open Firewall Port to allow the traffic to go through.

For individual computers

It’s quite easy. Just open a PowerShell as Administrator window on the computer and run the following cmdlet and it will take care of the rest.

Enable-PSRemoting

For large network

Deploying the settings via Group Policy is definitely the way to go. If you are on Windows Server 2012 R2, open Group Policy Management and find the Grou Policy object you want to tweak and edit from there. Or create a new one if needed.

Once you are in there, there are three places that you need to go through:

1. Allow remote server management through WinRM

Go to Computer Configuration > Policies > Administrative Templates > Windows Remote Management (WinRM) > WinRM Service.

Double-click the setting “Allow remote server management through WinRM”

Select Enable and type in “*” in for both IPv4 filter and IPv6 filter.

Click OK to close the window.

* If you don’t see Windows Remote Management in your Group Policy Editor, there is probably the WinRM admin template missing in your Active Directory.

2. Enable WinRM service

Go to Computer Configuration > Policies > Preferences > Control Panel Settings.

And right-click Services and choose New > Service.

Choose Automatic (Delayed Start) as startup type, pick WinRM as the service name, set Start service as the action.

Click OK to save the change.

3. Set up the Firewall rule

Go to Computer Configuration > Policies > Security Settings > Windows Firewall with Advanced Security.

And right-click Inbound Rules and start a New Rule…

Select Predefined: option and choose Windows Remote Management from the list (not the one with compatible). Click Next.

Select the one for Domain and Private, and Allow the connection option at the next screen. And click Finish.

To reduce the exposure to this service we can remove the Private and only leave only Domain profile in place. Double-click the new rule we just created, go to Advanced tab and uncheck the Private option from the Profiles section.

Test it out

You can scan the port 5985 on the remote computer to see if it responses, like below:

Test-NetConnection -ComputerName remote_computer -Port Port#

Oh, simply open a PowerShell session on the remote computer and see if it succeeds.

Enter-PSSession -ComputerName remote_computer

The post How To Enable WinRM with Domain Group Policy for PowerShell Remoting first appeared on KC's Blog.