Enabling WinRM and Remote PS Sessions

OK. Let me admit something. 

I did a write-up for some internal documentation at VENZO... and I copy/pasted quite a bit of this section (pretty much all of it) from "How to enable WinRM with domain controller Group Policy for WMI monitoring" (Auvik Support), so kudos to the original author!

But to be honest; it's been handy enough that I figured I'd throw it up here and since no one reads my blog; no one will notice all the plagiarism! 

... and admittedly, one of my main motivations for starting this blog is for note keeping. Because when you think of it; an OK blog post is just a skip away from OK documentation - so if I'm taking notes and/or documentation already...

That's my reasoning (excuse) at least. 



So... what's first for enabling WinRM and Remote PS Sessions? I find the easiest way is to create a GPO and just push it out to the OUs I need to. 

First, we need to create a Group Policy object in the domain:

  1. From the start menu, open Control Panel.
  2. Select Administrative Tools.
  3. Select Group Policy Management.
  4. From the menu tree, click Domains > dom01.local
  5. Right-click and select Create a GPO in this domain and Link it here.
  6. Input Enable WinRM.
  7. Click OK.

Next, edit the new Group Policy object you just created. When you’re done, there will be three WinRM service settings enabled:

Allow remote server management through WinRM

  1. Right-click on the new Enable WinRM Group Policy Object and select Edit.
  2. From the menu tree, click Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
  3. Right-click on Allow remote server management through WinRM and click Edit.
  4. Select Enabled to allow remote server management through WinRM.
  5. Enter an asterisk (*) into each field.
  6. Click OK.

Now that Windows Remote Management has been enabled on the Group Policy, you need to enable the service that goes with it.

  1. From the Group Policy Management Editor window, click Preferences > Control Panel Settings > Services.
  2. Right-click on Services and select New > Service.
  3. Select Automatic as the startup.
  4. Enter WinRM as the service name.
  5. Select Start service as the service action.
  6. All remaining details can stay on the defaults. Click OK.

Now you must allow for inbound remote administration by updating the firewall rules. When you’re done, there will be two rules enabled:

  • Windows Firewall: Allow inbound remote administration exception
  • Windows Firewall: Allow ICMP exception


Using the Group Policy Management Editor, from the menu tree, click Computer Configuration > Policies > Administrative Templates: Policy definitions > Network > Network Connections > Windows Firewall > Domain Profile.

  1. Right-click on Windows Firewall: Allow inbound remote administration exception and click Edit.
  2. Select Enabled.
  3. Enter the IP address into the field called Allow unsolicited incoming messages from these IP addresses. To allow messages from any IP address, enter an asterisk (*) into each field.
  4. Click OK.
  5. Right-click on Windows Firewall: Allow ICMP exception and click Edit.
  6. Select Enabled.
  7. Check Allow inbound echo request.
  8. Click OK.


The final steps are to create a new inbound firewall rule and update the network list manager for unidentified networks.

  1. From the menu tree, click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  2. Right-click on Inbound Rules and click New Rule.
  3. Select Predefined.
  4. Select Windows Remote Management from the list of services.
  5. Click Next.
  6. Uncheck the Public rule. Leave the Domain, Private rule checked.
  7. Click Next.
  8. Leaving the defaults, click Finish.
  9. Right-click on the new rule and click Properties.
  10. Click the Advanced tab.
  11. Uncheck Private.
  12. Click OK.
  13. From the menu tree, click Computer Configuration > Policies > Windows Settings > Security Settings > Network List Manager Policies.
  14. Right-click Unidentified Networks and click Properties.
  15. Change the location type from Not configured to Private.
  16. Click OK.
  17. Close the Local Group Policy Editor window.


When you have completed the above steps, right-click on the OU and select Group Policy Update. Test the connection by running test-wsman -computername [HOSTNAME].


If the connection still fails, run this command on the target device: winRM quickconfig.



Remember that WinRM isn't exactly best practice security-wise; so what I tend to do is disable the GPO when I'm done using it.
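
The enable, test, disable cycle described above can be scripted. This is an added example, not part of the original post or the Auvik article; it assumes the GroupPolicy module (RSAT) is installed, the GPO is named Enable WinRM as in the steps above, and the host names are placeholders.

```powershell
# Added example (not from the original post). Run from an admin workstation
# with the GroupPolicy module available. Host names below are placeholders.

function Set-WinRMGpoState {
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State,
        [string]$GpoName = 'Enable WinRM'   # name used in the steps above
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    # GpoStatus is a Microsoft.GroupPolicy.GpoStatus enum; setting it writes to AD.
    $gpo.GpoStatus = if ($State -eq 'Enabled') { 'AllSettingsEnabled' }
                     else { 'AllSettingsDisabled' }
    Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus, ModificationTime
}

function Test-WinRMExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $wsman = $null
        try { $wsman = Test-WSMan -ComputerName $c -ErrorAction Stop } catch { }
        # 5985 is the default WinRM HTTP listener port.
        $tcp = Test-NetConnection -ComputerName $c -Port 5985 `
                   -WarningAction SilentlyContinue
        [pscustomobject]@{
            ComputerName   = $c
            WSManAnswers   = [bool]$wsman
            Port5985Open   = $tcp.TcpTestSucceeded
            ProductVersion = $wsman.ProductVersion
        }
    }
}

$targets = 'HOST01', 'HOST02'            # placeholders

# 1. Turn the GPO on, refresh policy on the OU, then confirm WinRM answers.
Set-WinRMGpoState -State Enabled
Test-WinRMExposure -ComputerName $targets | Format-Table -AutoSize

# 2. When the work is done, turn the GPO off again.
Set-WinRMGpoState -State Disabled

# 3. After the next policy refresh, list hosts that STILL answer. Those need a
#    manual look, e.g. a local listener left behind by "winrm quickconfig".
Test-WinRMExposure -ComputerName $targets |
    Where-Object { $_.WSManAnswers -or $_.Port5985Open } |
    Format-Table -AutoSize
```

Step 3 is the useful part: disabling the GPO only stops the policy from applying, so the re-check shows whether each host actually stopped listening.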