SecHard

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

WinRM - test

PowerShell Remoting really makes my work a lot easier but it requires quite a bit of work to get all the remote computers ready to take the remoting calls, such as automatically start Windows Remote Management services, set up the HTTP listener for incoming WinRM requests, as well as open Firewall Port to allow the traffic to go through.

For individual computers

It’s quite easy. Just open a PowerShell as Administrator window on the computer and run the following cmdlet and it will take care of the rest.

Enable-PSRemoting
PowerShell Enable PSRemoting - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

For large network

Deploying the settings via Group Policy is definitely the way to go. If you are on Windows Server 2012 R2, open Group Policy Management and find the Grou Policy object you want to tweak and edit from there. Or create a new one if needed.

Once you are in there, there are three places that you need to go through:

1. Allow remote server management through WinRM

Go to Computer Configuration > Policies > Administrative Templates > Windows Remote Management (WinRM) > WinRM Service.

Double-click the setting “Allow remote server management through WinRM

Group Policy Allow remote server management through 600x267 - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Select Enable and type in “*” in for both IPv4 filter and IPv6 filter.

Group Policy Allow remote server management through dialog 600x335 - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Click OK to close the window.

  • If you don’t see Windows Remote Management in your Group Policy Editor, there is probably the WinRM admin template missing in your Active Directory.

2. Enable WinRM service

Go to Computer Configuration > Policies > Preferences > Control Panel Settings.

And right-click Services and choose New > Service.

Group Policy New service - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Choose Automatic (Delayed Start) as startup type, pick WinRM as the service name, set Start service as the action.

Group Policy New Service WinRM - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Click OK to save the change.

3. Set up the Firewall rule

Go to Computer Configuration > Policies > Security Settings > Windows Firewall with Advanced Security.

And right-click Inbound Rules and start a New Rule…

Group Policy New Inbound Rule - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Select Predefined: option and choose Windows Remote Management from the list (not the one with compatible). Click Next.

Group Policy New Inbound Rule wizard 1 600x485 - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Select the one for Domain and Private, and Allow the connection option at the next screen. And click Finish.

To reduce the exposure to this service we can remove the Private and only leave only Domain profile in place. Double-click the new rule we just created, go to Advanced tab and uncheck the Private option from the Profiles section.

Group Policy Rule to remove Private - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Test it out

You can scan the port 5985 on the remote computer to see if it responses, like below:

Test-NetConnection -ComputerName remote_computer -Port Port#

Oh, simply open a PowerShell session on the remote computer and see if it succeeds.

Enter-PSSession -ComputerName remote_computer
WinRM est 600x196 - How To Enable WinRM with Domain Group Policy for PowerShell Remoting
  • No labels

0 Comments

You are not logged in. Any changes you make will be marked as anonymous. You may want to Log In if you already have an account.
 

SecHard