SecHard

How To Enable WinRM with Domain Group Policy for PowerShell Remoting

Owned by seda peker
Jun 14, 2023
WinRM - test

For individual computers

It’s quite easy. Just open a PowerShell as Administrator window on the computer and run the following cmdlet and it will take care of the rest.

Enable-PSRemoting
PowerShell Enable PSRemoting - How To Enable WinRM with Domain Group Policy for PowerShell Remoting

For large network

Deploying the settings via Group Policy is definitely the way to go. If you are on Windows Server 2012 R2, open Group Policy Management and find the Grou Policy object you want to tweak and edit from there. Or create a new one if needed.

Once you are in there, there are three places that you need to go through:

1. Allow remote server management through WinRM

Go to Computer Configuration > Policies > Administrative Templates > Windows Remote Management (WinRM) > WinRM Service.

Double-click the setting “Allow remote server management through WinRM

Select Enable and type in “*” in for both IPv4 filter and IPv6 filter.

Click OK to close the window.

  • If you don’t see Windows Remote Management in your Group Policy Editor, there is probably the WinRM admin template missing in your Active Directory.

Double-click the setting “Turn on Compability HTTP Listener” Enabled

Double-click the setting “Turn on Compability HTTPS Listener”. Enabled

2. Enable WinRM service

Go to Computer Configuration > Policies > Preferences > Control Panel Settings.

And right-click Services and choose New > Service.

Choose Automatic (Delayed Start) as startup type, pick WinRM as the service name, set Start service as the action.

Click OK to save the change.

3. Set up the Firewall rule

Go to Computer Configuration > Policies > Security Settings > Windows Firewall with Advanced Security.

And right-click Inbound Rules and start a New Rule…

Select Predefined: option and choose Windows Remote Management from the list (not the one with compatible). Click Next.

Select the one for Domain and Private, and Allow the connection option at the next screen. And click Finish.

To reduce the exposure to this service we can remove the Private and only leave only Domain profile in place. Double-click the new rule we just created, go to Advanced tab and uncheck the Private option from the Profiles section.

Test it out

You can scan the port 5985 on the remote computer to see if it responses, like below:

Test-NetConnection -ComputerName remote_computer -Port Port#

 

Oh, simply open a PowerShell session on the remote computer and see if it succeeds.

Enter-PSSession -ComputerName remote_computer

SecHard