How do I configure and troubleshoot WinRM?

To configure WinRM:

Entuity v19.0 upwards supports monitoring for Windows servers via WinRM. Before you can monitor Windows servers, you must configure WinRM on the server for remote management. Please see below for details on how to configure WinRM.

The WinRM service must be running on the Windows server that is to be monitored/discovered. Default installations of Microsoft Windows Server 2012 and above come with the WinRM service running by default, and so in this case no extra steps are needed.
- If the server is running a different Windows OS version, or a non-default configuration, the following command can be used to configure the server for remote management (note, this requires administrative privileges):
  winrm quickconfig
You must ensure that the WinRM service is not blocked by a firewall and therefore is remote accessible. By default, WinRM uses port 5985, which needs to be open. If WinRM is configured to use a non-default port, then this port needs to be open. Note, Entuity can use the non-default port.
You must ensure that a user account with appropriate privileges is used on the Windows server. The user account must be part of the local administrators group on the managed server. Entuity uses Microsoft's negotiate authentication method, allowing Entuity to manage Windows machines that are either part of the domain or not. You can use the following username formats to do so:
- to manage a Windows OS that is part of the domain, use <domain>\<user> format, e.g. 'mydomain\username'
- to manage a Windows OS that is not part of the domain, use just the username, e.g. 'Administrator'

To configure WinRM access as a non-admin user:

It is possible to manage Windows OS with a user account that is not a member of the local administrators group. There are four requirements for configuring non-admin user access, each of which are explained below:

User must be a member of required groups.
User must have access to WinRM resources.
User must have access to WMI namespace.
User must have query service manager permissions.

Notes:

as a prerequisite, the below instructions assume that you have created a domain user account which will be used for monitoring. In the below instructions, it is referred to as <domain>\<user>, which will be replaced with an actual domain user when setting up the non-admin user.
all actions in the below instructions are performed on the Windows server that is to be monitored with an administrative account (command prompt runs as administrator).

To add the user to the required groups:

In the command prompt, execute the following commands:
net localgroup "Remote Management Users" /add <domain>\<user>
net localgroup "Performance Monitor Users" /add <domain>\<user>

To give the user access to WinRM resources:

In the command prompt, execute the following command:

winrm configSDDL default
This command will open the Permissions for Default dialog.
In the Group or user names section, add <domain>\<user> to the list.
Select the <domain>\<user> you have just added, and in the Permissions section beneath, check 'Allow' for Read(Get,Enumerate,Subscribe) and Execute(Invoke). The following screenshot shows the example user 'entuity@places.world':
Click OK to confirm your changes.

To give the user access to WMI namespace:

In the command prompt, execute the following prompt:
This will open the WmiMgmt console. Right click on WMIControl (Local), and from the context menu click Properties.

This will open the WMI Control (Local) Properties dialog. Under the Security tab, select Root and then click Security at the bottom of the window.

This will open the Security for Root dialog. In the Group or user names section, add 'Remote Management Users' group.
Select the newly added 'Remote Management Users' group from the list and click Advanced at the bottom of the window.

This will open the Advanced Security Settings for Root dialog. Select the 'Remote Management Users' group and click Edit.

This will open the Permission Entry for Root dialog. In the Applies to dropdown field, select 'This namespace and subnamespaces'.
In the Permissions section, tick the following boxes:

Execute Methods

Enable Account

Remote Enable

Click OK to save your changes.

To allow the user service control manager queries:
Open command prompt in Administrator mode.
Obtain and take note of the SID of the user by using 'wmic useraccount where name="<username>" get name,sid'.
Output the existing SDDL, which you will need to adjust by using 'sc sdshow scmanager'. The output will be similar to the below (note the 'S:' in the SDDL - you will be adding new text immediately before it):

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;<user SID>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Create a new SDDL snippet that is to be inserted into the original SDDL obtained in Step 3 above. The content of the snippet is:
(A;;CCLCRPWPRC;;;<SID of User>)
You need to replace <SID of User> with the SID obtained in Step 2 above. After replacement, the snippet will look similar to the following:

(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)
Place the above snippet immediately before 'S:' of the original SDDL obtained. This will look similar to the following:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Update the service manager SDDL:
sc sdset scmanager <SDDL from Step 5>

Troubleshooting Windows OS monitoring:

In some cases, errors may be caused by the WMI performance metrics database being out of sync. To resolve this issue, follow the below instructions:

Log in to the affected server.
From the command line (run as Administrator), issue the following commands:
cd %windir%\system32\
lodctr /R
cd %windir%\sysWOW64\
lodctr /R