Enabling and Configuring WinRM via GPO

In this guide, I will show you how to enable and configure WinRM via GPO. Microsoft Windows Remote Management (WinRM) is an implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows communication between hardware and operating systems of different vendors. Please see “Cannot find the computer: Fix the following error occurred while using Kerberos authentication”, and how to fix “An error occurred while attempting to connect to the server: Check if the Virtual Machine Management service is running or you are not authorized to connect to this server”.
WinRM is part of the Windows operating system, but to obtain data from a remote computer you must configure a WinRM listener.
It is a utility for IT pros who write scripts to automate the management of servers and who want to obtain data for management applications.
Please see Configure Windows Admin Center on Windows Server 2019, and Why Software KVMs such as Synergy is replacing Hardware KVMs. Also, see how to Configure WinRM to accept connection from a specific IP Address.
WinRM vs RDP
| WinRM | RDP |
| --- | --- |
| WinRM is a protocol for remote management. | Remote Desktop (RDP) is a protocol for remote desktop access. |
| WinRM allows for remote execution of management commands. | RDP provides a graphical interface for remote desktop access. |
Read more about How to enable or disable WinRM via the command-line, WinRM and PSRemoting: How to configure servers for remote access, and Determine Windows PowerShell version and see if WinRM is running via Test-WSMan.
Steps to Enable and Configure WinRM via GPO
1. Open Group Policy Management on your domain controller by running gpmc.msc.

2. Create a new Group Policy Object and name it. I will give mine “TechDirectGPO”.

3. Enter the name of the new GPO and click OK.

4. Edit the new GPO. Right-click on the GPO and click on Edit.

5. Click Computer Configuration and navigate to Policies > Administrative Templates: Policy definitions > Windows Components > Windows Remote Management (WinRM) > WinRM Service.

6. On the settings panel, right-click “Allow remote server management through WinRM” and click “Edit” to configure the settings.

Enable WinRM
7. After the dialog box opens, click “Enabled” and, under the IP Options section, specify an IP address range or put an asterisk “*” in the IPv4 filter and IPv6 filter text boxes.
Only the IP range you enter will be allowed to remotely manage the PC; entering “*” means all IP addresses will be allowed to remotely manage the PC. Then click OK.

Please see How to determine Tombstone Lifetime in Active Directory, and how to configure a remote Windows Server to Support Ansible.
Automatic Startup
8. Enable the Windows Remote Management (WS-Management) Service to start automatically. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services. Right-click Services > New > Service.

9. Under the New Service Properties set Startup as Automatic. Enter Service Name as WinRM and select Service Action as Start service. Then click OK.

Windows Firewall
10. We will now configure the Windows Firewall to allow inbound network traffic to the PC on the proper ports.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules. Right-click Inbound Rules and select New Rule.

11. On the New Inbound Rule wizard box, check the “Predefined” rule option and select “Windows Remote Management” and click Next.

12. On the Predefined Rules page, uncheck the Public profile box. This allows WinRM access only on the Private and Domain networks. Click Next.

13. Select the “Allow the connection” box and click Finish.

Windows Remote Management (HTTP-In) Properties

We have successfully finished enabling and configuring WinRM for our Active Directory domain via GPO. You will need to wait some time for the GPO to propagate automatically to all devices.
If you want the GPO to apply immediately, you can run “gpupdate /force” on a specific workstation.
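To confirm the policy actually landed after the refresh, the following PowerShell check reads back what each group of steps should have set. It is an added example, not part of the original post. It assumes an elevated session on a computer in scope of the GPO, and that the policy values are stored under the standard WinRM Service policy key shown in the code.

```powershell
# Added example: read back the settings delivered by the GPO steps above.
# Assumption: run from an elevated PowerShell session on a computer in scope of the GPO.
$findings = @()

# Steps 6-7: "Allow remote server management through WinRM" policy values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or $policy.AllowAutoConfig -ne 1) {
    $findings += 'WinRM policy not applied (AllowAutoConfig is not 1)'
} else {
    foreach ($name in 'IPv4Filter', 'IPv6Filter') {
        $value = $policy.$name
        if ([string]::IsNullOrWhiteSpace($value)) {
            $findings += "$name is blank"
        } elseif ($value.Trim() -eq '*') {
            $findings += "$name is '*' (no address restriction)"
        }
    }
}

# Steps 8-9: service startup type and state.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
if ($svc.StartMode -ne 'Auto') { $findings += "WinRM StartMode is '$($svc.StartMode)', expected 'Auto'" }
if ($svc.State -ne 'Running') { $findings += "WinRM service state is '$($svc.State)'" }

# Steps 10-13: enabled inbound allow rules must not cover the Public profile.
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if (-not $rules) { $findings += 'No enabled inbound allow rule in the Windows Remote Management group' }
foreach ($rule in $rules) {
    if ("$($rule.Profile)" -match 'Public|Any') {
        $findings += "Rule '$($rule.DisplayName)' applies to profile '$($rule.Profile)'"
    }
}

# Listener and local responsiveness, checked only when the service is up.
if ($svc.State -eq 'Running') {
    if (-not (Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)) {
        $findings += 'No WinRM listener found'
    }
    if (-not (Test-WSMan -ErrorAction SilentlyContinue)) {
        $findings += 'Test-WSMan got no response from the local service'
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'WinRM settings match the GPO steps.'
}
```

A warning about a “*” filter or a rule on the Public profile is a prompt to revisit step 7 or step 12 in the GPO.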
I hope you found this blog post on Enabling and Configuring WinRM via GPO interesting and helpful. If you have any questions, do not hesitate to ask in the comment section.