TechDirectArchive

Configure WinRM to accept connection from a specific IP Address

Posted on 10/10/2024 by Christian

In this article, we shall discuss how to enable and configure WinRM to accept connections from a specific IP address. Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, a standard web services protocol used for remote software and hardware management. Please see Enabling and Configuring WinRM via GPO, and how to configure a remote Windows Server to Support Ansible.

WinRM enables administrators to remotely execute commands, retrieve data, and perform management tasks on a Windows PC from another PC. Below are some key features of Windows Remote Management (WinRM).

  • It enables you to run commands on a remote Windows PC. This makes it useful for remote system administration tasks.
  • WinRM supports PowerShell remoting. This enables Windows administrators to execute PowerShell scripts remotely.
  • WinRM allows you to query system information (such as hardware configurations, operating system details, etc.) from remote computers.
  • Communication over WinRM can be encrypted and secured using HTTPS. This ensures that sensitive data is protected.

Also, see How to setup Windows Admin Center, “How to install Chocolatey” and “How to install, upgrade and uninstall software with Chocolatey“.

Enable and Configure WinRM

WinRM is started automatically on newer versions of Windows Server (that is, from Windows Server 2008 onward, at the time of writing this piece).

Note: WinRM is not configured by default on Windows PCs or Servers, even when the WinRM service is running.

Run the following command in an elevated command prompt or PowerShell session. This command configures WinRM with default settings and starts the service.

winrm quickconfig

The error below is expected, because we have firewall rules enabled for the Public profile:

WinRM service type changed successfully.
WinRM service started.
WSManFault
    Message
        ProviderFault
            WSManFault
                     Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Error number: -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
PS C:\windows\system32>

Ideally, you have to change the network connection type from Public to either Domain or Private in the Network and Sharing Center on your Windows PC. But all rules are fine by me.

Note: In this case, we need to configure an exception.


Click on Advanced firewall Settings to access the firewall rules.


If you cannot change the network type due to company policy, you can either use the Advanced Firewall Settings above or manually create a firewall rule that allows WinRM traffic without relying on the automatic exception. To do so, run the following command in an elevated Command Prompt.

netsh advfirewall firewall add rule name="Allow WinRM" dir=in action=allow protocol=TCP localport=5985,5986

This command adds a rule that allows inbound traffic on the WinRM ports (5985 for HTTP and 5986 for HTTPS) without relying on the public network exception. Because it sets no remoteip, the rule accepts those connections from any source address.

Please see How to enable or disable WinRM via the command-line, how to Configure SQL Server Instance to listen on a specific TCP Port, and Concept of Ansible on Windows using Cygwin.

Configure WinRM Listener for a Specific IP Address

By default, WinRM listens on all IP addresses. You can create or modify a listener to restrict it to a specific IP address.

Note: This step is optional. If a listener already exists and listens on all IPs, you might want to delete it first.

winrm delete winrm/config/Listener?Address=*+Transport=HTTP

For HTTPS, use the command below to delete the listener.

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

Create a New Listener

I will be creating a listener for a specific IP address. Please replace 192.168.x.xxx with the IP address you want to allow. This should be a jump PC or an administrative PC, so that you can remotely manage other PCs from it.

winrm create winrm/config/Listener?Address=192.168.1.100+Transport=HTTP

If you are utilizing HTTPS, please run the command below instead.

winrm create winrm/config/Listener?Address=192.168.x.xxx+Transport=HTTPS

Configure Windows Firewall to Accept Connections from the Specific IP

Internet Connection Firewall (ICF) blocks access to ports. That is, by default, the WinRM listener doesn’t accept remote connections.

The agreed goal is to configure the Windows Defender Firewall rule so that connections to remote PCs are accepted only from the management PC (Windows Admin Center), for security reasons. This can be achieved easily via GPO.

You can restrict access to your PC via Windows Defender Firewall by editing inbound rules. Under the scope, enter the IP of the management PC and remove all other IPs.

Next, you need to ensure that the Windows Firewall allows traffic on the WinRM port (by default 5985 for HTTP and 5986 for HTTPS) from the specific IP address.

Launch PowerShell or the Command Prompt as Administrator and run the following command, replacing the IP 192.168.x.xxx with the IP address you want to allow. Use the command below for HTTP (Port 5985).

netsh advfirewall firewall add rule name="Allow WinRM from specific IP" dir=in action=allow protocol=TCP localport=5985 remoteip=192.168.x.xxx

For HTTPS connections, please use the command below.

netsh advfirewall firewall add rule name="Allow WinRM from specific IP" dir=in action=allow protocol=TCP localport=5986 remoteip=192.168.x.xxx
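
To confirm that the restriction actually holds, the following added example (not part of the original article) lists the WinRM listeners and every enabled inbound allow rule that reaches port 5985 or 5986, flagging any rule whose remote scope is wider than the management PC. Windows Firewall allow rules are additive, so a broader rule such as the earlier "Allow WinRM" rule still admits other sources after the scoped rule is added. $ManagementIp (a constructed value) and Test-PortCovered are names chosen for this example.

```powershell
# Added example, not from the original article. Run elevated on the managed PC.
# Assumption: $ManagementIp is the jump/admin PC allowed to connect (constructed value).
$ManagementIp = '192.168.1.50'
$WinRmPorts   = 5985, 5986

# True when a LocalPort filter ('Any', '5985', '5000-6000', ...) covers $Port.
function Test-PortCovered {
    param([string[]]$Filter, [int]$Port)
    foreach ($entry in $Filter) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# 1. Listeners: Address and ListeningOn are the local addresses WinRM is bound to.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Address, Transport, Port, Enabled, ListeningOn | Format-List

# 2. Enabled inbound allow rules that reach a WinRM port, with their remote scope.
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $ports = $rule | Get-NetFirewallPortFilter
    if ($ports.Protocol -notin 'TCP', 'Any') { continue }
    # WinRM is served by the kernel HTTP stack, so only 'System' or unscoped rules apply.
    if (($rule | Get-NetFirewallApplicationFilter).Program -notin 'System', 'Any') { continue }
    $hit = @($WinRmPorts | Where-Object { Test-PortCovered -Filter $ports.LocalPort -Port $_ })
    if ($hit.Count -eq 0) { continue }
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    [pscustomobject]@{
        Rule     = $rule.DisplayName
        Profile  = $rule.Profile
        Ports    = $hit -join ','
        RemoteIp = $remote -join ','
        # Textual comparison: anything other than the single management IP is flagged.
        TooBroad = [bool]($remote | Where-Object { $_ -ne $ManagementIp })
    }
}
$findings | Sort-Object TooBroad -Descending | Format-Table -AutoSize -Wrap
```

Any row with TooBroad set to True is a rule to disable or re-scope before relying on the per-IP rule.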

Please see how to fix “WinRM cannot complete the operation, verify that the specified computer name is valid“, how to install Winglet and how to install applications with Winglet CLI.

Test the Connection

To test the connection, launch PowerShell as an “Administrator” or the “Command Prompt” on the client PC (with IP 192.168.x.xxx) that you have configured the exception for. You can test the WinRM connection using the following PowerShell command:

Test-WSMan -ComputerName "192.168.x.100"

This is the IP “192.168.x.100” of the remote PC which you wish to administer. If successful, you will see a prompt confirming that WinRM is available on the remote PC.

Note: If you’re working with PCs in a non-domain environment, ensure that both client and server trust each other’s IP addresses by setting up the trusted hosts.

winrm set winrm/config/client @{TrustedHosts="192.168.1.100"}

Please see how to add servers to the Trusted Hosts list, and how to fix Error: Failed to create a scheduled task, cannot perform the operation because the runspace pool is not in the open state.

I hope you found this article very useful on How to enable and Configure WinRM to accept connection from a specific IP Address. Please feel free to leave a comment below.
