Guide to Configuring WinRM on MS Windows
Quick guide for configuring WinRM on Windows systems for computers with or without domain in Active Directory.
WinRM on a computer that is not part of an AD domain
This guide is an aid to perform a basic configuration of WinRM, but you will need to adjust the configuration for your environment if you require any particular parameter.
- You must ensure that the network you are connecting to is private, in a PowerShell® terminal window:
Get-NetConnectionProfile
Set-NetConnectionProfile -Name "MYWIFINETWORK" -NetworkCategory Private- Activation of the administrator user and assignment of a password:
net user administrator /active:yes
net user administrator *- WinRM configuration and allow connection from specific or all hosts:
winrm quickconfig
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *- Restart the service:
Restart-Service WinRM
WinRM on a computer in an AD domain
This guide is an aid to perform basic configuration of WinRM, but you will need to adjust the settings for your environment should you require any particular parameters.
To sum up:
- Create a Group Policy object for the Active Directory® (AD) domain to which the computer belongs (note the time it may take for changes to propagate).
- Edit the item created in step 1 with the services required for WinRM.
- Create rules in the Firewall (of the operating system) to allow the incoming connection.
Creating a Group Policy
- Go to the MS Windows Control Panel and open Administrative Tools.
- Open Group Policy Management and select the domain the computer belongs to.
- Click with the secondary mouse button (secondary-click) and select Create a GPO in this domain.
- Enter "Enable WinRM" and click OK.
Allow Remote Server Management with WinRM
- Secondary-click on the newly created group policy ("Enable WinRM") and select Edit.
- Click on Computer Configuration → Policies → Administrative Templates: Policy definitions → Windows Components → Windows Remote Management (WinRM) → WinRM Service.
- Secondary-click on Allow remote server management through WinRM and select Edit.
- Select Enabled to allow remote server management through WinRM, enter an asterisk in each field and click OK.
Enable WinRM at startup
- Go to the Group Policy Management Editor window and click Preferences → Control Panel Settings → Services.
- Secondary-click on Services and select New → Service.
- Select automatic start and enter "WinRM" as the service name.
- Start the service with the Start service button and leave the other fields with their default values and click OK.
Configuring rules in MS Windows Firewall
Add exception for remote administration
- In the Group Policy Management Editor tree, click Computer Configuration → Policies → Administrative Templates: Policy definitions → Network → Network Connections → Windows Firewall → Domain Profile.
- Secondary-click on Windows Firewall, select Allow inbound remote administration exception and click on Edit and configure Enabled.
- At field Allow unsolicited incoming messages from these IP addresses enter the IP address of PFMS server and click OK.
Add exception for ICMP
- Secondary-click on Windows Firewall and select Allow ICMP exception.
- Click Edit and select Enabled.
- Check the checkbox labeled Allow inbound echo request and click OK.
Add input rule
- In the Group Policy Management Editor tree, click on Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Windows Firewall with Advanced Security → Inbound Rules.
- Secondary-click on Inbound Rules, select New rule and then Predefined.
- Select Windows Remote Management from the list of services and click Next.
- Uncheck the public rule, select the domain, check the private rule and click Next.
- Leave the other fields with the default values, click Finish to save the changes.
- Secondary-click on the new rule, select Properties and click on the Advanced tab.
- Uncheck Private and click OK.
- In the Group Policy Management Editor tree, click on Computer Configuration → Policies → Windows Settings → Security Settings → Network List Manager Policies.
- Secondary-click on Unidentified Networks and click on Properties.
- Change the Not configured setting to Private and click OK.
Finally close the Local Group Policy Editor windows.