# WinRM on a computer in an AD domain

<p class="callout info">This guide helps you perform a basic configuration of WinRM, *but you will need to adjust the settings for your environment should you require any particular parameters.*</p>

To sum up:

1. Create a **Group Policy object** for the Active Directory® (**AD**) domain to which the computer belongs (note the time it may take for changes to propagate).
2. Edit the item created in step 1 with the services required for **WinRM**.
3. Create rules in the **Firewall** (of the operating system) to allow the incoming connection.

### Creating a Group Policy

- Go to the MS Windows **Control Panel** and open **Administrative Tools**.
- Open **Group Policy Management** and select the domain the computer belongs to.
- Click with the secondary mouse button (*secondary-click*) and select **Create a GPO in this domain**.
- Enter "Enable WinRM" and click **OK**.

#### Allow Remote Server Management with WinRM

- *Secondary-click* on the newly created group policy ("Enable WinRM") and select **Edit**.
- Click on **Computer Configuration → Policies → Administrative Templates: Policy definitions → Windows Components → Windows Remote Management (WinRM) → WinRM Service**.
- *Secondary-click* on **Allow remote server management through WinRM** and select **Edit**.
- Select **Enabled** to allow remote server management through WinRM, enter an asterisk in each field (an asterisk makes the WinRM service listen on every local address) and click **OK**.

#### Enable WinRM at startup

- Go to the **Group Policy Management Editor** window and click **Preferences → Control Panel Settings → Services**.
- *Secondary-click* on **Services** and select **New → Service**.
- Select automatic start and enter "WinRM" as the service name.
- Start the service with the **Start service** button, leave the other fields with their default values and click **OK**.

#### Configuring rules in MS Windows Firewall

##### Add exception for remote administration

- In the **Group Policy Management Editor** tree, click **Computer Configuration → Policies → Administrative Templates: Policy definitions → Network → Network Connections → Windows Firewall → Domain Profile**.
- *Secondary-click* on **Windows Firewall**, select **Allow inbound remote administration exception**, click **Edit** and select **Enabled**.
- In the field **Allow unsolicited incoming messages from these IP addresses**, enter the IP address of the PFMS server and click **OK**.

##### Add exception for ICMP

- *Secondary-click* on **Windows Firewall** and select **Allow ICMP exception**.
- Click **Edit** and select **Enabled**.
- Check the checkbox labeled **Allow inbound echo request** and click **OK**.

##### Add input rule

- In the **Group Policy Management Editor** tree, click on **Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Windows Firewall with Advanced Security → Inbound Rules**.
- *Secondary-click* on **Inbound Rules**, select **New rule** and then **Predefined**.
- Select **Windows Remote Management** from the list of services and click **Next**.
- Uncheck the public rule, select the domain, check the private rule and click **Next**.
- Leave the other fields with the default values, click **Finish** to save the changes.
- *Secondary-click* on the new rule, select **Properties** and click on the **Advanced** tab.
- Uncheck **Private** and click **OK**.
- In the **Group Policy Management Editor** tree, click on **Computer Configuration → Policies → Windows Settings → Security Settings → Network List Manager Policies**.
- *Secondary-click* on **Unidentified Networks** and click on **Properties**.
- Change the **Not configured** setting to **Private** and click **OK**.

Finally, close the **Local Group Policy Editor** windows.
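
An added check, not part of the original guide: once the GPO has propagated, this read-only PowerShell, run elevated on the managed computer, confirms each setting made above. It assumes an English-language OS (the firewall group name is localized) and the standard policy registry location for the WinRM service; `Add-Result` is a helper defined here for the report.

```powershell
# Added example: read-only post-deployment check for the "Enable WinRM" GPO.
# Run in an elevated session on the managed computer, after gpupdate /force.
$report = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Value, $Ok) {
    $report.Add([pscustomobject]@{ Check = $Check; Value = "$Value"; Ok = [bool]$Ok })
}

# Service configured by the GPO preference: running, automatic start.
$svc = Get-Service -Name WinRM
Add-Result 'Service status'     $svc.Status    ($svc.Status -eq 'Running')
Add-Result 'Service start type' $svc.StartType ($svc.StartType -eq 'Automatic')

# Values written by "Allow remote server management through WinRM".
# Assumption: standard policy key for the WinRM service.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
Add-Result 'Policy AllowAutoConfig' $pol.AllowAutoConfig ($pol.AllowAutoConfig -eq 1)
Add-Result 'Policy IPv4Filter'      $pol.IPv4Filter      ($null -ne $pol.IPv4Filter)
Add-Result 'Policy IPv6Filter'      $pol.IPv6Filter      ($null -ne $pol.IPv6Filter)

# A listener must answer locally once the policy is in effect.
$wsman = Test-WSMan -ErrorAction SilentlyContinue
Add-Result 'Local WS-Man listener' $wsman.ProductVersion ($null -ne $wsman)

# Enabled inbound WinRM rules from all sources (local and GPO).
# After the "Add input rule" steps, each should apply to the Domain profile only.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore `
            -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$ruleCount = @($rules).Count
Add-Result 'Enabled WinRM inbound rules' $ruleCount ($ruleCount -gt 0)
foreach ($r in $rules) {
    $profiles = "$($r.Profile)"   # e.g. "Domain" or "Domain, Private"
    Add-Result "Rule profile: $($r.DisplayName)" $profiles ($profiles -eq 'Domain')
}

# Network category per interface (Unidentified Networks was set to Private).
foreach ($n in Get-NetConnectionProfile) {
    Add-Result "Network category: $($n.InterfaceAlias)" $n.NetworkCategory `
        ($n.NetworkCategory -ne 'Public')
}

$report | Format-Table -AutoSize -Wrap
```

A row with `Ok` set to `False` on a rule profile means a WinRM rule is still enabled outside the Domain profile, which is what the **Advanced** tab step is meant to prevent.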