August 9, 2024

How to Enable and Configure WinRM (Windows Remote Management) via GPO

In this article, we will show how to enable and configure Windows Remote Management (WinRM) on domain computers using Group Policy (GPO). Windows Remote Management is an implementation of the WS-Management Protocol for remote management of Windows desktops and servers. WinRM allows you to remotely manage computers through:

  • Server Manager (Windows Server)
  • PowerShell Remoting (PSSession)
  • Windows Admin Center (WAC)

Contents:
  • How to Manually Enable WinRM in Windows?
  • Configuring WinRM via Group Policy
  • Checking WinRM Settings and PowerShell Connectivity

How to Manually Enable WinRM in Windows?

The WinRM service is available in all modern Windows versions. In Windows Server it is enabled by default, but it is disabled in desktop Windows 11/10/8.1 editions. By default, the WinRM listener doesn’t accept remote connections. To check it, run the command below on a client:

WinRM enumerate winrm/config/listener

You will see an error saying that WinRM is not configured:

WSManFault Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number: -2144108526 0x80338012


To enable and configure the WinRM service on Windows, it is enough to run this command:

winrm quickconfig

or

Enable-PSRemoting -Force

WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.


This command changes the WinRM service startup type to automatic, applies the default WinRM settings, and adds exceptions for the WinRM ports (TCP 5985 and 5986) to Microsoft Defender Firewall.

Configuring WinRM via Group Policy

You can automatically enable and configure WinRM on domain computers using Windows GPO.

  1. Open the Group Policy Management Console (gpmc.msc), select an Active Directory container (Organizational Unit) with the computers you want to enable WinRM on, and create a new GPO: corpEnableWinRM;
  2. Open the policy to edit it;
  3. Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services. Find the Windows Remote Management (WS-Management) service and enable automatic startup for it;
  4. Then go to Computer Policies -> Preferences -> Control Panel Settings -> Services. Select New -> Service. Enter the service name WinRM, and select the Restart the Service action on the Recovery tab;
  5. Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service. Enable Allow remote server management through WinRM. In the IPv4/IPv6 filter boxes, you can specify the IP addresses or subnets on which WinRM should listen for connections. If you want to allow WinRM connections on all IP addresses, leave * here;
  6. Create Windows Defender Firewall rules allowing WinRM connections on the default ports TCP/5985 and TCP/5986. Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules. Select the predefined Windows Remote Management rule;
    Learn more about how to configure Windows Defender rules and open ports using GPO.
  7. Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Shell and enable Allow Remote Shell Access.

Update GPO settings on your clients and make sure that WinRM has been configured automatically. You can use the gpresult tool to troubleshoot Group Policy settings on client computers.

Checking WinRM Settings and PowerShell Connectivity

To check that the WinRM settings on the computer are configured through GPO, run the command:

winrm e winrm/config/listener

The command displays the current WinRM listener settings. Note the Listener [Source="GPO"] line. This means that the current WinRM settings are configured through the GPO.


You can use HTTPS to secure your WinRM/PowerShell Remoting connections.

You may list the complete configuration of your WinRM service using this command:

winrm get winrm/config
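
One way to confirm on a client that the GPO produced the intended state, and to flag the broad settings from steps 5 and 6 (the * filter and firewall rules open to any remote address). This is an added example, not part of the original article; it assumes an elevated session, the registry value names written by the WinRM Service administrative template, and that the firewall rules can be identified by local port 5985/5986.

```powershell
# Added audit example: run elevated on a client after gpupdate /force.
$findings = [System.Collections.Generic.List[string]]::new()

# Step 3: service must start automatically and be running
$svc = Get-Service -Name WinRM
if ($svc.StartType -ne 'Automatic') { $findings.Add("WinRM start type is $($svc.StartType)") }
if ($svc.Status -ne 'Running')      { $findings.Add("WinRM service is $($svc.Status)") }

# Step 5: values written by "Allow remote server management through WinRM"
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if (-not $pol -or $pol.AllowAutoConfig -ne 1) {
    $findings.Add('AllowAutoConfig is not 1: the policy has not applied (check gpresult)')
} else {
    foreach ($name in 'IPv4Filter', 'IPv6Filter') {
        if ($pol.$name -eq '*') { $findings.Add("$name is '*': WinRM listens on every address") }
    }
}

# Listener source and transport, read from the same command the article uses
$listenerText = winrm enumerate winrm/config/listener 2>&1 | Out-String
if ($listenerText -notmatch 'Source="GPO"') {
    $findings.Add('No listener with Source="GPO": listener settings are local, not from policy')
}
if ($listenerText -match 'Transport = HTTP\s' -and $listenerText -notmatch 'Transport = HTTPS') {
    $findings.Add('Only an HTTP listener (TCP 5985) exists; traffic is not wrapped in TLS')
}

# Step 6: enabled inbound allow rules on the WinRM ports, and who may reach them
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^598[56]$' }
if (-not $rules) { $findings.Add('No enabled inbound allow rule for TCP 5985/5986') }
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings.Add("Firewall rule '$($rule.DisplayName)' [$($rule.Profile)] allows any remote address")
    }
}

if ($findings.Count) { $findings } else { 'WinRM matches the GPO; no broad-exposure findings' }
```

A finding about `*` or an "Any" remote address is the result of leaving the defaults in steps 5 and 6; narrowing the filter and the rule scope to the management subnets clears it.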

Then try to connect to a remote computer via WinRM. Open the PowerShell console and run the command below:

Test-WsMan wsk-w10b01

If WinRM is enabled, the following response will appear:

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0


You can check for an open WinRM port (TCP/5985) on the remote computer with PowerShell:

Test-NetConnection -ComputerName wsk-w10b01 -Port 5985

Then you may try to connect to a remote computer interactively using PSRemoting and the Enter-PSSession cmdlet:

Enter-PSSession wsk-w10b01


In this case, the connection is successfully established and the PS console of the remote host appears.

Besides interactive sessions, you can use the Invoke-Command cmdlet to execute commands and scripts on a remote computer:

Invoke-Command -ComputerName wsk-w10b01 -ScriptBlock {ipconfig /all}

If the PSRemoting connection is established, you will see the ipconfig output on the screen.

You can also run a command on a remote host as follows:

winrs -r:wsk-w10b01 dir

In some cases, you may see the following error when connecting via PSSession:

Enter-PSSession : Connecting to remote server wsk-w10BO1 failed with the following error message : Access is denied.
CategoryInfo : InvalidArgument: (wsk-w10b01:String) [Enter-PSSession], PSRemotingTransportException
FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Check current WinRM connection permissions:

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell

Make sure that your account is a member of the Administrators or Remote Management Users group (check how to allow WinRM connection for non-admin users) and that the group has FullControl permissions. Also, make sure that there are no Deny rules.
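
The same check without the GUI dialog, as an added example that is not part of the original article: it lists each ACE on the Microsoft.PowerShell endpoint, warns on Deny entries, and shows the members of the two groups. It assumes an elevated session on the target computer and the English names of the built-in groups.

```powershell
# Added example: read the Microsoft.PowerShell endpoint ACL from its SDDL (run elevated).
$config = Get-PSSessionConfiguration -Name Microsoft.PowerShell
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($config.SecurityDescriptorSddl)

$aces = foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }              # unresolvable SID: show it raw
    [pscustomobject]@{
        Principal = $name
        Type      = $ace.AceQualifier         # AccessAllowed or AccessDenied
        Mask      = '0x{0:X8}' -f $ace.AccessMask   # 0x10000000 = GENERIC_ALL
    }
}
$aces | Format-Table -AutoSize

# A Deny ACE wins over any Allow entry for the same user
$deny = $aces | Where-Object Type -eq 'AccessDenied'
if ($deny) { Write-Warning "Deny entries present: $($deny.Principal -join ', ')" }

# Members of the two local groups the article names (names are localized on non-English systems)
foreach ($group in 'Administrators', 'Remote Management Users') {
    Get-LocalGroupMember -Group $group |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass |
        Format-Table -AutoSize
}
```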


You can configure WinRM and PSRemoting in a workgroup environment (without an Active Directory domain) according to the following guide.
3 comments

Kyle August 7, 2024 - 5:20 pm

7. Configuration -> Policies -> Windows Components -> Windows Remote Shell
Should be Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Shell. Thank you for the help.

admin August 9, 2024 - 1:06 pm

Fixed, thanks!

Bala December 7, 2024 - 4:38 pm

Good Article, Keep it up!..
