How to Enable WinRM via Group Policy




WinRM, or Windows Remote Management, is a service that allows queries and commands to be executed on a Windows computer remotely from another Windows computer on the network. Like SSH or a remote terminal on other operating systems, WinRM is an extremely useful tool for administrators in a managed domain environment. By default WinRM is enabled on Windows Server 2012, but not on Windows clients such as Windows 7, 8, or 10. However, administrators can enable it using Group Policy. This article shows how to enable WinRM via Group Policy in Server 2012 R2.

There are three things that need to be done on the target computer, all of which will be achieved using a GPO:

  • Enabling WinRM service
  • Allowing remote management access on the computer
  • Opening firewall ports required for Windows Remote Management

Step-by-step

This demonstration uses Windows Server 2012 R2 as the Domain Controller and Windows 10 as the target client PC. In this scenario, the client PC is joined to a domain named asaputra.com and is placed under the OU path “asaputra.com\Workstations\W10”.

1. Create the policy
The policy can be a new GPO or an existing GPO in the Group Policy Management Console on the Domain Controller. In this example a new GPO is created with the name “Global Management”.



2. Edit the settings — Enable WinRM service
Open the editor window by right-clicking the policy object and choosing “Edit”. The first thing to do here is to tell the target PC to enable the WinRM service. Go to Computer Configuration > Preferences > Control Panel Settings > Services, then right-click on the blank space and choose New > Service.

The service parameters that we need to fill out are as follows:

How to Enable WinRM via Group Policy - 3

Click OK to save the parameters but don’t close the policy editor just yet.

3. Edit the settings — Allowing remote management access
Next, still in the same policy object, configure the list of IP addresses that are allowed remote management access to the target computer. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service, then double-click “Allow remote server management through WinRM” and modify the setting as follows:

How to Enable WinRM via Group Policy - 4

NB: From a security perspective it is best to keep the allowed IP address range as narrow as possible. However, for this example, an asterisk (*) is specified in the field to allow remote access from any IP address.

Click OK to save the settings and again, do not close the policy editor just yet.

4. Edit the settings — Opening Firewall ports
The last thing to do here is to create a new firewall rule for the target client PC. Go to Computer Configuration > Policies > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security, then right-click Inbound Rules > New Rule.

Select Windows Remote Management from the predefined rule set as shown below, then click Next.

How to Enable WinRM via Group Policy - 5

Leave only the Domain and Private profiles ticked, then click Next.

Set the action to Allow the connection.

Click Finish to save the configuration; the policy editor window can now be closed.

5. Apply the policy to the computer OU
As this is a computer policy, it has to be applied to the OU where the computer resides. In this scenario, here’s how it looks when the policy is applied:

How to Enable WinRM via Group Policy - 8

Once Group Policy is refreshed, all three settings configured above will be applied to the client computer.

Verification

The command below can be run in PowerShell with administrator privileges to test the WinRM connection to the target computer:

Test-WsMan [Target Hostname/IP address]

If WinRM has been successfully enabled, it will respond like this:

How to Enable WinRM via Group Policy - 9

Otherwise, an error message as shown below will appear:

How to Enable WinRM via Group Policy - 10

To troubleshoot this error, verify that the settings on the target client computer have been set correctly. If we go to Services > Windows Remote Management, the service status should be Running.

Also, with administrator privileges on the client, we can use RSoP to verify whether the Group Policy has been enabled and the required firewall rule is in place.

You can also review the Windows Firewall.
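The three client-side checks above (service, WinRM policy, firewall rule) can be collected into one script. This is an added example, not part of the original article: it assumes an elevated PowerShell session on an English-language Windows 10 client, and the function name Test-WinRMGpoState is made up for illustration. It also flags the wildcard (*) filter mentioned in the NB of step 3 and any WinRM rule active on the Public profile.

```powershell
# Added example (not from the original article). Run elevated on the target client.
function Test-WinRMGpoState {
    # 1. Service enabled by the GPO preference item: it must be running.
    $svc = Get-Service -Name WinRM
    if ($svc.Status -eq 'Running') { $svcResult = 'OK' } else { $svcResult = 'FAIL' }

    # 2. "Allow remote server management through WinRM" is stored under this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $filter = $null
    if ($pol) { $filter = $pol.IPv4Filter }
    if (-not $pol -or $pol.AllowAutoConfig -ne 1) { $polResult = 'FAIL' }
    elseif ($filter -eq '*') { $polResult = 'WARN' }   # any source address is accepted
    else { $polResult = 'OK' }

    # 3. Firewall: query ActiveStore so that rules delivered by GPO are included;
    #    the default store only holds locally defined rules.
    #    Assumption: English UI, where the predefined group is named as below.
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore `
                   -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and
                              $_.Direction -eq 'Inbound' -and
                              $_.Action -eq 'Allow' })
    $profiles = ($rules | ForEach-Object { "$($_.Profile)" } | Sort-Object -Unique) -join '; '
    if ($rules.Count -eq 0) { $fwResult = 'FAIL' }
    elseif ($profiles -match 'Public|Any') { $fwResult = 'WARN' }   # step 4 ticks only Domain and Private
    else { $fwResult = 'OK' }

    # One result object per check.
    [pscustomobject]@{ Check = 'WinRM service';      Value = "$($svc.Status)"; Result = $svcResult }
    [pscustomobject]@{ Check = 'WinRM IPv4 filter';  Value = "$filter";        Result = $polResult }
    [pscustomobject]@{ Check = 'Inbound WinRM rule'; Value = $profiles;        Result = $fwResult }
}

Test-WinRMGpoState | Format-Table -AutoSize
```

A WARN on the IPv4 filter means the policy still holds the asterisk used in this walkthrough; replacing it with the address range of the management hosts limits which sources the WinRM listener accepts.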

And that’s how you can enable WinRM via Group Policy.




Arranda Saputra

ITIL Certified, CCNA, CCDA, VCP6-DCV, MCSA Administering Windows Server 2012
I am an IT practitioner in real life with a specialization in network and server infrastructure. I have years of experience in the design, analysis, operation, and optimization of infrastructure solutions for enterprise-scale networks. You can send me a message on LinkedIn or email arranda.saputra@outlook.com for further inquiries regarding things that I wrote or opportunities to collaborate on a project.
