WinRM or Windows Remote Management is a service that allows execution of queries and commands on a Windows computer remotely from another Windows computer in the network. Just like SSH or Remote Terminal on other OS, WinRM is an extremely useful tool for administrator on a managed domain environment. By default WinRM is enabled on Windows Server 2012, but not enabled on Windows client such as Windows 7, 8, or 10. However, administrator can control the feature by enabling it using Group Policy. This article shows how to enable WinRM via Group Policy in Server 2012 R2.
How to Enable WinRM via Group Policy
There are three things that needs to be done on the target computer and all these things will be achieved using GPO, which are:
- Enabling WinRM service
- Allowing remote management access on the computer
- Opening firewall ports required for Windows Remote Management
This demonstration is using Windows Server 2012 R2 as the Domain Controller and Windows 10 as the targeted client PC. In the scenario, the client PC is joined to a domain named asaputra.com and is placed under the OU path “asaputra.com\Workstations\W10”
1. Create the policy
The policy could be a new GPO or using existing GPO in the Group Policy Management Console at the Domain Controller. In this example a new GPO is created with the name “Global Management”
2. Edit the settings — Enable WinRM service
Open up the editor window by right-clicking on the policy object and choose “Edit”. The first thing to be done here is telling the targeted PC to enable WinRM service. Go to Computer Configuration > Preferences > Control Panel Settings > Services, then right click on the blank space and choose New > Service
The service parameter that we need to fill out is as follows:
Click OK to save the parameters but don’t close the policy editor just yet.
3. Edit the settings — Allowing remote management access
Next, still on the same policy object, the next thing to configure is the list of IP addresses that are allowed to do remote management access on the target computer. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Services. Then double click on “Allow remote server management through WinRM” to modify the setting as follows:
NB: From security perspective it is best to limit the IP address range as least as possible. However, for this example, an asterisk sign (*) is specified on the field to allow remote access from any IP address.
Click OK to save the settings and again, do not close the policy editor just yet.
4. Edit the settings — Opening Firewall ports
Last thing to be done here is creating a new rule for the Firewall on the targeted client PC. Go to Computer Configurations > Policies > Security Settings > Windows Firewall and Advanced Security > Windows Firewall and Advanced Security then right click on Inbound Rules > New Rule
Select the Windows Remote Management from the predefined rule set as shown below, click Next
Leave the tick mark only on Domain and Private profile, click Next.
Set the action to Allow the connection.
Click Finish to save the configuration and now policy editor window can be closed.
5. Apply the policy to the computer OU
As this is a computer policy, it has to be applied to on the OU where to computer resides. As in this scenario, here’s how it looks when the policy is applied:
Once Group Policy is refreshed, all those 3 settings configured above will be reflected to the client computer.
This command below can be run on PowerShell with administrator privilege to test WinRM connection to the target computer
Test-WsMan [Target Hostname/IP address]
If WinRM has been successfully enabled, it will response like this:
Otherwise, an error message as shown below will appear:
To troubleshoot this error, verify the settings on the targeted client computer has been correctly set. If we go to Services > Windows Remote Management, the see service status should be Running.
Also, with administrator privilege on the client we can verify using RSoP whether Group Policy has been enabled and the required firewall rule has been in place.
And that’s how you can enable WinRM via Group Policy.