How to enforce PowerShell Remoting (WinRM) settings with Group Policy

Remote connectivity in PowerShell uses several different transports under the hood. For example, cmdlets that expose a -ComputerName parameter usually connect over RPC, WMI, or WinRM.

Most of the truly interesting remote capabilities come through WinRM. It allows you to enter and maintain remote console sessions, invoke remote scriptblocks, and more. One drawback is that the configuration is slightly more involved than just opening a firewall port. Fortunately we can use Group Policy to enable remoting and enforce the settings on a large scale. The group policy object (GPO) settings below do just that.

Requirements

WinRM requires PowerShell 2.0 or later. This is baked in automatically on Windows 7 or newer clients, and Windows 2008 R2 or newer servers. These instructions will not work for machines with operating systems below this requirement.

GPO Settings

Policy 1: Allow WinRM Management

  1. Section: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
  2. Setting: Allow Remote Server management through WinRM
  3. Values:
    1. Enabled
    2. IPv4 Filter: *
    3. IPv6 Filter: *

Policy 2: Enable WinRM Firewall Rule

  1. Section: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security – … > Inbound Rules
  2. Action: Right Click > Create New Rule
  3. Values:
    1. RuleType: Predefined: Windows Remote Management
    2. PredefinedRules: (leave default 2 rules)
    3. Action: Allow the connection

Policy 3: Ensure WinRM Service Starts

  1. Section: Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  2. Service: Windows Remote Management (WS-Management)
  3. Action: Right Click > Properties
  4. Values:
    1. Define this policy: Checked
    2. Startup mode: Automatic

Policy 4: Ensure WinRM Service Restarts on Failure

  1. Section: Computer Configuration > Preferences > Control Panel Settings > Services
  2. Action: Right Click > New > Service
  3. Values:
    1. General Tab
      1. Startup: No change
      2. Service name: WinRM
      3. Service action: Start service
    2. Recovery Tab
      1. First failure: Restart
      2. Second failure: Restart
      3. Subsequent failures: Restart
      4. Restart service after: 5 minutes
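After the GPO has been applied (for example with gpupdate /force), the following added verification script, which is not part of the original post, checks each of the four policies from the client side: the policy registry values written by the WinRM ADMX template, the predefined inbound firewall rule group, the service start mode, the recovery actions, and finally whether the local listener answers a WS-Management request. The registry path and the rule group name are the standard Windows values, not settings invented here; Get-NetFirewallRule and Get-NetFirewallPortFilter require Windows 8 / Server 2012 or later, so on Windows 7 / 2008 R2 inspect the rule with netsh advfirewall firewall show rule instead.

```powershell
# Added verification script (not from the original post). Run in an elevated
# PowerShell session on a domain-joined machine after 'gpupdate /force'.
# Assumes the standard policy registry path used by the WinRM ADMX template and
# the standard "Windows Remote Management" firewall rule group name.

$results = [ordered]@{}

# Policy 1: "Allow remote server management through WinRM" writes
# AllowAutoConfig (DWORD 1) plus the IPv4/IPv6 filter strings under the
# Policies hive. A filter of "*" means listeners bind on every address.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$results['Policy1_AllowAutoConfig'] = ($p.AllowAutoConfig -eq 1)
$results['Policy1_IPv4Filter']      = $p.IPv4Filter
$results['Policy1_IPv6Filter']      = $p.IPv6Filter

# Policy 2: the predefined rule group should contain enabled Allow rules for
# inbound traffic (HTTP-In on TCP 5985 is the one the Domain profile uses).
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' `
    -Direction Inbound -ErrorAction SilentlyContinue
$results['Policy2_EnabledAllowRules'] =
    @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }).Count
$results['Policy2_LocalPorts'] =
    (@($rules | Get-NetFirewallPortFilter | Select-Object -ExpandProperty LocalPort) | Sort-Object -Unique) -join ','

# Policy 3: the service must be running and set to start automatically.
# Win32_Service is used instead of Get-Service so this also works on PS 2.0.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
$results['Policy3_State']     = $svc.State        # expected: Running
$results['Policy3_StartMode'] = $svc.StartMode    # expected: Auto

# Policy 4: recovery actions are not exposed by Get-Service or Win32_Service;
# sc.exe prints them. Expect three RESTART actions with a 300000 ms delay.
$results['Policy4_Recovery'] = (sc.exe qfailure WinRM | ForEach-Object { $_.Trim() }) -join ' | '

# End to end: Test-WSMan sends an Identify request to the local listener.
$results['Listener_Responds'] = [bool](Test-WSMan -ComputerName localhost -ErrorAction SilentlyContinue)

# Summarise; any $false, 0, empty filter or non-Auto start mode points at the
# policy that did not apply.
$results
```

If the filters come back as "*" that matches Policy 1 above; the same policy setting also accepts address ranges (for example 10.0.0.1-10.0.0.255), so restricting the listener to management subnets is a GPO change rather than a local one. Test-WSMan only proves the listener is up; it does not check who is authorised to connect, which is governed separately by the Remote Management Users group and the session configuration ACLs.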
