Updated on 10/10/2018
True Control Center Installation Guide
Appendix A - Enabling the Windows Remote Management Service
Appendix A - Enabling the Windows Remote Management Service ready for the Cireson Control Center

This Appendix details how to enable the Windows Remote Management (WinRM) service, which is required if you wish to use the Remote Manage feature of the Cireson Control Center to perform remote administration tasks on your computers.

As detailed in the "Remote Manage Requirements" section, there are three ways you can enable the Windows Remote Management (WS-Management) service on computers (by default the service is not enabled and is set to start manually):

Information

If you attempt to invoke any Control Center Remote Manage Actions on a computer where the Windows Remote Management (WS-Management) service has not been enabled and started and the firewall rules have not been configured, those actions will fail because the computer is not "listening" for the Remote Manage request.


Using the "WinRm QuickConfig" command

If you only want to enable WinRM on a single computer, you can use the Winrm quickconfig command as follows:

  1. Login to the relevant computer with an account that has local administrator permissions.
  2. Right-click the Windows PowerShell shortcut and select Run as administrator

The PowerShell window will open with the title Administrator: Windows PowerShell

  1. Type winrm quickconfig in the PowerShell window.
Information You can use the get-service winrm PowerShell command to verify the status of the WinRM service (whether it is enabled and running). The value in the Status column will be Running if the winrm service has been enabled and is running.

You will see the following text:

WinRM is not set up to receive requests on this machine.
The following changes must be made:

Start the WinRM service.
Set the WinRM service type to delayed auto start.

Make these changes [y/n]?

  1. Type y and hit ENTER

If the WinRM has been enabled and started successfully, you will see the following messages:

WinRM service type changed successfully.
WinRM service started.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Enable the WinRM firewall exception.

Make these changes [y/n]?

  1. Type y and hit ENTER, which will open the firewall ports required for PowerShell Remoting/WinRM, i.e. HTTP: 5985 and HTTPS: 5986.

If the firewall ports are opened successfully, you will see the following messages: 

WinRM has been updated for remote management.

WinRM firewall exception enabled.

This completes enabling and configuring WinRM on this computer using the quickconfig command. You can now close the PowerShell window.


Creating a Group Policy Object to enable the WinRM Service and configure Firewall Rules

If you need to enable WinRM on more than one computer in your environment, then creating a Group Policy Object (GPO) to enable and configure WinRM is the way to go. Once you have created the GPO, you can then apply this to an Active Directory container containing the computers on which you want to enable WinRM.

Creating a GPO to enable and configure WinRM consists of the following steps:

Create a new GPO

To create a GPO in Windows Server 2016:

  1. Login using an account that is either a member of the Domain Administrators group or which has been delegated permissions to create a new GPO.
  2. Open the Group Policy Management console. 
  3. In the navigation pane, navigate to:

Group Policy Management
  Forest:<Forest_Name>
    |- Domains
      |- <Domain_Name>
 

where <Forest_Name> is the name of your Active Directory Forest and <Domain_Name> is the name of the relevant Domain you wish to create the GPO in.

  1. Click Group Policy Objects
  2. Click the Action menu and select New.

The New GPO dialog box will be displayed.

  1. In the Name field, enter a name for the new GPO that clearly identifies its purpose, for example, Enable WinRM
Information Make sure the name you choose follows any GPO naming standards your organization has established.
  1. Leave the value in the Source Starter GPO dropdown set to (none), then click OK
Information Leave the Group Policy Management console open as it is used in the next section.

Configure the GPO for WinRM

Now that we have created a GPO, we need to configure it to enable and configure WinRM.

To configure the GPO to enable and configure WinRM:

  1. Open the Group Policy Management console (if it isn't already open). 
  2. In the navigation pane, navigate to:

Group Policy Management
  Forest:<Forest_Name>
    |- Domains
      |- <Domain_Name>
        |- Group Policy Objects

where <Forest_Name> is the name of your Active Directory Forest and <Domain_Name> is the name of the Domain containing the GPO created in the previous section.

  1. Right-click the GPO created in the previous section (e.g., Enable WinRM) and select Edit...

The Group Policy Management Editor will then be displayed.

  1. Navigate to:

<GPO_Name> [<Domain_Name>] Policy
  |- Computer Configuration
    |- Policies
      |- Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer
        |- Windows Components
          |- Windows Remote Management (WinRM)
            |- WinRM Service

  1. In the details pane, double-click the Allow remote server management through WinRM setting.

The Allow remote server management through WinRM dialog box will be displayed, to allow you to configure WinRM. 

  1. Select the Enabled option.
  2. Under the Options section, enter the IP address of your Control Center server. 

One of the many advantages of the Control Center is that you only need to enter the IP address of the Control Center server that will be used to perform Remote Manage actions on a computer, as the call to manage the computer is issued from the Control Center server, not the machine running the Internet browser accessing the Control Center Dashboard.

By entering just the IP address of the Control Center server, you limit Remote Manage actions to being invoked only from the Control Center server, drastically improving security and giving you peace of mind that only people with access to the Control Center can perform Remote Manage actions.

Information

Although you could just enter an asterisk (*) in either the IPv4 filter/IPv6 filter fields, doing so would allow any IP address to perform remote management-related tasks on any computer to which this GPO is deployed, which is a potential security risk.

You could also enter an IP address range of the computers that are allowed to perform remote management-related tasks on any computers this GPO is applied to, but this again potentially exposes your machines to being accessed from any machine falling within the IP address range that has been entered.

  1. Click OK to close the Allow remote server management through WinRM dialog box.

Next, we need to configure the GPO to start the Windows Remote Management (WS-Management) service. To do this:

  1. Navigate to:

<GPO_Name> [<Domain_Name>] Policy
  |- Computer Configuration
    |- Preferences
      |- Control Panel Settings

  1. Right-click Services and select New | Service

The New Service Properties window is displayed.

  1. From the Startup drop-down, select Automatic (Delayed Start)
  2. Click the button with the three dots (...) after the Service name field.
  3. Scroll down the list until you see WinRM under the Service Name column.
  4. Under the Display Name column, click the Windows Remote Management(WS-Management) service.
  5. Click Select to close the  New Service Properties window.
  6. From the Service action drop-down, select Start service then click OK

The WinRM service is added to the list of Services in the details pane.

Finally, we need to configure the Windows Firewall to allow the relevant inbound ports. To do this:

  1. Navigate to:

<GPO_Name> [<Domain_Name>] Policy
  |- Computer Configuration
    |- Policies
      |- Windows Settings
        |- Security Settings
          |- Windows Firewall with Advanced Security
            |- Windows Firewall with Advanced Security - LDAP

  1. Right-click Inbound Rules and select New Rule...

The New Inbound Rule Wizard will be started.

  1. Select the Predefined option, and select Windows Remote Management
  2. In the navigation pane, under Steps select Predefined Rules
  3. To prevent the Firewall from opening this port on a public network (which could be a potential security risk), uncheck the checkbox beside the Rule that has the word Public in the Profile column.
  4. Click Next
  5. On the Action page, verify the Allow the connection option is selected then click Finish

This will close the New Inbound Rule Wizard, and the new rule will be displayed in the details pane.

  1. Close the Group Policy Management Editor
Information Leave the Group Policy Management console open as it is used in the next section.


Disable User Configuration

As the WinRM GPO does not contain any user-related settings, you can improve performance by disabling the User Configuration section of the GPO.

To disable the User Configuration section of the WinRM GPO:

  1. Open the Group Policy Management console (if it isn't already open).
  2. In the navigation pane select the GPO that enables and configures WinRM that was created previously.
  3. In the details pane, click the Details tab. 
  4. From the GPO Status drop-down, select User configuration settings disabled
  5. Click OK on the Group Policy Management dialog box stating Do you want to change the status for this GPO to User configuration settings disabled?
Information Leave the Group Policy Management console open as it is used in the next section.


Link the GPO to the relevant Active Directory container

The final part in the process is to link the new GPO to the relevant Active Directory container that contains the computers we wish to apply this GPO to. For this example, we will link the new WinRM GPO to a Domain container in Active Directory.

To link the GPO to enable WinRM to a Domain container:

  1. Open the Group Policy Management console (if it isn't already open). 
  2. In the navigation pane, navigate to:

Group Policy Management
  Forest:<Forest_Name>
    |- Domains
      |- <Domain_Name>
 

where <Forest_Name> is the name of your Active Directory Forest and <Domain_Name> is the name of the relevant Domain you wish to link the WinRM GPO to.

  1. Right-click the Domain you wish to link the WinRM GPO to and select Link an Existing GPO...

The Select GPO dialog box will be displayed.

  1. From the list of Group Policy objects, select the GPO to enable WinRM, for example, Enable WinRM
  2. Click OK
  3. In the details pane, click the Linked Group Policy Objects tab. This will show you all of the GPOs that have been linked to this domain and the order in which they are applied (make any adjustments if required).
  4. Close the Group Policy Management console.


Verify the GPO has been applied

The last step of the process is to verify that the GPO to enable WinRM has been successfully applied to the target computers.

To verify the GPO to enable WinRM has been processed and applied to a computer:

  1. Login to a computer to which the GPO to enable WinRM should be applied with an account that has local administrator permissions.

  2. Right-click the Windows PowerShell shortcut and select Run as administrator

The PowerShell window will open with the title Administrator: Windows PowerShell

  1. Type get-service winrm in the PowerShell window to verify the status of the WinRM service (whether it is enabled and running). The value in the Status column will be Stopped if the winrm service is still at its default value of being disabled.

If the GPO has been applied successfully, the Status column will show Running.

Information

You can also look in Control Panel | Services for the values set for the Windows Remote Management (WS-Management) service.

  • If the service is configured with its default values, the Status column will be blank, and the Startup Type column will be set to Manual.
  • If the GPO has been successfully configured and applied, the Status column will be Running, and the Startup Type will be Automatic (Delayed Start)

This concludes creating and applying a GPO to enable and configure WinRM on computers.
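The manual checks described above (get-service winrm, the Startup Type in Services, the IP filter chosen in the GPO and the firewall rule profiles) can be gathered in one pass. The following PowerShell script is an added example and is not part of the Cireson guide; it assumes Windows 8/Server 2012 or later for the Get-NetFirewallRule cmdlet, and that the "Allow remote server management through WinRM" setting is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service (an assumption about where the policy writes its values). It also applies to computers configured with quickconfig, where the policy key will simply be absent.

```powershell
# Added verification script (not from the original guide). Run in an elevated
# PowerShell window on a computer that should have received the WinRM GPO.
$report = [ordered]@{}

# 1. Service state and start type. Delayed start is recorded as the
#    DelayedAutostart value under the service's own registry key.
$svc = Get-Service -Name WinRM
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinRM'
$delayed = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).DelayedAutostart -eq 1
$report['ServiceStatus'] = $svc.Status
$report['StartType'] = if ($svc.StartType -eq 'Automatic' -and $delayed) {
    'Automatic (Delayed Start)'
} else {
    $svc.StartType
}

# 2. Policy values written by "Allow remote server management through WinRM"
#    (assumed location). Absent key = GPO not applied, or quickconfig was used.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$report['PolicyApplied'] = [bool]$pol
$report['IPv4Filter'] = $pol.IPv4Filter
$report['IPv6Filter'] = $pol.IPv6Filter
if ($pol -and ($pol.IPv4Filter -eq '*' -or $pol.IPv6Filter -eq '*')) {
    # The guide recommends only the Control Center server's address here.
    $report['FilterWarning'] = 'Filter is "*": any source address may manage this host'
}

# 3. Listeners actually bound by the service (WSMan: drive, available once WinRM runs).
$listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
$report['Listeners'] = ($listeners | ForEach-Object { $_.Keys -join ';' }) -join ' | '

# 4. Firewall rules from the predefined "Windows Remote Management" group.
#    Flag any enabled rule that still covers the Public profile, which the guide unchecks.
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
$report['EnabledRules'] = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
$public = $rules | Where-Object { $_.Enabled -eq 'True' -and "$($_.Profile)" -match 'Public|Any' }
$report['PublicProfileOpen'] = [bool]$public

# 5. Overall verdict matching what the guide expects after a successful GPO apply.
$report['Ready'] = ($svc.Status -eq 'Running') -and
                   ($report['EnabledRules'] -gt 0) -and
                   ($listeners.Count -gt 0)

[pscustomobject]$report | Format-List
```

A Ready value of False together with PolicyApplied False usually means the computer has not yet refreshed Group Policy; run gpupdate /force and re-check.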


Using PsExec to Remotely Enable WinRM on computers

If you need to enable WinRM on a computer, there may be many reasons where the previous methods aren't viable, such as:

  • You can't get physical access to the computer as it is in a remote location.
  • You cannot use some kind of remote access software like Remote Desktop or SCCM Remote Control.
  • You don't have the rights to create a GPO.
  • You don't want to go through the hassle of creating a GPO for a few computers.

If any/all of the above are true, or something else is preventing you from using one of the other methods in this topic, another option for enabling and configuring WinRM is to use the PsExec utility from the PsTools suite.

Information

You can find out more information on PsExec from:

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec 

To use PsExec to enable and configure WinRM:

  1. If you do not already have PsExec installed, you will need to download and install the PsTools toolkit (PsExec is part of the PsTools toolkit). You can download the PsTools toolkit at: https://download.sysinternals.com/files/PSTools.zip
Information The PsTools toolkit does not require any special installation. Simply extract the PsExec.exe executable from the PsTools toolkit and make sure it is in a folder that is part of the path on the computer on which you are going to execute it.
  1. Start a Command Prompt under the context of a user that has administrative permissions to the target machine on which you want to run PsExec to enable and configure WinRM.
  2. Execute the following command where <Computer_Name> is the name of the computer on which you want to enable and configure WinRM:

PsExec \\<Computer_Name> -s winrm.cmd quickconfig -q

Information The -s switch is used to tell PsExec to run the remote process in the system account, and the -q switch tells PsExec to run the command in quiet mode (in other words no notifications/messages are displayed on the remote computer).

You will then see the following:

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


WinRM is not set up to receive requests on this machine.
The following changes must be made:

Start the WinRM service.
Set the WinRM service type to delayed auto start.

WinRM has been updated to receive requests.

WinRM service type changed successfully.
WinRM service started.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Enable the WinRM firewall exception.

WinRM has been updated for remote management.

WinRM firewall exception enabled.
winrm.cmd exited on Evallab-win10 with error code 0.

The key lines in the above are:

WinRM service type changed successfully - This shows that the WinRM service was successfully enabled.
WinRM service started - The WinRM service was started successfully.
WinRM firewall exception enabled - This shows the firewall ports for WinRM were successfully configured.
winrm.cmd exited on Evallab-win10 with error code 0 - This shows that the command issued by PsExec completed successfully.

If you want to verify WinRM has been enabled on the remote machine:

  1. Logon to the machine.
  2. Right-click the Windows PowerShell shortcut and select Run as administrator

The PowerShell window will open with the title Administrator: Windows PowerShell

  1. Type get-service winrm in the PowerShell window to verify the status of the WinRM service (whether it is enabled and running).

If the PsExec command to enable WinRM completed successfully, the Status column will show Running. If the command did not complete successfully, the value in the Status column will be Stopped, meaning the winrm service is still at its default value of being disabled.

You can also look in Control Panel | Services for the values set for the Windows Remote Management (WS-Management) service.
  • If the PsExec command completed successfully, the Status column will be Running and the Startup Type will be Automatic (Delayed Start).
  • If the PsExec command failed, the WinRM service will still have its default values, i.e. the Status column will be blank and the Startup Type column will be set to Manual.
Information

You can also use PsExec to enable WinRM on multiple computers by specifying a list of computers on which WinRM should be enabled.

To do this, create a text file containing all of the computers you want to enable WinRM on, with each computer name on a separate line. 

Now run the following command, where <path> is the path to the text file containing the list of computer names, and <filename> is the name of the file containing the list of computers:

PsExec @<path>:\<filename>.txt -s winrm.cmd quickconfig -q

for example:

PsExec @C:\WinRMComputers.txt -s winrm.cmd quickconfig -q

This concludes using PsExec to enable WinRM on a computer.
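Once PsExec has run quickconfig against the computers listed in the text file, the same file can be used to confirm from the Control Center server that each computer now answers WinRM requests, instead of logging on to each one. The following PowerShell script is an added example, not part of the Cireson guide; it uses the standard Test-WSMan cmdlet, and the file paths are assumptions matching the example above.

```powershell
# Added example (not from the original guide): verify WinRM across the computer
# list that PsExec consumed. Run from a machine that can reach the targets
# over port 5985 (e.g., the Control Center server).
param(
    [string]$ListPath  = 'C:\WinRMComputers.txt',   # same file passed to PsExec with @
    [string]$ResultCsv = 'C:\WinRMCheck.csv'        # assumed output location
)

# One computer name per line, as the guide specifies; skip blank lines.
$names = Get-Content -Path $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

$results = foreach ($name in $names) {
    try {
        # Test-WSMan sends a WS-Management Identify request to the HTTP listener.
        # It succeeds only if the service is running and the firewall lets 5985 through.
        $id = Test-WSMan -ComputerName $name -ErrorAction Stop
        [pscustomobject]@{
            Computer     = $name
            Listening    = $true
            StackVersion = $id.ProductVersion
            Error        = ''
        }
    } catch {
        [pscustomobject]@{
            Computer     = $name
            Listening    = $false
            StackVersion = ''
            Error        = $_.Exception.Message
        }
    }
}

$results | Export-Csv -Path $ResultCsv -NoTypeInformation
$results | Format-Table -AutoSize

# Computers reported as not listening are the ones to re-run PsExec against:
#   PsExec \\<Computer_Name> -s winrm.cmd quickconfig -q
$results | Where-Object { -not $_.Listening } | Select-Object -ExpandProperty Computer
```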