We have begun implementing the WinRM protocol in our inventory process and can now perform a complete inventory of endpoints over WinRM alone. This service is typically disabled on endpoints; it can be enabled with the Group Policy described below.
While this Group Policy allows access to WinRM over the network, you must also ensure that the Windows Remote Management service is running on the desired endpoints.
Below are two options for enabling WinRM in your environment: via GPO, or manually on an endpoint.
How to enable WinRM via GPO
- Open Group Policy Management on your domain controller
- Create a new Group Policy Object and give it a descriptive name, e.g. “Block 64 WinRM Enablement”
- Edit the new GPO
- Expand the menu tree as follows: Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Windows Remote Management (WinRM) > WinRM Service. Find the setting named “Allow remote server management through WinRM”, right-click it and click “Edit” to configure the setting.
- When the dialog box opens, select “Enabled”. Under the Options section, either specify an IP address range in the IPv4 filter and IPv6 filter fields or enter an asterisk (*) in each to allow all IP addresses to remotely manage the PC; the asterisk accepts connections from any source address, so a range limited to your inventory server is the tighter choice. Then click OK.
- Next, set the Windows Remote Management (WS-Management) service to start automatically. Go to Computer Configuration > Preferences > Control Panel Settings > Services, right-click, select “New” and then select “Service”.
- Set Startup to Automatic, Service name to WinRM and Service action to Start service. Then click OK.
- Lastly, configure the Windows Firewall to allow the proper ports inbound. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules. Right-click the Inbound Rules node and choose New Rule.
- When the New Inbound Rule wizard opens, select the “Predefined” radio button, scroll down to “Windows Remote Management” and click Next.
- When the Predefined Rules window opens, uncheck the box for the Public profile; we only allow WinRM access on the Private and Domain networks. Then click Next.
- Make sure “Allow the connection” is selected and click Finish.
- Congratulations! You have finished the GPO that enables WinRM in your AD network. Now wait for the GPO to propagate automatically to all devices. To apply it immediately on a given device, run `gpupdate /force` there.
How to enable WinRM manually
At a command prompt running as the local computer Administrator account, run this command:
winrm quickconfig
If you're not running as the local computer Administrator, either select Run as Administrator from the Start menu, or use the Runas command at a command prompt.
When the tool displays “Make these changes [y/n]?”, type y.
If configuration is successful, the following output is displayed:
WinRM has been updated for remote management.
WinRM service type changed to delayed auto start.
WinRM service started.
Created a WinRM listener on https://* to accept WS-Man requests to any IP on this machine.
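Whichever route you take, the GPO above or `winrm quickconfig`, the endpoint should end up with the service running, the policy values set, a listener registered and the firewall rule enabled on the right profiles. The script below is an added, read-only check of exactly those items; it is not part of the original article. It assumes an elevated PowerShell session on the endpoint itself, and that the policy values live under the documented registry path for the “Allow remote server management through WinRM” setting (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service`). It flags an asterisk filter and a rule on the Public profile so that a reviewer notices them; it changes nothing.

```powershell
# Added example (not from the original article): read-only check that a Windows endpoint
# is ready for WinRM-based inventory after the GPO or "winrm quickconfig" steps above.
# Run in an elevated PowerShell session on the endpoint. Nothing here changes configuration.

$results = [ordered]@{}

# 1. Service state and startup type (the GPO preference sets Automatic; quickconfig sets delayed auto start,
#    which Win32_Service reports as "Auto").
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$results['ServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')
$results['StartupType']    = if ($svc) { (Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode } else { 'missing' }

# 2. Policy values written by "Allow remote server management through WinRM".
#    The key is absent until the GPO has applied, so every value below reads as empty/false in that case.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$results['PolicyAllowAutoConfig']   = [bool]($policy -and $policy.AllowAutoConfig -eq 1)
$results['PolicyIPv4Filter']        = $policy.IPv4Filter
$results['PolicyIPv6Filter']        = $policy.IPv6Filter
# An asterisk means any source address may connect; worth a second look when a range would do.
$results['FilterAllowsAnySource']   = [bool]($policy.IPv4Filter -eq '*' -or $policy.IPv6Filter -eq '*')

# 3. Listener(s) actually registered with the WS-Management service (e.g. "Address=*,Transport=HTTP").
$results['Listeners'] = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Keys -join ',' })

# 4. Firewall: the predefined "Windows Remote Management" inbound rules, enabled, and whether any of them
#    is still scoped to the Public profile (the GPO steps above deliberately leave Public unchecked).
$fwRules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -ErrorAction SilentlyContinue
$enabled = @($fwRules | Where-Object { $_.Enabled -eq 'True' })
$results['FirewallRulesEnabled']       = $enabled.Count
$results['FirewallRuleOnPublicProfile'] = [bool]($enabled | Where-Object { "$($_.Profile)" -match 'Public|Any' })

# 5. Local end-to-end check: does the WS-Management service answer a request at all?
try {
    Test-WSMan -ErrorAction Stop | Out-Null
    $results['TestWSMan'] = $true
} catch {
    $results['TestWSMan'] = $false
}

[pscustomobject]$results | Format-List
```

A healthy endpoint shows ServiceRunning and TestWSMan as True, at least one listener, FirewallRulesEnabled greater than zero and FirewallRuleOnPublicProfile as False. If the Policy values are empty but the rest is fine, the endpoint was enabled manually rather than by the GPO, which is a useful distinction when reconciling which machines still need the policy to apply.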