Enable Powershell Remoting with Group Policy

 Powershell Remoting has become more and more important, at least in the Windows Server space, from Windows Server 2012 onward. Server Manager is now based on PS Remoting, so you can manage a large number of servers from a single Server Manager instance. It is also a very good tool for automation, configuration and troubleshooting, on the Windows Server side as well as on the Windows client side. The only thing to note is that if you want to use it on client operating systems and on Windows Server 2008 R2, you have to enable it.

  Note: This post is applicable for OSes from Windows 7/Windows Server 2008 R2 and up.

 In order for Powershell Remoting to be usable, 3 settings need to be configured:

  1. A listener that has the job to wait for incoming requests
  2. A firewall rule that permits the remoting traffic
  3. The WinRM service, which implements the WSMan protocol that Powershell Remoting uses, has to be running and its startup type set to automatic (delayed start)

   On some operating system versions, some or all of these settings are already configured by default. If you have a complex infrastructure and want remoting on everything (clients and servers), all 3 settings will have to be configured. Let’s see what every OS has by default:

  • Windows Server 2012 and later server OSes have everything already set.
  • Windows Server 2008 R2 has the 3rd setting configured, so if you are targeting this OS, just configure the first 2 settings.
  • Windows client OSes from Windows 7 and up do not have any of the 3 settings configured, so all 3 have to be set.

    So if you only want remoting on servers and have just Windows Server 2012 and up, you are already done: remoting is enabled. In this post I will configure remoting for all scenarios, so all 3 settings have to be touched. While remoting can be enabled manually, that does not scale when you have lots of machines; a good way is to use Group Policy. Below are the steps to do it:

  • If the settings will be placed in a new GPO, create it; if not, edit an existing one.
Create a new GPO for Powershell Remoting

  • Edit the GPO. Navigate to Computer Configuration -> Policies -> Administrative Templates Policy -> Windows Components -> Windows Remote Management (WinRM)
Navigate to WinRM settings

  • Now go to WinRM service and open Allow automatic configuration of listeners. This setting lets you set the basic configuration for a WinRM listener (the listener waits for incoming remoting requests). Set it to Enabled and configure the filters. Filters let you configure the listener to accept connections on a specific IP, several IPs, a range of IPs or no IPs of the remoting host. There are 2 filters because the listener can listen on IPv4 and IPv6, and each can be configured separately. In this case I will be configuring only the IPv4 address, so I will put a * in the v4 field (this means: listen on all IPs that the host has). Leave the v6 field blank so remoting will not be permitted on IPv6 interfaces.
Configure WinRM listener for Powershell Remoting

  • To configure the firewall rule for remoting navigate to: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security…. -> Inbound Rules
Navigate to the Powershell Remoting firewall rule

  • Configure a new predefined rule named Windows Remote Management
Configure new Powershell Remoting firewall rule

  • Uncheck the Windows Remote Management Compatibility setting. That rule is for listening for remoting on port 80, which is not recommended. Starting with Windows 7 and Windows Server 2008 R2 the default port for Powershell Remoting is 5985.
Disable Powershell Remoting Compatibility Setting

  • Allow the connection.
Enable Powershell Remoting firewall rule

  • For Windows client OSes we need to also set the WinRM service to start automatically. Navigate to Computer Configuration -> Policies -> Windows Settings -> System Services and configure the Windows Remote Management service to start automatically.
Set the WinRM service to start automatically

  • Now link the GPO to an OU or to the domain and you are all set.

    Note: For the client settings, although the service is set to automatic, it will not be started by Group Policy; you either have to start it by other means or just wait for the computer to be restarted.
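    To confirm on a target machine that the GPO delivered all 3 settings, a local check like the following can be used. It is an added example, not part of the original post. The function name is hypothetical, and the two registry paths and the firewall rule string format are assumptions about where Group Policy writes these settings; confirm them in your environment.

```powershell
# Added example. Run elevated on a target after "gpupdate /force".
# Uses only PowerShell 2.0 features so it also works on Windows 7 / 2008 R2.
function Get-RemotingPolicyState {
    $state = New-Object PSObject -Property @{
        ListenerPolicy = $false; IPv4Filter = $null; IPv6Filter = $null
        Port5985Allowed = $false; Port80Rules = @()
        ServiceStartMode = $null; ServiceState = $null
    }

    # 1. Listener policy ("Allow automatic configuration of listeners").
    #    Assumed registry location of the policy values.
    $winrm = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ErrorAction SilentlyContinue
    if ($winrm) {
        $state.ListenerPolicy = ($winrm.AllowAutoConfig -eq 1)
        $state.IPv4Filter     = $winrm.IPv4Filter   # '*' = all IPv4 addresses
        $state.IPv6Filter     = $winrm.IPv6Filter   # empty = no IPv6 listener
    }

    # 2. Firewall rules delivered by policy. Each value is assumed to be a string
    #    such as "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=5985|...".
    $fw = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules' -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($p in $fw.PSObject.Properties) {
            $rule = [string]$p.Value
            $inboundAllow = $rule -match '\|Action=Allow\|' -and
                            $rule -match '\|Active=TRUE\|' -and
                            $rule -match '\|Dir=In\|'
            if (-not $inboundAllow) { continue }
            if ($rule -match '\|LPort=5985\|') { $state.Port5985Allowed = $true }
            # Port 80 is what the Compatibility rule opens; list rule names for review.
            if ($rule -match '\|LPort=80\|')   { $state.Port80Rules += $p.Name }
        }
    }

    # 3. WinRM service: startup type and current state.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    if ($svc) {
        $state.ServiceStartMode = $svc.StartMode   # 'Auto' expected
        $state.ServiceState     = $svc.State       # may be 'Stopped' until the next reboot
    }
    $state
}

Get-RemotingPolicyState | Format-List
```

    An empty Port80Rules list together with Port5985Allowed set to True matches the firewall configuration described above; ServiceState shows whether the service still needs a start or a reboot.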

    One more thing to talk about is who is allowed to connect to servers/computers using Powershell Remoting. There are 2 possible answers to this question:

  • For Windows 7 and Windows Server 2008 R2, only the members of the local Administrators group have access to remoting.
  • For anything newer than 7/2008 R2, there is the Administrators group and the Remote Management Users group.

    This can be changed but as Group Policy cannot do it, we will not talk about this issue in the current post.
