Configuring “WinRM Quickconfig” on remote computers can be a little difficult at times, especially if this is your first time using the Windows Remote Management service. There are several ways to go about enabling winrm quickconfig on remote computers, many admins like to push the task to a GPO and others like to do it through powershell or 3rd Party programs.
We'll highlight 3 different methods we've used in the past to get Windows Remote Management service enabled, along with avoiding the dreaded “WINRM QUICKCONFIG ACCESS DENIED” error that many people get when going through this process.
3 Ways to Remotely Enable WinRM on Windows Clients/Servers
- Download and Run this Free Utility from Solarwinds to activate it on Remote Machines
- Setup new Group Policy Object to enable the WinRM Service and Firewall Rules
- Use PSEXEC to Remotely Enable on Client Machines
Free Utility for Remote Activation
This is by far the easiest way if you've already configured the Windows Firewall in your network. Solarwinds has a nifty free tool called “Remote Execution Enabler for PowerShell” that has the functionality to enable and configure WinRm on local and remote hosts within your network.
Its as easy as entering in the IP Address(es) or IP Address Range of all the computers your targeting, than enter credentials that have Administrative Rights to that PC (usually accounts in the Domain Administrators Group will do the trick) and click the “START CONFIGURATION” button:
When the utility is finished starting the Windows Remote Management services on all IP Addresses or Ranges specified, you will see a green dot with a “Complete” status, as seen below:
Grab the little utility from below and give it a go:
- Open Group Policy Management from within Administrative Tools folder.
- Right-click on the desired OU that you want to create a Group Policy Object for and click on “Create a GPO in this Domain, and Link it here…“
- Rename the GPO to whatever you would like, “Enable WinRM via GPO” or something along those lines then click OK.
- Now that the new GPO has been created, right-click on the Newly created GPO and click “EDIT“.
- Expand the Menu tree as follows: Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
- Find the setting that says “Allow remote server management through WinRM” and right-click and click “EDIT” to configure the settings. (see image below)
- When the dialog box opens up, click “Enabled” and under the options section, either specify an IP Address range or put an Asterisk “*” to allow all IP addresses to remotely manage the PC. (We recommend specifying an IP Address to reduce any risk of a security compromise of your systems/network).
- Now lets enable the Windows Remote Mangement (WS-Management) Service to start automatically. Go to Computer Configuration > Preferences > Control Panel Settings > Services and right-click and select “NEW” and the select “Service“.
- A New Service Properties window will come up and you will need to change Startup to “Automatic (Delayed Start)” and then in the Service Name dialog box, click the box with the 3 dots in it to the right of the Service name box and select “Windows Remote Management (WS-Management)” and click the Select button.
- Once you've selected the Service, under the “Service action:” pull down, we'll want to click “Start service“.
- Last Step of this Process is to configure the Windows Firewall to Allow the proper ports inbound. Go to Computer Configuration > expand Policies > expand Windows Settings > expand Security Settings > expand Windows Firewall with Advanced Security > expand Windows Firewall with Advanced Security > expand Inbound Rules. Right-click the Inbound Rules node and choose New Rule. (see screenshot below)
- When the New Inbound Rule wizard box opens, click on the “Predefined” radio button and scroll down to “Windows Remote Management” and click on it. (see screenshot below)
- Next we'll click on the Left Sidebar menu item that says “Predefined Rules” in order to not Allow the Firewall to open this Port to the Public network. When the window opens, uncheck the box that says Public profile next to it, as seen in the image below. This ensures that we only allow WinRM access to the Private and Domain networks. Then Click the Next button.
- The Last screen of the New Inbound Firewall Wizard will just ask whether to Allow The Connection or block it. Make sure the that “Allow the connection” radio box is checked and click Finish.
At this point, you've successfully finished the GPO and you'll need to wait for the GPO to propagate throughout your network.
PSEXEC for WinRM Activation
If either of the two options above don't work for you, using PSEXEC to remotely enable the service is another option, if you prefer. Here are the relevant commands you will need in order to execute “winrm quickconfig” using PSexec command line utility.
- Make sure you have PSEXEC installed on your machine and the proper “PATH” setup within your system variables – this should be automatically added when you install PSEXEC. If you dont have PSEXEC installed yet, grab the download from here (its part of the PSTOOLS package) and install it.
- Launch the an elevated “Command Prompt” window using your local/domain administrator account as the user of the target machine/s, to ensure that you have the necessary permissions to configure WinRM remotely on machines in your network.To run “Command Prompt” as a different user, hold the Shift Key down and right-click on the Command Prompt link and click on “Run as Different User” and then enter in a user account that has Administrator Privileges on all computers your targeting.
- Run one of the following commands below:
psexec \\ComputerName -s winrm.cmd quickconfig -qor create a text file with all the computer names you want to target and save them on your C:\ drive and run the command below to enable on all PC's in the specified text file we just created.Now you can run any one of the commands below depending on what you want to accomplish
psexec @c:\ALLComputerNames.txt -s winrm.cmd quickconfig -q
- If all goes well, you'll see a screen like the one below that confirms everything has been configured properly for WinRM on the remote machine/s.