mag72

WinRM QuickConfig, HowTo Enable via GPO or Remotely on All Servers

winrm quickconfig howto guide to enabling via gpo and remotely on servers

Configuring “WinRM Quickconfig” on remote computers can be a little difficult at times, especially if this is your first time using the Windows Remote Management service. There are several ways to go about enabling winrm quickconfig on remote computers, many admins like to push the task to a GPO and others like to do it through powershell or 3rd Party programs.

We’ll highlight 3 different methods we’ve used in the past to get Windows Remote Management service enabled, along with avoiding the dreaded “WINRM QUICKCONFIG ACCESS DENIED” error that many people get when going through this process.

3 Ways to Remotely Enable WinRM on Windows Clients/Servers

  1. Download and Run this Free Utility from Solarwinds to activate it on Remote Machines
  2. Setup new Group Policy Object to enable the WinRM Service and Firewall Rules
  3. Use PSEXEC to Remotely Enable on Client Machines

Free Utility for Remote Activation

This is by far the easiest way if you’ve already configured the Windows Firewall in your network. Solarwinds has a nifty free tool called “Remote Execution Enabler for PowerShell” that has the functionality to enable and configure WinRm on local and remote hosts within your network.

Its as easy as entering in the IP Address(es) or IP Address Range of all the computers your targeting, than enter credentials that have Administrative Rights to that PC (usually accounts in the Domain Administrators Group will do the trick) and click the “START CONFIGURATION” button:

winrm remote enabler by solarwinds screenshot

When the utility is finished starting the Windows Remote Management services on all IP Addresses or Ranges specified, you will see a green dot with a “Complete” status, as seen below:

completed screen

Grab the little utility from below and give it a go:

  1. Open Group Policy Management from within Administrative Tools folder.
  2. Right-click on the desired OU that you want to create a Group Policy Object for and click on “Create a GPO in this Domain, and Link it here…
  3. Rename the GPO to whatever you would like, “Enable WinRM via GPO” or something along those lines then click OK.
  4. Now that the new GPO has been created, right-click on the Newly created GPO and click “EDIT“.
  5. Expand the Menu tree as follows: Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
  6. Find the setting that says “Allow remote server management through WinRM” and right-click and click “EDIT” to configure the settings. (see image below)
    winrm group policy setting
  7. When the dialog box opens up, click “Enabled” and under the options section, either specify an IP Address range or put an Asterisk “*” to allow all IP addresses to remotely manage the PC. (We recommend specifying an IP Address to reduce any risk of a security compromise of your systems/network).
    config settings
  8. Now lets enable the Windows Remote Mangement (WS-Management) Service to start automatically. Go to Computer Configuration >  Preferences > Control Panel Settings > Services and right-click and select “NEW” and the select “Service“.
  9. A New Service Properties window will come up and you will need to change Startup to “Automatic (Delayed Start)” and then in the Service Name dialog box, click the box with the 3 dots in it to the right of the Service name box and select “Windows Remote Management (WS-Management)” and click the Select button.
  10. Once you’ve selected the Service, under the “Service action:” pull down, we’ll want to click “Start service“.
    gpo service setup
  11. Last Step of this Process is to configure the Windows Firewall to Allow the proper ports inbound. Go to Computer Configuration > expand Policies > expand Windows Settings > expand Security Settings > expand Windows Firewall with Advanced Security > expand Windows Firewall with Advanced Security > expand Inbound Rules. Right-click the Inbound Rules node and choose New Rule. (see screenshot below)
    inbound firewall rule
  12. When the New Inbound Rule wizard box opens, click on the “Predefined” radio button and scroll down to “Windows Remote Management” and click on it. (see screenshot below)
    predefinied winrm rule
  13. Next we’ll click on the Left Sidebar menu item that says “Predefined Rules” in order to not Allow the Firewall to open this Port to the Public network. When the window opens, uncheck the box that says Public profile next to it, as seen in the image below. This ensures that we only allow WinRM access to the Private and Domain networks. Then Click the Next button.
    remove public firewall rule
  14. The Last screen of the New Inbound Firewall Wizard will just ask whether to Allow The Connection or block it. Make sure the that “Allow the connection” radio box is checked and click Finish.
    allow connection

At this point, you’ve successfully finished the GPO and you’ll need to wait for the GPO to propagate throughout your network.

PSEXEC for WinRM Activation

If either of the two options above don’t work for you, using PSEXEC to remotely enable the service is another option, if you prefer. Here are the relevant commands you will need in order to execute “winrm quickconfig” using PSexec command line utility.

  1. Make sure you have PSEXEC installed on your machine and the proper “PATH” setup within your system variables – this should be automatically added when you install PSEXEC. If you dont have PSEXEC installed yet, grab the download from here (its part of the PSTOOLS package) and install it.
  2. Launch the an elevated “Command Prompt” window using your local/domain administrator account as the user of the target machine/s, to ensure that you have the necessary permissions to configure WinRM remotely on machines in your network.To run “Command Prompt” as a different user, hold the Shift Key down and right-click on the Command Prompt link and click on “Run as Different User” and then enter in a user account that has Administrator Privileges on all computers your targeting.elevated command prompt domain adminlogin
  3. Run one of the following commands below:psexec \\ComputerName -s winrm.cmd quickconfig -q or create a text file with all the computer names you want to target and save them on your C:\ drive and run the command below to enable on all PC’s in the specified text file we just created.Now you can run any one of the commands below depending on what you want to accomplishpsexec @c:\ALLComputerNames.txt -s winrm.cmd quickconfig -q
  4. If all goes well, you’ll see a screen like the one below that confirms everything has been configured properly for WinRM on the remote machine/s.psexec winrm remotely success