blog.powershell.no

On Windows PowerShell and other admin-related topics

Enable and configure Windows PowerShell Remoting using Group Policy

As you may know, Windows PowerShell 2.0 introduced a new remoting feature, allowing for remote management of computers.

While this feature can be enabled manually (or scripted) with the PowerShell 2.0 cmdlet Enable-PSRemoting, I would recommend using Group Policy whenever possible. This guide will show you how this can be accomplished for Windows Vista, Windows Server 2008 and above. For Windows XP and Windows Server 2003, running Enable-PSRemoting in a PowerShell startup script would be the best approach.

Windows PowerShell 2.0 and WinRM 2.0 shipped with Windows 7 and Windows Server 2008 R2. To take advantage of Windows PowerShell Remoting, both of these are required on the downlevel operating systems Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. Both Windows PowerShell 2.0 and WinRM 2.0 are available for download here, as part of the Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0). To deploy this update to downlevel operating systems I would recommend using WSUS, which is described in detail in this blog post by Kurt Roggen.

Group Policy Configuration

Open the Group Policy Management Console from a domain-joined Windows 7 or Windows Server 2008 R2 computer.

Create or use an existing Group Policy Object, open it, and navigate to Computer Configuration->Policies->Administrative templates->Windows Components

Here you will find the available Group Policy settings for Windows PowerShell, WinRM and Windows Remote Shell:


To enable PowerShell Remoting, the only setting we need to configure is found under “WinRM Service”, named “Allow automatic configuration of listeners”:


Enable this policy, and configure the IPv4 and IPv6 addresses to listen on. To configure WinRM to listen on all addresses, simply use *.

In addition, the WinRM service is not started by default on Windows client operating systems. To configure the WinRM service to start automatically, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Remote Management, double-click Windows Remote Management and configure the service startup mode to “Automatic”:



No other settings need to be configured. However, I've provided screenshots of the other settings so you can see what's available:


There is one more thing to configure though; the Windows Firewall.

You need to create a new Inbound Rule under Computer Configuration->Policies->Windows Settings->Windows Firewall with Advanced Security->Windows Firewall with Advanced Security->Inbound Rules:


The WinRM port numbers are predefined as “Windows Remote Management”:


With WinRM 2.0, the default HTTP listener port changed from TCP 80 to TCP 5985. The old port number is part of the predefined scope for compatibility reasons, and may be excluded if you don't have any legacy WinRM 1.1 listeners.


When the rule is created, you may choose to add further restrictions, for example to allow only the IP addresses of your management subnet, or perhaps some specific user groups:


Now that the firewall rule is configured, we are done with the minimal configuration to enable PowerShell Remoting using Group Policy.


On a computer affected by the newly configured Group Policy Object, run gpupdate and see if the settings were applied:


As you can see, the listener indicates Source="GPO", meaning it was configured from a Group Policy Object.
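The check described above can be scripted. The following is an added example, not part of the original post: it parses the text printed by `winrm enumerate winrm/config/listener` and reports which listeners carry Source="GPO". The function name, the 'Local' label and the sample text are constructed for illustration.

```powershell
# Added example. Parses `winrm enumerate winrm/config/listener` text into objects.
function ConvertFrom-WinRMListenerText {
    param([string[]]$Line)
    $current = $null
    foreach ($text in $Line) {
        if ($text -match '^\s*Listener(\s+\[Source="(?<src>[^"]+)"\])?\s*$') {
            # A new listener block starts; emit the previous one first.
            if ($current) { New-Object PSObject -Property $current }
            # 'Local' is this example's own label for a listener without a Source tag.
            $current = @{ Source = 'Local'; Address = ''; Transport = ''; Port = '' }
            if ($Matches['src']) { $current['Source'] = $Matches['src'] }
        }
        elseif ($current -and $text -match '^\s+(?<key>\w+)\s*=\s*(?<value>.*)$') {
            # "Key = value" lines belong to the listener block currently being read.
            $current[$Matches['key']] = $Matches['value'].Trim()
        }
    }
    if ($current) { New-Object PSObject -Property $current }
}

# Constructed sample output: one listener from Group Policy, one created locally.
$sample = @'
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Enabled = true
    ListeningOn = 10.0.0.15, 127.0.0.1, ::1
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Enabled = true
    ListeningOn = 10.0.0.15, 127.0.0.1, ::1
'@ -split "`r?`n"

# On a live computer, replace $sample with: (winrm enumerate winrm/config/listener)
ConvertFrom-WinRMListenerText -Line $sample | ForEach-Object {
    $note = 'configured by Group Policy'
    if ($_.Source -ne 'GPO') { $note = 'configured locally, not by the GPO' }
    '{0} port {1} on address {2}: {3}' -f $_.Transport, $_.Port, $_.Address, $note
}
```

A listener reported as locally configured was created outside the Group Policy Object and is worth reviewing, since the GPO does not control it.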

When the GPO has been applied to all the affected computers you are ready to test the configuration.

Here is a sample usage of PowerShell Remoting combined with the Active Directory-module for Windows PowerShell:


The example saves all computer objects in the Domain Controller Organizational Unit in a variable. Then, a foreach loop invokes a scriptblock, returning the status of the Netlogon service on all of the Domain Controllers.
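An added example of the pattern described above, not the original post's code. The distinguished name uses the placeholder domain contoso.local, and the catch block is an addition that reports computers where remoting is not yet reachable.

```powershell
Import-Module ActiveDirectory

# Placeholder distinguished name; replace DC=contoso,DC=local with your domain.
$searchBase = 'OU=Domain Controllers,DC=contoso,DC=local'

# Save all computer objects in the Domain Controllers OU in a variable.
$domainControllers = Get-ADComputer -Filter * -SearchBase $searchBase

foreach ($dc in $domainControllers) {
    try {
        # The scriptblock runs on the remote computer over WinRM (TCP 5985 by default).
        Invoke-Command -ComputerName $dc.DNSHostName -ErrorAction Stop -ScriptBlock {
            Get-Service -Name Netlogon
        } | Select-Object PSComputerName, Name, Status
    }
    catch {
        # Typical causes: GPO not applied yet, WinRM service stopped, firewall rule missing.
        Write-Warning ("{0}: remoting failed: {1}" -f $dc.DNSHostName, $_.Exception.Message)
    }
}
```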

Summary

We've now had a look at how to enable and configure PowerShell Remoting using Group Policy.
There are an incredible number of opportunities opening up with the new Remoting feature in Windows PowerShell 2.0. For a complete walkthrough on how you can use this new feature, I would like to recommend the excellent Administrator’s Guide to Windows PowerShell Remoting written by Dr. Tobias Weltner, Aleksandar Nikolic and Richard Giles.


March 4, 2010 - Posted by | Active Directory management, Deployment, Group Policy, Scripting, Windows 7, Windows PowerShell, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP

19 Comments »

  1. […] the article here: Enable and configure Windows PowerShell Remoting using Group … Share and […]

    Pingback by Enable and configure Windows PowerShell Remoting using Group … | Software Firewall | March 4, 2010 | Reply

  2. […] blog post in WSUS prior to running the script. The script requires that PowerShell remoting are enabled and configured on the remote servers. Also note that there is a known issue with the BPA module; When the […]

    Pingback by Invoke Best Practices Analyzer on remote servers using PowerShell « blog.powershell.no | August 18, 2010 | Reply

  3. Great post!
    for those not on 2008 R2 please see http://jfrmilner.wordpress.com/2010/10/13/configure-powershell-remoting-using-group-policy-on-legacy-domains

    Regards,
    jfrmilner

    Comment by jfrmilner | October 13, 2010 | Reply

  4. Hi, that’s a very useful post, so thanks for sharing this piece of knowledge about WinRM!
    The post of jfrmilner is interesting too!

    Regards
    HappySysadm

    Comment by HappySysadmin | October 20, 2010 | Reply

  5. Helpful indeed. Thanks a lot.

    Comment by baroniparson | November 30, 2010 | Reply

  6. I’m just trying to do this now… I’m on W7 Enterprise with the RSAT installed and the GPMC enabled and all that jazz…

    I can’t find the Group Policy setting to Enable Scripting for powershell anywhere… Am I just going blind or do I actually have to add in the legacy XP/2003 .adm template to enable it?

    Comment by Clay | March 20, 2011 | Reply

    • Hi,

      When using GPMC on Windows 7 you should find “Turn on Script Execution” under Computer/User configuration->Administrative Templates->Windows Components->Windows PowerShell

      Comment by Jan Egil Ring | March 20, 2011 | Reply

  7. […] I could cover all of those settings, but I found a great write up that covers the important settings. Enable and configure Windows PowerShell Remoting using Group Policy. […]

    Pingback by Powershell Remoting Part 2 « I Think In Code | April 2, 2011 | Reply

  8. Hello
    I tested enabling “Allow automatic configuration of listeners” via GPO to enable remote management but it is not enough!

    From Powershell: Get-PSSessionConfiguration

    Name                      PSVersion  StartupScript  Permission
    ----                      ---------  -------------  ----------
    microsoft.powershell      2.0                       Everyone AccessDenied, BUILTIN\A…
    Microsoft.PowerShell32    2.0                       Everyone AccessDenied, BUILTIN\A…
    microsoft.ServerManager   2.0                       Everyone AccessDenied, BUILTIN\A…

    As you can see, remote management will be enabled but every access will be denied.
    Please, how to make “Set-PSSessionConfiguration” with correct SDDL via GPO without creating powershell startup scripts?
    Is there other possibility how to remove “Everyone AccessDenied” via GPO without manually starting “Enable-PSSessionConfiguration”?

    Many thanks
    ExSport

    Comment by ExSport | April 11, 2011 | Reply

    • That seems weird, the default permissions are:
      Permission : BUILTIN\Administrators AccessAllowed

      I would check to see if any other Group Policy settings are interfering with the WinRM setup.

      Comment by Jan Egil Ring | April 11, 2011 | Reply

      • Maybe something changed from SP1 on 2008R2?
        Unfortunately when I enable Remote Management by Powershell “Enable-PSSessionConfiguration” or manually by ticking it in GUI, correct descriptor is set.
        But when unticked or “Disable-PSSessionConfiguration” used, it always changes SDDL to Everyone Denied so enabling listener via GPO is not enough.
        Many thanks for any hints.

        Comment by ExSport | April 11, 2011

  9. […] WinRM via group policy is pretty decently documented on many blogs out there on the Internet.  It requires you to touch three places: the WinRM settings, the […]

    Pingback by Enable WinRM with Group Policy, but use PowerShell to Create the Policy « Tome's Land of IT | May 17, 2011 | Reply

  10. […] If you haven’t done this, check with the AD folks and see if you can enable remoting and script execution through a GPO.  It makes your life easier.  If not, you can perform this on each computer individually,  but that defeats the purpose.  Here is a great blog post that describes the process. […]

    Pingback by Installing Roles and Features remotely on multiple computers simultaneously « JasonHelmick | May 23, 2011 | Reply

  11. […] In these help files, you will discover how to enable it with GPO’s, troubleshoot remoting and more.  Here is one of my favorite articles on setting up a GPO for remoting. […]

    Pingback by Enabling PowerShell Remoting in your Environment « JasonHelmick | July 28, 2011 | Reply

  12. great post! thanks for putting together such a detailed post about getting this configured. Much appreciated!

    Comment by Dean Poulin | November 8, 2011 | Reply

  13. […] To avoid the firewall requirements, a workaround is running the functions from a PowerShell script locally on target computers using a software distribution product like System Center Configuration Manager. Another option is to run the functions over PowerShell remoting. […]

    Pingback by Introducing the PowerShell Network Adapter Configuration module « blog.powershell.no | November 23, 2011 | Reply

  14. […] To avoid the firewall requirements, a workaround is running the functions from a PowerShell script locally on target computers using a software distribution product like System Center Configuration Manager. Another option is to run the functions over PowerShell remoting. […]

    Pingback by Introducing the PowerShell Network Adapter Configuration module - Jan Egil`s blog on Microsoft Infrastructure | November 23, 2011 | Reply

  15. […] For a serious, not funny but direct instructions to enable Remote using a GPO, go here. […]

    Pingback by I have better things to do than deploy IIS. Also I’m lazy. « IISonThe.net | January 31, 2012 | Reply

  16. […] following the instructions for configuring PowerShell Remoting through Group Policy, I got started.  The issue in our environment is that simply configuring it isn’t good […]

    Pingback by PowerShell Remoting Configuration Proposal | Other Duties As Required | March 28, 2012 | Reply

