Enabling PSRemoting with a GPO

I believe PSRemoting to be one of the most exciting features of PowerShell, it allows us to execute scripts and code on remote machines and even open full PowerShell sessions (think SSH in the Windows world). Better than SSH, we can execute locally written functions on the remote host, and have any returned objects or values available locally. I’m getting nerd chills just thinking about it.

The WinRM Service (Windows Remote Management) is used to facilitate PSRemoting. The simplest way to enable WinRM / PSRemoting is through a Computer GPO, there are only a few settings required.

Computer Configuration > Policies > Security Settings > Windows Firewall > Inbound
Create a new rule and enable the following predefined policy: Windows Remote Management (HTTP-In)
I would also recommend removing the Public and Private profiles from the rule. This rule opens port TCP 5985, which you also need to permit through any firewall between the server and client.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
This policy needs to be enabled and an IP filter needs to be specified. I’ve seen many blogs get this bit wrong - the IP filter doesn’t limit which IPs can connect to the WinRM service (you can do this using the above firewall rule), it limits which interfaces on the host running the WinRM service are enabled for WinRM. If you have a public facing interface, and an internal management interface, this setting allows you to limit the WinRM service to only listen on the management interface. Wildcards (*) and ranges supported.

Computer Configuration > Preferences > Control Panel Settings > Services > New > WinRM
Here we edit the existing WinRM service. The changes which need to be made are to set the Action to Start and the Startup Type to Automatic

The GPO can then be applied to any OU containing computer accounts for which we want to enable WinRM. A reboot is not necessary for the changes to take effect.

If you only have a small number of hosts and a GPO is overkill, the Enable- PSRemoting command can be ran in an administrative PowerShell session.

Once WinRM is configured, we have a few options for using PSRemoting. First we need to define some credentials, if this part is skipped you will be promoted for them.

To run a single command We can save the returned data to a local object by assigning it a variable, no different to running the Get-Process command locally If we have a function we need to execute instead of a single command, it can still be done using ScriptBlock. If we want to execute a whole script Alternatively, we may just want to open a remote session, similar to SSH in Linux. And on a final note, if you intent to use IP addresses instead of hostnames, you will need to configure the TrustedHosts parameter on the host initiating the PS session. This can be done in an Administrative PowerShell session.