Enabling PSRemoting with a GPO
Posted on September 03, 2016, tagged powershell, gpo
I believe PSRemoting to be one of the most exciting features of PowerShell: it allows us to execute scripts and code on remote machines and even open full PowerShell sessions (think SSH in the Windows world). Better than SSH, we can execute locally written functions on the remote host and have any returned objects or values available locally. I’m getting nerd chills just thinking about it.
The WinRM service (Windows Remote Management) is used to facilitate PSRemoting. The simplest way to enable WinRM / PSRemoting is through a Computer GPO; only a few settings are required.
Computer Configuration > Policies > Security Settings > Windows Firewall > Inbound

Create a new rule and enable the following predefined policy: Windows Remote Management (HTTP-In). I would also recommend removing the Public and Private profiles from the rule. This rule opens port TCP 5985, which you also need to permit through any firewall between the server and client.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service

This policy needs to be enabled and an IP filter needs to be specified. I’ve seen many blogs get this bit wrong - the IP filter doesn’t limit which IPs can connect to the WinRM service (you can do this using the above firewall rule); it limits which interfaces on the host running the WinRM service are enabled for WinRM. If you have a public-facing interface and an internal management interface, this setting allows you to limit the WinRM service to listen only on the management interface. Wildcards (*) and ranges are supported.
Computer Configuration > Preferences > Control Panel Settings > Services > New > WinRM

Here we edit the existing WinRM service. The changes which need to be made are to set the Action to Start and the Startup Type to Automatic.
The GPO can then be applied to any OU containing computer accounts for which we want to enable WinRM. A reboot is not necessary for the changes to take effect.
If you only have a small number of hosts and a GPO is overkill, the Enable-PSRemoting command can be run in an administrative PowerShell session.
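Whichever route you take, it is worth confirming on a target host that all three pieces (service, firewall rule, listener) actually landed before troubleshooting from the client. The following check is an added example, not code from the original post; it assumes the NetSecurity module (Windows 8 / Server 2012 or later) and uses CONTOSO-SRV01 as a placeholder hostname.

```powershell
# Added example (not from the original post): verify on a target host that the
# three GPO settings above (or Enable-PSRemoting) took effect. Run in an
# administrative PowerShell session on the host that should accept PSRemoting.

# 1. Service: WinRM must be running and set to start automatically.
$svc = Get-Service -Name WinRM
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'").StartMode
"WinRM service: Status=$($svc.Status) StartMode=$startMode"

# 2. Firewall: the predefined HTTP-In rule should be enabled and, as the post
#    recommends, scoped to the Domain profile only (Public and Private removed).
#    Windows ships more than one rule with this display name, so loop over them.
$rules = Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -ErrorAction SilentlyContinue
if ($null -eq $rules) {
    "Firewall rule 'Windows Remote Management (HTTP-In)' not found"
} else {
    foreach ($r in $rules) {
        $port = ($r | Get-NetFirewallPortFilter).LocalPort
        "Rule '$($r.Name)': Enabled=$($r.Enabled) Profile=$($r.Profile) LocalPort=$port"
    }
}

# 3. Listener: the IP filter in the WinRM Service policy decides which local
#    interfaces get an HTTP listener on TCP 5985. Address='*' means all of them.
Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $props     = Get-ChildItem -Path $_.PSPath
    $address   = ($props | Where-Object Name -eq 'Address').Value
    $port      = ($props | Where-Object Name -eq 'Port').Value
    $transport = ($props | Where-Object Name -eq 'Transport').Value
    "Listener: Transport=$transport Address=$address Port=$port"
}

# 4. End-to-end check from a client machine (CONTOSO-SRV01 is a placeholder):
#    a successful reply proves the firewall path and the listener both work.
# Test-WSMan -ComputerName CONTOSO-SRV01
```

If step 3 shows a listener bound only to the management interface's address while step 2 shows the rule limited to the Domain profile, the host matches the intent of the GPO described above; a listener on `*` means the IP filter was left wide open.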
Once WinRM is configured, we have a few options for using PSRemoting. First we need to define some credentials; if this part is skipped, you will be prompted for them.

To run a single command:

We can save the returned data to a local object by assigning it to a variable, no different to running the Get-Process command locally.

If we have a function we need to execute instead of a single command, it can still be done using ScriptBlock.

If we want to execute a whole script:

Alternatively, we may just want to open a remote session, similar to SSH in Linux.

And on a final note, if you intend to use IP addresses instead of hostnames, you will need to configure the TrustedHosts parameter on the host initiating the PS session. This can be done in an Administrative PowerShell session.
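The usage options just described, worked through as an added example (this is not code from the original post). It assumes a domain-joined admin workstation; CONTOSO-SRV01, 10.0.0.25, the account name and the script path are placeholders, not values from the post.

```powershell
# Added example (not from the original post): the PSRemoting usage options the
# post lists, run from an admin workstation. Hostnames, addresses, account and
# script path below are placeholders.

# Credentials: define them once, otherwise each remoting cmdlet prompts for them.
$cred = Get-Credential -UserName 'CONTOSO\svc-admin' -Message 'Credentials for remote hosts'

# 1. Run a single command on a remote host.
Invoke-Command -ComputerName CONTOSO-SRV01 -Credential $cred -ScriptBlock { Get-Process }

# 2. Save the returned (deserialized) objects to a local variable and work with
#    them locally, no different to the output of a local Get-Process.
$remoteProcs = Invoke-Command -ComputerName CONTOSO-SRV01 -Credential $cred -ScriptBlock { Get-Process }
$remoteProcs | Sort-Object WorkingSet64 -Descending |
    Select-Object -First 5 Name, Id, WorkingSet64, PSComputerName

# 3. Execute a locally defined function on the remote host. The remote session
#    knows nothing about local functions, so the function body is sent as the
#    ScriptBlock and its parameters are supplied through -ArgumentList.
function Get-LargeLogFile {
    param([string]$Path, [int]$MinSizeMB)
    Get-ChildItem -Path $Path -Filter *.log -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt ($MinSizeMB * 1MB) }
}
Invoke-Command -ComputerName CONTOSO-SRV01 -Credential $cred `
    -ScriptBlock ${function:Get-LargeLogFile} -ArgumentList 'C:\inetpub\logs', 100

# 4. Execute a whole local script remotely. -FilePath reads the file on this
#    machine and ships its contents, so it need not exist on the target.
Invoke-Command -ComputerName CONTOSO-SRV01 -Credential $cred -FilePath .\Get-Inventory.ps1

# 5. Open an interactive session, the SSH-like experience. The prompt changes to
#    [CONTOSO-SRV01]: PS C:\...> and Exit-PSSession returns to the local shell.
Enter-PSSession -ComputerName CONTOSO-SRV01 -Credential $cred
# Exit-PSSession

# 6. Connecting by IP address: Kerberos cannot authenticate an IP, so the
#    initiating host must explicitly trust it. Run in an administrative session
#    on the client; list specific addresses rather than '*'.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.25' -Concatenate -Force
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
Invoke-Command -ComputerName 10.0.0.25 -Credential $cred -ScriptBlock { hostname }
```

Objects that come back from Invoke-Command are deserialized copies (note the added PSComputerName property), so their methods are gone but their data is local and filterable. -Concatenate on the TrustedHosts entry appends rather than overwrites, which matters when several IP-only hosts are managed from the same workstation.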