0

I'm trying to set up my domain computers to be able to receive PS commands from the DC.

I'm beginning with a very simple command (Restart-Computer) to test things, however the Windows Firewall insists on blocking me.

The 5985 and 5986 TCP ports are already open, but the connection gets denied anyway. I know it's a firewall issue because when I disable the firewall or set a rule that allows all ports (essentially the same thing as disabling the FW) it works. I also checked that the DC uses the default 5985 port, and it does. What did I miss?

Bekoj

1 Answer

0

You may see in this page from Microsoft:

The winrm quickconfig command creates a firewall exception only for the current user profile. If the firewall profile is changed for any reason, you should run winrm quickconfig to enable the firewall exception for the new profile; otherwise, the exception might not be enabled.

In this other link you can see how you can manually change the firewall rules to allow WinRM.

Microsoft provides the cmdlet Enable-PSRemoting which, among other things, manipulates the firewall rules.

J.M. Robles
  • I did all that, and I can see the rules are in place in the Firewall (port 5985 open) but it's still not working. It's as if the PSRemote is using another port, although I've checked and my server does use the default 5985 port – Bekoj Apr 02 '21 at 07:08
  • Please check if 5955 and 5986 are the ports winrm listens to (winrm enumerate winrm/config/listener). Old Windows versions used 80 and 443 – J.M. Robles Apr 02 '21 at 07:38
  • Here is the result of the command you mentioned: Listener [Source="GPO"] Address = * Transport = HTTP Port = 5985 Hostname Enabled = true URLPrefix = wsman CertificateThumbprint ListeningOn = 10.50.254.14 10.50.254.14 is the workstation's IP – Bekoj Apr 02 '21 at 07:47
  • The problem seems to be that the Listener is configured with GPO ([Source="GPO"]). You should change group policies, e.g. http://prakash-nimmala.blogspot.com/2013/01/winrm-issue-winrm-service-could-not.html – J.M. Robles Apr 02 '21 at 08:01
  • Nope, I checked and my GPOs are well configured, my server is in the range my clients listen to. I tried to change the GPO to get them to listen to every IP (like he does in the article you linked), but the result is the same. Besides, if that was the problem it still wouldn't work when I disable the firewall – Bekoj Apr 02 '21 at 08:30
  • As you have identified the Firewall as the cause of problems, it is time to review the rules that control WinRM. Firewall rules are a bit more complicated than open or close ports. You should locate the rule for "Windows Remote Management" and view which conditions could not be satisfied – J.M. Robles Apr 02 '21 at 08:34
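
One way to carry out the rule review suggested in the last comment, as an added example that is not part of the original thread: it lists every enforced inbound rule covering the WinRM ports together with the conditions that can stop it from matching (firewall profile versus the active network category, and remote address scope). It assumes the NetSecurity and NetConnection cmdlets (Windows 8 / Server 2012 or later) and an elevated session on the workstation; the variable names are illustrative.

```powershell
# Added example (not from the thread): read-only audit of the enforced inbound
# rules that cover the WinRM ports. Nothing here changes firewall state.
$winrmPorts = '5985', '5986'

# Categories of the currently connected networks, mapped to firewall profile names.
$activeProfiles = Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' }
    else { [string]$_.NetworkCategory }
} | Sort-Object -Unique

# ActiveStore is the merged policy actually enforced (local rules plus GPO rules).
$inbound = Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

$report = foreach ($rule in $inbound) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -notin 'TCP', 'Any') { continue }
    # Port ranges (for example 5000-6000) are not expanded in this example.
    $coversWinRM = @($port.LocalPort) |
        Where-Object { $_ -eq 'Any' -or $_ -in $winrmPorts }
    if (-not $coversWinRM) { continue }

    $addr = $rule | Get-NetFirewallAddressFilter
    $ruleProfiles = ([string]$rule.Profile) -split ',\s*'
    # A rule only applies if its profile set includes an active network category.
    $profileMatch = ($ruleProfiles -contains 'Any') -or
        [bool]($activeProfiles | Where-Object { $ruleProfiles -contains $_ })

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Action        = $rule.Action
        Source        = $rule.PolicyStoreSourceType   # Local or GroupPolicy
        Profile       = $rule.Profile
        AppliesNow    = $profileMatch
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
}

"Active network profile(s): $($activeProfiles -join ', ')"
$report | Sort-Object Action, Rule | Format-Table -AutoSize -Wrap
```

An Allow rule whose AppliesNow is False, or whose RemoteAddress scope does not include the DC's address, is open on paper but does not match the connection; a Block rule covering the same port takes precedence over an Allow rule.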