New-PSSession to localhost fails

Question

I have a script that opens a remote session to the localhost. I need this to install NuGet on some devices from within a logonscript.

$Username = "Admin"  
$Password = ConvertTo-SecureString ‘adminPW’ -AsPlainText -Force
$adminCredential = New-Object System.Management.Automation.PSCredential $Username, $Password
$Session = New-PSSession  -Credential $adminCredential
Invoke-Command -Session $Session -ScriptBlock {Install-PackageProvider -Name NuGet -Verbose -MinimumVersion 2.8.5.201 -Force}

Every time I try to run this I get the following error:

New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : The client cannot connect to the destination 
specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the 
WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the 
destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Users\Mike Holtackers\OneDrive - Foreign Trade Association\Scripts\OutlookSig\getAADconnectionOK.ps1:5 char:12
+ $Session = New-PSSession -ConnectionUri $ConnectionURI -Credential $a ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CannotConnect,PSSessionOpenFailed

Running winrm quickconfig does not change anything...

Following is the output of winrm get winrm/config

PS WSMan:\localhost\Listener\Listener_1084132640> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = 194.168.254.1-194.168.254.256 [Source="GPO"]
        IPv6Filter [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Yes, I have. Tried it again to be sire but still yields the same result — Docschnitzel, Apr 19 '17 at 16:09
Have you updated your WinRM TrustedHosts to allow you to connect to localhost? — TessellatingHeckler, Apr 19 '17 at 17:51
hm, this is interesting, I was assuming localhost is trusted by default... — 4c74356b41, Apr 19 '17 at 19:05
If you are running this locally, why can't you execute without invoke-command ? - any dependencies ??? — Prasoon Karunan V, Apr 21 '17 at 02:57
It also seems to require credentials when signing in with a Microsoft account. I must use Get-Credential on my home machine to make New-PSSession work. My work machine does not require that. — Brain2000, Dec 13 '18 at 18:41
Confirmed, my PowerShell requires credentials when signing in with a Microsoft account. Windows Admin Center broke and I spent an hour trying to figure out "why" since this isn't documented in the [Troubleshooting](https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/support/troubleshooting#configure-trustedhosts) page. — Will Angley, May 09 '22 at 01:41

score 5 · Answer 1 · answered Apr 19 '17 at 17:24

Check if the winrm service is running on your localhost:

PS C:\>  Get-Service winrm | ft -AutoSize

Status  Name  DisplayName                              
------  ----  -----------                              
Running winrm Windows Remote Management (WS-Management)

Otherwise PS remoting won't work, though you've configured via winrm and have enabled PS remoting via Enable-PSRemoting.

Docschnitzel · Accepted Answer · 2017-04-21T11:00:17.963

2

Issue was someone had tampered with the firewall... Thanx for the help guys!

Basically the firewall GPO was blocking remote management

edited Apr 21 '17 at 11:00

answered Apr 21 '17 at 07:50

Docschnitzel

175
1
2
12

Welcome to the site Docschnitzel, to help people further can you try and mark the correct answer to your original question. I see you've somehow managed to say @Moewalds answer was correct yet you wrote a comment saying it didn't work, then you have this other answer from yourself stating it was a firewall issue. What did you do to fix your issue? Once you explain that you can then mark your own answer as the correct one. – Will Webb Apr 21 '17 at 08:15
Thanks for the heads up, I cleared up my own answer and will mak it as the answer in a few hours (when the site will allow me to mark it) – Docschnitzel Apr 21 '17 at 11:01

score 2 · Answer 3 · answered Feb 05 '22 at 19:38

Following worked in my case:

# NOTE: Following is set by Enable-PSRemoting, it prevents UAC and
# allows remote access to members of the Administrators group on the computer.

Set-ItemProperty -Name LocalAccountTokenFilterPolicy -Value 1 `
        -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

For more information about this setting see section in about_Remote_Troubleshooting

New-PSSession to localhost fails

3 Answers3

Linked