Enable Powershell Remoting via Group Policy



Powershell really is a game changer when it comes to management and scripting on Windows, but one of the areas where it really shines is its remoting capability. Powershell remoting lets you connect to a remote system, run commands there, and have the results returned to the calling machine. This can be done as an automated block or as an interactive session.

Remoting requires Powershell 2.0 which comes built-in on Windows 7 and Windows 2008 R2, but it needs to be installed on Windows Vista / Server 2008 and below. The WinRM service will also have to be configured and enabled.

We'll show you how to accomplish this with group policy for the range of operating systems that can run it.

The Policy Split

We basically have three operating system “classes” to deal with here:

  • Windows 7 / Windows 2008 R2
  • Windows Vista / Windows 2008
  • Windows XP / Windows 2003

The requirements for each are as follows:

Windows 7 / 2008 R2:

  • Needs WinRM enabled / configured.
  • Needs firewall rules.
  • Needs service configuration.

Windows Vista / 2008:

  • Needs everything above.
  • Needs Powershell 2.0 installed.

Windows XP / Windows Server 2003:

  • Needs everything above.
  • Needs .NET framework.
  • Cannot directly configure WinRM with Group Policy.

What does that last bullet mean? There are already administrative templates for enabling and managing WinRM, but they only work on Vista clients and later, so our XP and 2003 machines are out of luck there. Vista and 2008 are covered by the templates, but they don’t have Powershell 2.0 installed by default. Windows XP and 2003 don’t have the .NET framework by default either.

In our environments we've chosen to do this with two policies. The first policy uses the administrative templates to enable WinRM, and it sets a few additional policies for Windows firewall rules and WinRM service parameters which will apply to all of the OS classes. The second policy is filtered with WMI to only apply to Vista / 2008 machines and lower, and it consists solely of a startup script which installs Powershell 2.0 and .NET framework (as needed) and enables WinRM.

The "Enable Powershell Remoting" Policy

This is the first policy described above. If you are lucky enough to have no machines in your environment below Windows 7 / 2008 R2 (where do you work?!) then this is the only one you need. All of the settings we are using are in Computer Configuration, so if you want to disable User Configuration, as we have, go ahead.

Create your GPO, name it what you want, place it where you want, etc.
Edit your policy.

Enabling WinRM

  • Browse to: Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
  • Open the “Allow Remote Server management through WinRM” policy setting (Server 2008 R2 and later).
  • Open the “Allow automatic configuration of listeners” policy setting (Server 2008 and earlier).
  • Set the Policy to Enabled.
  • Set the IPv4 and IPv6 filters to * unless you need something specific there (check out the help on the right).

Setting the Firewall Rules

  • Browse to: Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
  • Open the “Windows Firewall: Define inbound port exceptions” policy setting.
  • Set it to Enabled if it isn’t already.
  • Click the “Show...” button and add the port exception. The format is port:transport:scope:status:name. We’re going to be opening TCP port 5985, so the exception string will look something like this:
5985:TCP:*:enabled:WSMan

If Windows XP and 2003 are not a concern

You can use the new Windows Firewall with Advanced Security policy to configure the rule instead, but this will only work on Vista and above. Additionally, you should configure this from a Windows 7 / 2008 R2 machine because of a difference in the pre-defined rule.

  • Browse to: Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall... > Inbound Rules
  • Right click and choose “New Rule...”.
  • Choose the “Windows Remote Management” pre-defined rule.
  • When you click Next you should see the two rules that will be added.
  • Click Next, choose to Allow the connection, and then Finish.

Service Configuration

At this point we have enough in place to get this working, but we like to do a few more things to ensure that the WinRM service is configured to start automatically and to restart on failure.

  • Browse to: Policies > Windows Settings > Security Settings > System Services
  • Find the “Windows Remote Management (WS-Management)” service.
  • Define the policy and give it a startup mode of Automatic.
  • Browse to: Preferences > Control Panel Settings > Services

Create a new Service preference item with the following parameters:

General Tab

  • Startup: No Change (the policy we set above will take precedence over this anyway)
  • Service name: WinRM
  • Service action (optional): Start service

Recovery Tab

  • First, Second, and Subsequent Failures: Restart the Service
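Once the policy has applied (after a gpupdate or a reboot), it is worth confirming on a target machine that each piece actually landed. The following verification script is an added example, not from the original post; it reads the registry values that the “Allow automatic configuration of listeners” template writes (the HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service key), the WinRM service start mode and state via Win32_Service (which also works on XP / 2003, where Get-Service has no StartType property), and the listener that WinRM created. It only needs PowerShell 2.0.

```powershell
# Added verification script (not part of the original post). Run on a domain
# member after "gpupdate /force" to confirm the "Enable Powershell Remoting" GPO
# landed. Works on PowerShell 2.0 so it can run on the older OS classes too.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$results = @()

# 1. Policy registry values written by the WinRM Service administrative template
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    $results += New-Object PSObject -Property @{
        Check = 'WinRM policy applied'
        Ok    = ($p.AllowAutoConfig -eq 1)
        Value = "AllowAutoConfig=$($p.AllowAutoConfig) IPv4Filter=$($p.IPv4Filter) IPv6Filter=$($p.IPv6Filter)"
    }
} else {
    $results += New-Object PSObject -Property @{
        Check = 'WinRM policy applied'
        Ok    = $false
        Value = 'policy key missing (has the GPO applied to this computer?)'
    }
}

# 2. Service start mode and state (the System Services policy sets Automatic)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
$results += New-Object PSObject -Property @{
    Check = 'WinRM service'
    Ok    = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
    Value = "StartMode=$($svc.StartMode) State=$($svc.State)"
}

# 3. Listener: automatic configuration should have produced an HTTP listener on 5985
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue
$http = @($listeners | Where-Object { $_.Transport -eq 'HTTP' })
$results += New-Object PSObject -Property @{
    Check = 'HTTP listener'
    Ok    = ($http.Count -gt 0 -and $http[0].Port -eq 5985)
    Value = $(if ($http.Count -gt 0) { "Address=$($http[0].Address) Port=$($http[0].Port)" } else { 'no HTTP listener' })
}

$results | Format-Table Check, Ok, Value -AutoSize
```

If the policy key is present but no listener exists, the WinRM service usually just has not restarted since the policy arrived; restarting it (or rebooting) lets automatic configuration create the listener.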

The "Install Powershell 2.0 and WinRM" Policy

Now we'll create the second policy that we described. This one will install the Windows Management Framework Core package and .NET framework via a startup script. This policy will use a WMI filter so that we aren’t trying to do these steps on Windows 7 / 2008 R2 where it’s unnecessary.

Since these are distributed as Windows updates and not as an MSI, we can't use software distribution to install them. That also means that if you’re using WSUS you’ll have to make sure that these updates are approved:

  • KB968930
  • KB951847

These packages are available for Windows Server 2003 x86 / x64 and Windows XP x86 (the original post attached the downloads here).

Create The WMI Filter

First, let’s create the WMI filter that we’re going to use so that this policy will only apply to Windows Vista / 2008 and below.

  • In the Group Policy Management console, scroll down to "WMI Filters".
  • Create a new WMI Filter, and give it a name and description.
  • In the Queries box, click the Add button.
  • Keep the namespace as “root\CIMv2” and then click into the Query box.

The following WQL query will match Windows Vista, Windows 2008, and lower operating systems:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" OR Version LIKE "5.%"
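Before linking the policy it helps to see exactly which machines that filter catches. The script below is an added example, not from the original post: it runs the same WQL query locally with Get-WmiObject, then re-expresses the predicate with PowerShell wildcards (WQL % is PowerShell *) and evaluates it against a constructed table of typical version strings for each OS class, so you can see that 6.1 (Windows 7 / 2008 R2) and later fall outside the filter while 6.0 and every 5.x release fall inside it.

```powershell
# Added example (not part of the original post): check who the WMI filter targets.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" OR Version LIKE "5.%"'

# Live check on this machine: a result means the second GPO would apply here.
$os = Get-WmiObject -Query $wql
if ($os) {
    "This host ($($os.Caption), version $($os.Version)) matches the filter"
} else {
    "This host does not match the filter (second GPO would be skipped)"
}

# The same predicate in PowerShell terms, so it can be evaluated on any version string.
function Test-LegacyOsVersion {
    param([string]$Version)
    return (($Version -like '6.0*') -or ($Version -like '5.*'))
}

# Constructed sample versions; these are the typical values each OS reports.
$samples = @{
    'Windows XP SP3'          = '5.1.2600'
    'Windows Server 2003 R2'  = '5.2.3790'
    'Windows Vista / 2008'    = '6.0.6002'
    'Windows 7 / 2008 R2'     = '6.1.7601'
    'Windows 8 / 2012'        = '6.2.9200'
}

$samples.GetEnumerator() | Sort-Object Value | ForEach-Object {
    $verdict = if (Test-LegacyOsVersion $_.Value) { 'second GPO applies' } else { 'skipped' }
    '{0,-24} {1,-10} {2}' -f $_.Name, $_.Value, $verdict
}
```

Note the order of the two LIKE clauses does not matter, and "5.%" deliberately catches both XP (5.1) and Server 2003 (5.2).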

Create the GPO

Create the GPO and link it to the same places as the first one.

Make sure that the WMI filter we created above is applied to the GPO.

Set up the Startup Script

  • Browse to: Policies > Windows Settings > Scripts
  • Open the Startup item, and make sure you’re on the Scripts tab (not Powershell scripts).
  • Click the Show Files... button below. This location is where you must put the script. You can copy the following script:
' Startup script: install Windows Management Framework Core (KB968930) and the
' .NET framework update (KB951847) through the Windows Update Agent if they are
' missing, then enable Powershell remoting.
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()

' Find applicable software updates that are not yet installed.
Set searchResult = updateSearcher.Search("IsInstalled=0 and Type='Software'")
Set toDL = CreateObject("Microsoft.Update.UpdateColl")

' Queue only the two updates we care about.
For I = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(I)
    For kbidindex = 0 To update.KBArticleIDs.Count - 1
        kbid = update.KBArticleIDs.Item(kbidindex)
        If kbid = "968930" Or kbid = "951847" Then
            toDL.Add update
        End If
    Next
Next

' Nothing to install: Powershell 2.0 is already present, so just enable remoting and exit.
If toDL.Count = 0 Then
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe ""Enable-PSRemoting -Force""", 1, True
    WScript.Quit -1
End If

' Download the queued updates and wait until every one of them is on disk.
Set DLer = updateSession.CreateUpdateDownloader()
DLer.Updates = toDL
DLer.Download()
DLdone = False
Do
    allDone = True
    For I = 0 To toDL.Count - 1
        Set update = toDL.Item(I)
        allDone = allDone And update.IsDownloaded
    Next
    DLdone = allDone
    WScript.Sleep 5000
Loop Until DLdone

' Install the updates, then enable remoting with the freshly installed Powershell 2.0.
Set installer = updateSession.CreateUpdateInstaller()
installer.Updates = toDL
Set installationResult = installer.Install()
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe ""Enable-PSRemoting -Force""", 1, True

  • Once the file is in place, click the Add... button in the Startup Properties window.
  • Type or paste the name of the VBScript file (just the name, not the full path).
  • Leave Script Parameters blank.

Wrapping Up

With this in place, you’re ready to go! As with any group policy changes, test, test, and test again.

Windows XP / 2003 machines probably need to be rebooted, maybe twice, for it all to work (especially if the script installs .NET). If you’ve got any other remote administration in place and working (psexec, WMI, third-party tools) you could use that to kickstart the execution of the VBScript that installs the management framework.
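To check the whole thing end to end from a management station rather than logging on to each box, the script below is an added example, not from the original post. It takes a constructed list of computer names ($computers is an assumption; substitute your own or pull it from Active Directory), confirms each one answers on WinRM with Test-WSMan, and then uses the remoting that these policies just enabled to report the remote Powershell version and whether KB968930 and KB951847 are present. On Windows 7 / 2008 R2 an empty KB column is expected, since those machines never needed the updates.

```powershell
# Added end-to-end check (not part of the original post). Run from a domain-joined
# management station with Powershell 2.0 or later.
$computers = 'xp-client01', 'srv2003-01', 'srv2008r2-01'   # constructed names, replace with yours
$kbs = 'KB968930', 'KB951847'

$report = foreach ($c in $computers) {
    $row = New-Object PSObject -Property @{
        Computer = $c; WSMan = $false; PSVersion = $null; KBsPresent = $null; Error = $null
    }
    try {
        # Test-WSMan only asks the listener to identify itself, so it fails fast when
        # the service, listener or firewall rule is missing.
        $null = Test-WSMan -ComputerName $c -ErrorAction Stop
        $row.WSMan = $true

        # A real remote command: version of the remote Powershell and the hotfixes we care about.
        $remote = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            param($ids)
            $present = Get-HotFix -ErrorAction SilentlyContinue |
                Where-Object { $ids -contains $_.HotFixID } |
                ForEach-Object { $_.HotFixID }
            New-Object PSObject -Property @{
                PSVersion  = $PSVersionTable.PSVersion.ToString()
                KBsPresent = (@($present) -join ',')
            }
        } -ArgumentList (,$kbs)
        $row.PSVersion  = $remote.PSVersion
        $row.KBsPresent = $remote.KBsPresent
    } catch {
        # Keep going; the Error column tells you which machines still need attention.
        $row.Error = $_.Exception.Message
    }
    $row
}

$report | Format-Table Computer, WSMan, PSVersion, KBsPresent, Error -AutoSize
```

A machine that passes Test-WSMan but fails Invoke-Command usually has the listener up but Enable-PSRemoting not yet run (no session configuration registered), which on XP / 2003 points back at the startup script and the reboots mentioned above.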

Enabling Powershell Remoting with VBScript

If you have Windows Server 2003 or Windows Server 2008, you cannot use the Powershell tab of the Startup script GPO, because that tab is not available on those versions. To bypass this limitation we can still run Powershell code from our good old VBScript:

' Launch powershell.exe from VBScript; -executionpolicy bypass keeps a restrictive
' policy from blocking the command, and Enable-PSRemoting -Force suppresses the prompts.
Set objShell = CreateObject("Wscript.shell")

objShell.run("powershell -executionpolicy bypass -command Enable-PSremoting -Force")
