
Enabling WinRM on Windows Servers and Clients

WinRM (Windows Remote Management) is a Microsoft implementation of the WS-Management protocol, providing secure communication and remote management for Windows systems. Utilizing WinRM in vScope allows for comprehensive and efficient system inventory, especially as an alternative to WMI. This guide covers enabling WinRM via a GPO in Active Directory.

Prerequisites for WinRM

  • Default Availability: Enabled on Windows Server 2012 R2 and newer; disabled on client operating systems earlier than Windows Server 2012.
  • Legacy OS Support: For Windows XP and Windows Server 2003, install the Windows Management Framework Core package to enable WinRM.

Enabling WinRM via Group Policy

Using Group Policy is the simplest way to enable WinRM on all machines within a domain.

Creating a GPO

  1. On the Active Directory server, open Group Policy Management and create a new GPO linked to your domain.


  2. Right-click the new GPO and select Edit….



Configuring the WinRM Listener

  1. In Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.

  2. Edit the Allow automatic configuration of listeners policy setting (may also appear as “Allow remote server management through WinRM”).


  3. Specify which IP addresses the WinRM service will listen on. Setting * enables listening on all interfaces, which is usually sufficient.



Automatically Starting the WinRM Service

  1. In Group Policy Management Editor, go to Computer Configuration > Preferences > Control Panel Settings > Services.

  2. Right-click Services and choose New > Service.


  3. Set Startup to “Automatic (Delayed Start)” and Service action to “Start service.” Click OK to save.



Opening WinRM Ports in the Firewall

WinRM requires port 5985 for HTTP connections.

  1. In Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules.

  2. Right-click Inbound Rules and select New Rule.


  3. Choose Predefined and select “Windows Remote Management” from the dropdown. Click Next and ensure “Windows Remote Management (HTTP-In)” is selected.


  4. Select Allow the connection as the action and click Finish.


Verifying WinRM Settings

After configuring the GPO, allow time for the settings to propagate, or use gpupdate /force on target machines to apply them immediately.

  1. To verify listener settings on a machine, run:
winrm e winrm/config/listener

If you see output displaying the listener settings, this confirms that WinRM is listening on the intended IP addresses and ports. Ensure that the output matches your configuration, especially if you specified a custom IP address or port.
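The same verification as a read-only PowerShell audit that also checks the service and firewall settings configured by the GPO steps above. This is an added example, not part of the original guide or of vScope; it assumes an elevated session on the target machine and the English display group name "Windows Remote Management".

```powershell
# Added example: read-only audit, run in an elevated session on a target machine.

# Listeners: PowerShell equivalent of `winrm e winrm/config/listener`.
$listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate `
        -ErrorAction SilentlyContinue |
    Select-Object Transport, Address, Port, Enabled,
        @{ Name = 'ListeningOn'; Expression = { $_.ListeningOn -join ', ' } })

# Service: the GPO preference should leave WinRM running with StartMode 'Auto'.
$service = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

# Effective inbound rules; ActiveStore includes rules delivered by Group Policy.
# Assumption: English display group name.
$rules = @(Get-NetFirewallRule -PolicyStore ActiveStore `
        -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Source        = $_.PolicyStoreSourceType
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    })

# Compare what is in effect with what the GPO was meant to configure.
$findings = @()
if (-not ($listeners | Where-Object {
        $_.Transport -eq 'HTTP' -and $_.Port -eq '5985' -and $_.Enabled -eq 'true' })) {
    $findings += 'No enabled HTTP listener on port 5985.'
}
if ($service.State -ne 'Running' -or $service.StartMode -ne 'Auto') {
    $findings += "WinRM service is $($service.State) with StartMode $($service.StartMode)."
}
if (-not ($rules | Where-Object { $_.LocalPort -match '5985' })) {
    $findings += 'No enabled inbound firewall rule for port 5985.'
}
foreach ($r in $rules | Where-Object { $_.RemoteAddress -eq 'Any' }) {
    $findings += "Rule '$($r.Rule)' ($($r.Profile)) accepts any remote address; " +
                 'consider limiting it to the address of the vScope server.'
}

$listeners | Format-Table -AutoSize
$rules     | Format-Table -AutoSize
if ($findings) { $findings } else { 'WinRM listener, service and firewall match the GPO.' }
```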


Testing the Connection with PowerShell

After setting up WinRM, you can test the connection from a remote machine using PowerShell to verify that everything is configured correctly.

  1. Create a Credential Object
    Use the following command to create a PowerShell credential object. Replace USERNAME and PASSWORD with the actual credentials for the remote machine:
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList @('USERNAME', (ConvertTo-SecureString -String 'PASSWORD' -AsPlainText -Force))
  2. Invoke a Remote Command
    To confirm the connection, use Invoke-Command with the credentials to run a test command on the target machine. In this example, ipconfig /all retrieves network information from the remote machine:
Invoke-Command -ComputerName <target-machine> -ScriptBlock {ipconfig /all} -Credential $cred

A successful connection will display the network configuration of the remote machine. If the connection fails, check for network or permission issues.



Enabling WinRM in vScope

  1. Access Discovery Manager in vScope.
  2. Add a WMI Credential specific to the Windows machines in your environment.
  3. Under Advanced settings, ensure that Enable WinRM is selected. This activates WinRM over HTTP for inventory collection.
  4. If HTTPS is configured for added security, select WinRM Use HTTPS.

Verifying the WMI Credential with PowerShell

To verify that the WMI credential has the necessary permissions, use the following command from the vScope server (or a proxy server if applicable):

Get-WmiObject -Class Win32_ComputerSystem -ComputerName <target_IP> -Credential <domain\username>

After entering the password when prompted, a successful result will display system information for the target machine. Any error messages may indicate permission or connection issues.
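The PowerShell connection test and the credential check above, combined into one pass over several targets. This is an added example, not part of the original guide or of vScope, and the host names are hypothetical. It prompts with Get-Credential so the password is not typed into the command line, and it queries through a CIM session, which uses WinRM, whereas Get-WmiObject connects over DCOM.

```powershell
# Added example: run from the vScope server (or proxy server).
# Hypothetical host names; replace with your own targets.
$targets = 'srv01.example.test', 'ws01.example.test'

# Prompt for the account instead of embedding the password in a command.
$cred = Get-Credential -Message 'Account used for the vScope WMI credential'

$results = foreach ($t in $targets) {
    $row = [ordered]@{
        Target = $t; Port5985 = $false; WSManAuth = $false; CimQuery = $false; Detail = ''
    }
    try {
        # Step 1: is TCP 5985 reachable (listener present, firewall rule applied)?
        $row.Port5985 = (Test-NetConnection -ComputerName $t -Port 5985 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
        if (-not $row.Port5985) { throw 'TCP 5985 unreachable: check listener and firewall rule.' }

        # Step 2: does the WinRM service accept this credential?
        $null = Test-WSMan -ComputerName $t -Credential $cred `
            -Authentication Default -ErrorAction Stop
        $row.WSManAuth = $true

        # Step 3: can the account read WMI data over WinRM?
        $session = New-CimSession -ComputerName $t -Credential $cred -ErrorAction Stop
        try {
            $cs = Get-CimInstance -CimSession $session `
                -ClassName Win32_ComputerSystem -ErrorAction Stop
            $row.CimQuery = $true
            $row.Detail   = "$($cs.Name) / $($cs.Domain)"
        }
        finally {
            Remove-CimSession -CimSession $session
        }
    }
    catch {
        # Keep the first failure so the table shows where the chain broke.
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize -Wrap
```

The first column that reads False shows which layer to fix: network or firewall, WinRM authentication, or WMI permissions for the account.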


Additional Resources