WinRM would not listen on port 5985

The WinRM was configured to allow remote administration via a GPO but it wouldn’t let us connect with Enter-PSSession. The firewall rule was there passing the traffic on TCP port 5985.

Checking WinRM config showed something strange:

Listener [Source=”GPO”]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = null

So WinRM was actually configured but wasn’t listening on any network interface. Why?

Well, the trouble source was the GPO itself – “Allow remote server management through WinRM” was enabled, but IPv4 and IPv6 filter settings were left blank.

The catch is: if you leave filters blank you still enable remote management but the listener does not know on which interface to bind itself. Btw this is mentioned in the Syntax section but many people forget it 🙂

So in order to make WinRM work specify IPv4/IPv6 filters:
1) use * to include all network interfaces
2) use specific IP for example 10.20.30.10
3) use IP ranges. Multiple ranges should be separated by a comma. For example 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22

Refresh Group Policies:
1) Just wait the refresh cycle
2) use cmd: gpupdate /force
3) use PowerShell: Invoke-GPUpdate
4) use GPMC to force clients to update their GP (this requires some ports to be opened)

Leave a Reply

Your email address will not be published. Required fields are marked *

*