WinRM was configured through a GPO to allow remote administration, but we could not connect with Enter-PSSession. The firewall rule was in place and allowed traffic on TCP port 5985.
Checking the WinRM configuration showed something strange:
winrm enumerate winrm/config/listener
Address = *
Transport = HTTP
Port = 5985
Enabled = true
URLPrefix = wsman
ListeningOn = null
So WinRM was configured but wasn’t listening on any network interface. Why?
The source of the trouble was the GPO itself: “Allow remote server management through WinRM” was enabled, but the IPv4 and IPv6 filter settings were left blank.
The catch is: if you leave the filters blank, remote management is still enabled, but the listener does not know which interface to bind to. Btw this is mentioned in the Syntax section but many people forget it 🙂
So, to make WinRM work, specify the IPv4/IPv6 filters:
1) use * to include all network interfaces
2) use a specific IP, for example 10.20.30.10
3) use IP ranges. Multiple ranges should be separated by a comma. For example 22.214.171.124-126.96.36.199, 188.8.131.52-184.108.40.206
Refresh Group Policies:
1) Just wait for the refresh cycle
2) use cmd: gpupdate /force
3) use PowerShell: Invoke-GPUpdate
4) use GPMC to force clients to update their GP (this requires some ports to be opened)
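
To confirm the fix after the policy refresh, the check below reads the filters the GPO delivered and lists each listener with the addresses it is actually bound to. It is an added example, not part of the original post. It assumes the GPO setting stores its values under the WinRM Service policy registry key shown in the script, and that it is run in an elevated PowerShell on the affected host with the WinRM service running.

```powershell
# Added diagnostic example (not from the original post).
# Assumption: "Allow remote server management through WinRM" writes
# IPv4Filter / IPv6Filter under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

if (-not $policy) {
    Write-Output 'No WinRM service policy found; listeners are configured locally.'
} else {
    foreach ($name in 'IPv4Filter', 'IPv6Filter') {
        $value = $policy.$name
        if ([string]::IsNullOrWhiteSpace($value)) {
            # The failure mode from the post: enabled, but nothing to bind to.
            Write-Warning "$name is blank: the listener gets no address of this family."
        } elseif ($value.Trim() -eq '*') {
            Write-Output "$name = * (listener binds to every interface)"
        } else {
            Write-Output "$name = $value"
        }
    }
}

# Same data as 'winrm enumerate winrm/config/listener', returned as XML elements.
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate

foreach ($l in $listeners) {
    # Collect the text of every ListeningOn element; an empty or nil
    # element (shown by winrm as "ListeningOn = null") yields nothing.
    $bound = @($l.SelectNodes("*[local-name()='ListeningOn']") |
        ForEach-Object { $_.InnerText } |
        Where-Object { $_ })

    [pscustomobject]@{
        Transport   = $l.Transport
        Port        = $l.Port
        Enabled     = $l.Enabled
        Source      = $l.GetAttribute('Source')   # empty if the attribute is absent
        ListeningOn = if ($bound.Count) { $bound -join ', ' } else { '<none>' }
        Reachable   = ($bound.Count -gt 0)
    }
}
```

A listener reported with ListeningOn = <none> and Reachable = False is the state described above: enabled by policy but bound to no interface.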