Microsoft Learn

WinRM Configuration

This article provides a comprehensive guide to configuring Windows Remote Management (WinRM) on your Windows systems. WinRM is a foundational component for remote management of Windows servers and clients, enabling tasks such as remote command execution, event log access, and software inventory.

What is WinRM?

WinRM is a firewall-friendly protocol that allows hardware and software to communicate over HTTP or HTTPS. It's built on top of the Web Services for Management (WS-Management) standard. WinRM is essential for many management tools, including PowerShell Remoting, Server Manager, and Windows Admin Center.

Enabling WinRM

To enable WinRM, you can use the winrm quickconfig command in an elevated PowerShell prompt. This command configures the necessary WinRM service settings and firewall rules.

winrm quickconfig

Configuring WinRM Listeners

WinRM can listen for incoming requests over HTTP (port 5985) or HTTPS (port 5986). For production environments, it is highly recommended to use HTTPS for secure communication.

HTTP Listener Configuration

To configure an HTTP listener:

winrm create winrm/config/Listener?Address=*+Transport=HTTP

HTTPS Listener Configuration

To configure an HTTPS listener, you need a valid SSL certificate installed in the local computer's certificate store. The command is similar, but specifies Transport=HTTPS and identifies the certificate by its thumbprint (replace the placeholder values with the server's FQDN and the certificate's thumbprint).

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="SERVER_FQDN";CertificateThumbprint="CERTIFICATE_THUMBPRINT"}

Note: Ensure that the certificate you use for HTTPS has a subject name or subject alternative name that matches the FQDN of the server, and that it's trusted by the client.

Client Configuration

On the client machine, you need to configure WinRM to trust the remote server. This is often done by setting the TrustedHosts parameter.

winrm set winrm/config/client '@{TrustedHosts="SERVER_NAME_OR_IP"}'

Important: In a production environment, using TrustedHosts with wildcards or broad IP ranges is not recommended for security reasons, because the client then skips verifying the remote server's identity for those hosts. Consider using Active Directory group policies or proper certificate validation.
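The following script, added here as an example and not part of the original article, audits a host against the recommendations in the listener and client sections above: it lists each WinRM listener, flags HTTPS listeners with no certificate bound, flags wildcard TrustedHosts entries, and reports service settings that weaken transport protection. It assumes the built-in WSMan: provider is available, which is the case wherever the WinRM service is installed.

```powershell
# Added example (not from the original article): audit the local WinRM
# configuration. Run in an elevated PowerShell session on the server being checked.
function Test-WinRMConfig {
    $findings = @()

    # Listeners: note any HTTP listener and check that HTTPS listeners have a certificate bound.
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    if (-not $listeners) { $findings += 'No WinRM listeners are configured.' }
    foreach ($listener in $listeners) {
        $props = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
            ForEach-Object { $props[$_.Name] = $_.Value }
        if ($props['Transport'] -eq 'HTTP') {
            $findings += "HTTP listener on port $($props['Port']) (no TLS; relies on message-level encryption only)."
        }
        elseif ($props['Transport'] -eq 'HTTPS' -and -not $props['CertificateThumbprint']) {
            $findings += "HTTPS listener on port $($props['Port']) has no certificate thumbprint bound."
        }
    }

    # Client TrustedHosts: a wildcard disables server identity checks for every matching host.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -match '\*') {
        $findings += "TrustedHosts contains a wildcard entry: '$trusted'."
    }

    # Service settings: unencrypted traffic and Basic authentication should stay disabled.
    if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
        $findings += 'Service allows unencrypted WS-Management traffic (AllowUnencrypted=true).'
    }
    if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
        $findings += 'Basic authentication is enabled on the service.'
    }

    if ($findings.Count -eq 0) {
        'No findings: WinRM configuration matches the recommendations in this article.'
    }
    else {
        $findings
    }
}

Test-WinRMConfig
```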

Firewall Rules

WinRM uses specific ports that need to be open in the Windows Firewall. The winrm quickconfig command typically creates these rules automatically. If not, you can create them manually:

Example PowerShell command to open the HTTP port:

New-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -Direction Inbound -LocalPort 5985 -Protocol TCP -Action Allow

Troubleshooting WinRM Connectivity

If you encounter issues connecting to a remote machine via WinRM, consider the following:

Test-WSMan -ComputerName SERVER_NAME_OR_IP

Tip: For advanced scenarios, such as WinRM over IPv6 or custom authentication methods, consult the official Microsoft documentation for detailed configuration options.

Further Reading