Remoting question



  • #11170

    Participant

    So.... I am reworking our GPO that enables us to run PowerShell commands on remote machines to make it correct instead of expedient. Boss asks me why we need exceptions for WinRM and WSMan on 5985 in the GPO. I didn't think anything would run without those exceptions but I tested anyway. I disabled that part of the GPO and *everything* ran! Still! What am I missing? I thought you had to open that port for anything to work. We have two built-in exceptions in that GPO: Remote Eventlog Management, and Windows Remote Management.

    Everything (the commands I tested):
    enter-pssession, dir
    copy-item
    get-service
    get-winevent
    get-ciminstance

    The part of the GPO that I removed for the test is found in Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile, Windows Firewall: Define inbound program exceptions. At the moment it is set to Disabled for testing.

  • #11172

    Keymaster

    WS-Management absolutely requires 5985 (by default; you can of course change it). What's very possible is that disabling the GPO didn't *also disable the existing firewall exception*, meaning the exception was still in place and active. "Disabled" prevents the GPO from pushing a specification but doesn't necessarily undo any exceptions that were already in place.

    You definitely need 5985 if you're using non-SSL WinRM, unless you've redefined the port to something else.
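
Added example (not part of the original thread, and not code from either poster): one way to check the situation described in the reply above, by listing the inbound allow rules for 5985 that are actually in force on the target, showing where each rule comes from, and confirming from another machine that the port and WS-Management answer. The function names and the `SERVER01` target name are assumptions made for illustration.

```powershell
# Added example. Function names and the target name are hypothetical.
function Get-WinRMFirewallState {
    # Run elevated ON the target machine.
    param([int]$Port = 5985)   # default HTTP WinRM port; change if redefined

    # ActiveStore is the merged policy the firewall is enforcing right now.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound `
                 -Enabled True -Action Allow |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            # Exact port match only; rules using 'Any' or a port range are not listed.
            if ($filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains "$Port") {
                [pscustomobject]@{
                    Rule    = $_.DisplayName
                    Profile = $_.Profile
                    # GroupPolicy = delivered by a GPO; Local = stored on the machine itself
                    Source  = $_.PolicyStoreSourceType
                    Store   = $_.PolicyStoreSource
                }
            }
        }

    [pscustomobject]@{
        Port       = $Port
        Listening  = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
        AllowRules = @($rules)
    }
}

function Test-WinRMReachable {
    # Run from the admin workstation against the target.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 5985)

    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $wsman = $true
    try { Test-WSMan -ComputerName $ComputerName -Port $Port -ErrorAction Stop | Out-Null }
    catch { $wsman = $false }

    [pscustomobject]@{
        ComputerName = $ComputerName
        TcpOpen      = $tcp.TcpTestSucceeded
        WSManAnswers = $wsman
    }
}

# On the target:           Get-WinRMFirewallState | Format-List
# From the admin machine:  Test-WinRMReachable -ComputerName 'SERVER01'   # placeholder name
```

Running both before and after a GPO change shows whether an allow rule for the port is still present in the active policy and whether it is sourced from Group Policy or from the machine's local store.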

  • #11173

    Participant

    OK. I changed the GPO to "not configured" for that setting. Then ran the same test. I got one failure and the rest worked. Is this more in line with what should happen? Or am I still doing something wrong?

    fail: get-service
    work: get-winevent
    enter-pssession, dir
    get-ciminstance
    copy-item

    Anticipating more questions from the boss... is there any way to come up with a list of which cmdlet uses this port (or WS-Management or WinRM)? I'm tempted to just tell her that Don Jones says to just "get over it". But I don't think that will fly. :p
