Author Posts

November 2, 2013 at 8:14 am

So.... I am reworking our GPO that enables us to run powershell commands on remote machines to make it correct instead of expedient. Boss asks me why we need exceptions for WinRM and WSMan on 5985 in the GPO. I didn't think anything would run without those exceptions but I tested anyway. I disabled that part of the GPO and *everything* ran! Still! What am I missing? I thought you had to open that port for anything to work. We have two built-in exceptions in that GPO: Remote Eventlog Management, and Windows Remote Management.

Everything (the commands I tested):
enter-pssession, dir
copy-item
get-service
get-winevent
get-ciminstance

The part of the GPO that I removed for the test is found in Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile, Windows Firewall: Define inbound program exceptions. At the moment it is set to Disabled for testing.

November 2, 2013 at 9:05 am

WS-Management absolutely requires 5985 (by default; you can of course change it). What's very possible is that disabling the GPO didn't *also disable the existing firewall exception*, meaning the exception was still in place and active. "Disabled" prevents the GPO from pushing a specification but doesn't necessarily undo any exceptions that were already in place.

You definitely need 5985 if you're using non-SSL WinRM, unless you've redefined the port to something else.
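An added example (written for this page, not posted by either participant) that checks the point made in the reply above: instead of trusting what the GPO setting says, it lists every enabled inbound firewall rule on the machine it runs on that actually opens the WinRM ports, including rules that were created before the GPO was changed, and it probes the listener from another host. It assumes Windows 8 / Server 2012 or later for the NetSecurity and NetTCPIP cmdlets; `$RemoteHost` is a placeholder name.

```powershell
# Added example, not from the original thread.
# Assumes the NetSecurity (Get-NetFirewallRule) and NetTCPIP (Test-NetConnection)
# modules, i.e. Windows 8 / Server 2012 or later.

function Get-WinRmFirewallState {
    # Run this ON the target machine. It reports the effective inbound rules
    # for the WinRM ports, whatever the GPO currently says. PolicyStore shows
    # whether a rule came from Group Policy or was created locally (for
    # example by Enable-PSRemoting), which is what survives a GPO "Disabled".
    [CmdletBinding()]
    param(
        [int[]]$Ports = @(5985, 5986)   # default WinRM HTTP and HTTPS listener ports
    )

    Get-NetFirewallRule -Direction Inbound -Enabled True |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallPortFilter
            # LocalPort may be a single value, an array, or 'Any'; keep TCP rules
            # that include one of the WinRM ports.
            $hit = $filter.LocalPort | Where-Object { $Ports -contains $_ }
            if ($filter.Protocol -eq 'TCP' -and $hit) {
                [pscustomobject]@{
                    Name        = $rule.Name
                    DisplayName = $rule.DisplayName
                    Profile     = $rule.Profile
                    Action      = $rule.Action
                    PolicyStore = $rule.PolicyStoreSourceType   # GroupPolicy vs Local
                    LocalPort   = ($filter.LocalPort -join ',')
                }
            }
        }
}

function Test-WinRmListener {
    # Run this FROM another machine to see whether the target's listener is
    # reachable at all (TCP) and whether WS-Man answers an Identify request.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5985
    )

    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $wsman = try {
        Test-WSMan -ComputerName $ComputerName -Port $Port -ErrorAction Stop | Out-Null
        $true
    } catch {
        $false
    }

    [pscustomobject]@{
        ComputerName  = $ComputerName
        Port          = $Port
        TcpOpen       = $tcp.TcpTestSucceeded
        WsManResponds = $wsman
    }
}

# On the target: which rules really open 5985/5986 right now, and where they came from.
Get-WinRmFirewallState | Format-Table -AutoSize

# From an admin workstation ($RemoteHost is a placeholder):
$RemoteHost = 'SERVER01'
Test-WinRmListener -ComputerName $RemoteHost
```

If `Get-WinRmFirewallState` still lists a rule with `PolicyStore` of `Local` after the GPO is disabled, that is the leftover exception the reply describes; a `GroupPolicy` entry means the policy is still being applied from somewhere else. If `TcpOpen` is true but `WsManResponds` is false, the firewall is open but the WinRM service or listener is the problem, not the GPO.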

November 2, 2013 at 9:45 am

OK. I changed the GPO to "not configured" for that setting. Then ran the same test. I got one failure and the rest worked. Is this more in line with what should happen? Or am I still doing something wrong?

fail: get-service
work: get-winevent
enter-pssession, dir
get-ciminstance
copy-item

Anticipating more questions from the boss... is there any way to come up with a list of which cmdlet uses this port (or WS-Management or WinRM)? I'm tempted to just tell her that Don Jones says to just "get over it". But I don't think that will fly. :p
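A starting point for the list the last post asks for, added here as an example rather than anything from the thread: it inspects each cmdlet's parameters with `Get-Command` and classifies the likely transport. The rule it applies is a heuristic I am adding, not something the page states: `-CimSession`, `-Session`, and the PowerShell remoting cmdlets always go over WS-Management (TCP 5985/5986 by default), while a bare `-ComputerName` on other cmdlets typically means an older transport such as RPC/DCOM and has to be confirmed per cmdlet.

```powershell
# Added example, not from the original thread. The transport labels are a
# heuristic based on which parameters a cmdlet exposes; confirm each one
# (for example by watching the connection on the target) before putting it in
# front of management.

function Get-RemotingTransport {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        $cmd = Get-Command -Name $n -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $cmd) {
            [pscustomobject]@{ Name = $n; HasComputerName = $null; HasCimSession = $null
                               Transport = 'unknown (command not found)' }
            continue
        }

        $p = $cmd.Parameters.Keys
        $transport =
            if ($cmd.Name -in 'Invoke-Command', 'Enter-PSSession', 'New-PSSession') {
                'WS-Man (PowerShell remoting, 5985/5986)'
            }
            elseif ($p -contains 'CimSession') {
                # Get-CimInstance and friends use WS-Man by default; DCOM only if
                # the CimSession was explicitly created with a DCOM option.
                'WS-Man (CIM; DCOM only for a DCOM CimSession)'
            }
            elseif (($p -contains 'Session') -or ($p -contains 'ToSession') -or ($p -contains 'FromSession')) {
                'WS-Man (through an existing PSSession)'
            }
            elseif ($p -contains 'ComputerName') {
                # Get-Service, Get-WinEvent and similar: the -ComputerName path is
                # the older RPC/DCOM API, which needs its own firewall exception
                # ("Remote Service Management", "Remote Event Log Management").
                'Legacy (typically RPC/DCOM, not 5985); verify per cmdlet'
            }
            else {
                'Local only (remote use means running it inside a PSSession)'
            }

        [pscustomobject]@{
            Name            = $cmd.Name
            HasComputerName = ($p -contains 'ComputerName')
            HasCimSession   = ($p -contains 'CimSession')
            Transport       = $transport
        }
    }
}

# The five commands tested in the thread:
Get-RemotingTransport -Name 'Enter-PSSession', 'Copy-Item', 'Get-Service', 'Get-WinEvent', 'Get-CimInstance' |
    Format-Table -AutoSize
```

Anything classified as `Legacy` is what a GPO that only opens 5985 will not cover, which is the kind of entry the "Remote Eventlog Management" built-in exception in the original GPO exists for.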