Configuring PowerShell remoting through GPO


I’m loving the way Microsoft is currently pushing PowerShell as THE go-to tool required to manage all your solutions.

I’m at a loss, however, as to why they aren’t providing out-of-the-box solutions so that you can manage all of your workstations/servers through PowerShell.
Sure, you can head over to every machine and configure PowerShell using

However, I can understand that people have better things to do with their time [I sure do!].

This sounds like the ideal task for Group Policy Management, a central way to push configurations to all of your Computer Objects within Active Directory.
Using this solution you can ensure that all the required clients will get the configuration that you want them to have, without ever having to leave the comfort of your desk 🙂

Required Group Policy Objects [GPO]

In order to configure this correctly you will need to set the following configuration items within your GPO:

  1. Enable the Windows Remote Management [WinRM] Service and set startup mode to Automatic
  2. Enable the Windows Firewall to allow for WSMAN traffic [TCP 5985]
  3. Configure the WinRM service for listeners

Now personally I’ve added the following 2 steps to my “template” GPO in order to make my life a bit easier:

  • Configure the WinRM service to restart automatically on failure and to start immediately [I hate having to wait for restarts]
  • Set the Script Execution Policy to RemoteSigned

Of course you can also do those things once you’ve gained access to all the machines, but this is a fire-and-forget thing and would be ideal if it’s automatically configured on each and every machine joined to the domain.

 

What to configure

Now that we know WHAT we want, the question becomes “How do we configure this?”

Using PowerShell

Since this is a blog primarily aimed at learning PowerShell, this will be the preferred way to create these policies.
This is currently supported from Windows Server 2008 R2 and up.
Unfortunately, you can currently only modify a GPO’s settings through the GUI.

All other management tasks can be done through PowerShell, so we’ll do as much as we can through PowerShell.

  1. Load the Group Policy module in your PowerShell session
  2. Create a new GPO
  3. Link your GPO to the required Organizational Unit [OU]
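
The three steps above as PowerShell, as an added example that is not the post's original code. It uses the GroupPolicy module's Get-GPO, New-GPO, Get-GPInheritance and New-GPLink cmdlets, takes the GPO name from the GUI section of this post, and assumes a placeholder OU path that you replace with your own:

```powershell
# Added example, not from the original post.
$GpoName  = 'Settings – [C] – Enable-PSRemoting'     # name used in the GUI section
$TargetOu = 'OU=Workstations,DC=example,DC=com'      # placeholder: your computer OU

# 1. Load the Group Policy module (installed with GPMC / RSAT)
Import-Module GroupPolicy -ErrorAction Stop

# 2. Create the GPO only if it does not exist yet, so the script can be re-run
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'WinRM / PowerShell remoting baseline'
}

# 3. Link it to the OU unless that OU already carries a link to this GPO
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show the resulting link so a wrong OU or a disabled link is visible at once
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id } |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```
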

Once this is done, you can skip to step #4 in Using the GUI.

Using the GUI

If you have a Windows Server 2008 machine or aren’t too comfortable with PowerShell yet, you can also use the GUI to create and set new Group Policy Objects.
This part of the guide will assume you know how to manage GPOs and will only include the bare minimum information.

  1. Open the Group Policy Management console [gpmc.msc]
  2. Create a new Group Policy Object named Settings – [C] – Enable-PSRemoting
  3. Link the GPO to the correct OU, containing your computer objects.
  4. Now that we’re at the same point as with the PowerShell commands, we need to edit our GPO:
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Windows Remote Management (WS-Management)
    2. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules -> New Rule
    3. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> Trusted Hosts
    4. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> Allow remote server management through WinRM
    5. Computer Configuration -> Policies -> Administrative Templates: Policy Definitions (ADMX) -> Windows Components -> Windows PowerShell -> Turn on Script Execution
    6. Computer Configuration -> Preferences -> Control Panel Settings -> Services -> New -> Service

It’s as simple as that!

Wait for the GPO to propagate out to the machines and you should have access to the remote machines!

If, like me, you have multiple customers and would prefer to make one template GPO which you can export/import into various environments, be sure to change the TrustedHosts value from your domain name to something like * or, more secure, your subnet [192.168.1.*].
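
A check for the result, as an added example that is not part of the original post: run on a target machine once the GPO has applied, it reads back each setting the GPO is meant to deliver (WinRM service, HTTP listener, firewall rule for TCP 5985, execution policy, TrustedHosts). The function name Test-RemotingGpoResult is hypothetical, and the script assumes PowerShell 3.0 or later on Windows 8 / Server 2012 or later for the NetSecurity cmdlets.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ on
# Windows 8 / Server 2012 or later, run elevated on a machine in the linked OU.
function Test-RemotingGpoResult {
    $checks = @()

    # WinRM service: startup type Automatic and currently running
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    $checks += [pscustomobject]@{
        Check = 'WinRM service'
        Value = "$($svc.StartMode) / $($svc.State)"
        Pass  = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running') }

    # A WSMAN HTTP listener exists (default port TCP 5985)
    $http = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        Where-Object { $_.Keys -contains 'Transport=HTTP' })
    $checks += [pscustomobject]@{
        Check = 'HTTP listener'; Value = $http.Count; Pass = ($http.Count -gt 0) }

    # An enabled inbound allow rule covers TCP 5985; ActiveStore includes GPO rules
    $rules = @(Get-NetFirewallPortFilter -PolicyStore ActiveStore |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '5985' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' })
    $checks += [pscustomobject]@{
        Check = 'Firewall TCP 5985'; Value = $rules.Count; Pass = ($rules.Count -gt 0) }

    # Execution policy delivered by computer policy
    $policy = Get-ExecutionPolicy -Scope MachinePolicy
    $checks += [pscustomobject]@{
        Check = 'Execution policy'; Value = $policy; Pass = ($policy -eq 'RemoteSigned') }

    # TrustedHosts is the client-side list of hosts this machine will connect to
    # without Kerberos or HTTPS authenticating the server; '*' matches every host,
    # so it is flagged in favour of the narrower subnet pattern from the post.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $checks += [pscustomobject]@{
        Check = 'TrustedHosts'; Value = $trusted; Pass = ($trusted -ne '*') }

    $checks
}

Test-RemotingGpoResult | Format-Table Check, Value, Pass -AutoSize
```
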

 

Happy Scripting! 🙂

Robert

It never hurts to Get-Help

3 thoughts on “Configuring PowerShell remoting through GPO”

  1. I noticed a couple things: One, you have a period after ‘Import-Module GroupPolicy.’ This is going to cause some people problems, if they were to overlook it. Two, I don’t believe that you need to add anything to Trusted Hosts if you’re in an Active Directory environment. It might be worth looking into this more closely, but I believe this setting is only for systems not in AD, or in AD, but not in a trusted domain. Otherwise, great article. I do much of this via GPO, as well. In fact, I mildly cringe when I see someone say to just use Enable-PSRemoting. In a one-off situation or testing, it makes sense, but otherwise, I’d recommend Group Policy, too.

    1. Thanks for the check, I’ve removed the extra period from the code.
      As for the trusted hosts, you might be right, I’ll give it a look tomorrow if I have some time, but in any case it won’t hurt to change it.

      Thanks again!!
