Remoting question

So… I am reworking our GPO that enables us to run powershell commands on remote machines to make it correct instead of expedient. Boss asks me why we need exceptions for WinRM and WSMan on 5985 in the GPO. I didn’t think anything would run without those exceptions but I tested anyway. I disabled that part of the GPO and everything ran! Still! What am I missing? I thought you had to open that port for anything to work. We have two built-in exceptions in that GPO: Remote Eventlog Management, and Windows Remote Management.

Everything (the commands I tested):
enter-pssession, dir
copy-item
get-service
get-winevent
get-ciminstance

The part of the GPO that I removed for the test is found in Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile, Windows Firewall: Define inbound program exceptions. At the moment it is set to Disabled for testing.

WS-Management absolutely requires 5985 (by default; you can of course change it). What’s very possible is that disabling the GPO didn’t also disable the existing firewall exception, meaning the exception was still in place and active. “Disabled” prevents the GPO from pushing a specification but doesn’t necessarily undo any exceptions that were already in place.

You definitely need 5985 if you’re using non-SSL WinRM, unless you’ve redefined the port to something else.

OK. I changed the GPO to “not configured” for that setting. Then ran the same test. I got one failure and the rest worked. Is this more in line with what should happen? Or am I still doing something wrong?

fail: get-service
work: get-winevent
enter-pssession, dir
get-ciminstance
copy-item

Anticipating more questions from the boss… is there any way to come up with a list of which cmdlet uses this port (or WS-Management or WinRM)? I’m tempted to just tell her that Don Jones says to just “get over it”. But I don’t think that will fly. :stuck_out_tongue:
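An added example, not posted by anyone in this thread, that checks the two things discussed above: whether the WinRM firewall exception is still present on a machine (and whether it came from local policy or Group Policy) after the GPO setting is changed, and which of the tested cmdlets actually ride on WS-Man/5985 versus RPC. It assumes an elevated Windows PowerShell 5.1 session, a placeholder host name in $Target, and the NetSecurity/WSMan modules available on Windows 8/Server 2012 or later.

```powershell
# Added example (not from the thread). Assumptions: elevated Windows PowerShell 5.1,
# $Target is a placeholder host name, NetSecurity and WSMan modules present.
param([string]$Target = 'TARGET-HOSTNAME')   # placeholder, replace with a real host

# 1. Is the WinRM inbound exception still present on this machine, and where did it
#    come from? PolicyStoreSourceType is Local or GroupPolicy; a Local rule survives
#    setting the GPO to Disabled, which is the behaviour described in the thread.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Profile = $_.Profile
            Enabled = $_.Enabled
            Port    = ($_ | Get-NetFirewallPortFilter).LocalPort   # 5985 for HTTP
            Source  = $_.PolicyStoreSourceType                      # Local / GroupPolicy
        }
    } | Format-Table -AutoSize

# 2. The listener that rule is protecting (Transport=HTTP, Port=5985 by default).
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 3. From the admin workstation: is 5985 reachable on the target and does WS-Man answer?
$tcp = Test-NetConnection -ComputerName $Target -Port 5985 -WarningAction SilentlyContinue
"TCP 5985 open on ${Target}: $($tcp.TcpTestSucceeded)"
Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue | Select-Object ProductVersion

# 4. Which tested cmdlets depend on WS-Man and which use another transport?
#    Enter-PSSession/Invoke-Command and Get-CimInstance use WinRM (5985).
#    Get-Service -ComputerName and Get-WinEvent -ComputerName use RPC; the latter is
#    covered by the 'Remote Event Log Management' firewall group in the GPO.
#    Copy-Item -ToSession goes through the PSSession (WinRM); a UNC copy uses SMB.
$checks = @(
    @{ Cmdlet = 'Invoke-Command';  Transport = 'WS-Man 5985';
       Test = { Invoke-Command -ComputerName $Target -ScriptBlock { 'ok' } -ErrorAction Stop } },
    @{ Cmdlet = 'Get-CimInstance'; Transport = 'WS-Man 5985';
       Test = { Get-CimInstance Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop } },
    @{ Cmdlet = 'Get-Service';     Transport = 'RPC (SCM)';
       Test = { Get-Service -Name WinRM -ComputerName $Target -ErrorAction Stop } },
    @{ Cmdlet = 'Get-WinEvent';    Transport = 'RPC (Remote Event Log)';
       Test = { Get-WinEvent -LogName System -MaxEvents 1 -ComputerName $Target -ErrorAction Stop } }
)
foreach ($c in $checks) {
    $ok = $true
    try { $null = & $c.Test } catch { $ok = $false }   # failure => that transport is blocked
    [pscustomobject]@{ Cmdlet = $c.Cmdlet; Transport = $c.Transport; Works = $ok }
}
```

Run section 1 on the remote machine after each GPO change; if the rule still shows Source = Local, the exception is not coming from the GPO at all, which is the case the reply above describes.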