Installation and Configuration for Windows Remote Management

If Windows Remote Management is not installed and configured, WinRM scripts do not run and the Winrm command-line tool cannot perform data operations. The Windows Remote Shell command-line tool, Winrs, and event forwarding also depend on WinRM configuration.

Configuration of WinRM and IPMI

The following WinRM and Intelligent Platform Management Interface (IPMI) WMI provider components are installed with the operating system:

  • The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.
    Windows Server 2003 R2:  WinRM is not installed by default, but is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the Winrm command-line tool is available online in the Hardware Management Introduction which describes the WinRM and the IPMI features in Windows Server 2003 R2.
  • By default, no WinRM listener is configured. Even if the WinRM service is running, WS-Management protocol messages that request data cannot be received or sent.
  • Internet Connection Firewall (ICF) blocks access to ports.

Use the Winrm command to locate listeners and the addresses by typing the following command at a command prompt: winrm e winrm/config/listener. To check the state of configuration settings, type: winrm get winrm/config.

Quick Default Configuration

Starting with Windows Vista, you can enable the WS-Management protocol on the local computer and set up the default configuration for remote management with the command: Winrm quickconfig.

Windows Server 2003 R2:  The Winrm quickconfig command is not available. For more information about Windows Server 2003 R2 configuration, see Hardware Management Introduction.

The winrm quickconfig command (or the abbreviated version, winrm qc) performs the following operations:

  • Starts the WinRM service and sets the service startup type to auto-start.
  • Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.
  • Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS.

To retrieve information about customizing a configuration, type winrm help config at a command prompt.

To Configure WinRM with Default Settings

  1. Type the following command at a command prompt: Winrm quickconfig.

    If you are not running under the local computer Administrator account, you must either select Run as Administrator from the Start menu or use the Runas command at a command prompt.

  2. When the tool displays Make these changes [y/n]?, type y.

    If configuration is successful, the following output is displayed.

     WinRM has been updated for remote management.
    
    WinRM service type changed to delayed auto start.
    WinRM service started.
    Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this
     machine.
  3. Keep the default settings for client and server components of WinRM or customize them. For example, you may need to add certain remote computers to the client configuration TrustedHosts list.

    A trusted hosts list should be set up when mutual authentication cannot be established. Kerberos allows mutual authentication, but cannot be used in workgroups, only domains. A best practice in setting up trusted hosts for a workgroup is that the list should be as restricted as possible.

  4. Create an HTTPS listener by typing the following command: winrm quickconfig -transport:https. Be aware that you must open port 443 for HTTPS transport to work.

Listener and WS-Management protocol Default Settings

To get the listener configuration, type winrm enumerate winrm/config/listener at a command prompt. Listeners are defined by a transport (HTTP or HTTPS) and an IPv4 or IPv6 address.

Winrm quickconfig creates the following default settings for a listener. You can create more than one listener. For more information, type winrm help config at a command prompt.

Term                   Description
Address                The default is *.
Transport              The default is HTTP.
Port                   The default is 80.
Hostname               The hostname of the listener.
Enabled                The default is True.
URLPrefix              The default is wsman.
CertificateThumbprint  A string of two-digit hexadecimal values found in the Thumbprint field of the certificate.
ListeningOn            The IPv4 and IPv6 addresses that the listener uses. For example: 111.0.0.1, 111.222.333.444, ::1, 1000:2000:2c:3:c19:9ec8:a715:5e24, 3ffe:8311:ffff:f70f:0:5efe:111.222.333.444, fe80::5efe:111.222.333.444%8, fe80::c19:9ec8:a715:5e24%6

Protocol Default Settings

Many of the configuration settings, such as MaxEnvelopeSizekb or SoapTraceEnabled, determine how the WinRM client and server components interact with the WS-Management protocol.

Term                 Description
MaxEnvelopeSizekb    The default is 150.
MaxTimeoutms         The default is 60000.
MaxBatchItems        The default is 20.
MaxProviderRequests  The default is 25.

WinRM Client Default Configuration Settings

The client version of WinRM has the following default configuration settings.

Term              Description
NetworkDelayms    The default is 5000.
URLPrefix         The default is wsman.
AllowUnencrypted  The default is False.
Basic             The default is False.
Digest            The default is True.
Kerberos          The default is True.
Negotiate         The default is True.
DefaultPorts      The default HTTP port is 80 and the default HTTPS port is 443.
TrustedHosts      List of remote computers that are trusted. Other computers in a workgroup or computers in a different domain should be added to this list. For more information about how to add computers to the TrustedHosts list, type winrm help config.

WinRM Service Default Configuration Settings

The service version of WinRM has the following default configuration settings.

Term                       Description
RootSDDL                   The default is O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD).
MaxConcurrentOperations    The default is 100.
AllowUnencrypted           The default is False.
EnumerationTimeoutms       The default is 60000.
MaxConnections             The default is 5.
Basic                      The default is False.
Kerberos                   The default is True.
Negotiate                  The default is True.
DefaultPorts               The default HTTP port is 80 and the default HTTPS port is 443.
IPv4Filter and IPv6Filter  The defaults are IPv4Filter = * and IPv6Filter = *.
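
The following PowerShell is an added example, not part of the original documentation or Microsoft's code. It parses the indented text printed by winrm get winrm/config and reports client and service settings that differ from the defaults listed above (AllowUnencrypted and Basic set to True) or a wildcard in TrustedHosts. The function names, the rule list, the sample text and the assumed output layout (four spaces per level, authentication settings under an Auth section) are assumptions made for this example.

```powershell
# Added example. $sample is constructed text in the layout assumed for
# "winrm get winrm/config": 4 spaces per level, auth settings under "Auth".
$sample = @'
Config
    Client
        AllowUnencrypted = true
        Auth
            Basic = true
        TrustedHosts = *
    Service
        AllowUnencrypted = false
        Auth
            Basic = false
'@

function ConvertFrom-WinrmText([string]$Text) {
    # Flatten the indented listing: "Config/Client/Auth/Basic" -> "true".
    $map   = @{}
    $stack = New-Object System.Collections.ArrayList   # open section names, by depth
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.Trim() -eq '') { continue }
        $depth = [int][math]::Floor(($line.Length - $line.TrimStart().Length) / 4)
        while ($stack.Count -gt $depth) { $stack.RemoveAt($stack.Count - 1) }
        $name, $value = $line.Trim() -split '\s*=\s*', 2
        $path = (@($stack) + $name) -join '/'
        # A line without "=" is a section header or a setting with no value.
        if ($null -eq $value) { [void]$stack.Add($name); $value = '' }
        $map[$path] = $value
    }
    $map
}

# Settings whose documented default is False, plus the TrustedHosts guidance.
$rules = @(
    @{ Path = 'Config/Client/AllowUnencrypted';  Bad = '^true$'; Why = 'documented default is False' }
    @{ Path = 'Config/Service/AllowUnencrypted'; Bad = '^true$'; Why = 'documented default is False' }
    @{ Path = 'Config/Client/Auth/Basic';        Bad = '^true$'; Why = 'documented default is False' }
    @{ Path = 'Config/Service/Auth/Basic';       Bad = '^true$'; Why = 'documented default is False' }
    @{ Path = 'Config/Client/TrustedHosts';      Bad = '\*';     Why = 'wildcard; keep the list as restricted as possible' }
)

function Test-WinrmConfig([string]$Text) {
    $cfg = ConvertFrom-WinrmText $Text
    $rules | Where-Object { $cfg[$_.Path] -match $_.Bad } | ForEach-Object {
        [pscustomobject]@{ Setting = $_.Path; Value = $cfg[$_.Path]; Finding = $_.Why }
    }
}

Test-WinrmConfig $sample | Format-List
# Live host: Test-WinrmConfig ((winrm get winrm/config) -join "`n")
```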

Winrs Default Configuration Settings

Winrm quickconfig also configures Winrs default settings.

Term                    Description
AllowRemoteShellAccess  The default is True.
IdleTimeout             The default is 900000.
MaxConcurrentUsers      The default is 5.
MaxShellRunTime         The default is 28800000.
MaxProcessesPerShell    The default is 5.
MaxMemoryPerShell       The default is 80.
MaxShellsPerUser        The default is 2.

Configuring WinRM with Group Policy

Use the Group Policy editor to configure Windows Remote Shell and WinRM for computers in your enterprise.

To configure with Group Policy

  1. Type gpedit at a command prompt. The Group Policy Object Editor window opens.
  2. Look for the Windows Remote Management and Windows Remote Shell Group Policy Objects (GPO) under Administrative Templates and Windows Components.

Windows Firewall and WinRM Ports

The default listener ports configured by Winrm quickconfig are port 80 for HTTP transport and port 443 for HTTPS. If you configure a custom port for a listener, you must open the port before WinRM can send and receive messages.

The following example uses the netsh firewall command to open port 3190 for a listener that uses that port.

 netsh firewall add portopening TCP 3190 "Port 3190"

Configuring a Proxy Server for WinRM

WinRM uses HTTP and HTTPS to send messages between the client and server computers. By default, the WinRM client is not configured to use a proxy server and sends messages directly to the WinRM server computer. Be aware that the WinRM client does not use the Internet Explorer proxy settings. If a proxy is required in order to reach the server computer, the WinRM proxy configuration can be changed by using the ProxyCfg.exe tool.

WinRM Installation and Configuration Notes

WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on the same computer, you may see messages that indicate WinRM cannot be loaded before Internet Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered.

If the ISA2004 firewall client is installed on the computer, it can cause a Web Services for Management (WS-Management) client to stop responding. To avoid this issue, install ISA2004 Firewall SP1.

If two listener services with different IP addresses are configured with the same port number and computer name, WinRM listens or receives messages on only one address. This is because the URL prefixes used by WS-Management protocol are the same.

IPMI Driver and Provider Installation Notes

The driver may not detect the existence of IPMI drivers that are not from Microsoft. If the driver fails to start, you may need to disable it.

Windows Server 2003 R2:  When you install the Hardware Management Windows component, any already installed IPMI drivers that are not from Microsoft are removed.

If the baseboard management controller (BMC) resources appear in the system BIOS, then ACPI (Plug-and-Play) detects the BMC hardware and automatically installs the IPMI driver. Plug-and-Play support may not be present in all BMCs. If the BMC is detected by Plug-and-Play, an Unknown Device appears in Device Manager before the Hardware Management component is installed. When the driver is installed, a new component, the Microsoft ACPI Generic IPMI Compliant Device, appears in the Device Manager.

If your system does not automatically detect the BMC and install the driver, but a BMC was detected during the setup process, the BMC device must be manually created. To do this, type at a command prompt: Rundll32 ipmisetp.dll, AddTheDevice. After this command is executed, the IPMI device is created and appears in the Device Manager. If you uninstall the Hardware Management component, the device is removed.

For more information, see Hardware Management Introduction.

The IPMI provider places the hardware classes in the root\hardware namespace of WMI. For more information about the hardware classes, see Intelligent Platform Management Interface (IPMI) Classes. For more information about WMI namespaces, see WMI Architecture.



Build date: 5/15/2008

Community Content
How to configure WinRM without using quickconfig      SSG31415926

If you don't want to use quickconfig (it wouldn't work at our site because the firewall was disabled - it threw an error and didn't complete) these commands will achieve the same:

sc config "WinRM" start= auto
net start WinRM
winrm create winrm/config/listener?Address=*+Transport=HTTP
netsh firewall add portopening TCP 80 "Windows Remote Management"

Note: for Vista/2008, the start type should be delayed auto start.

© 2008 Microsoft Corporation. All rights reserved.