WSMan service configuration using domain GPO

Document created by Matt Ray on Nov 17, 2015. Last modified on Jun 20, 2019.
Version 8

WSMan has replaced WMI for Hyper-V and Microsoft APM configurations in Turbonomic 5.4 and above. WSMan must be enabled on the Hyper-V hosts before upgrading from previous versions in order to keep using Turbonomic with Hyper-V.


The WSMan service configuration is set up by following these steps:

  1. Log in to the AD domain controller server.
  2. Run Microsoft Management Console.
  3. Add the following Snap-ins through the 'File->Add/Remove Snap-ins' menu item as shown in the picture below:

  4. Next, we should create a new GPO and link it to the domain. This can be done with the context menu item 'Create a GPO in this domain, and Link it here...' for the selected domain.
  5. In the pop-up window we should specify the name of the new GPO (e.g. 'Enable WSMan').
  6. In the 'Scope' tab of the newly created GPO we should specify the objects affected by the GPO. In our case this should be the list of computers, or a group of computers, on which we want to access the WSMan service. In the picture below the group 'Domain computers' is used, which means that the WSMan service will be configured for all workstations in the domain.
  7. Then we should edit the newly created GPO.
  8. In the edit window we should configure the following settings:
    In the 'Computer Configuration > Policies > Administrative Templates ... > Windows Components > Windows Remote Management (WinRM) > WinRM Service' folder:
    'Allow automatic configuration of listeners' -> Enabled; (Note: this is called "Allow remote server management through WinRM" in Windows 2012)
    'IPv4 filter' property should be set to "*" (for more information see the picture below).
    'Allow Basic authentication' -> Enabled.
    'Allow unencrypted traffic' -> Enabled.
    Here is how the 'WinRM Service' folder should look after configuration:
    In the 'Computer Configuration > Policies > Administrative Templates ... > Windows Components > Windows Remote Management (WinRM) > Windows Remote Shell' folder:
    'Allow Remote Shell Access' -> Enabled.
    Here is how the 'Windows Remote Shell' folder should look after configuration:
  9. Next, we should configure the WinRM service to start automatically. To do this:
    Select the 'Computer Configuration > Preferences > Control Panel Settings > Services' folder and add a new service configuration as shown in the picture below:
  10. Then we also need to add a Windows Firewall exception. This can be done in the 'Computer Configuration > Windows Settings > Security Settings > Windows Firewall ... > Windows Firewall ... > Inbound Rules' folder. We should add new rules as shown in the pictures below:


In the next wizard step we should select the appropriate rule as shown below:


In the last wizard step we should select the 'Allow the connection' option, see below.



Important note: When using the WinRM protocol to programmatically connect to or query a Windows server target, you must specify the host name of that server machine and not its IP address.

That's all. The policy will be applied at the next policy refresh, or we can manually update the policy on the local computer using the following command:

gpupdate /force


IMPORTANT NOTE: If you do not force gpupdate, it will take 15 minutes for the changes to propagate to the Hyper-V hosts before they can be validated with WSMan.
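
One way to confirm on a target host that the GPO from steps 8 and 9 has actually applied, shown as an added example that is not part of the original document or of Turbonomic's tooling. It assumes an elevated PowerShell session on the host and that the WinRM policies are stored under the standard policy registry key used below.

```powershell
# Added example: audit the WinRM policy values delivered by the 'Enable WSMan' GPO.
# Assumption: run elevated on a target host after 'gpupdate /force'.
$svcKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$winrsKey = Join-Path $svcKey 'WinRS'

# Expected values mirror the settings listed in step 8.
$expected = @(
    @{ Key = $svcKey;   Name = 'AllowAutoConfig';         Want = '1' }
    @{ Key = $svcKey;   Name = 'IPv4Filter';              Want = '*' }
    @{ Key = $svcKey;   Name = 'AllowBasic';              Want = '1' }
    @{ Key = $svcKey;   Name = 'AllowUnencryptedTraffic'; Want = '1' }
    @{ Key = $winrsKey; Name = 'AllowRemoteShellAccess';  Want = '1' }
)

$report = foreach ($e in $expected) {
    # A missing key or value means the policy has not reached this host yet.
    $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($e.Name) } else { $null }
    [pscustomobject]@{
        Setting = $e.Name
        Want    = $e.Want
        Actual  = if ($null -eq $actual) { '<not set>' } else { "$actual" }
        Applied = ($null -ne $actual -and "$actual" -eq $e.Want)
    }
}
$report | Format-Table -AutoSize

# Surface the combination that puts Basic credentials on the wire base64-encoded only.
$plain = @($report | Where-Object {
    $_.Applied -and $_.Setting -in 'AllowBasic', 'AllowUnencryptedTraffic'
})
if ($plain.Count -eq 2) {
    Write-Output 'Basic authentication over unencrypted HTTP is enabled on this host.'
}

# Step 9: the WinRM service should be running with start mode Auto.
Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'" |
    Select-Object Name, State, StartMode

# Listeners created by 'Allow automatic configuration of listeners'.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Port, Address, Enabled

# End-to-end check, addressed by host name rather than IP as the note above requires.
Test-WSMan -ComputerName $env:COMPUTERNAME
```

Any row with Applied set to False, or Actual shown as '<not set>', means the GPO scope or link does not yet cover that host.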