WSMan service configuration using domain GPO

Document created by Matt Ray Expert on Nov 17, 2015Last modified by praveen.vaddepally on Dec 24, 2018
Version 6Show Document
  • View in full screen mode

WSMan has replaced WMI for Hyper-v and Microsoft APM configurations in VMTurbo 5.4 and above. WSMan will need to be enabled in order to use VMTurbo on Hyper-v before upgrading from previous versions.


WSMan service configuration will contains from the several steps:

  1. Login to the AD domain controller server.
  2. Run Microsoft Management Console.
  3. Add the following Snap-ins through the 'File->Add/Remove Snap-ins' menu item as shown in the picture below:

  4. Further, we should create new GPO and link it with domain. This could be done by the special context menu item 'Create a GPO in this domain, and Link it here...' for the selected domain.
  5. In the pop window we should specify the name of the new GPO (e.g 'Enable WSMan').
  6. In the 'Scope' tab for newly created GPO we should provide objects affected by the created GPO. In our case there should be a list of computers or a group of computers to which we want to access by WSMan service. In the picture below we group 'Domain computers' which means that WSMan service should be configured for the all workstation in the domain.
  7. Then we should edit the newly created GPO.
  8. In the edit window we should configure following settings:
    In the 'Computer Configuration > Policies > Administrative Templates ... > Windows Components > Windows Remote Management (WinRM) > WinRM Service' folder:
    'Allow automatic configuration of listeners' -> Enabled; (Note this is called "Allow remote server management through WinRM" in Windows2012)
    'IPv4 filter' property should be set to "*". (for more information see picture below)
    'Allow Basic authentication' -> Enabled.
    'Allow unencrypted traffic' -> Enabled.
    Here is how should look the 'WinRM service' folder after configuration:
    In the 'Computer Configuration > Policies > Administrative Templates ... > Windows Components > Windows Remote Management (WinRM) > Windows Remote Shell' folder:
    'Allow Remote Shell Access' -> Enabled.
    Here is how should look the 'Windows Remote Shell' folder after configuration:
  9. Further we should specify to run WinRM service automatically. For this we should do the following:
    Select 'Computer Configuration > Preferences > Control Panel Settings > Services' folder and add new service configuration as shown in the picture below:
  10. Then we also add windows firewall exception. This could be done in the 'Computer Configuration > Windows Settings > Security Settings > Windows Firewall ... > Windows Firewall ... > Inbound Rules' folder. We should add new rule as shown in the pictures below


In the next wizard step we should select the appropriate rule as shown below:


At the last wizard step we should select 'Allow the connection' radio, see below.



Important note: When using WinRM protocol to programatically connect/query a Windows server target, you'll have to specify the host name of that server machine and not its IP address.


That's all. Our policy will be applied in the next iteration of the updating policy process or we should update manually policy on the local computer using the following command:

gpupdate /force


IMPORTANT NOTE: If you do not force gpupdate , then it will take 15 minutes for the changes to propagate to the Hyper-v Hosts before they can be validated with WSMAN changes.