Forum Discussion

PatrickF11
Steel Contributor
Dec 06, 2019

Enable WinRM through Intune

Hello everybody,

I'm trying to enable WinRM to remotely manage our devices, when on-prem.

Therefore I tried to add a custom profile with the following OMA-URI:

./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement

(With value <enabled>).

Unfortunately the result is "-2016281112 (Remediation failed)".

What am I doing wrong?

Thanks in advance. 🙂

Regards

Patrick

  • Hey PatrickF11,

    you need to have a look at the Policy CSP documentation here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#remotemanagement-allowremoteservermanagement and be careful if it is an ADMX-backed policy. Then you have to deal with the correct way of defining the value, which configures the policy.

    In your case you have to carefully look up the value definitions in the admx file and then you will get to the result like this:

    ./Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement

    Value (string):

    <enabled/>
    <data id="AllowAutoConfig_IPv4Filter" value="*" />
    <data id="AllowAutoConfig_IPv6Filter" value="" />

    This works and is the correct way to address the value which you want to configure.

    But! For this particular policy you have a way more convenient way to configure it, it is available in the Administrative templates:

    best,

    Oliver

    • Thijs Lecomte
      Bronze Contributor
      Awesome! How do you find out the correct parameter names for 'AllowAutoConfig_IPv4Filter', because those are not listed in the CSP docs?
      • Oliver Kieselbach
        MVP

        Hi Thijs Lecomte,

        The CSP documentation gives you basically all info to look it up, see here:

        ADMX Info:

        • GP English name: Allow remote server management through WinRM
        • GP name: AllowAutoConfig
        • GP path: Windows Components/Windows Remote Management (WinRM)/WinRM Service
        • GP ADMX file name: WindowsRemoteManagement.admx

        Then go to C:\Windows\PolicyDefinitions on a Windows 10 device and look for:

        WindowsRemoteManagement.admx

            <policy name="AllowAutoConfig" class="Machine" displayName="$(string.AllowAutoConfig)" explainText="$(string.AutoConfigHelp)" presentation="$(presentation.AllowAutoConfig)" key="Software\Policies\Microsoft\Windows\WinRM\Service" valueName="AllowAutoConfig">
              <parentCategory ref="WinRMService" />
              <supportedOn ref="windows:SUPPORTED_WindowsVista" />
              <enabledValue>
                <decimal value="1" />
              </enabledValue>
              <disabledValue>
                <decimal value="0" />
              </disabledValue>
              <elements>
                <text id="AllowAutoConfig_IPv4Filter" valueName="IPv4Filter" maxLength="1024" />
                <text id="AllowAutoConfig_IPv6Filter" valueName="IPv6Filter" maxLength="1024" />
              </elements>
            </policy>

        Follow the instructions "How to construct the value / enable a policy" here:

        https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies#enabling-a-policy

        best,

        Oliver
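
As an added example (not code from this thread or from Microsoft), the lookup Oliver describes can be automated: the script below parses the <policy> element out of an ADMX file and emits the OMA-URI value string, starting with the self-closing <enabled/> tag and one <data> line per declared element. It refuses to build a payload when a declared element is missing or a value exceeds its maxLength. The embedded ADMX text is constructed from the element quoted above, wrapped in the namespaced root a real ADMX file carries; the OMA-URI path itself still has to be taken from the CSP documentation, since the ADMX does not contain it.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: the <policy> element quoted from WindowsRemoteManagement.admx
# above, wrapped in the namespaced root element a real ADMX file carries.
ADMX_SAMPLE = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="AllowAutoConfig" class="Machine" key="Software\\Policies\\Microsoft\\Windows\\WinRM\\Service" valueName="AllowAutoConfig">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
      <elements>
        <text id="AllowAutoConfig_IPv4Filter" valueName="IPv4Filter" maxLength="1024" />
        <text id="AllowAutoConfig_IPv6Filter" valueName="IPv6Filter" maxLength="1024" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""

def _local(tag):
    # ADMX files are namespaced; compare on the local tag name only.
    return tag.rsplit("}", 1)[-1]

def find_policy(admx_xml, policy_name):
    """Locate <policy name=...>; the name is the 'GP name' from the CSP docs."""
    for el in ET.fromstring(admx_xml).iter():
        if _local(el.tag) == "policy" and el.get("name") == policy_name:
            return el
    raise KeyError(f"policy {policy_name!r} not found in ADMX")

def build_value(admx_xml, policy_name, values, enabled=True):
    """Build the OMA-URI value string for an ADMX-backed policy.
    values maps each element id (the data id= attribute) to its setting. The
    string starts with the self-closing <enabled/> tag and carries one <data>
    line per element declared under <elements>; a missing id or a value over
    the declared maxLength raises rather than producing a rejected payload."""
    if not enabled:
        return "<disabled/>"
    policy = find_policy(admx_xml, policy_name)
    elements = [c for n in policy if _local(n.tag) == "elements" for c in n]
    lines = ["<enabled/>"]
    for el in elements:
        eid = el.get("id")
        if eid not in values:
            raise ValueError(f"no value given for element {eid!r}")
        val = str(values[eid])
        max_len = el.get("maxLength")
        if max_len is not None and len(val) > int(max_len):
            raise ValueError(f"{eid}: value longer than maxLength={max_len}")
        # quoteattr escapes &, <, > and quotes, then wraps the value in quotes.
        lines.append(f'<data id="{eid}" value={quoteattr(val)} />')
    return "\n".join(lines)
```

To run it against a real device, read C:\Windows\PolicyDefinitions\WindowsRemoteManagement.admx into a string and pass it instead of ADMX_SAMPLE; the output is the string to paste into the Intune custom profile value.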

    • PatrickF11
      Steel Contributor

      Oliver Kieselbach Thank you very much.

      Unfortunately enabling WinRM isn't enough.

      1. To achieve remote management for the registry I need to remotely enable the service "RemoteRegistry". How to deal with this via Intune?
      2. To achieve remote management for Event Viewer I need to remotely enable the firewall rules Remote Event Log Management (RPC). How to deal with this via Intune? I've found out that I can configure firewall rules inside of the endpoint protection profile. Unfortunately I don't know how to enable the rule which is already present but disabled. Inside of the GUI "Windows Defender Firewall with Advanced Security" I already found the rule but I don't know how to depict the "local port = RPC Dynamic Ports" in Intune.
    • PatrickF11
      Steel Contributor

      Thijs Lecomte

      Thanks for your response.

      I've read through this, unfortunately I don't get it. That's why I thought of trying the syntax I used. (Which isn't working.)

      • nicolonsky
        Brass Contributor

        PatrickF11, have you tried the value "<enabled/>" with the closing slash, as this would represent the required syntax to enable an ADMX-backed policy?