Forum Discussion
Enable WinRM through Intune
Hello everybody,
I'm trying to enable WinRM to remotely manage our devices when on-prem.
Therefore I tried to add a custom profile with the following OMA-URI:
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement
(With value <enabled>).
Unfortunately the result is "-2016281112 (Remediation failed)".
What am I doing wrong?
Thanks in advance. 🙂
Regards
Patrick
Hey PatrickF11,
You need to have a look at the Policy CSP documentation here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#remotemanagement-allowremoteservermanagement and be careful if it is an ADMX-backed policy. Then you have to deal with the correct way of defining the value, which configures the policy.
In your case you have to carefully look up the value definitions in the ADMX file and then you will get to the result like this:
./Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement
Value (string):
<enabled/> <data id="AllowAutoConfig_IPv4Filter" value="*" /> <data id="AllowAutoConfig_IPv6Filter" value="" />
This works and is the correct way to address the value which you want to configure.
But! For this particular policy you have a way more convenient way to configure it; it is available in the Administrative templates:
best,
Oliver
- Thijs Lecomte (Bronze Contributor)
Awesome! How do you find out the correct parameter names for 'AllowAutoConfig_IPv4Filter', because those are not listed in the CSP docs?
Hi Thijs Lecomte,
The CSP documentation gives you basically all info to look it up, see here:
ADMX Info:
- GP English name: Allow remote server management through WinRM
- GP name: AllowAutoConfig
- GP path: Windows Components/Windows Remote Management (WinRM)/WinRM Service
- GP ADMX file name: WindowsRemoteManagement.admx
Then go to C:\Windows\PolicyDefinitions on a Windows 10 device and look for:
WindowsRemoteManagement.admx
<policy name="AllowAutoConfig" class="Machine" displayName="$(string.AllowAutoConfig)" explainText="$(string.AutoConfigHelp)" presentation="$(presentation.AllowAutoConfig)" key="Software\Policies\Microsoft\Windows\WinRM\Service" valueName="AllowAutoConfig">
  <parentCategory ref="WinRMService" />
  <supportedOn ref="windows:SUPPORTED_WindowsVista" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
  <elements>
    <text id="AllowAutoConfig_IPv4Filter" valueName="IPv4Filter" maxLength="1024" />
    <text id="AllowAutoConfig_IPv6Filter" valueName="IPv6Filter" maxLength="1024" />
  </elements>
</policy>
Follow the instruction "How to construct the value / enable a policy" here:
best,
Oliver
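The lookup Oliver describes, as an added example that is not part of the original thread: the PowerShell below reads the `<elements>` ids from the ADMX policy definition and builds the string value for the custom OMA-URI profile. `New-AdmxPolicyValue` is a hypothetical helper name, the embedded XML is the policy element quoted above trimmed to the attributes the helper reads, and the address range in the second call is a constructed sample.

```powershell
# Policy element as quoted in the post above (trimmed, namespace omitted).
# For the real file, load it instead with:
#   $doc    = [xml](Get-Content C:\Windows\PolicyDefinitions\WindowsRemoteManagement.admx -Raw)
#   $policy = $doc.SelectSingleNode("//*[local-name()='policy'][@name='AllowAutoConfig']")
$admx = [xml]@'
<policy name="AllowAutoConfig" class="Machine"
        key="Software\Policies\Microsoft\Windows\WinRM\Service" valueName="AllowAutoConfig">
  <elements>
    <text id="AllowAutoConfig_IPv4Filter" valueName="IPv4Filter" maxLength="1024" />
    <text id="AllowAutoConfig_IPv6Filter" valueName="IPv6Filter" maxLength="1024" />
  </elements>
</policy>
'@
$policy = $admx.DocumentElement

function New-AdmxPolicyValue {
    # Hypothetical helper: builds "<enabled/> <data id=... value=... /> ..." for one policy.
    param(
        [Parameter(Mandatory)] [System.Xml.XmlElement] $Policy,
        [hashtable] $Data = @{}
    )
    # local-name() keeps the XPath working whether or not the file declares a default namespace.
    $elements = @($Policy.SelectNodes("*[local-name()='elements']/*"))
    $known    = @($elements | ForEach-Object { $_.GetAttribute('id') })

    # Reject ids the ADMX does not define instead of emitting a value the device cannot apply.
    foreach ($id in $Data.Keys) {
        if ($known -notcontains $id) {
            throw "Unknown data id '$id' for policy '$($Policy.GetAttribute('name'))'"
        }
    }

    $parts = @('<enabled/>')
    foreach ($el in $elements) {
        $id    = $el.GetAttribute('id')
        $value = if ($Data.ContainsKey($id)) { [string]$Data[$id] } else { '' }
        $max   = $el.GetAttribute('maxLength')
        if ($max -and $value.Length -gt [int]$max) { throw "Value for '$id' exceeds maxLength $max" }
        # Escape XML metacharacters so the value cannot break out of the attribute.
        $parts += '<data id="{0}" value="{1}" />' -f $id, [System.Security.SecurityElement]::Escape($value)
    }
    $parts -join ' '
}

# Value from the post: WinRM listens on every IPv4 address, IPv6 filter left empty.
New-AdmxPolicyValue -Policy $policy -Data @{ AllowAutoConfig_IPv4Filter = '*' }
# Constructed sample: limit the listener to one management range (IP1-IP2 syntax).
New-AdmxPolicyValue -Policy $policy -Data @{ AllowAutoConfig_IPv4Filter = '10.0.10.1-10.0.10.254' }
```

The filter values decide which local addresses the WinRM service listens on, so a range scoped to the management network exposes less than `*`.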
- PatrickF11 (Steel Contributor)
Oliver Kieselbach Thank you very much.
Unfortunately enabling WinRM isn't enough.
- To achieve remote management for registry I need to remotely enable the service "RemoteRegistry". How to deal with this via Intune?
- To achieve remote management for EventViewer I need to remotely enable the firewall rules Remote Event Log Management (RPC). How to deal with this via Intune? I've found out that I can configure firewall rules inside of the endpoint protection profile. Unfortunately I don't know how to enable the rule which is already present but disabled. Inside of the GUI "Windows Defender Firewall with Advanced Security" I already found the rule but I don't know how to depict the "local port = RPC Dynamic Ports" in Intune.
- Thijs Lecomte (Bronze Contributor)
Hi
I would recommend checking out the CSP documentation:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#remotemanagement-allowremoteservermanagement
It seems that a special SyncML format is required to use this policy. Have you looked into this?
- PatrickF11 (Steel Contributor)
Thanks for your response.
I've read through this, unfortunately I don't get it. That's why I thought of trying the syntax I used. (Which isn't working.)
- nicolonsky (Brass Contributor)
PatrickF11 have you tried the value "<enabled/>" with closing slash, as this would represent the required syntax to enable an ADMX-backed policy?