Enable WinRM through Intune

Hello everybody,

I'm trying to enable WinRM to remotely manage our devices when they are on-prem.

Therefore I tried to add a custom profile with the following OMA-URI:

./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement

(With value <enabled>).

Unfortunately the result is "-2016281112 (Remediation failed)".

What am I doing wrong?

Thanks in advance. :)

Regards

Patrick

12 Replies
Hi

I would recommend checking out the CSP documentation:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#remoteman...

It seems that a special SyncML format is required to use this policy. Have you looked into this?

@Thijs Lecomte 

Thanks for your response.

I've read through this, unfortunately I don't get it. That's why I thought I'd try the syntax I used. (Which isn't working.)

@PatrickF11 have you tried the value "<enabled/>" with a closing slash, as this would represent the required syntax to enable an ADMX-backed policy?

@nicolonsky 

Thank you for sharing your thoughts.

Yes, I'm using the value "<enabled />" as in many other settings, too.

I will try this in my test environment and get back to you

@Thijs Lecomte 

Thank you very much!

I just checked and I am getting the same error.
When I check the logs, the error 'The system cannot find the file specified' is shown. I would advise opening a support ticket for this.

Hey @PatrickF11,

You need to have a look at the Policy CSP documentation here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#remoteman... and be careful if it is an ADMX-backed policy. Then you have to deal with the correct way of defining the value which configures the policy.

In your case you have to carefully look up the value definitions in the ADMX file, and then you will get to a result like this:

./Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement

Value (string):

<enabled/>
<data id="AllowAutoConfig_IPv4Filter" value="*" />
<data id="AllowAutoConfig_IPv6Filter" value="" />

This works and is the correct way to address the value which you want to configure.

But! For this particular policy there is a far more convenient way to configure it: it is available in the Administrative templates:

best,

Oliver

Awesome! How do you find out the correct parameter names for 'AllowAutoConfig_IPv4Filter', because those are not listed in the CSP docs?

Hi @Thijs Lecomte,

The CSP documentation basically gives you all the info you need to look it up, see here:

ADMX Info:

  • GP English name: Allow remote server management through WinRM
  • GP name: AllowAutoConfig
  • GP path: Windows Components/Windows Remote Management (WinRM)/WinRM Service
  • GP ADMX file name: WindowsRemoteManagement.admx

Then go to C:\Windows\PolicyDefinitions on a Windows 10 device and look for:

WindowsRemoteManagement.admx

    <policy name="AllowAutoConfig" class="Machine" displayName="$(string.AllowAutoConfig)" explainText="$(string.AutoConfigHelp)" presentation="$(presentation.AllowAutoConfig)" key="Software\Policies\Microsoft\Windows\WinRM\Service" valueName="AllowAutoConfig">
      <parentCategory ref="WinRMService" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
      <elements>
        <text id="AllowAutoConfig_IPv4Filter" valueName="IPv4Filter" maxLength="1024" />
        <text id="AllowAutoConfig_IPv6Filter" valueName="IPv6Filter" maxLength="1024" />
      </elements>
    </policy>

Follow the instruction "How to construct the value / enable a policy" here:

https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies#en...

best,

Oliver
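As an added example (not code from the thread, from Intune or from Microsoft), the lookup Oliver describes can be automated: the script below parses the <policy> element quoted above from WindowsRemoteManagement.admx, builds the <enabled/><data .../> value string for the custom profile, and also derives the registry values under the policy's key that a synced device should show, which is a quick way to verify the setting actually applied. It assumes the policy's elements are <text> and its enabled/disabled values are <decimal>, as they are for AllowAutoConfig.

```python
"""Build the Intune OMA-URI value for an ADMX-backed Policy CSP setting and
derive the registry values the policy should write (for checking a device)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Input: the <policy> block quoted above from WindowsRemoteManagement.admx, wrapped
# in a root so it parses stand-alone (a real ADMX file has a default XML namespace,
# which _local() strips, so the functions also work on C:\Windows\PolicyDefinitions).
ADMX_SNIPPET = r"""<policyDefinitions><policies>
<policy name="AllowAutoConfig" class="Machine"
        key="Software\Policies\Microsoft\Windows\WinRM\Service" valueName="AllowAutoConfig">
  <enabledValue><decimal value="1" /></enabledValue>
  <disabledValue><decimal value="0" /></disabledValue>
  <elements>
    <text id="AllowAutoConfig_IPv4Filter" valueName="IPv4Filter" maxLength="1024" />
    <text id="AllowAutoConfig_IPv6Filter" valueName="IPv6Filter" maxLength="1024" />
  </elements>
</policy>
</policies></policyDefinitions>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop "{namespace}" prefix if present

def find_policy(admx_xml, name):
    root = ET.fromstring(admx_xml)
    for el in root.iter():
        if _local(el.tag) == "policy" and el.get("name") == name:
            return el
    raise KeyError(f"policy {name!r} not found in ADMX")

def _elements(policy):
    found = [c for c in policy if _local(c.tag) == "elements"]
    return list(found[0]) if found else []

def build_value(policy, data, enabled=True):
    """The string for the custom profile's Value field: <enabled/> plus one <data/> per element."""
    if not enabled:
        return "<disabled/>"
    parts = ["<enabled/>"]
    for el in _elements(policy):
        el_id = el.get("id")
        if el_id not in data:              # every element needs a value, even an empty one
            raise ValueError(f"missing value for element {el_id!r}")
        limit = int(el.get("maxLength") or 0)
        if limit and len(data[el_id]) > limit:
            raise ValueError(f"{el_id!r} exceeds maxLength {limit}")
        parts.append(f"<data id={quoteattr(el_id)} value={quoteattr(data[el_id])}/>")
    return "".join(parts)

def expected_registry(policy, data, enabled=True):
    """(key, {valueName: value}) the policy should produce; compare against the device after sync."""
    state = next(c for c in policy if _local(c.tag) == ("enabledValue" if enabled else "disabledValue"))
    values = {policy.get("valueName"): int(next(iter(state)).get("value"))}   # assumes <decimal>
    if enabled:
        values.update((el.get("valueName"), data[el.get("id")]) for el in _elements(policy))
    return policy.get("key"), values
```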

I have learned something new today, thanks a lot!

@Oliver Kieselbach Thank you very much.

Unfortunately enabling WinRM isn't enough.

  1. To achieve remote management for the registry I need to remotely enable the service "RemoteRegistry". How to deal with this via Intune?
  2. To achieve remote management for Event Viewer I need to remotely enable the firewall rule Remote Event Log Management (RPC). How to deal with this via Intune? I've found out that I can configure firewall rules inside the endpoint protection profile. Unfortunately I don't know how to enable the rule which is already present but disabled. Inside the GUI "Windows Defender Firewall with Advanced Security" I already found the rule, but I don't know how to depict the "local port = RPC Dynamic Ports" in Intune.
  2. To achive remote management for EventViewer i need to remotely enable the firewall rules Remote Event Log Management (RPC). How to deal with this via intune? I've found out that i can configure firewall rules inside of the endpoint protection profile. Unfortunately i don't know how to enable the rule which is already present but disabled. Inside of the GUI "Windows Defender Firewall with Advanced Security" i already found the rule but i don't know how to depict the "local port = RPC Dynamic Ports" in intune.