Ports to open for Windows 10 clients


I've been able to add my servers to WAC with no issue. I thought I'd add my Windows 10 workstations. I've opened ports 5985, 5986, but when I try to access them, I get the following message. 


Any other ports I need to have open for my Windows 10 client computers? Thanks!

Connection error

Connecting to remote server marvinatl.advlaser.com failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.


3 Replies
1.1) Windows Remote Management service (WinRM) must be running for WAC to work. Start Services (WIN + R, type Services, hit Enter), browse to WinRM service, right click it and select Properties.

1.2) Set WinRM Startup type to Automatic, click Start, click OK:

Notice that if the Start button is greyed out, WinRM is already running. Just set Startup type to Automatic and click OK.

1.3) Windows by default has an empty TrustedHosts list, a list that contains those remote computers (hosts) that you can remotely manage from a client without authentication. WAC is a remote management client running on localhost (127.0.0.1) and needs permission to connect to the computers it manages, even when the managed computer is the same one where WAC is running.

Open an elevated PowerShell and enter the following command to see your current TrustedHosts list:

Get-Item WSMan:\localhost\Client\TrustedHosts

Trusted computers (or domains) are listed under Value. The list is, as mentioned, empty by default:

1.4) If the list is empty, add your computer to it with the following command in elevated PowerShell, replacing ComputerName with the actual NetBIOS name of your computer and, when asked, pressing Y and Enter to confirm:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'ComputerName'

You can add multiple computers by separating them with a comma:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'Computer1,Computer2,Computer3'

Alternatively, if you so prefer, you can use an asterisk (*) to trust all hosts:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*'

1.5) Whenever you use the Set-Item cmdlet to add trusted hosts, it overwrites the previous list. In case your TrustedHosts list already contains some hosts you do not want to remove, you can append to the list in elevated PowerShell by first reading the current list into a variable, then adding the new hosts to that variable, and finally writing the variable's content as the new TrustedHosts list.

Read the current TrustedHosts list into a variable, for instance $TrustedHosts:

$TrustedHosts=(get-item WSMan:\localhost\Client\TrustedHosts).value

Append to the list:

$TrustedHosts+=",NewHost1,NewHost2,NewHost3"

Notice that because a comma separates the hosts on the list, you must add a comma at the beginning of the hosts you are adding, to separate the first newly added host from the last one on the current list.

Finally, tell the system to use the contents of the variable $TrustedHosts as the TrustedHosts list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value $TrustedHosts

In the screenshot I first checked my TrustedHosts list (#1), then appended two new hosts / computers to it as described above (#2), and when done checked the list once again (#3), being satisfied that the list was appended exactly as I wanted:

Tip:
The TrustedHosts list can also be enabled and edited in Group Policy Editor (not available in Home and Single Language editions):

Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client > Trusted Hosts

1.6) In elevated PowerShell, add this registry entry (exactly as written):

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

Notice: the above is a single-line command, although it is shown as two lines in some forum skins. Copy the full command and paste it in PS.

1.7) Still in elevated PS, add a new firewall rule with the following command:

Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -RemoteAddress Any

1.8) Especially if you intend to manage multiple computers with WAC, rename all computers to a name that is logical to you (tutorial), and set the network location to Private (tutorial).
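The steps 1.1 to 1.7 above, collected into one script as an added example (not code from the thread or from Windows Admin Center). It differs from the reply in two places: it appends to TrustedHosts without creating duplicates, and it scopes the WinRM firewall rule to one address instead of Any. $WacGateway and $NewHosts are placeholders you replace with your own values.

```powershell
# Added example: prepare a Windows 10 PC for WAC (steps 1.1-1.7 of the reply above).
# Placeholders (assumptions, not values from the thread):
#   $WacGateway - address of the machine running WAC, the only one allowed through the firewall
#   $NewHosts   - NetBIOS names to append to TrustedHosts on the machine running WAC
#Requires -RunAsAdministrator

$WacGateway = '192.0.2.10'
$NewHosts   = @('WS-ALICE', 'WS-BOB')

# 1.1/1.2 - WinRM service must run and start automatically
Set-Service -Name WinRM -StartupType Automatic
if ((Get-Service -Name WinRM).Status -ne 'Running') { Start-Service -Name WinRM }

# 1.3-1.5 - append to TrustedHosts while keeping existing entries and dropping duplicates.
# (TrustedHosts is a WinRM *client* setting, so this part matters on the machine where WAC runs.)
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$merged  = @()
if ($current) { $merged += ($current -split ',' | ForEach-Object { $_.Trim() }) }
$merged += $NewHosts
$merged  = $merged | Where-Object { $_ } | Sort-Object -Unique
if ($merged -contains '*') {
    Write-Warning "TrustedHosts contains '*': every host is trusted. Prefer explicit names."
}
# -Force skips the Y/N confirmation the reply mentions; -Value replaces the whole list
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($merged -join ',') -Force
Write-Host "TrustedHosts is now: $((Get-Item WSMan:\localhost\Client\TrustedHosts).Value)"

# 1.6 - same registry value as the REG ADD command above, set with the registry provider
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name LocalAccountTokenFilterPolicy -Type DWord -Value 1

# 1.7 - enable the built-in WinRM HTTP (TCP 5985) rule, but only for the WAC gateway,
# rather than -RemoteAddress Any, so the rest of the subnet cannot reach WinRM
Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -RemoteAddress $WacGateway -Enabled True

# Check: confirm the rule is scoped as intended before relying on it
Get-NetFirewallRule -Name WINRM-HTTP-In-TCP |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Port 5986 (HTTPS) has no built-in inbound rule; if you use it, create an equivalent rule with New-NetFirewallRule and the same narrow -RemoteAddress.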

Please use group policy for all of this instead. Make sure you limit the trusted hosts and firewall rules to a limited set of trusted remote devices, to avoid a free-for-all in the same subnet and lateral movement.

Good afternoon. I'm studying the technology, and I'm testing on a network where I have servers outside the domain and others inside the domain. The machines outside could be accessed normally, but to access the servers in the domain I needed to open 5985 for HTTP and 5986 for HTTPS; after that it worked perfectly.