Three ways to configure WinRM listeners.

Configure WinRM Listeners through Quick Configure.

1.      Configure an HTTP listener and perform the other actions needed to enable this machine for remote management:

winrm qc

2.      Configure an HTTPS listener and perform the other actions needed to enable this machine for remote management:

winrm qc -transport:https

Note: this command requires a valid server authentication certificate to be present in the local machine MY store.

Configure WinRM HTTP listener through Group Policy.

1.      Launch Group Policy Management on a Windows Server 2008 domain controller.

2.      Create a new Starter GPO.

a.      Right click “Starter GPOs” and click “New” and give a name (for example “turn on winrm http listener”) and comment if needed.

b.      Right click the created Starter GPO and click “Edit”. A window “Group Policy Starter GPO Editor” pops up.

c.      Browse the tree in the left pane of “Group Policy Starter GPO Editor” to “Administrative Templates → Windows Components → Windows Remote Management (WinRM) → WinRM Service”.

d.      Double click the policy setting “Allow automatic configuration of listeners”. A window “Allow automatic configuration of listeners” will show up.

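e.      Select the “Enabled” button. In the options field, enter the filters for IPv4 and IPv6. For example, enter “*” in both the IPv4 and IPv6 text boxes (“*” matches every address, so the listener is created on all of the machine's IPs) and click OK.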

f.       Close the “Group Policy Starter GPO Editor”.

g.      Click the Settings tab in the right pane of “Group Policy Management” and refresh the settings. Your setting will show up in the right pane.

3.      Create a new Group Policy Object.

a.      Right click “Group Policy Objects” and click “New”.

b.      Give a name to the GPO and select the Starter GPO created in step 2.

c.      Click OK.

4.      Link the new Group Policy object to the domain.

a.      Right click your domain name and click “Link an existing GPO.”

b.      In the “select GPO” dialogue, select the GPO created in step 3.

c.      Click OK.

5.      On the client machine in the domain, run “gpupdate /force” or wait for the group policy to be deployed to the client machine.

6.      On the client machine, enumerate the WinRM listeners (winrm e winrm/config/listener). A new listener whose source is GPO should have been created automatically.

Configure WinRM HTTP listener without quick configure and Group Policy.

1.      Create an instance of HTTP Listener on all IPs:

winrm create winrm/config/Listener?Address=*+Transport=HTTP

2.      Create an instance of HTTPS Listener on all IPs:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"}

Note: XXXXXXXXXX represents a 40-digit hex string; see winrm help config.
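Both HTTPS commands above depend on a suitable certificate in the machine MY store. The following PowerShell check is an added example, not part of the original post: it lists each certificate in that store with the reasons it would or would not be usable for an HTTPS listener. The function name Get-WinRMHttpsCertificate and the default host name lookup are assumptions.

```powershell
# Added example (not from the original post).
# Assumptions: the function name, and that the listener host name is the machine's FQDN.
function Get-WinRMHttpsCertificate {
    param(
        [string]$HostName = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $problems = @()

        # The listener needs the private key, not only the public certificate.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += 'outside validity period'
        }

        # A certificate without an EKU extension is valid for all purposes,
        # so only flag it when the extension exists and lacks Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains $serverAuthOid)) {
            $problems += 'no Server Authentication EKU'
        }

        # Simplification: compares only the first DNS name (SAN entry, else CN).
        $dnsName = $cert.GetNameInfo('DnsName', $false)
        if ($dnsName -ne $HostName) {
            $problems += "name '$dnsName' does not match '$HostName'"
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint      # 40 hex digits, as the note above describes
            Subject    = $cert.Subject
            Usable     = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}

Get-WinRMHttpsCertificate | Format-Table -AutoSize -Wrap
```

The Thumbprint of a row marked Usable is the value to put in CertificateThumbprint in the winrm create command above.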

For more on Configuration for WinRM.

Comments (6)

  1. Jemimus says:

    For some reason, I cannot set up a listener.

    I constantly get the following:

    H:>winrm create winrm/config/Listener?Address=*+Transport=HTTP

    Error number: -2146992061 0x80078043

    The WS-Management service cannot process the request because the XML is invalid.


  2. Yanbing Wang says:

    Could you provide the following information?

    1. What OS and service pack do you run this command on?

    2. What is the winrm version? (by running the command "winrm id")

    Could you run the command manually rather than copying-and-pasting?

    Also, please provide the output of the following commands:

    1. winrm e winrm/config/listener

    2. winrm create winrm/config/Listener?Address=*+Transport=HTTP @{}


  3. Jeff Szuhay says:

    When setting up event forwarding via group policy on the clients, you must also set the group policy to automatically start the WinRM service on the clients:

    In GPEdit.msc, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, System Services, Windows Remote Management (WS-Management)

    Open the dialog.

    Check the box “Define this policy setting” and set the service startup mode to “Automatic”.

    These instructions are missing and are critical for event forwarding to work via group policy settings.

  4. Mike says:

    Yanbing, is there a way to use GPO to configure the listener with HTTPS transport only? I've been hunting through all the settings, and it looks like the only way to configure the HTTPS listener on 5986 is via local commands.

  5. ACeq says:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"}

    The important point: the command will work successfully ONLY if you have installed in the system a certificate WITH a PRIVATE KEY.

    It can be checked like so: open the certificates MMC, local machine – personal, and look at the icon of the certificate.

    It MUST have a key sign on the icon of the certificate.