WinRM would not listen on port 5985

WinRM was configured via a GPO to allow remote administration, but it wouldn’t let us connect with Enter-PSSession. The firewall rule was in place, passing traffic on TCP port 5985.

Checking WinRM config showed something strange:

winrm enumerate winrm/config/listener

Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = null

So WinRM was actually configured but wasn’t listening on any network interface. Why?

Well, the source of the trouble was the GPO itself: “Allow remote server management through WinRM” was enabled, but the IPv4 and IPv6 filter settings were left blank.

The catch is: if you leave the filters blank, you still enable remote management, but the listener does not know which interface to bind to. Btw, this is mentioned in the Syntax section, but many people forget it 🙂

So, in order to make WinRM work, specify the IPv4/IPv6 filters:
1) use * to include all network interfaces
2) use a specific IP, for example 10.20.30.10
3) use IP ranges. Multiple ranges should be separated by a comma, for example 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22

Refresh Group Policies:
1) Just wait for the refresh cycle
2) use cmd: gpupdate /force
3) use PowerShell: Invoke-GPUpdate
4) use GPMC to force clients to update their GP (this requires some ports to be opened)
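
To confirm the diagnosis before changing the GPO, and to re-check after the policy refresh, the listener output can be parsed and compared with the filter values the policy wrote to the registry. This is an added example, not code from the original post; the function names are hypothetical, and the sample text is constructed from the output shown above.

```powershell
# Added example; function names are hypothetical, not part of WinRM or the post.
function ConvertFrom-WinRMListenerText {
    # Turns "winrm enumerate winrm/config/listener" output into one object per listener.
    param([Parameter(Mandatory)][string[]]$Text)
    $current = $null
    foreach ($line in $Text) {
        if ($line -match '^\s*Listener\b(\s*\[Source="(?<src>[^"]*)"\])?') {
            if ($current) { [pscustomobject]$current }      # emit the previous listener
            $current = [ordered]@{ Source = $Matches['src'] }
        }
        elseif ($current -and $line -match '^\s*(?<key>\w+)\s*=\s*(?<value>.*)$') {
            $current[$Matches['key']] = $Matches['value'].Trim()
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Get-WinRMPolicyFilter {
    # Values written by the "Allow remote server management through WinRM" policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowAutoConfig = $p.AllowAutoConfig
        IPv4Filter      = $p.IPv4Filter
        IPv6Filter      = $p.IPv6Filter
    }
}

# Constructed sample, copied from the listener output shown in the post.
# On a live host use: $text = winrm enumerate winrm/config/listener
$text = @'
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = null
'@ -split "`r?`n"

# A listener that is enabled but has no ListeningOn addresses is bound to nothing.
ConvertFrom-WinRMListenerText -Text $text |
    Where-Object { $_.Enabled -eq 'true' -and
                   ([string]::IsNullOrEmpty($_.ListeningOn) -or $_.ListeningOn -eq 'null') } |
    Select-Object Source, Transport, Port, ListeningOn | Format-List

# Blank IPv4Filter/IPv6Filter here matches the cause described in the post.
Get-WinRMPolicyFilter | Format-List
```

After the filters are set and the policy has refreshed, the first pipeline should return nothing and ListeningOn should list the bound addresses.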

One thought on “WinRM would not listen on port 5985”

  1. Thanks!! Somehow at some time, I managed to configure our GPO with ipv4 blank.
    Much later when looking into why event log forwarding stopped working to my workstation, testing WINRM was failing. After much spinning of wheels, I finally did a netstat and saw it was not listening. Your Blog solved it!
