Here’s what happens when you do a winrm quickconfig:
```
C:\> winrm quickconfig
WinRM is not set up to receive requests on this machine.
The following changes must be made:

Set the WinRM service type to delayed auto start.

Make these changes [y/n]? y

WinRM has been updated to receive requests.

WinRM service type changed successfully.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.
Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
```
In my case the Windows Remote Management (WS-Management) service was already running, so its startup type was merely changed to “Automatic (Delayed)”, but if it wasn’t already running then it would have been started too.
So what all happens here?
- The service is started and type changed to “Automatic (Delayed)”.
- Starting the service in itself does not do anything as it does not listen for anything. So a listener is created. This listener listens for messages sent via HTTP on all IP addresses of the machine.
- A firewall exception is created for Windows Remote Management.
- A configuration change is made such that when a remote user connects with admin rights to this machine, the admin rights are not stripped via User Account Control (UAC). (See this & this blog post for what this means). Basically, this configuration change involves modifying a registry entry.
Thus, to undo the effect of winrm quickconfig one must undo each of these changes.
1. Disabling the service
Either go via the Services MMC console and (1) stop the service and (2) change its type to disabled; or use PowerShell (running as administrator of course):
```
PS> Stop-Service winrm
PS> Set-Service -Name winrm -StartupType Disabled
```
That’s disabled.
2. Delete the listener
You can see the listener thus:
```
C:\> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 169.254.138.213, 169.254.160.213
```
And delete it thus:
```
C:\> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
```
The command has no output, so enumerate the listeners again if you want to confirm.
3. Delete the firewall exceptions
Either go via the GUI and disable the highlighted rule:
Or use PowerShell:
```
# View the current state of the rule (if you want)
PS> Get-NetFirewallRule | ? {$_.Displayname -eq "Windows Remote Management (HTTP-In)"}

Name                  : WINRM-HTTP-In-TCP-NoScope
DisplayName           : Windows Remote Management (HTTP-In)
Description           : Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]
DisplayGroup          : Windows Remote Management
Group                 : @FirewallAPI.dll,-30267
Enabled               : True
Profile               : Domain, Private
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

Name                  : WINRM-HTTP-In-TCP
DisplayName           : Windows Remote Management (HTTP-In)
Description           : Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]
DisplayGroup          : Windows Remote Management
Group                 : @FirewallAPI.dll,-30267
Enabled               : False
Profile               : Public
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

# Disable the rule
PS> Get-NetFirewallRule | ? {$_.Displayname -eq "Windows Remote Management (HTTP-In)"} | Set-NetFirewallRule -Enabled "False"
```
That’s disabled.
4. Disable Remote UAC
Either open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, then set the value of LocalAccountTokenFilterPolicy to 0 (zero).
Or via PowerShell:
```
PS> Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 0

# Confirming the new value
PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy

LocalAccountTokenFilterPolicy : 0
PSPath                        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
PSParentPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
PSChildName                   : System
PSDrive                       : HKLM
PSProvider                    : Microsoft.PowerShell.Core\Registry
```
That’s it!
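To confirm all four changes in one pass, a read-only check like the following can be run from an elevated prompt. It is an added example, not part of the original post: the function name Test-WinRMQuickConfigUndone is made up here, and the listener check looks for a listening socket on port 5985 instead of calling winrm, so it also works once the service is stopped.

```powershell
# Added example: audit that each change made by "winrm quickconfig" has been reverted.
# Read-only; it changes nothing. The function name is hypothetical.
function Test-WinRMQuickConfigUndone {
    $results = @()

    # 1. Service should be stopped and its startup type set to Disabled
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $results += [pscustomobject]@{
        Check  = 'Service stopped and disabled'
        Pass   = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
        Detail = "State=$($svc.State); StartMode=$($svc.StartMode)"
    }

    # 2. Nothing should be listening on the HTTP listener port (5985)
    $sockets = @(Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{
        Check  = 'No listener on TCP 5985'
        Pass   = ($sockets.Count -eq 0)
        Detail = "ListeningOn=$(($sockets.LocalAddress | Sort-Object -Unique) -join ', ')"
    }

    # 3. No inbound rule in the "Windows Remote Management" group should be enabled
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    $results += [pscustomobject]@{
        Check  = 'Firewall exception disabled'
        Pass   = ($rules.Count -eq 0)
        Detail = "EnabledRules=$($rules.Name -join ', ')"
    }

    # 4. LocalAccountTokenFilterPolicy should be 0; an absent value behaves the same as 0
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $results += [pscustomobject]@{
        Check  = 'LocalAccountTokenFilterPolicy is 0 or absent'
        Pass   = ($null -eq $val -or $val -eq 0)
        Detail = "Value=$val"
    }

    $results
}

Test-WinRMQuickConfigUndone | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points at the step above that still needs to be undone.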