From briantist.com
If you are lucky enough to have no machines in your environment below Windows 7 / 2008 R2 (where do you work?!) then this is the only one you need. All of the settings we are using will be in Computer Configuration, so if you want to disable User Configuration as I have, go ahead.
- Create your GPO, name it what you want, place it where you want, etc.
- Edit your policy.
Enabling WinRM
- Browse to:
Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
- Open the “Allow Remote Server management through WinRM” policy setting (Server 2008 R2 and later).
- Open the “Allow automatic configuration of listeners” policy setting (Server 2008 and earlier).
- Set the Policy to Enabled.
- Set the IPv4 and IPv6 filters to * unless you need something specific there (check out the help on the right).
Setting the Firewall Rules
You can use the new Firewall with Advanced Features policy to
configure the rule instead, but this will only work on Vista and above.
Additionally, you should configure this from a Windows 7 / 2008 R2
machine because of a difference in the pre-defined rule.
- Browse to:
Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall… > Inbound Rules
- Right click and choose “New Rule…”
- Choose the “Windows Remote Management” pre-defined rule.
- When you click next you should see the two rules that will be added.
- Click next, choose to Allow the connection, and then Finish.
Service Configuration
At this point we have enough in place to get this working, but I like to do a few more things to ensure that the WinRM service is configured to start automatically and to restart on failure.
- Browse to:
Policies > Windows Settings > Security Settings > System Services
- Find the “Windows Remote Management (WS-Management)” service.
- Define the policy and give it a startup mode of Automatic.
- Browse to:
Preferences > Control Panel Settings > Services
- Create a new Service preference item with the following parameters:
- General Tab
- Startup: No Change (the policy we set above will take precedence over this anyway)
- Service name: WinRM
- Service action (optional): Start service
- Recovery Tab
- First, Second, and Subsequent Failures: Restart the Service
Whole article is here
Set PowerShell execution policy
Go to Computer configuration / Policies / Administrative templates: Policy definitions (ADMX files) / Windows components / Windows PowerShell. Set "Turn on script execution" to "Allow all scripts". This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."
Remote registry access enable
1. On a domain controller, Start > administrative tools > Group Policy Editor > Either edit an existing policy or create a new one (Remember it's a computer policy, so you need to link it to something with computers in it; if you link it to a users OU, nothing will happen).
2. Navigate to Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
3. In the right hand pane locate "Remote Registry".
4. Define the policy, and set the startup type to automatic.
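To confirm on a target machine that the three policies above (WinRM, script execution, Remote Registry) actually applied, a check along these lines can be run. It is an added example, not taken from the original articles; the function names New-Check and Test-RemoteMgmtGpo are made up here, and it assumes Windows PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 3.0+,
# run elevated on a target machine after `gpupdate /force`.
function New-Check($Name, $Value, $Pass, $Note) {   # hypothetical helper
    [pscustomobject]@{ Check = $Name; Value = $Value; Pass = [bool]$Pass; Note = $Note }
}

function Test-RemoteMgmtGpo {                        # hypothetical name
    # Registry values written by the WinRM Service policy set above.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Check 'WinRM policy enabled' $pol.AllowAutoConfig ($pol.AllowAutoConfig -eq 1) ''
    foreach ($f in 'IPv4Filter', 'IPv6Filter') {
        $v = $pol.$f
        $note = ''
        if ($v -eq '*') { $note = 'accepts requests on every local address' }
        New-Check "WinRM $f" $v (-not [string]::IsNullOrEmpty($v)) $note
    }

    # Startup mode from the System Services policy (WinRM and Remote Registry).
    foreach ($svc in 'WinRM', 'RemoteRegistry') {
        $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
        New-Check "$svc startup is Automatic" $s.StartMode ($s.StartMode -eq 'Auto') "state: $($s.State)"
    }

    # "Turn on script execution" = "Allow all scripts" is reported as Unrestricted
    # at the MachinePolicy scope; Undefined means the GPO has not applied.
    $ep = Get-ExecutionPolicy -Scope MachinePolicy
    New-Check 'Script execution policy (GPO)' $ep ($ep -eq 'Unrestricted') ''

    # Finally, confirm the listener answers a WS-Management Identify request.
    $wsman = $null
    try { $wsman = Test-WSMan -ErrorAction Stop } catch { }
    New-Check 'WinRM listener answers locally' $wsman.ProductVersion ($null -ne $wsman) ''
}

Test-RemoteMgmtGpo | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points at the policy section to revisit; `gpresult /r` on the same machine shows whether the GPO was applied or filtered out.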