PowerShell Remoting IPv4 filter won't work

Hi Experts!

I've set up a test environment with a few Windows Server 2012 R2 machines and Windows 8.1 clients. I created a GPO to enable PS Remoting on the clients, and it's working.

Now I want to enable a filter that only allows the server with IP address 10.0.0.5 to use PS Remoting on the clients.

PS Remoting works when I put an *, but it doesn't when I put the IP address 10.0.0.5 there, or a range. How can this be?
SvenIAAsked:
David Johnson, CD, MVPOwnerCommented:
Did you also change the firewall rules?
To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).
Firewall Policy
Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall… > Inbound Rules
Right click and choose “New Rule…”
Choose the “Windows Remote Management” pre-defined rule.
When you click next you should see the two rules that will be added.
Click next, choose to Allow the connection, and then Finish.
Service Policy
Browse to: Policies > Windows Settings > Security Settings > System Services
Find the “Windows Remote Management (WS-Management)” service.
Define the policy and give it a startup mode of Automatic.
Browse to: Preferences > Control Panel Settings > Services
Create a new Service preference item with the following parameters:
    General Tab
        Startup: No Change (the policy we set above will take precedence over this anyway)
        Service name: WinRM
        Service action (optional): Start service
    Recovery Tab
        First, Second, and Subsequent Failures: Restart the Service
http://bit.ly/1G4IuRX

SvenIAAuthor Commented:
Yes, as I mentioned, PS Remoting is working fine. It's only the filter that does not work. I only want the server with 10.0.0.5 to be able to use it from.

Thanks for your input.
David Johnson, CD, MVPOwnerCommented:
Try changing the firewall rule instead.
SvenIAAuthor Commented:
Ah, now I get it. On the Inbound Firewall rule I changed the 'Action' to Allow the connection if it is secure. Then on the 'Remote Computers' tab, I set this:

1.PNG
And on the 'Remote Users' tab I set this:

2.PNG
Can you tell me what it means to enter remote IP addresses on the Scope tab?
oBdACommented:
Read the help for the options again; this is not a firewall-like IP filter. This option defines the (local computer's) IP addresses on which the machine listens for requests.
The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6 addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
If you want to filter by incoming IP, you need to create an inbound firewall rule for the predefined "Windows Remote Management" group. (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall… > Inbound Rules). Add the new rule(s) with the wizard, open the properties, go to "Scope", and define the remote IP addresses.
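
The distinction described in the answer above, as an added example that is not part of the original post: it shows which local addresses WinRM is bound to (what the GPO IPv4 filter governs), then scopes the inbound "Windows Remote Management" firewall rules to the management server. It assumes an elevated session on a client, the English rule group name, and locally stored rules; 10.0.0.5 is the server from the question.

```powershell
# Added example. Run elevated on a client machine.
$allowedRemote = '10.0.0.5'                   # management server from the question
$group         = 'Windows Remote Management'  # predefined rule group (English display name)

# 1. What the GPO "IPv4 filter" controls: the LOCAL addresses the service binds to.
#    '*' means every local address; a range that contains none of this machine's
#    own addresses leaves the listener bound to nothing, so remoting stops working.
'IPv4Filter = ' + (Get-Item WSMan:\localhost\Service\IPv4Filter).Value
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Port, ListeningOn

# 2. Restrict which REMOTE source may reach the listener: the firewall rule scope.
#    This edits the local rule store. Rules delivered by a GPO must be changed
#    in that GPO instead (Scope tab > Remote IP address).
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -RemoteAddress $allowedRemote

# 3. Verify the resulting scope of every inbound WinRM rule.
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = $filter.RemoteAddress -join ','
        }
    } | Format-Table -AutoSize
```

Any enabled inbound rule for port 5985 that still shows RemoteAddress "Any" after step 3 leaves the listener reachable from other hosts.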
SvenIAAuthor Commented:
Is it true that members of the Domain Admins group are always allowed to use PowerShell remoting?
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Yes and no. Since Domain Admins are (by default) local admins, and local admins have access to the default PS session configuration, they have access to Remoting by default.
Use
Set-PSSessionConfiguration Microsoft.Powershell -ShowSecurityDescriptorUI

on the target machine to change the ACL stored in wsman:\localhost\Service\RootSDDL. You can remove the Administrators group, and add some users. The command will restart WSMan. But you can't execute the command remotely anyway because of the GUI.
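
A scripted counterpart to the GUI command above, as an added example that is not part of the original answer: it lists who may connect to the default endpoint and then grants access to one more group through the -SecurityDescriptorSddl parameter. It assumes an elevated session on the target machine; the group name CONTOSO\PSRemotingOperators and the helper Get-EndpointAcl are hypothetical.

```powershell
# Added example. Run elevated on the target machine.
$configName = 'Microsoft.PowerShell'
$grantTo    = 'CONTOSO\PSRemotingOperators'   # hypothetical group, replace with your own

# Hypothetical helper: turn an endpoint SDDL string into readable ACEs.
function Get-EndpointAcl([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }           # unresolvable SID: show it raw
        New-Object psobject -Property @{
            Identity   = $who
            Type       = $ace.AceType
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# 1. Audit: who can open a session on this endpoint right now?
$current = (Get-PSSessionConfiguration -Name $configName).SecurityDescriptorSddl
Get-EndpointAcl $current | Format-Table Identity, Type, AccessMask -AutoSize

# 2. Build a descriptor that additionally allows the group (0x10000000 = GENERIC_ALL).
$sid = (New-Object System.Security.Principal.NTAccount($grantTo)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$sd  = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $current)
$sd.DiscretionaryAcl.AddAccess(
    [System.Security.AccessControl.AccessControlType]::Allow, $sid, 0x10000000, 'None', 'None')
$newSddl = $sd.GetSddlForm('All')

# 3. Review the result before applying it.
Get-EndpointAcl $newSddl | Format-Table Identity, Type, AccessMask -AutoSize

# 4. Apply. This restarts WinRM and drops existing sessions, so confirm first.
Set-PSSessionConfiguration -Name $configName -SecurityDescriptorSddl $newSddl -Confirm
```

Review the table from step 3 for an administrative identity you control before confirming step 4, since an ACL without one locks remoting out until it is repaired locally.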
SvenIAAuthor Commented:
Thanks for the help, it's all clear to me now.