Group Policy Firewall exception for Windows Remote Management not applying

Hi

I'm trying to make all Windows 7 computers in our domain manageable by WinRM, but the part of the set-up process which is hampering my progress is with the firewall rules.

I've set up a group policy object and applied it to the OU that contains my computer and the top level OU (just in case). This GPO has the following settings:

Computer Configuration> Policies> Windows Settings>Security Settings>System Services> Windows Firewall with Advanced Security>Inbound Rules
Windows Remote Management (HTTP-In) Inbound rule for Windows Remote Management via WS-Management. [TCP 5985] 
This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module  
Enabled True 
Program System 
Action Allow 
Security Require authentication 
Authorized computers  
Authorized users  
Protocol 6 
Local port 5985 
Remote port Any 
ICMP settings Any 
Local scope Any 
Remote scope Any 
Profile Public 
Network interface type All 
Service All programs and services 
Allow edge traversal False 
Group Windows Remote Management 
 
Windows Remote Management (HTTP-In) Inbound rule for Windows Remote Management via WS-Management. [TCP 5985] 
This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module  
Enabled True 
Program System 
Action Allow 
Security Require authentication 
Authorized computers  
Authorized users  
Protocol 6 
Local port 5985 
Remote port Any 
ICMP settings Any 
Local scope Any 
Remote scope Any 
Profile Domain, Private 
Network interface type All 
Service All programs and services 
Allow edge traversal False 
Group Windows Remote Management 
 
Windows Remote Management - Compatibility Mode (HTTP-In) Compatibility mode inbound rule for Windows Remote Management via WS-Management. [TCP 80] 
This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module  
Enabled True 
Program System 
Action Allow 
Security Require authentication 
Authorized computers  
Authorized users  
Protocol 6 
Local port 80 
Remote port Any 
ICMP settings Any 
Local scope Any 
Remote scope Any 
Profile All 
Network interface type All 
Service All programs and services 
Allow edge traversal False 
Group Windows Remote Management (Compatibility) 
 

However, after multiple reboots and gpupdates, my local firewall looks like this:
Firewall-Windows-Remote-Management.png
Does anyone have any ideas why it's not applying? Or what I can do to get it working?

Thanks
FriendlyIT (Infrastructure Team) asked:
Joseph Moody (Blogger and wearer of all hats) commented:
Have you run a gpresult and verified that the client is getting the firewall settings from Group Policy?
0
FriendlyIT (Infrastructure Team, Author) commented:
Hi

Yes, I've run a gpresult and it looks like it's being applied:

COMPUTER SETTINGS
------------------
    CN=xxxxxxxxxxxxxxxxxxxx
    Last time Group Policy was applied: 29/04/2015 at 10:08:46
    Group Policy was applied from:      xxxxxxxxxxx
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        xxx
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Enable Powershell Remoting

0
Joseph Moody (Blogger and wearer of all hats) commented:
Run a gpresult /h. Do the actual settings appear in the report? Here is an example on using gpresult /h: http://deployhappiness.com/gpresult-or-rsop/
0
FriendlyIT (Infrastructure Team, Author) commented:
Interesting, thanks for that tip. It looks like it is being applied correctly, but for some reason isn't showing up in the firewall:

Inbound Rules
Name      Description      Winning GPO
Windows Remote Management (HTTP-In)      Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]      Enable Powershell Remoting
This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module      
Enabled      True
Program      System
Action      Allow
Security      Require authentication
Authorized computers      
Authorized users      
Protocol      6
Local port      5985
Remote port      Any
ICMP settings      Any
Local scope      Any
Remote scope      Any
Profile      Domain, Private
Network interface type      All
Service      All programs and services
Allow edge traversal      False
Group      @FirewallAPI.dll,-30267
Windows Remote Management - Compatibility Mode (HTTP-In)      Compatibility mode inbound rule for Windows Remote Management via WS-Management. [TCP 80]      Enable Powershell Remoting
This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module      
Enabled      True
Program      System
Action      Allow
Security      Require authentication
Authorized computers      
Authorized users      
Protocol      6
Local port      80
Remote port      Any
ICMP settings      Any
Local scope      Any
Remote scope      Any
Profile      All
Network interface type      All
Service      All programs and services
Allow edge traversal      False
Group      Windows Remote Management
Windows Remote Management (HTTP-In)      Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]      Enable Powershell Remoting
This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module      
Enabled      True
Program      System
Action      Allow
Security      Require authentication
Authorized computers      
Authorized users      
Protocol      6
Local port      5985
Remote port      Any
ICMP settings      Any
Local scope      Any
Remote scope      Any
Profile      Public
Network interface type      All
Service      All programs and services
Allow edge traversal      False
Group      @FirewallAPI.dll,-30267
0
compdigit44 commented:
I see you have scoped the Firewall settings for the domain and private profiles. Is your workstation being detected as being part of one of these profiles?

Have you tried to see if the settings apply to a freshly imaged workstation?
0
FriendlyIT (Infrastructure Team, Author) commented:
Hi

Thanks for your reply. I can confirm that the private profile is the one being shown as connected. I haven't tried it on a freshly imaged workstation but I have checked the settings on other workstations, which have the same symptoms.

Thanks.
0
compdigit44 commented:
You said the private profile is being applied. If you are currently connected to the domain, it should be the domain profile. See if you can reassign the profile to domain, reboot, then check the firewall settings.

http://windows.microsoft.com/en-us/windows/create-modify-network-profiles#1TC=windows-7
0
FriendlyIT (Infrastructure Team, Author) commented:
Thanks very much, sorry, that was a mistake on my part. It is the domain profile which is being applied.
0
compdigit44 commented:
Would it be possible to upload the gpresult /v report from a workstation, along with the GP settings and a snapshot of the OU structure the workstation is a member of?

Please black out any sensitive information.
0
FriendlyIT (Infrastructure Team, Author) commented:
Hi

Thanks for your help. I've attached the requested files.

Thanks
Enable-Powershell-Remoting.htm
GPMC.png
GpresultV.txt
OU.png
0
compdigit44 commented:
Thanks for the post and sorry for not getting back to you.

Let's put WinRM aside for a minute: are you able to successfully deploy any firewall inbound/outbound rules to a workstation?
0
compdigit44 commented:
In the Firewall wizard for the GP, did you select create from "Program" or "Predefined"?

If you did Program, try setting it to "Predefined".
0
FriendlyIT (Infrastructure Team, Author) commented:
Hi thanks for your response. I'm not sure what I selected, but when I look at the properties of the rule in GPMC, it says "This is a predefined rule and some of its properties cannot be modified" - so I guess it's predefined..?
0
compdigit44 commented:
It does hurt to delete and recreate it using Predefined and if that does work select Program
0
FriendlyIT (Infrastructure Team, Author) commented:
Hi again and thanks for all your help with this. Eventually I realised that in the GP settings there were two entries set up to manage this firewall rule. When I deleted one of those rules the policy started applying correctly.
0

FriendlyIT (Infrastructure Team, Author) commented:
This is what I discovered was causing the problem. Once remedied, it started working correctly.
0
compdigit44 commented:
Nice work. I am interested, for my own knowledge, to know which entries were duplicated and where...
0
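
An added example, not part of the thread and not the asker's own procedure: since the resolution was a second GPO entry managing the same firewall rule, the PowerShell below lists policy-delivered rules that share direction, protocol and local port. It assumes the Group Policy firewall store under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules` with pipe-delimited `Key=Value` rule strings; the function names, rule IDs and sample strings are constructed for illustration.

```powershell
# Added example (not from the thread): list GPO-delivered firewall rules that
# overlap on the same direction, protocol and local port.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

# Constructed sample values, used only when the policy key is absent.
# Rule IDs are placeholders; the EmbedCtxt group string is the one in the report above.
$sample = @{
    'SAMPLE-WINRM-1'  = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=5985|App=System|Name=Windows Remote Management (HTTP-In)|EmbedCtxt=@FirewallAPI.dll,-30267|'
    'SAMPLE-WINRM-2'  = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=5985|App=System|Name=Windows Remote Management (HTTP-In)|EmbedCtxt=@FirewallAPI.dll,-30267|'
    'SAMPLE-COMPAT-1' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=80|App=System|Name=Windows Remote Management - Compatibility Mode (HTTP-In)|'
}

# Hypothetical helper: split one rule string into the fields compared below.
function ConvertFrom-PolicyRule([string]$Id, [string]$Data) {
    $f = @{ Profile = @() }
    foreach ($pair in ($Data -split '\|')) {
        $name, $value = $pair -split '=', 2
        if (-not $value) { continue }        # version token and trailing empty field
        if ($name -eq 'Profile') { $f['Profile'] += $value } else { $f[$name] = $value }
    }
    if ($f['Profile'].Count -eq 0) { $f['Profile'] = @('All') }   # no Profile field = all profiles
    New-Object PSObject -Property @{
        Id = $Id; Name = $f['Name']; Dir = $f['Dir']; Protocol = $f['Protocol']
        LPort = $f['LPort']; Active = $f['Active']; Profile = ($f['Profile'] -join ',')
    }
}

# Hypothetical helper: return groups of rules sharing Dir/Protocol/LPort.
function Get-OverlappingPolicyRule([hashtable]$Rules) {
    $parsed = foreach ($id in $Rules.Keys) { ConvertFrom-PolicyRule $id $Rules[$id] }
    $parsed | Group-Object Dir, Protocol, LPort | Where-Object { $_.Count -gt 1 }
}

if (Test-Path $key) {
    # Read the rules Group Policy actually delivered to this machine.
    $rules = @{}
    $regKey = Get-Item $key
    foreach ($n in $regKey.GetValueNames()) { $rules[$n] = [string]$regKey.GetValue($n) }
} else {
    $rules = $sample
}

foreach ($g in (Get-OverlappingPolicyRule $rules)) {
    "Overlap on Dir/Protocol/LPort = $($g.Name)"
    $g.Group | Sort-Object Id | Format-Table Id, Name, Profile, Active -AutoSize | Out-String
}
```

Each group printed is a candidate to review in the GPO editor; the thread does not say which of its entries was the duplicate. The Profile column also shows at a glance where an inbound WinRM rule is open on the Public profile.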