I am attempting to make a change to our RDS deployment but WinRM is broken on some of our session hosts. From what I can gather it’s some issue with one of our GPOs, but I cannot figure it out as the settings are the same.
Our connection broker and most of our session hosts are working fine. We have one GPO that is applied to one OU that has 3 session hosts, all 3 of these are broken. The only setting that this GPO sets in terms of WinRM is “Allow remote server management through WinRM” and IPv4 is * and IPv6 is blank. I made a test GPO that sets both to * but that did not help.
The odd thing is, the settings are all the same (except the IPv6 filter, but I’ll show that later). If I do Test-WSMan this is what I get.
ConnectionBroker > BrokenHost1 = Does not work
ConnectionBroker > WorkingHost = Works
WorkingHost > BrokenHost1 = Does not work
BrokenHost1 > WorkingHost or ConnectionBroker = Does not work
BrokenHost1 > BrokenHost2 = Works
BrokenHost2 > BrokenHost1 = Works
BrokenHost2 > WorkingHost or ConnectionBroker = Does not work
The next thing I tried was to remove the server from the GPO then completely reset the WinRM settings. That also did not work.
Since servers do work between each other I don't think it's a network issue. Test-NetConnection also works using the port.
Below are the settings. Please let me know what I can try or if you need more logs or information.
Not Working server
winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.10.18.4, 127.0.0.1, ::1, fe80::f694:9325:b091:25a1%15
winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false [Source="GPO"]
Auth
Basic = false [Source="GPO"]
Digest = false [Source="GPO"]
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false [Source="GPO"]
Auth
Basic = false [Source="GPO"]
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
Working Server:
winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.10.1.12, 127.0.0.1, ::1, fe80::afe4:1432:509f:7878%14
winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false [Source="GPO"]
Auth
Basic = false [Source="GPO"]
Digest = false [Source="GPO"]
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false [Source="GPO"]
Auth
Basic = false [Source="GPO"]
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
1 post - 1 participant