Problems with WinRM

priBizcus · 2025-06-26T15:07:38.283Z

I am attempting to make a change to our RDS deployment but WinRM is broken on some of our session hosts. From what I can gather it’s some issue with one of our GPOs, but I cannot figure it out as the settings are the same.

Our connection broker and most of our session hosts are working fine. We have one GPO that is applied to one OU that has 3 session hosts, all 3 of these are broken. The only setting that this GPO sets in terms of WinRM is “Allow remote server management through WinRM” and IPv4 is * and IPv6 is blank. I made a test GPO that sets both to * but that did not help.

The odd thing is, the settings are all the same (except the IPv6 filter, but I’ll show that later). If I do Test-WSMan this is what I get.

ConnectionBroker > BrokenHost1 = Does not work
ConnectionBroker > WorkingHost = Works
WorkingHost > BrokenHost1 = Does not work
BrokenHost1 > WorkingHost or ConnectionBroker = Does not work
BrokenHost1 > BrokenHost2 = Works
BrokenHost2 > BrokenHost1 = Works
BrokenHost2 > WorkingHost or ConnectionBroker = Does not work

The next thing I tried was to remove the server from the GPO then completely reset the WinRM settings. That also did not work.

Since servers do work between each other I don't think it's a network issue. Test-NetConnection also works using the port.

Below are the settings. Please let me know what I can try or if you need more logs or information. 

Not Working server
winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.18.4, 127.0.0.1, ::1, fe80::f694:9325:b091:25a1%15

winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Digest = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Working Server:
winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.1.12, 127.0.0.1, ::1, fe80::afe4:1432:509f:7878%14

winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Digest = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

priBizcus · 2025-06-30T15:34:46.015Z

Anyone have any ideas on this or at least next steps? I’m kind of at a loss on this.

afroz-stellar · 2025-07-01T05:20:43.727Z

The issue likely isn’t just GPO-related but may involve Kerberos, DNS, or SPN problems. First, test Test-WSMan using both hostname and IP to rule out DNS issues. Recreate the WinRM listener using winrm quickconfig -force, and ensure WinRM firewall rules are enabled on all profiles. Use gpresult /h report.html to verify actual GPO application, and check for SPN conflicts with setspn -L . Also, review network bindings or virtual adapters that may affect communication.