Have you ever been in a situation where you have PowerShell Remoting enabled and you need to put the configuration back the way it was before Enable-PSRemoting was run?
While it might seem that just running Disable-PSRemoting should suffice, it turns out to be a bit more work than you would think. Let’s take a look.
When you run Disable-PSRemoting, here’s what it tells you:
PS C:\Windows\system32> Disable-PSRemoting
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or
Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps.
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the
Administrators group on the computer.
As you see, the steps are pretty well documented. However, if you are like me, you would follow the order mentioned, and find out later that it’s a problem. Let’s see why.
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Well guess what, you just disabled the service. How will winrm commands connect to delete the listener?
So here’s what you need to do:
winrm enumerate winrm/config/listener
winrm delete winrm/config/listener?address=*+transport=HTTP
Now, if you are wondering why I didn’t use PowerShell to disable the firewall exceptions, I will point you to this link and let you figure out how to do that.
Set-Service -Name winrm -StartupType Disabled
Set-Service -Name winrm -StartupType Disabled -Status Stopped
Set-Service : Cannot stop service 'Windows Remote Management (WS-Management) (winrm)'
because it is dependent on other services.
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
Oh, and one more thing (I wonder who that reminds you of!): make sure you do all this from an elevated PowerShell session. But you already knew that, didn’t you?
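The four steps from the warning in an order that works, as an added example that is not from the original post: listeners are deleted while WinRM is still running and the service is stopped last. It goes slightly beyond the post by removing every listener bound to any address (HTTP or HTTPS), and it assumes an English-language system where the firewall rule group is displayed as "Windows Remote Management" and a Windows version that ships the NetSecurity cmdlets; the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): undo Enable-PSRemoting in a working order.
$ErrorActionPreference = 'Stop'
$fwGroup = 'Windows Remote Management'   # assumption: English display name of the rule group

# The WSMan: drive talks to the WinRM service, so make sure it is running first.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    Set-Service -Name WinRM -StartupType Manual   # allows a start if it was already Disabled
    Start-Service -Name WinRM
}

# Disable the session configurations (emits the warning quoted in the post).
Disable-PSRemoting -Force

# Step 2 of the warning, done first: delete every listener bound to any IP address.
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Address=*' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }
$listenersLeft = @(Get-ChildItem -Path WSMan:\localhost\Listener).Count

# Step 3: disable the firewall exceptions for WS-Management.
Disable-NetFirewallRule -DisplayGroup $fwGroup

# Step 1, done after the listener is gone: stop and disable the service.
# -Force also stops running services that depend on WinRM.
Stop-Service -Name WinRM -Force
Set-Service -Name WinRM -StartupType Disabled

# Step 4: restore LocalAccountTokenFilterPolicy to 0.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord

# Report the resulting state so the rollback can be checked.
$wmiSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
[pscustomobject]@{
    ServiceState                  = $wmiSvc.State
    ServiceStartMode              = $wmiSvc.StartMode
    ListenersRemaining            = $listenersLeft
    EnabledFirewallRules          = @(Get-NetFirewallRule -DisplayGroup $fwGroup |
                                      Where-Object { $_.Enabled -eq 'True' }).Count
    LocalAccountTokenFilterPolicy = (Get-ItemProperty -Path $policyKey).LocalAccountTokenFilterPolicy
}
```

A clean rollback reports the service as Stopped and Disabled, zero remaining listeners, zero enabled firewall rules in the group, and a policy value of 0.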