To run Windows PowerShell commands remotely, the system must have a firewall exception for WS-Management communications. The Enable-PSRemoting cmdlet tries to create the required firewall exception. However, it does not create the exception on client versions of Windows when the network location is "public."
Also, if the administrator who is running the Enable-PSRemoting cmdlet does not have permission to create a firewall exception, as might be the case in some Windows enterprises, that part of the command will fail. This topic explains how to use a Group Policy setting to give members of the Administrators group permission to set a firewall exception.
When there is no firewall exception, Windows PowerShell returns one of the following error messages.
ERROR: ACCESS IS DENIED
- or -
ERROR: The connection to the remote host was refused. Verify that the WS-Management service is running on the remote host and configured to listen for requests on the correct port and HTTP URL.
The Enable-PSRemoting cmdlet attempts to create a firewall exception for WS-Management communications by using the following rules.
- On server versions of Windows, the Enable-PSRemoting
cmdlet creates a firewall exception for all network locations.
- On client versions of Windows, such as
Windows 7, the Enable-PSRemoting
cmdlet creates a firewall exception only for domain and private
network locations. To minimize security risks, the Enable-PSRemoting
cmdlet does not create a firewall exception for public
To run Windows PowerShell commands remotely on a client version of Windows, the network location must be Domain or Private ("Home" or "Work"). When the current network location is Public, the Enable-PSRemoting cmdlet returns the following message:
Unable to check the status of the firewall.
In a Windows enterprise, you can use a Group Policy setting to give administrators permission to set a firewall exception.
To enable administrators to create a WinRM firewall exception
To allow the administrators of computers in the domain to create firewall exceptions, enable the Windows Firewall: Allow local port exceptions Group Policy setting. This Group Policy setting is in the following Group Policy path:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
When the Group Policy setting is enabled, members of the Administrators group can use the Enable-PSRemoting cmdlet or Windows Firewall in Control Panel to create the required exception for the Windows Remote Management (WinRM) service.