about_Remote_Troubleshooting.html






 

˙ūTOPIC
    about_Remote_Troubleshooting

SHORT DESCRIPTION
    Describes how to troubleshoot remote operations in Windows PowerShell.

LONG DESCRIPTION
    This section describes some of the problems that you might encounter when
    using the remoting features of Windows PowerShell that are based on 
    WS-Management technology and it suggests solutions to these problems.

    Before using Windows PowerShell remoting, see about_Remote and
    about_Remote_Requirements for guidance on configuration and basic use Also,
    the Help topics for each of the remoting cmdlets, particularly the parameter
    descriptions, have useful information that is designed to help you avoid
    problems.

    Updated versions of this topic, and other Windows PowerShell help topics, 
    can be downloaded by using the Update-Help cmdlet and can be found online
    in the Microsoft TechNet Library at 
    http://technet.microsoft.com/library/hh847850(v=wps.630).aspx.
 
    NOTE: To view or change settings for the local computer in the WSMan: drive,
    including changes to the session configurations, trusted hosts, ports, or
    listeners, start Windows PowerShell with the "Run as administrator" option. 



 TROUBLESHOOTING PERMISSION AND AUTHENTICATION ISSUES

    This section discusses remoting problems that are related to user and
    computer permissions and remoting requirements.


    HOW TO RUN AS ADMINISTRATOR
    ---------------------------
        ERROR: Access is denied. You need to run this cmdlet from an elevated
        process.

    To start a remote session on the local computer, or to view or change
    settings for the local computer in the WSMan: drive, including changes
    to the session configurations, trusted hosts, ports, or listeners,
    start Windows PowerShell with the "Run as administrator" option. 

    To start Windows PowerShell with the "Run as administrator option:

    -- Right-click a Windows PowerShell (or Windows PowerShell ISE) icon
       and then click "Run as administrator.


    To start Windows PowerShell with the "Run as administrator option in
    Windows 7 and Windows Server 2008 R2.

    -- In the Windows taskbar, right-click the Windows PowerShell icon,
       and then click "Run as Administrator."

    Note: In Windows Server 2008 R2, the Windows PowerShell icon is pinned
    to the taskbar by default. 



    HOW TO ENABLE REMOTING
    ----------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR: The connection to the remote host was refused. Verify that the
        WS-Management service is running on the remote host and configured to
        listen for requests on the correct port and HTTP URL. 

    No configuration is required to enable a computer to send remote
    commands. However, to receive remote commands, Windows PowerShell remoting
    must be enabled on the computer. Enabling includes starting the WinRM
    service, setting the startup type for the WinRM service to Automatic,
    creating listeners for HTTP and HTTPS connections, and creating default
    session configurations.

    Windows PowerShell remoting is enabled on Windows Server 2012 and newer
    releases of Windows Server by default. On all other systems, run the
    Enable-PSRemoting cmdlet to enable remoting. You can also run the 
    Enable-PSRemoting cmdlet to re-enable remoting on Windows Server 2012 and
    newer releases of Windows Server if remoting is disabled.

    To configure a computer to receive remote commands, use the 
    Enable-PSRemoting cmdlet. The following command enables all required
    remote settings, enables the session configurations, and restarts the
    WinRM service to make the changes effective. 

        Enable-PSRemoting

    To suppress all user prompts, type:

        Enable-PSRemoting -Force

    For more information, see Enable-PSRemoting.



    HOW TO ENABLE REMOTING IN AN ENTERPRISE
    ---------------------------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR: The connection to the remote host was refused. Verify that the
        WS-Management service is running on the remote host and configured to
        listen for requests on the correct port and HTTP URL. 

    To enable a single computer to receive remote Windows PowerShell commands
    and accept connections, use the Enable-PSRemoting cmdlet.

    To enable remoting for multiple computers in an enterprise, you can use the
    following scaled options.

    -- To configure listeners for remoting, enable the "Allow automatic
       configuration of listeners" group policy. For instructions, see 
       "How to Enable Listeners by Using a Group Policy" (below).
 
    -- To set the startup type of the Windows Remote Management (WinRM)
       to Automatic on multiple computers, use the Set-Service cmdlet. For
       instructions, see "How to Set the Startup Type of the WinrM Service"
       (below).

    -- To enable a firewall exception, use the "Windows Firewall: Allow Local
       Port Exceptions" group policy. For instructions, see "How to Create a
       Firewall Exception by Using a Group Policy" (below).

 

    HOW TO ENABLE LISTENERS BY USING A GROUP POLICY
    ------------------------------------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR: The connection to the remote host was refused. Verify that the
        WS-Management service is running on the remote host and configured to
        listen for requests on the correct port and HTTP URL.

    To configure the listeners for all computers in a domain, enable the "Allow
    automatic configuration of listeners"  policy in the following Group Policy
    path:

        Computer Configuration\Administrative Templates\Windows Components
          \Windows Remote Management (WinRM)\WinRM service

    Enable the policy and specify the IPv4 and IPv6 filters. Wildcards (*) are
    permitted.



    HOW TO ENABLE REMOTING ON PUBLIC NETWORKS
    -----------------------------------------
        ERROR:  Unable to check the status of the firewall
 
    The Enable-PSRemoting cmdlet returns this error when the local network    
    is public and the SkipNetworkProfileCheck parameter is not used in the
    command. 

    On server versions of Windows, Enable-PSRemoting succeeds on all network
    location types. It creates firewall rules that allow remote access to
    private and domain ("Home" and "Work") networks. For public networks, it
    creates firewall rules that allows remote access from the same local subnet.

    On client versions of Windows, Enable-PSRemoting succeeds on private and
    domain networks. By default, it fails on public networks, but if
    you use the SkipNetworkProfileCheck parameter, Enable-PSRemoting succeeds
    and creates a firewall rule that allows traffic from the same local subnet.
     
    To remove the local subnet restriction on public networks and allow
    remote access from any location, run the following command: 

        Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any 

    The Set-NetFirewallRule cmdlet is exported by the NetSecurity module.

    NOTE: In Windows PowerShell 2.0, on computers running server versions
    of Windows, Enable-PSRemoting creates firewall rules that allow remote
    access on private, domain and public networks. On computers running 
    client versions of Windows, Enable-PSRemoting creates firewall rules
    that allow remote access only on private and domain networks.


    HOW TO ENABLE A FIREWALL EXCEPTION BY USING A GROUP POLICY
    ----------------------------------------------------------
        ERROR:  ACCESS IS DENIED
        - or -
        ERROR: The connection to the remote host was refused. Verify that the
        WS-Management service is running on the remote host and configured to
        listen for requests on the correct port and HTTP URL.

    To enable a firewall exception for in all computers in a domain, enable the
    "Windows Firewall: Allow local port exceptions" policy in the following
    Group Policy path:

        Computer Configuration\Administrative Templates\Network
          \Network Connections\Windows Firewall\Domain Profile

    This policy allows members of the Administrators group on the computer to
    use Windows Firewall in Control Panel to create a firewall exception for 
    the Windows Remote Management service.



    HOW TO SET THE STARTUP TYPE OF THE WINRM SERVICE
    ------------------------------------------------
        ERROR:  ACCESS IS DENIED

    Windows PowerShell remoting depends upon the Windows Remote Management
    (WinRM) service. The service must be running to support remote commands.

    On server versions of Windows, the startup type of the Windows Remote
    Management (WinRM) service is  Automatic. 

    However, on client versions of Windows, the WinRM service is disabled
    by default. 

    To set the startup type of a service on a remote computer, use the
    Set-Service cmdlet. 

    To run the command on multiple computers, you can create a text file or
    CSV file of the computer names.

    For example, the following commands get a list of computer names from the
    Servers.txt file and then sets the startup type of the WinRM service on all
    of the computers to Automatic.

        C:\PS> $servers = Get-Content servers.txt

        C:\PS> Set-Service WinRM -ComputerName $servers -startuptype Automatic

    To see the results use the Get-WMIObject cmdlet with the Win32_Service object.
    For more information, see Set-Service.    

    

    HOW TO RECREATE THE DEFAULT SESSION CONFIGURATIONS
    --------------------------------------------------
        ERROR:  ACCESS IS DENIED

    To connect to the local computer and run commands remotely, the local
    computer must include session configurations for remote commands.

    When you use Enable-PSRemoting, it creates default session configurations
    on the local computer. Remote users use these session configurations
    whenever a remote command does not include the ConfigurationName parameter.

    If the default configurations on a computer are unregistered or deleted,
    use the Enable-PSRemoting cmdlet to recreate them. You can use this cmdlet
    repeatedly. It does not generate errors if a feature is already configured.

    If you change the default session configurations and want to restore the
    original default session configurations, use the
    Unregister-PSSessionConfiguration cmdlet to delete the changed session
    configurations and then use the Enable-PSRemoting cmdlet to restore them.
    Enable-PSRemoting does not change existing session configurations.

    Note: When Enable-PSRemoting restores the default session configuration, it
    does not create explicit security descriptors for the configurations.
    Instead, the configurations inherit the security descriptor of the RootSDDL,
    which is secure by default.

    To see the RootSDDL security descriptor, type:

        Get-Item wsman:\localhost\Service\RootSDDL

    To change the RootSDDL, use the Set-Item cmdlet in the WSMan: drive. To
    change the security descriptor of a session configuration, use the
    Set-PSSessionConfiguration cmdlet with the SecurityDescriptorSDDL or
    ShowSecurityDescriptorUI parameters. 

    For more information about the WSMan: drive, see the Help topic for the
    WSMan provider ("Get-Help wsman"). 




    HOW TO PROVIDE ADMINISTRATOR CREDENTIALS 
    ----------------------------------------
        ERROR:  ACCESS IS DENIED

    To create a PSSession or run commands on a remote computer, by default, the
    current user must be a member of the Administrators group on the remote
    computer. Credentials are sometimes required even when the current user is
    logged on to an account that is a member of the Administrators group.

    If the current user is a member of the Administrators group on the remote
    computer, or can provide the credentials of a member of the Administrators
    group, use the Credential parameter of the New-PSSession, Enter-PSSession
    or Invoke-Command cmdlets to connect remotely.

    For example, the following command provides the credentials of an
    Administrator.

        Invoke-Command -ComputerName Server01 -Credential Domain01\Admin01
 
    For more information about the Credential parameter, see New-PSSession,
    Enter-PSSession or Invoke-Command.



    HOW TO ENABLE REMOTING FOR NON-ADMINISTRATIVE USERS 
    ---------------------------------------------------
        ERROR:  ACCESS IS DENIED

    To establish a PSSession or run a command on a remote computer, the user
    must have permission to use the session configurations on the remote
    computer. 

    By default, only members of the Administrators group on a computer have
    permission to use the default session configurations. Therefore, only
    members of the Administrators group can connect to the computer remotely.

    To allow other users to connect to the local computer, give the user
    Execute permissions to the default session configurations on the local
    computer.

    The following command opens a property sheet that lets you change the
    security descriptor of the default Microsoft.PowerShell session
    configuration on the local computer.

        Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI

    For more information, see about_Session_Configurations.



    HOW TO ENABLE REMOTING FOR ADMINISTRATORS IN OTHER DOMAINS
    ----------------------------------------------------------
        ERROR:  ACCESS IS DENIED

    When a user in another domain is a member of the Administrators group on
    the local computer, the user cannot connect to the local computer remotely
    with Administrator privileges. By default, remote connections from other
    domains run with only standard user privilege tokens. 

    However, you can use the LocalAccountTokenFilterPolicy registry entry to
    change the default behavior and allow remote users who are members of the
    Administrators group to run with Administrator privileges. 

    Caution: The LocalAccountTokenFilterPolicy entry disables user account
             control (UAC) remote restrictions for all users of all affected
             computers. Consider the implications of this setting carefully
             before changing the policy.
    
    To change the policy, use the following command to set the value of the
    LocalAccountTokenFilterPolicy registry entry to 1.

        C:\PS> New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path `
            HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType `
            DWord -Value 1



    HOW TO USE AN IP ADDRESS IN A REMOTE COMMAND
    -----------------------------------------------------
        ERROR:  The WinRM client cannot process the request. If the
        authentication scheme is different from Kerberos, or if the client
        computer is not joined to a domain, then HTTPS transport must be used
        or the destination machine must be added to the TrustedHosts
        configuration setting.

    The ComputerName parameters of the New-PSSession, Enter-PSSession and
    Invoke-Command cmdlets accept an IP address as a valid value. However,
    because Kerberos authentication does not support IP addresses, NTLM
    authentication is used by default whenever you specify an IP address. 

    When using NTLM authentication, the following procedure is required
    for remoting.

    1. Configure the computer for HTTPS transport or add the IP addresses
       of the remote computers to the TrustedHosts list on the local
       computer.

       For instructions, see "How to Add a Computer to the TrustedHosts
       List" below.


    2. Use the Credential parameter in all remote commands.
  
       This is required even when you are submitting the credentials
       of the current user.


   
    HOW TO CONNECT REMOTELY FROM A WORKGROUP-BASED COMPUTER
    -------------------------------------------------------
        ERROR:  The WinRM client cannot process the request. If the
        authentication scheme is different from Kerberos, or if the client
        computer is not joined to a domain, then HTTPS transport must be used
        or the destination machine must be added to the TrustedHosts
        configuration setting.


    When the local computer is not in a domain, the following procedure is required
    for remoting.

    1. Configure the computer for HTTPS transport or add the names of the
       remote computers to the TrustedHosts list on the local computer.

       For instructions, see "How to Add a Computer to the TrustedHosts
       List" below.


    2. Verify that a password is set on the workgroup-based computer. If a
       password is not set or the password value is empty, you cannot run
       remote commands.

       To set password for your user account, use User Accounts in Control
       Panel. 


    3. Use the Credential parameter in all remote commands.
  
       This is required even when you are submitting the credentials
       of the current user.




    HOW TO ADD A COMPUTER TO THE TRUSTED HOSTS LIST
    -----------------------------------------------

    The TrustedHosts item can contain a comma-separated list of computer
    names, IP addresses, and fully-qualified domain names. Wildcards
    are permitted.

    To view or change the trusted host list, use the WSMan: drive. The
    TrustedHost item is in the WSMan:\localhost\Client node.

    Only members of the Administrators group on the computer have permission
    to change the list of trusted hosts on the computer.

    Caution: The value that you set for the TrustedHosts item affects all
             users of the computer.


    To view the list of trusted hosts, use the following command:

        Get-Item wsman:\localhost\Client\TrustedHosts

    You can also use the Set-Location cmdlet (alias = cd) to navigate
    though the WSMan: drive to the location. 
    For example: "cd WSMan:\localhost\Client; dir".



    To add all computers to the list of trusted hosts, use the following
    command, which places a value of * (all) in the ComputerName 

        Set-Item wsman:localhost