Atera's Network Discovery uses Windows Remote Management (WinRM) to access Windows Management Instrumentation (WMI), for seamless, remote agent installation via Network Discovery scans. You can automatically enable WinRM/WMI within Network Discovery (if the scanning agent is a Domain Controller), or you can do it manually.
This article explains how to manually enable WinRM using DC Group Policy on Windows Server 2012 R2. If using another version of Windows Server, instructions for enabling WinRM may be somewhat different.
To enable WinRM with DC Group Policy:
Step 1 - Create a new Group Policy Object (GPO)
To create:
1. From Start, access the Control Panel
2. Select Administrative Tools > Group Policy Management
3. From the menu, select Domains > [the domain name].
4. Right-click to select Create a GPO in this domain, and link it here
5. Enter Enable WinRM. Then click OK
Step 2 - Enable the following WinRM service settings in the new GPO
Enable remote server management through WinRM:
1. Right-click the new Enable WinRM Group Policy Object and select Edit
2. From the menu, select Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Windows Remote Management (WinRM) > WinRM Service
3. Right-click Allow remote server management through WinRM and select Edit
4. Select Enabled
5. Enter asterisks (*) into the fields. Then click OK
Plus, you'll need to enable this associated service:
1. In the Group Policy Management Editor, select Preferences > Control Panel Settings > Services
2. Right-click Services and select New > Service
3. Select Automatic. Then enter WinRM as the service name.
4. Select Start service
5. Then click OK
Step 3 - Update the firewall rules to allow inbound remote administration exception and ICMP exception
1. In the Group Policy Management Editor, select Computer Configuration > Policies > Administrative Templates: Policy definitions > Network > Network Connections > Windows Firewall > Domain Profile
2. Then right-click Windows Firewall: Allow inbound remote administration exception and select Edit
3. Then select Enabled
4. Locate the field entitled 'Allow unsolicited incoming messages from these IP addresses' and enter the IP address. Enter an asterisk (*) into each field to allow messages from all IP addresses. Otherwise enter a comma-separated list containing IPs/subnets that will be allowed remote admin access. Then click OK
5. Right-click Windows Firewall: Allow ICMP exception and select Edit
6. Select Enabled
7. Check Allow inbound echo request. Then click OK
Step 4 - Create a new inbound firewall rule and update the network list manager policy for unidentified networks
1. From the menu, click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules
2. Right-click Inbound Rules and select New Rule
3. Then select Predefined
4. Select Windows Remote Management from the services list. Then click Next
5. Uncheck the Public rule. Make sure the Domain, Private rule is checked. Then click Next
6. Leave the defaults, and click Finish
7. Right-click the new rule and select Properties
8. In the Advanced tab, uncheck Private. Then click OK
9. From the menu, select Computer Configuration > Policies > Windows Settings > Security Settings > Network List Manager Policies
10. Right-click Unidentified Networks and click Properties
11. Change the location type to 'Private', then click OK
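To confirm on a target computer that the settings from Steps 2 to 4 actually applied, and to see where an asterisk left access open to all addresses, a read-only check such as the following can be run. This is an added example, not part of Atera's tooling or the original article. The function name Test-EnableWinRMGpo is hypothetical, the firewall display group name assumes an English-language OS, and the registry paths are the locations these Group Policy settings write to.

```powershell
# Added example: read-only checks. Run elevated on a target computer after 'gpupdate /force'.
# Test-EnableWinRMGpo is a hypothetical name; the display group name assumes an English OS.
function Test-EnableWinRMGpo {
    $out = New-Object System.Collections.Generic.List[object]
    function Add-Check($Check, $Value, $Ok, $Note = '') {
        $out.Add([pscustomobject]@{ Check = $Check; Value = "$Value"; Ok = [bool]$Ok; Note = $Note })
    }

    # Step 2: policy values written by "Allow remote server management through WinRM".
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ErrorAction SilentlyContinue
    Add-Check 'WinRM policy (AllowAutoConfig)' $pol.AllowAutoConfig ($pol.AllowAutoConfig -eq 1)
    foreach ($name in 'IPv4Filter', 'IPv6Filter') {
        $note = if ($pol.$name -eq '*') { 'wildcard: WinRM listens on every local address' } else { '' }
        Add-Check $name $pol.$name ($pol.$name) $note
    }

    # Step 2: the service preference should leave WinRM set to Automatic and running.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
    Add-Check 'WinRM service' "$($svc.StartMode)/$($svc.State)" ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')

    # A listener must answer locally before a remote scan can reach it.
    $wsman = Test-WSMan -ErrorAction SilentlyContinue
    Add-Check 'WSMan listener' $wsman.ProductVersion ($null -ne $wsman)

    # Step 3: remote administration exception in the Domain profile and its allowed sources.
    $ra = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings' -ErrorAction SilentlyContinue
    $note = if ($ra.RemoteAddresses -eq '*') { 'wildcard: any source IP is allowed' } else { '' }
    Add-Check 'Remote admin exception' $ra.RemoteAddresses ($ra.Enabled -eq 1) $note

    # Step 4: after unchecking Public and then Private, enabled inbound rules should be Domain only.
    # ActiveStore includes local rules too, so a locally created WinRM rule also shows up here.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    foreach ($r in $rules) {
        Add-Check "Firewall rule: $($r.DisplayName)" $r.Profile ("$($r.Profile)" -eq 'Domain')
    }
    if (-not $rules) { Add-Check 'Firewall rule' 'none enabled' $false }
    $out
}

Test-EnableWinRMGpo | Format-Table -AutoSize -Wrap
```

Rows with Ok = False point to a step that did not apply; rows with a wildcard note are candidates for replacing the asterisk with the scanning agent's IP or subnet, as Step 3 allows.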