You may have seen the following error when either running Enable-PSRemoting or Set-WSManQuickConfig:
Set-WSManQuickConfig : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859113" Machine="localhost"><f:Message><f:ProviderFault provider="Config provider" path="%systemroot%\system32\WsmSvc.dll"><f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859113" Machine="win81"><f:Message>WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again. </f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault> At line:1 char:1 + Set-WSManQuickConfig -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand
This post will explain how to get around this error. There are different ways to do this depending on your operating system version. Windows 8/2012 workarounds are fairly sane while windows 7/2008R2 may seem a bit obtuse.
This post is inspired by an experience I had this week trying to get a customer's Chef node able to connect via WinRM over SSL. Her test node was running Windows 7 and she was getting the above error when trying to enable WinRM. Windows 7 has no way to change the connection Type via a native powershell cmdlet. I had done this via the commandline before on Windows 7 but did not have the commands handy. Further, it had been so long since changing the connection type on windows 7 via the GUI, I had to fire up my own win 7 VM and run through it just so I could relay propper instructions to this very patient customer.
So I write this to run through the different nuances of connection types on different operating systems but primarily to have a known place on the internet where I can stash the commands.
TL;DR for Windows 7 or 2008R2 Clients:
If you dont care about anything else other than getting past this error on windows 7 or 2008R2 without ceremonial pointing and clicking, simply run these commands:
$networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}")) $connections = $networkListManager.GetNetworkConnections() # Set network location to Private for all networks $connections | % {$_.GetNetwork().SetCategory(1)}
This works on windows 8/2012 and up as well but there are much friendlier commands you can run instead. Unless you are one partial to GUIDs.
Connection Types - what does it mean?
Windows provide different connection type profiles (or Network Locations) each with different levels of restrictions on what connections can be granted to the local computer on the network.
I have personally always found these types to be confusing yet well meaning. You are perhaps familiar with the message presented the first time you logon to a machine asking you if you would like the computer to be discoverable on the internet. If you choose no, the network interface is given a public internet connection profile. If you choose "yes" then it is private. For me the confusion is that I equate "public" with "publicly accessible" but here the opposite applies.
Public network locations have Network Discovery turned off and restrict your firewall for some applications. You cannot create or join Homegroups with this setting. WinRM firewall exception rules also cannot be enabled on a public network. Your network location must be private in order for other machines to make a WinRM connection to the computer.
Domain Networks
If your computer is on a domain, that is an entirely different network location type. On a domain network, the accessibility of the machine is governed by your domain policies. This network location type is automatically chosen if your machine is part of an Active Directory domain.
Working around Public network restrictions on Windows 8 and up
When enabling WinRM, client SKUs of windows (8, 8.1, 10) expose an additional setting that allow the machine to be discoverable over WinRM publicly but only on the same subnet. By using the -SkipNetworkProfileCheck switch of Enable-PSRemoting or Set-WSManQuickConfig you can still allow connections to your computer but those connections must come from other machines on the same subnet.
Enable-PSRemoting -SkipNetworkProfileCheck
So this can work for local VMs but will still be restrictive for cloud based VMs.
Changing the Network Location
Once you answer yes or no the initial question of whether you want to be discovered, you are never prompted again, but you can change this setting later.
This is a family friendly blog so I am not going to cover how to change the Network Location via the GUI. It can be done but you are a dirty person for doing so (full disclosure - I have been guilty of doing this).
Windows 8/2012 and up
Powershell version 3 and later expose cmdlets that allow you to see and change your Network Location. Get-NetConnectionProfile shows you the network location of all network interfaces:
PS C:\Windows\system32> Get-NetConnectionProfile Name : Network 2 InterfaceAlias : Ethernet InterfaceIndex : 3 NetworkCategory : Private IPv4Connectivity : Internet IPv6Connectivity : LocalNetwork
Note the NetworkCategory above. The Network Location is private.
Use the Set-NetConnectionProfile to change the location type:
Set-NetConnectionProfile -InterfaceAlias Ethernet -NetworkCategory Public
or
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private
The later is convenient if you want to ensure that all network interfaces are set to a particular location.
Windows 7 and 2008R2
You will not have the above cmdlets available on Windows 7 or 2008R2. You can still change the location on the command line but the commands are far less intuitive. As shown in the tl;dr, here is the command:
$networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}")) $connections = $networkListManager.GetNetworkConnections() # Set network location to Private for all networks $connections | % {$_.GetNetwork().SetCategory(1)}
First we get a reference to a COM instance of an INetworkListManager which naturally has a Class ID of DCB00C01-570F-4A9B-8D69-199FDBA5723B. We then grab all the network connections and finally set them all to the desired location:
- 0 - Public
- 1 - Private
- 2 - Domain