When attempting to enable PowerShell Remoting on a Windows Server 2008 R2 machine in workgroup mode, many administrators encounter the frustrating "Access is denied" error despite running PowerShell as Administrator. This typically occurs during the Set-WSManQuickConfig phase of the Enable-PSRemoting command.
Unlike domain-joined machines, workgroup computers don't have centralized authentication, so the WinRM service requires explicit permission configuration.
# Common symptoms you might see:
1. "Set-WSManQuickConfig : Access is denied"
2. WinRM service starts but listeners fail to configure
3. Event ID 10135 in Windows Event Log
Here's the most reliable method I've found after troubleshooting numerous workgroup servers:
# First, verify current WinRM configuration
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
# If the previous command fails, manually reset WinRM.
# An HTTPS listener needs a server-authentication certificate matching the host name.
winrm quickconfig -transport:https -force
winrm delete winrm/config/listener?Address=*+Transport=HTTP
winrm create winrm/config/listener?Address=*+Transport=HTTP
Workgroup machines often need explicit firewall rules:
# Create explicit inbound rules for the WinRM ports; append remoteip=<management addresses> to limit who can connect
netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name="WinRM-HTTPS" dir=in action=allow protocol=TCP localport=5986
For persistent access issues, modify SDDL permissions:
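# Set the WinRM root security descriptor (RootSDDL). This value grants Generic All (GA)
# to Built-in Administrators (BA) and also to the IU (interactive users) and RM trustees;
# remove those ACEs if only Administrators should have access.
$newSDDL = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-WSManInstance -ResourceURI winrm/config/service -ValueSet @{RootSDDL=$newSDDL}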
After applying these changes, validate your configuration:
# Test local remoting first
Test-WSMan -ComputerName localhost
# Check listener status
Get-ChildItem WSMan:\localhost\Listener
# Verify firewall rules
netsh advfirewall firewall show rule name=WinRM-HTTP
netsh advfirewall firewall show rule name=WinRM-HTTPS
If the above fails, consider this nuclear option (then reconfigure properly):
# Completely reset WinRM configuration
# Quote @{} so PowerShell passes it to winrm.cmd as text instead of parsing it as a hashtable
winrm invoke Restore winrm/config '@{}'
Enable-PSRemoting -Force
When attempting to execute Enable-PSRemoting on Windows Server 2008 R2 in workgroup mode, even with administrative privileges, you might encounter the frustrating "Access is denied" error. This typically occurs during the Set-WSManQuickConfig phase of the operation.
The issue stems from Windows Remote Management (WinRM) requiring explicit permission assignments beyond simple admin rights. In workgroup environments (non-domain joined), additional configuration is necessary because:
- Default WinRM permissions assume domain authentication
- Local account security descriptors need manual configuration
- UAC virtualization may interfere with service configuration
First, verify your current WinRM configuration:
winrm get winrm/config
winrm enumerate winrm/config/listener
Then implement this comprehensive solution:
# 1. Forcefully reset WinRM configuration
winrm delete winrm/config/listener?Address=*+Transport=HTTP
winrm create winrm/config/listener?Address=*+Transport=HTTP
# 2. Configure permissions for local accounts
netsh http add urlacl url=http://+:5985/ user="NT AUTHORITY\LocalService"
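# 3. Adjust service permissions (quote the SDDL so PowerShell does not parse the parentheses and semicolons)
sc.exe sdset winrm "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
# 4. Finalize with forced PSRemoting enable
# -SkipNetworkProfileCheck requires PowerShell 3.0 or later; omit it on a stock 2008 R2 (PowerShell 2.0) install
Enable-PSRemoting -Force -SkipNetworkProfileCheck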
For workgroup machines, manually configure firewall rules:
netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow protocol=TCP localport=5985
Confirm successful configuration with:
Test-WSMan -ComputerName localhost
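# Get-Service only exposes StartType from PowerShell 5.0 onward, so read the start mode from WMI
Get-WmiObject Win32_Service -Filter "Name='WinRM'" | Select-Object State, StartMode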
If standard methods fail, rebuild the WinRM configuration entirely:
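# Rebuild the HTTP listener, then allow unencrypted traffic and Basic authentication
winrm quickconfig -transport:http -quiet
# With AllowUnencrypted and Basic enabled, credentials cross the network base64-encoded, not encrypted
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'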
Remember to restart the WinRM service after making these changes:
Restart-Service WinRM
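For production environments, consider these registry tweaks to maintain stability. LocalAccountTokenFilterPolicy = 1 turns off UAC remote token filtering, so members of the local Administrators group receive a full administrative token over the network; EnableLUA = 0 disables UAC entirely and takes effect after a reboot. Both weaken the host's default protections, so apply them only where local-account remoting requires it: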
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Always test remote connectivity after configuration changes:
Enter-PSSession -ComputerName localhost -Credential (Get-Credential)
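To review what the commands above leave enabled on a host, this added example (not part of the original article) reads back the WinRM, RootSDDL and registry settings they change and flags the ones that differ from a locked-down state. Get-WinRMExposureReport and New-Row are hypothetical helper names; the function only reads settings and assumes an elevated PowerShell 2.0 or later prompt.

```powershell
# Added example, not from the original article. Helper names are hypothetical.
function Get-WinRMExposureReport {
    function New-Row($setting, $value, $risky) {
        New-Object PSObject -Property @{ Setting = $setting; Value = $value; Risky = [bool]$risky }
    }

    # WSMan: drive items switched on by the 'winrm set' commands above
    $items = @(
        'WSMan:\localhost\Service\AllowUnencrypted',
        'WSMan:\localhost\Service\Auth\Basic',
        'WSMan:\localhost\Client\Auth\Basic'
    )
    foreach ($path in $items) {
        $value = (Get-Item -Path $path -ErrorAction SilentlyContinue).Value
        New-Row $path $value ("$value" -eq 'true')
    }

    # DACL of the WinRM root descriptor: list trustees other than BA that hold Generic All
    $sddl  = (Get-Item -Path 'WSMan:\localhost\Service\RootSDDL' -ErrorAction SilentlyContinue).Value
    $dacl  = [regex]::Match("$sddl", 'D:[^(]*((\([^)]*\))*)').Groups[1].Value
    $extra = @([regex]::Matches($dacl, '\(A;[^;]*;GA;[^;]*;[^;]*;([^)]+)\)') |
        ForEach-Object { $_.Groups[1].Value } | Where-Object { $_ -ne 'BA' })
    New-Row 'RootSDDL GA trustees besides BA' ($extra -join ',') ($extra.Count -gt 0)

    # Registry values written by the 'reg add' commands above
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Row 'LocalAccountTokenFilterPolicy' $policy.LocalAccountTokenFilterPolicy `
        ($policy.LocalAccountTokenFilterPolicy -eq 1)
    New-Row 'EnableLUA' $policy.EnableLUA ($policy.EnableLUA -eq 0)
}

Get-WinRMExposureReport | Select-Object Setting, Value, Risky | Format-Table -AutoSize
```

Rows with Risky set to True mark settings worth reverting once remoting works, or compensating for with firewall source restrictions.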