2018-12-20 05:57 AM
Hi we have used the winrmconfig.ps1 script to set up WinRM collection on our servers and it has worked very well.
We are now moving to a central collection model, with windows events being forwarded to central collectors, and then being picked up from there.
This means that we now need to remove the WinRM settings from the servers.
Does anyone know of, or have, a script that will do this, i.e. the reverse of the winrmconfig.ps1 script?
2019-02-10 01:30 AM
Hello David,
The winrm quickconfig command (or the abbreviated version winrm qc) performs the following operations:
1. Starts the WinRM service, and sets the service startup type to auto-start.
2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.
3. Creates firewall exceptions for the WinRM service, opens the ports for HTTP and HTTPS for the current user profile.
Reference: https://docs.microsoft.com/en-us/windows/desktop/WinRM/installation-and-configuration-for-windows-remote-management
Before performing any of these steps, please test on a test system and confirm the WinRM service is not used by any system other than NetWitness.
To manually undo these steps, in reverse order:
1. Disable the firewall exceptions for WS-Management communications.
In Windows Firewall with Advanced Security, under Inbound Rules,
look for the WinRM local port rules for 5985 (HTTP) and 5986 (HTTPS) and disable them.
2. Delete the listener that accepts requests on any IP address.
You can see the listener details with the command:
C:\>winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 192.168.1.1, 127.0.0.1, ::1, fe80::100:7f:fffe%1
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = WinServer
Enabled = true
URLPrefix = wsman
CertificateThumbprint = 04973aa87376b4e424bff13d4cd0e4a4e3485
ListeningOn = 192.168.1.1, 127.0.0.1, ::1, fe80::100:7f:fffe%1
Then delete a listener with the command:
C:\> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
The command has no output, so enumerate the listeners again if you want to confirm.
3. Stop and disable the WinRM service in PowerShell:
Stop-Service winrm
Set-Service -Name winrm -StartupType Disabled
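The three manual steps above, collected into one script as an added example. This is not the winrmconfig.ps1 script, nor NetWitness or Microsoft code; it is written here to show the reverse procedure end to end. It assumes an elevated PowerShell 5.1 prompt on Windows Server 2012 or later (for the NetSecurity and WSMan providers), that the firewall rules to disable are the inbound TCP rules on the listener ports (5985/5986) rather than rules found by name, and that, as the reply says, nothing other than NetWitness depends on WinRM on this host. The established-connection check and the `-Force` switch are assumptions added for safety; they are not part of the original reply.

```powershell
<#
  Undo-WinRMQuickConfig.ps1  (added example, not part of winrmconfig.ps1)
  Reverses the three effects of "winrm quickconfig" in the order given above:
    1. disable the inbound firewall rules for the WinRM ports
    2. delete the WS-Management listeners
    3. stop the WinRM service and set its startup type to Disabled
  Run from an elevated prompt. Use -WhatIf first to preview every change.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Listener ports created by quickconfig (HTTP, HTTPS); assumption: defaults in use.
    [int[]] $Ports = @(5985, 5986),
    # Proceed even if a remote session is currently connected on a WinRM port.
    [switch] $Force
)

$ErrorActionPreference = 'Stop'

# Safety check (added assumption): an established connection on a WinRM port means
# some other system is still using this host over WinRM, so stop unless -Force.
$active = foreach ($p in $Ports) {
    Get-NetTCPConnection -LocalPort $p -State Established -ErrorAction SilentlyContinue
}
if ($active -and -not $Force) {
    $active | Select-Object LocalPort, RemoteAddress, RemotePort | Format-Table | Out-String | Write-Warning
    throw "Active WinRM connections found; re-run with -Force once they are accounted for."
}

# Step 1: disable inbound TCP firewall rules whose local port is a WinRM port.
# Rules are matched by port filter, not by display name, so renamed rules are still found.
$portStrings = $Ports | ForEach-Object { [string]$_ }
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $portStrings -contains [string]$_.LocalPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
foreach ($rule in $rules) {
    if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable inbound firewall rule')) {
        Disable-NetFirewallRule -Name $rule.Name
    }
}

# Step 2: delete every WS-Management listener. This must happen while the WinRM
# service is still running, because the WSMan: drive is only available then.
Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $desc = ($_.Keys -join ', ')          # e.g. "Address=*, Transport=HTTP"
    if ($PSCmdlet.ShouldProcess("WSMan listener ($desc)", 'Remove')) {
        Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse
    }
}

# Step 3: stop the service and prevent it from starting again.
if ($PSCmdlet.ShouldProcess('WinRM service', 'Stop and set StartupType to Disabled')) {
    Stop-Service -Name WinRM
    Set-Service -Name WinRM -StartupType Disabled
}

# Report the end state so the change can be verified (and logged) from the console.
Write-Output ("Firewall rules disabled : {0}" -f @($rules).Count)
Get-Service -Name WinRM | Select-Object Name, Status, StartType
```

Run it once with `.\Undo-WinRMQuickConfig.ps1 -WhatIf` to see which rules and listeners it would touch, then without `-WhatIf` to apply. Note that PowerShell remoting (Enter-PSSession, Invoke-Command) rides on WinRM, so after this runs the host can no longer be managed that way; if the central collectors or anything else still reach the server over WinRM, leave the service alone.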