How to restore the Windows Remote Management settings when all authentication schemes are disabled on a computer that is running Windows Server 2008 R2

This article describes how to restore Windows Remote Management settings when all authentication methods are disabled in Windows Server 2008 R2.
In Windows Remote Management 2.0, all operations are handled as if they come from a remote computer. Therefore, the requests that use a destination of "localhost" require that the Windows Remote Management service is running and that the correct authentication methods are enabled.

Specifically, Windows Remote Management lets you configure which authentication schemes are allowed on both the client-side and on the server-side. These settings are as follows:

C:\Windows\system32>winrm get winrm/config/client/auth
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false

C:\Windows\system32>winrm get winrm/config/service/auth
Auth
    Basic = false
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = None [Source="GPO"]

Note The first example displays the authentication schemes that are allowed on the client-side, and the second example does the same on the server-side.

There are two possible situations where a user can effectively make Windows Remote Management inaccessible:
  • If the user disables all authentication schemes for the service, the service no longer accepts requests from any client. In this situation, a Windows Remote Management operation cannot pass through the locked service. Therefore, the configuration settings cannot be changed.
  • If the user disables all authentication schemes for the client, the client can no longer connect to any Windows Remote Management endpoint. In this situation, Windows Remote Management cannot connect to the local endpoint. Therefore, you cannot change the client-side settings.
Windows Remote Management supports an invoke restore operation that resets the configuration to the default settings. However, this operation has to go through the service. Therefore, it cannot be used in either of the situations that were mentioned earlier.

If one of these situations occurs, the following can be done to restore Windows Remote Management to a usable state.

The user changes the relevant Group Policy settings to enable at least one authentication mechanism. The user can then run a winrm command in order to enable all the necessary authentication mechanisms in both the client-specific and in the service-specific configuration settings. Then the user reverts the Group Policy settings back to their original state.

The relevant Group Policy settings can be found in the following location:
Administrative Templates > Windows Components > Windows Remote Management (WinRM)
The following are the relevant policies:
  • WinRM Client > Allow Basic authentication
  • WinRM Client > Allow CredSSP authentication
  • WinRM Client > Disallow Digest authentication
  • WinRM Client > Disallow Kerberos authentication
  • WinRM Client > Disallow Negotiate authentication
  • WinRM Service > Allow Basic authentication
  • WinRM Service > Allow CredSSP authentication
  • WinRM Service > Disallow Kerberos authentication
  • WinRM Service > Disallow Negotiate authentication

The following command examples enable particular authentication schemes on either the Windows Remote Management client or on the Windows Remote Management service:
winrm set winrm/config/client/Auth @{Basic="true"}
winrm set winrm/config/service/Auth @{Basic="true"}
Note  These command examples enable Basic authentication.
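
The following PowerShell sketch is an added example, not code from this article or from Microsoft. It parses the "winrm get .../auth" output format shown earlier and reports whether a proposed change would leave no authentication scheme enabled, which is the lockout condition described above. The function name, the $Change parameter, and the treatment of [Source="GPO"] values as fixed by policy are assumptions.

```powershell
# Added example: function and parameter names are assumptions, not Microsoft code.
function Test-WinRMAuthLockout {
    param(
        [string[]]$AuthOutput,      # lines printed by "winrm get winrm/config/<side>/auth"
        [hashtable]$Change = @{}    # proposed settings, e.g. @{ Kerberos = 'false' }
    )
    $schemes = @()
    foreach ($line in $AuthOutput) {
        # Scheme lines look like "    Basic = false", optionally followed by [Source="GPO"].
        # CbtHardeningLevel is skipped because its value is not true/false.
        if ($line -match '^\s+(\w+)\s*=\s*(true|false)\s*(\[Source="GPO"\])?\s*$') {
            $name    = $Matches[1]
            $enabled = ($Matches[2] -eq 'true')
            $fromGpo = [bool]$Matches[3]
            # Assumption: a GPO-sourced value is fixed by policy, so the proposed
            # change is applied only to locally configured schemes.
            if ($Change.ContainsKey($name) -and -not $fromGpo) {
                $enabled = [System.Convert]::ToBoolean([string]$Change[$name])
            }
            $schemes += New-Object PSObject -Property @{
                Scheme = $name; Enabled = $enabled; FromGpo = $fromGpo
            }
        }
    }
    $on  = @($schemes | Where-Object { $_.Enabled } | ForEach-Object { $_.Scheme })
    $gpo = @($schemes | Where-Object { $_.FromGpo } | ForEach-Object { $_.Scheme })
    New-Object PSObject -Property @{
        EnabledSchemes = $on; GpoControlled = $gpo; WouldLockOut = ($on.Count -eq 0)
    }
}

# Constructed sample: the service-side output shown in this article.
$sample = @(
    'Auth',
    '    Basic = false',
    '    Kerberos = true',
    '    Negotiate = true',
    '    Certificate = false',
    '    CredSSP = false',
    '    CbtHardeningLevel = None [Source="GPO"]'
)
$result = Test-WinRMAuthLockout -AuthOutput $sample -Change @{ Kerberos = 'false'; Negotiate = 'false' }
if ($result.WouldLockOut) {
    Write-Warning 'Change would leave no authentication scheme enabled; do not apply it.'
}
```

On a live system, pass the real output instead of the sample, for example -AuthOutput (winrm get winrm/config/service/auth), and run the check for both the client and the service configuration before changing either one.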

Article ID: 978319 - Last Review: 12/18/2009 02:01:37 - Revision: 1.1

Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard
