Windows Firewall, IPSec, and Remote PowerShell

Shaunm001 301 Reputation points
2021-04-20T14:47:32.89+00:00

I've configured Connection Security Rules to require inbound authentication using Kerberos:

89573-image.png

I've configured Windows Firewall to block all incoming connections:

89509-image.png

And I've configured various exceptions to allow incoming connections for required services from authorized users and computers:

89602-image.png

Each of these rules is configured to override the "Block all connections" default firewall setting mentioned earlier:

89479-image.png

This all works fine with one exception: I cannot get remote PowerShell commands to work in this configuration:

89574-image.png

It seems the RPC Dynamic Ports don't open up on the remote PC when running a PowerShell command like "Get-WMIObject". It doesn't matter what kind of exceptions I put in, it never works. I even created an exception that says "let everything in" from my authorized PCs and it still doesn't work:

89603-image.png

Other similar inbound rules work fine (like the default Remote Event Log Management (RPC) rule, which allows inbound connections for %SystemRoot%\System32\svchost.exe to RPC Dynamic Ports). Something about remote PowerShell is unique and I can't figure out what. Any thoughts from the community?
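The configuration described in the question, rebuilt with the NetSecurity cmdlets on the target PC. This is an added example, not code from the original post: the domain, computer and group names are placeholders, and the two exception rules are written the way an authenticated-bypass ("Override block rules") rule has to be written for DCOM-based WMI, which needs both the endpoint mapper on TCP 135 and the dynamic RPC ports served by the Winmgmt service.

```powershell
# Added example (not from the original post). Run elevated on the target PC.
# Assumptions (placeholders): domain CONTOSO, admin workstation ADMIN-WS,
# admin group "Workstation Admins".
$ErrorActionPreference = 'Stop'
$adminComputer = 'CONTOSO\ADMIN-WS$'          # computer account, note the trailing $
$adminGroup    = 'CONTOSO\Workstation Admins'

# Resolve accounts to SIDs and wrap them in the SDDL form the firewall uses for
# "authorized computers" and "authorized users" (same form the GUI generates).
function ConvertTo-FirewallSddl([string[]] $Accounts) {
    $aces = foreach ($a in $Accounts) {
        $sid = ([System.Security.Principal.NTAccount]$a).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    'O:LSD:' + ($aces -join '')
}
$computerSddl = ConvertTo-FirewallSddl $adminComputer
$userSddl     = ConvertTo-FirewallSddl $adminGroup

# 1. Connection security rule: require Kerberos computer authentication inbound,
#    request it outbound, so inbound packets carry an authenticated identity.
$proposal = New-NetIPsecPhase1AuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos computer auth' -Proposal $proposal
New-NetIPsecRule -DisplayName 'Require inbound Kerberos' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain

# 2. "Block all connections": ignore ordinary allow rules on every profile, and log
#    both drops and allows so dynamic-port traffic is visible in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -AllowInboundRules False `
    -LogBlocked True -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Exceptions that survive "Block all connections" must be authenticated-bypass
#    rules: -Authentication Required, -OverrideBlockRules, and a -RemoteMachine SDDL.
#    Endpoint mapper (TCP 135), hosted by the RpcSs service in svchost.exe:
New-NetFirewallRule -DisplayName 'Admin WS -> WMI endpoint mapper' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort RPCEPMap `
    -Program '%SystemRoot%\System32\svchost.exe' -Service RpcSs `
    -Authentication Required -OverrideBlockRules $true `
    -RemoteMachine $computerSddl -RemoteUser $userSddl
#    Dynamic RPC ports, hosted by the Winmgmt service in svchost.exe:
New-NetFirewallRule -DisplayName 'Admin WS -> WMI dynamic RPC' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort RPC `
    -Program '%SystemRoot%\System32\svchost.exe' -Service Winmgmt `
    -Authentication Required -OverrideBlockRules $true `
    -RemoteMachine $computerSddl -RemoteUser $userSddl

# 4. Read back what was created, including the filters the GUI spreads over tabs.
Get-NetFirewallRule -DisplayName 'Admin WS -> WMI*' | ForEach-Object {
    $sec = $_ | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Port      = ($_ | Get-NetFirewallPortFilter).LocalPort
        Service   = ($_ | Get-NetFirewallServiceFilter).Service
        Auth      = $sec.Authentication
        Override  = $sec.OverrideBlockRules
        Computers = $sec.RemoteMachine
    }
} | Format-Table -AutoSize
```

Restricting each rule to the service that actually owns the listening port (RpcSs for 135, Winmgmt for the dynamic range) keeps the exception narrower than a bare svchost.exe program rule, since many unrelated services share that binary.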


3 answers

  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2021-04-21T06:06:00.667+00:00

    Hi,

    Check that the Windows Management Instrumentation (WMI-In) rule is enabled in the firewall. Otherwise you will see the RPC server is unavailable message, as picture below:

    89802-image.png

    Best Regards,
    Candy

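A way to carry out the check this answer suggests and then separate "TCP 135 reachable" from "dynamic RPC port reachable" on the client side. This is an added example, not code from the answer; the target name TARGET-PC is a placeholder, and the WSMan variant at the end is included only to show the transport that does not use dynamic RPC ports.

```powershell
# Added example (not from the original answer). Assumption: target is TARGET-PC.
$target = 'TARGET-PC'

# --- On the target: is the predefined WMI group enabled, and what does each rule admit?
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $svc  = $_ | Get-NetFirewallServiceFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Profile = $_.Profile
            Port    = "$($port.Protocol)/$($port.LocalPort)"   # RPCEPMap (135) or RPC (dynamic)
            Program = $app.Program
            Service = $svc.Service
        }
    } | Format-Table -AutoSize

# The fix the answer describes, if the group turns out to be disabled:
# Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# The dynamic range the "RPC" rules refer to (default 49152-65535):
netsh int ipv4 show dynamicport tcp

# --- From the admin workstation: is the endpoint mapper reachable at all?
Test-NetConnection -ComputerName $target -Port 135 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Get-WmiObject is DCOM only: endpoint mapper on 135, then a dynamic RPC port.
try {
    Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target |
        Select-Object CSName, Caption
} catch {
    Write-Warning "WMI over DCOM failed: $($_.Exception.Message)"   # e.g. 'The RPC server is unavailable'
}

# Same DCOM path through CIM, to confirm it is the transport and not the cmdlet:
$dcom = New-CimSessionOption -Protocol Dcom
try {
    $s = New-CimSession -ComputerName $target -SessionOption $dcom
    Get-CimInstance -ClassName Win32_OperatingSystem -CimSession $s |
        Select-Object CSName, Caption
} catch { Write-Warning "CIM over DCOM failed: $($_.Exception.Message)" }

# WSMan transport: one fixed port (TCP 5985, or 5986 for HTTPS), no dynamic RPC range.
try {
    Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $target |
        Select-Object CSName, Caption
} catch { Write-Warning "CIM over WSMan failed: $($_.Exception.Message)" }
```

Running the DCOM tests with firewall logging of allowed and dropped packets enabled on the target shows whether a connection to the dynamic range is dropped or never arrives at all, which are different problems. Get-WmiObject exists in Windows PowerShell 5.1 only; PowerShell 7 ships the CIM cmdlets alone.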


  2. Shaunm001 301 Reputation points
    2021-04-26T15:35:17.247+00:00

    Still having this problem. I'll put it out there a different way...

    I've deleted all rules except one "AllowAll" rule for my workstation:

    91333-image.png

    When I try to view remote event viewer logs, everything works as expected:

    91309-image.png

    Windows Firewall Logs confirm the successful connection:

    91334-image.png

But when I try to use Get-WmiObject in PowerShell, I'm able to establish a connection on TCP port 135, but the RPC Dynamic Ports are never opened, and the Get-WmiObject command fails:

    91310-image.png

    Windows Firewall Log shows the successful connection to TCP 135, but no log of a dropped connection to the RPC Dynamic Ports:

    91335-image.png

Remote event log viewer works but Get-WmiObject doesn't. Why?


  3. I-Cat 76 Reputation points
    2021-04-26T19:58:41.903+00:00

It looks like a PowerShell issue.
The classic cmd.exe works much better.