WinRM not listening on Default Port

Justin Yaple 96 Reputation points
2021-03-07T16:22:28.717+00:00

I am having some trouble with the default WinRM listener not wanting to use HTTPS port 5986.

Everything appears to be configured correctly:

Winrm get winrm/config

Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter [Source="GPO"]
        EnableCompatibilityHttpListener = true [Source="GPO"]
        EnableCompatibilityHttpsListener = true [Source="GPO"]
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

However, when I enumerate the listeners, its HTTPS listener is on 443 instead of the configured default port. No amount of rebooting or trying to change it has helped.

winrm enumerate winrm/config/Listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = <REMOVED>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = <REMOVED>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = <REMOVED>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = <REMOVED>
    ListeningOn = <REMOVED>

I checked and there are no other services listening on port 5986 that would be causing a conflict. The system is just choosing not to listen for some reason on the default port.


Accepted answer
  1. Justin Yaple 96 Reputation points
    2021-08-12T20:17:58.037+00:00

    I finally found the solution to this.

    # https://gist.github.com/bender-the-greatest/3e2f6e6d606eebaeedbacd8722e52396
    
    # Create the HTTPS listener only when no existing listener reports "Port = 5986".
    if (-not ((winrm enumerate winrm/config/listener) -match "Port = 5986")) {
        winrm create winrm/config/listener?Address=*+Transport=HTTPS
    }
    

6 additional answers

  1. Rich Matheisen 46,801 Reputation points
    2021-03-07T20:00:10.993+00:00

    Have you checked the GPO? Should it be adding another Listener for HTTPS on 5986? I only see the HTTP/5985 port.

    What does this show? netstat -ano | findstr 5986

    What about firewall rules? Can you disable the firewall on the machine and then restart the WinRM service?

    Verify from the "ListeningOn" section that port 5986 isn't just listening on IP address 127.0.0.1. You can also use 'netsh http show iplisten' to see


  2. Justin Yaple 96 Reputation points
    2021-03-07T20:17:30.18+00:00

    I already mentioned that I checked for anything else listening on that port and there was not.

    PS C:\WINDOWS\system32> netstat -ano | findstr 5986
    PS C:\WINDOWS\system32>
    

    I'm not even dealing with the firewall rule yet; the listener is not running on the correct port.


  3. Karlie Weng 18,531 Reputation points Microsoft Vendor
    2021-03-08T07:07:25.367+00:00

    Hello @Justin Yaple

    Did you leave the IPv4 and IPv6 filter settings blank?

    "if you leave filters blank you still enable remote management but the listener does not know on which interface to bind itself."


    This blog might help: WinRM would not listen on port 5985

    Best Regards
    Karlie

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Karlie Weng 18,531 Reputation points Microsoft Vendor
    2021-03-17T09:17:52.85+00:00

    Hello @Justin Yaple

    Please check this setting: EnableCompatibilityHttpsListener.

    According to this article, it specifies whether the compatibility HTTPS listener is enabled. If this setting is True, then the listener will listen on port 443 in addition to port 5986. The default is False.

    The GPO will override or block any changes you try to make.


    Best Regards
    Karlie

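An added example (not part of the original thread or the linked gist): PowerShell that parses `winrm enumerate winrm/config/Listener` text and reports whether an enabled HTTPS listener exists on 5986 and which compatibility listeners are exposed, covering both the check in the accepted answer and the EnableCompatibilityHttpsListener setting discussed above. The function names are hypothetical, and `$sample` is constructed from the question's output.

```powershell
# Added example. $sample is constructed from the listener output in the question
# (fields the poster redacted are omitted).
$sample = @'
Listener [Source="GPO"]
    Transport = HTTP
    Port = 5985
    Enabled = true

Listener [Source="Compatibility"]
    Transport = HTTP
    Port = 80
    Enabled = true

Listener [Source="Compatibility"]
    Transport = HTTPS
    Port = 443
    Enabled = true
'@

# Hypothetical helper: turn the text blocks into one object per listener.
function ConvertFrom-WinRMListenerText {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Listener(\s+\[Source="(?<src>[^"]+)"\])?\s*$') {
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{ Source = $Matches['src']; Transport = $null; Port = $null; Enabled = $null }
        } elseif ($null -ne $current -and $line -match '^\s+(?<key>Transport|Port|Enabled)\s*=\s*(?<val>\S+)') {
            $current[$Matches['key']] = $Matches['val']
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# Hypothetical helper: summarise what is actually exposed versus what was expected.
function Test-WinRMHttpsListener {
    param([object[]]$Listeners, [int]$ExpectedPort = 5986)
    $enabled = @($Listeners | Where-Object { $_.Enabled -eq 'true' })
    [pscustomobject]@{
        HttpsOnExpectedPort = [bool]($enabled | Where-Object { $_.Transport -eq 'HTTPS' -and [int]$_.Port -eq $ExpectedPort })
        CompatibilityPorts  = @($enabled | Where-Object { $_.Source -eq 'Compatibility' } | ForEach-Object { [int]$_.Port })
        PlainHttpPorts      = @($enabled | Where-Object { $_.Transport -eq 'HTTP' } | ForEach-Object { [int]$_.Port })
    }
}

# On a live host, pass the output of: winrm enumerate winrm/config/Listener
$listeners = ConvertFrom-WinRMListenerText -Lines ($sample -split "`r?`n")
Test-WinRMHttpsListener -Listeners $listeners
```

For the constructed sample this reports `HttpsOnExpectedPort` as False with compatibility listeners on 80 and 443, which is the state the question describes.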

