This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 62%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJY%3C/text%3E%3C/svg%3E)
I am having some trouble with the default WinRM listener not wanting to use HTTPS port 5986.
Everything appears to be configured correctly:
Winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = * [Source="GPO"]
IPv6Filter [Source="GPO"]
EnableCompatibilityHttpListener = true [Source="GPO"]
EnableCompatibilityHttpsListener = true [Source="GPO"]
CertificateThumbprint
AllowRemoteAccess = true [Source="GPO"]
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
However when I enumerate the listeners its HTTPS listener is on 443 instead of the configured default port. No amount of rebooting or trying to change it has helped.
winrm enumerate winrm/config/Listener
Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = <REMOVED>
Listener [Source="Compatibility"]
Address = *
Transport = HTTP
Port = 80
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = <REMOVED>
Listener [Source="Compatibility"]
Address = *
Transport = HTTPS
Port = 443
Hostname = <REMOVED>
Enabled = true
URLPrefix = wsman
CertificateThumbprint = <REMOVED>
ListeningOn = <REMOVED>
I checked and there are no other services listening on port 5986 that would be causing a conflict. The system is just choosing not to listen for some reason on the default port.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 30%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGF%3C/text%3E%3C/svg%3E)
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management -> WinRM Service --> Allow remote server management through WinRM, necessary to make WinRM listen to traffic and accept incoming connections sometimes plain will not do anything; the filters defined there are not used by the service. Add IPV4 "*" , and restart WinRm service the TCP port immediately start listening
I finally found the solution to this.
#https://gist.github.com/bender-the-greatest/3e2f6e6d606eebaeedbacd8722e52396
if(!$($(Winrm enumerate winrm/config/listener) -match "Port = 5986")){
winrm create winrm/config/listener?Address=*+Transport=HTTPS
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Have you checked the GPO? Should it be adding another Listener for HTTPs on 5986? I only see the HTTP/5985 port.
What does this show? netstat -ano | findstr 5986
What about firewall rules? Can you disable the firewall on the machine and then restart the WinRM service.
Verify from the "ListeningOn" section that port 5986 isn't just listening on IP address 127.0.0.1. You can also use 'netsh http show iplisten' to see
I already mentioned that I check for anything else listening on that port and there was not.
PS C:\WINDOWS\system32> netstat -ano | findstr 5986
PS C:\WINDOWS\system32>
I'm not even dealing with the firewall rule yet the listener is not running on the correct port.
Do the people that manage the GPO's want you to use HTTPS? They haven't configured a listener for it.
The compatibility listener is enabled and running on port 443 instead of 5986 even though the default port is listed as 5986. Am I missing something there?
I don't know if you're missing anything. WinRM is a Windows service. PowerShell just uses it. I'm only looking for/answering questions using the Windows-Server-PowerShell tag.
Why not add to the GPO you're so it includes the HTTPS connection, too. GPOs usually override local configurations. The O/S folks may provide a better answer.
Hello @Justin Yaple
Did you left the IPv4 and IPv6 filter settings blank ?
"if you leave filters blank you still enable remote management but the listener does not know on which interface to bind itself."
This blog might help :WinRM would not listen on port 5985
Best Regards
Karlie
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
No I did not leave that blank in the GPO. Also you can see that the HTTPS listener is present I just <REMOVED> the IP addresses enumerated for ListeningOn.
The enumeration shows its listening on 443 but why not listening on its default port?
Hello @Justin Yaple
Please check this setting: EnableCompatibilityHttpsListener.
According to this article, It Specifies whether the compatibility HTTPS listener is enabled. If this setting is True, then the listener will listen on port 443 in addition to port 5986. The default is False.
The GPO will override or block any changes you try to make.
Best Regards
Karlie
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Have you checked if above answers help?
If they are helpful, please do not forget to accept the answers.
Have a good day !
Thanks
No, that was not helpful. I would be totally fine if it was listening on 443 in addition to port 5986. However it is still refusing to listen on port 5986 at all.