
Configuring WinRM on endpoints for Windows Event Forwarding

Mountain Pond 1,676 Reputation points
2026-03-24T17:20:39.7266667+00:00

I am configuring Windows Event Forwarding (WEF) in a source-initiated setup using Microsoft Intune.

The goal is for client devices to forward event logs to a WEF collector without enabling full WinRM server functionality (no inbound connections, no remote PowerShell, no open firewall ports).

I configured the following via Intune:

  • Event Forwarding policy with Subscription Manager configured

However, event forwarding does not start unless I manually run winrm quickconfig on the client device.

After running winrm quickconfig, log forwarding immediately begins working.

My understanding is that in a source-initiated WEF scenario, the client only needs WinRM as a client (outbound), and not as a server.

Questions:

1. Is there a way to fully initialize WinRM for WEF without enabling the listener or opening inbound firewall rules?

2. What is the minimal required WinRM configuration for source-initiated WEF in an Intune-managed environment?

I would prefer a clean, secure configuration without enabling unnecessary remote management capabilities.

Any insights or best practices would be appreciated.

Microsoft Security | Intune | Other

Answer accepted by question author
  Prathista Ilango 1,065 Reputation points Microsoft Employee
    2026-03-31T14:46:12.7033333+00:00

    Hello Mountain Pond,

    The provided answer covers most of it; I’m just directly addressing the two questions below.

    1. Is there a way to fully initialize WinRM for WEF without enabling the listener or opening inbound firewall rules?

    Afraid not. Source‑initiated WEF explicitly requires WinRM to be fully initialized on the source, including a local listener and firewall rules.

    2. What is the minimal required WinRM configuration for source-initiated WEF in an Intune-managed environment?

    The WinRM service must be enabled and running with a local listener (via winrm quickconfig or equivalent policy), while inbound access can be restricted/scoped to limit remote management exposure.

    Refer to: https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription

    Hope this helps!


1 additional answer

  Q&A Assist
    2026-03-24T17:21:01.4966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For source-initiated Windows Event Forwarding, WinRM must be configured and running on the client, even though the collector initiates no inbound management sessions to that client.

    From the documented source-initiated configuration:

    • WinRM must be configured on the event source (client) with:
        winrm qc -q

    • This is explicitly required both when sources are in the same domain and when they are in a different domain from the collector.

    On the event source computer (same-domain scenario):

    1. Run from an elevated command prompt on the domain controller (for policy application):
         winrm qc -q
    2. Configure the SubscriptionManager setting in Group Policy under: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.
    3. Apply policy with:
         gpupdate /force

    On the event source computer (different-domain / workgroup scenario):

    1. Run on the event source:
         winrm qc -q
    2. Configure the "Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager" policy and set the SubscriptionManagers value to the collector URI.
    3. Apply policy with:
         gpupdate /force

    For Defender for Identity’s WEF guidance (also source-initiated), the minimum client-side configuration is the same:

    1. On each domain controller (acting as WEF client):
         winrm quickconfig
    2. Configure the "Configure target Subscription Manager" policy with:
         Server=http://<fqdnMicrosoftDefenderForIdentitySensor>:5985/wsman/SubscriptionManager/WEC,Refresh=10
    3. Apply policy with:
         gpupdate /force

    This shows that the supported and documented minimal requirement for WEF clients is:

    • WinRM service installed and configured via winrm quickconfig.
    • WinRM used by the Event Forwarding client to connect outbound to the collector’s Subscription Manager URI.
    • Event Forwarding policy configured (SubscriptionManager) and applied.

    The documentation does not provide a supported method to initialize WinRM for WEF without running winrm quickconfig on the client. It also does not describe a separate “client-only” WinRM mode for WEF that avoids the standard WinRM configuration step.

    For a minimal, secure configuration in an Intune-managed environment, the documented baseline is therefore:

    • Ensure winrm quickconfig (or equivalent configuration) is applied on each WEF client.
    • Configure the Subscription Manager via policy (GPO or Intune) to point to the collector.
    • Ensure the collector is configured with winrm qc -q and wecutil qc /q and has the appropriate listener and certificates, as required by the chosen HTTP/HTTPS configuration.

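The client-side state both answers describe (WinRM service running, a local listener created by winrm quickconfig, inbound access scoped rather than open, Subscription Manager policy present), checked and applied from PowerShell as an added example; this is not code from the thread or from Microsoft's documentation. The collector FQDN and IP address are placeholder assumptions, and the script assumes the Intune-delivered policy lands in the same registry key the "Configure target Subscription Manager" Group Policy setting writes to.

```powershell
# Added example (not from the thread): check and apply the minimal WinRM state a
# source-initiated WEF client needs, then scope the inbound exposure it creates.
# Run elevated on the client. Placeholder assumptions:
$CollectorFqdn = 'wec01.corp.example'   # assumed collector FQDN
$CollectorIp   = '10.0.0.20'            # assumed collector IPv4 address
# Registry key written by the "Configure target Subscription Manager" policy
# (assumed to also be where the Intune-delivered setting lands):
$SubMgrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# 1. The WinRM service must be running and start automatically.
$svc = Get-Service -Name WinRM
if ($svc.StartType -ne 'Automatic') { Set-Service -Name WinRM -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name WinRM }

# 2. A local listener must exist; winrm quickconfig creates an HTTP listener on all
#    addresses and enables the inbound WinRM firewall rules (the accepted answer's point).
if (-not (Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)) {
    winrm quickconfig -q | Out-Null
}

# 3. Scope those inbound rules to the collector only. Forwarding itself is outbound,
#    so this is the "restricted/scoped" inbound access the accepted answer refers to.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $CollectorIp

# 4. Confirm the Subscription Manager policy points at the collector. Values look like:
#    Server=http://<collector>:5985/wsman/SubscriptionManager/WEC,Refresh=<seconds>
$key = Get-Item -Path $SubMgrKey -ErrorAction SilentlyContinue
$targets = @()
if ($key) { $targets = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } }
if (-not ($targets | Where-Object { $_ -like "*$CollectorFqdn*" })) {
    Write-Warning "No SubscriptionManager value for $CollectorFqdn under $SubMgrKey"
}

# 5. The forwarding plug-in logs connection success or failure here; check it after
#    the policy has been applied (gpupdate /force or an Intune sync).
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Step 3 is the only part that changes what winrm quickconfig left behind; the listener stays (the accepted answer says it is required), but only the collector's address can reach it.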
