WinRM not listening on Default Port

Justin Yaple 96 Reputation points
2021-03-07T16:22:28.717+00:00

I am having some trouble with the default WinRM listener not wanting to use HTTPS port 5986.

Everything appears to be configured correctly:

Winrm get winrm/config

Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter [Source="GPO"]
        EnableCompatibilityHttpListener = true [Source="GPO"]
        EnableCompatibilityHttpsListener = true [Source="GPO"]
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

However, when I enumerate the listeners, its HTTPS listener is on 443 instead of the configured default port. No amount of rebooting or trying to change it has helped.

winrm enumerate winrm/config/Listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = <REMOVED>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = <REMOVED>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = <REMOVED>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = <REMOVED>
    ListeningOn = <REMOVED>

I checked and there are no other services listening on port 5986 that would be causing a conflict. The system is just choosing not to listen for some reason on the default port.


Accepted answer
  1. Justin Yaple 96 Reputation points
    2021-08-12T20:17:58.037+00:00

    I finally found the solution to this.

    #https://gist.github.com/bender-the-greatest/3e2f6e6d606eebaeedbacd8722e52396
    
    if(!$($(Winrm enumerate winrm/config/listener) -match "Port = 5986")){
        winrm create winrm/config/listener?Address=*+Transport=HTTPS
    }
    

6 additional answers

  1. Danilo Rocha 1 Reputation point
    2021-05-25T17:54:13.63+00:00

    I have the same issue; is there any solution?


  2. Ronaldod 1 Reputation point
    2021-04-12T13:43:05.06+00:00

    @Justin Yaple
    Hit the same problem.
    The ports 80 and 443 are from the compatibility listeners. These are not wanted. And all references I could find to activate the SSL part are a PowerShell command. But that is not what I would like from a GPO.
    Any progress on your side?


  3. Karlie Weng 14,106 Reputation points Microsoft Vendor
    2021-03-17T09:17:52.85+00:00

    Hello @Justin Yaple

    Please check this setting: EnableCompatibilityHttpsListener.

    According to this article, it specifies whether the compatibility HTTPS listener is enabled. If this setting is True, then the listener will listen on port 443 in addition to port 5986. The default is False.

    The GPO will override or block any changes you try to make.


    Best Regards
    Karlie

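The check behind the accepted answer and the compatibility-listener explanation above, as an added example that is not part of any post in this thread: it parses the `winrm enumerate winrm/config/Listener` text into objects and reports a missing HTTPS listener on 5986 and any compatibility listeners. The function names and the trimmed sample input are constructed for illustration.

```powershell
# Added example. Parses `winrm enumerate winrm/config/Listener` text into objects.
function ConvertFrom-WinrmListenerText {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Listener(\s*\[Source="(?<src>[^"]+)"\])?\s*$') {
            if ($current) { [pscustomobject]$current }   # emit the previous block
            $src = if ($Matches['src']) { $Matches['src'] } else { '(local)' }
            $current = [ordered]@{ Source = $src }
        }
        elseif ($current -and $line -match '^\s+(?<key>\w+)(\s*=\s*(?<val>.*))?$') {
            # Keys without "= value" (e.g. an empty Hostname) become empty strings.
            $current[$Matches['key']] = "$($Matches['val'])".Trim()
        }
    }
    if ($current) { [pscustomobject]$current }
}

# Reports the two conditions discussed in this thread.
function Get-WinrmListenerFinding {
    param([object[]]$Listeners, [int]$HttpsPort = 5986)
    $https = $Listeners | Where-Object {
        $_.Transport -eq 'HTTPS' -and $_.Port -eq "$HttpsPort" -and $_.Enabled -eq 'true'
    }
    if (-not $https) { "No enabled HTTPS listener on port $HttpsPort" }
    foreach ($l in ($Listeners | Where-Object { $_.Source -eq 'Compatibility' })) {
        "Compatibility $($l.Transport) listener on port $($l.Port)"
    }
}

# Constructed sample: the listener output from the question, trimmed to the fields used.
$sample = @'
Listener [Source="GPO"]
    Transport = HTTP
    Port = 5985
    Enabled = true
Listener [Source="Compatibility"]
    Transport = HTTP
    Port = 80
    Enabled = true
Listener [Source="Compatibility"]
    Transport = HTTPS
    Port = 443
    Enabled = true
'@ -split '\r?\n'

Get-WinrmListenerFinding (ConvertFrom-WinrmListenerText $sample)
# Live host: Get-WinrmListenerFinding (ConvertFrom-WinrmListenerText (winrm enumerate winrm/config/Listener))
```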


  4. Karlie Weng 14,106 Reputation points Microsoft Vendor
    2021-03-08T07:07:25.367+00:00

    Hello @Justin Yaple

    Did you leave the IPv4 and IPv6 filter settings blank?

    "if you leave filters blank you still enable remote management but the listener does not know on which interface to bind itself."


    This blog might help: WinRM would not listen on port 5985

    Best Regards
    Karlie
