Policy CSP - RemoteManagement
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
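As an added example (not from the page or from Microsoft's own samples), the Python below builds the SyncML Replace command the Tip describes for the AllowBasicAuthentication_Client node in both the XML-escaped and the CDATA form, then parses each as a device would to confirm the decoded payload is the ADMX `<disabled/>` element. The element layout of the SyncML, the CmdID value and the choice of `<disabled/>` as payload are assumptions.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Assumed target: the AllowBasicAuthentication_Client node from this page, set to
# its <disabled/> ADMX state so the WinRM client never falls back to Basic auth.
LOC_URI = "./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Client"


def build_syncml(loc_uri: str, payload: str, cmd_id: int = 2, use_cdata: bool = False) -> str:
    """Return a SyncML <Replace> for an ADMX-backed policy node.

    Meta/Format must be 'chr', and the ADMX payload (e.g. '<disabled/>') must be
    either XML-escaped or wrapped in a CDATA section; otherwise the '<' of the
    payload is parsed as markup and the device sees an empty Data element.
    """
    data = f"<![CDATA[{payload}]]>" if use_cdata else escape(payload)
    return f"""<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>{cmd_id}</CmdID>
      <Item>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Target>
          <LocURI>{loc_uri}</LocURI>
        </Target>
        <Data>{data}</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>"""


def _local(tag: str) -> str:
    # Strip the namespace prefix ElementTree adds ('{ns}Name' -> 'Name').
    return tag.rsplit("}", 1)[-1]


def decode_payload(syncml: str) -> dict:
    """Parse a SyncML document the way a receiving device would and return the
    decoded Format, LocURI and Data text of the first Item. Data is the payload
    after XML unescaping / CDATA removal, i.e. what the policy engine receives."""
    root = ET.fromstring(syncml)
    found = {}
    for el in root.iter():
        name = _local(el.tag)
        if name in ("Format", "LocURI", "Data") and name not in found:
            found[name] = (el.text or "").strip()
    return found


if __name__ == "__main__":
    for cdata in (False, True):
        doc = build_syncml(LOC_URI, "<disabled/>", use_cdata=cdata)
        print(doc)
        print(decode_payload(doc))
```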
AllowBasicAuthentication_Client
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Client
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
If you disable or don't configure this policy setting, the WinRM client doesn't use Basic authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | AllowBasic_2 |
Friendly Name | Allow Basic authentication |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client |
Registry Value Name | AllowBasic |
ADMX File Name | WindowsRemoteManagement.admx |
AllowBasicAuthentication_Service
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Service
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client.
If you disable or don't configure this policy setting, the WinRM service doesn't accept Basic authentication from a remote client.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | AllowBasic_1 |
Friendly Name | Allow Basic authentication |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | AllowBasic |
ADMX File Name | WindowsRemoteManagement.admx |
AllowCredSSPAuthenticationClient
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowCredSSPAuthenticationClient
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication.
If you enable this policy setting, the WinRM client uses CredSSP authentication.
If you disable or don't configure this policy setting, the WinRM client doesn't use CredSSP authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | AllowCredSSP_2 |
Friendly Name | Allow CredSSP authentication |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client |
Registry Value Name | AllowCredSSP |
ADMX File Name | WindowsRemoteManagement.admx |
AllowCredSSPAuthenticationService
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowCredSSPAuthenticationService
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client.
If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client.
If you disable or don't configure this policy setting, the WinRM service doesn't accept CredSSP authentication from a remote client.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | AllowCredSSP_1 |
Friendly Name | Allow CredSSP authentication |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | AllowCredSSP |
ADMX File Name | WindowsRemoteManagement.admx |
AllowRemoteServerManagement
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
- If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. To allow the WinRM service to receive requests over the network, configure the Windows Firewall policy setting with an exception for port 5985 (the default port for HTTP).
- If you disable or don't configure this policy setting, the WinRM service won't respond to requests from a remote computer, regardless of whether any WinRM listeners are configured.
The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6 addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service doesn't listen on any addresses.
For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.
Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter.
Example IPv4 filters: 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
Example IPv6 filters: 3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562
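The filter semantics above (IP1-IP2 ranges separated by commas, `*` overriding every other range, a blank filter meaning no addresses) as an added Python example that is not part of the original page: it parses a filter string and reports which of a host's addresses the service would listen on. The filter strings are the page's own examples; the host address list is constructed.

```python
import ipaddress

# Filter strings exactly as given in the policy text above.
IPV4_FILTER = "2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22"
IPV6_FILTER = "3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562"

# Constructed list of addresses a host might have; only some fall inside the filters.
HOST_ADDRS = [
    "127.0.0.1",
    "2.0.0.5",
    "2.0.0.30",
    "24.0.0.22",
    "3FFE:FFFF:7654:FEDA:1245:BA98:0000:0001",
    "fe80::1",
]


def parse_filter(spec: str, version: int):
    """Parse a WinRM IPv4Filter/IPv6Filter string.

    Returns None for '*' (listen on every address; any other ranges are
    ignored), an empty list for a blank filter (listen on nothing), otherwise
    a list of (low, high) inclusive address pairs. Raises ValueError for a
    malformed range or one whose addresses are not of the expected IP version.
    """
    parts = [p.strip() for p in spec.split(",") if p.strip()]
    if any(p == "*" for p in parts):
        return None
    ranges = []
    for part in parts:
        if "-" not in part:
            raise ValueError(f"range must use IP1-IP2 syntax: {part!r}")
        low_s, high_s = (s.strip() for s in part.split("-", 1))
        low, high = ipaddress.ip_address(low_s), ipaddress.ip_address(high_s)
        if low.version != version or high.version != version:
            raise ValueError(f"expected IPv{version} addresses in {part!r}")
        if high < low:
            raise ValueError(f"range is reversed: {part!r}")
        ranges.append((low, high))
    return ranges


def listening_addresses(host_addrs, ipv4_filter: str, ipv6_filter: str):
    """Return the host addresses (normalised form) the WinRM service would
    listen on under the given filters, following the policy text."""
    filters = {4: parse_filter(ipv4_filter, 4), 6: parse_filter(ipv6_filter, 6)}
    selected = []
    for addr in (ipaddress.ip_address(a) for a in host_addrs):
        ranges = filters[addr.version]
        if ranges is None or any(low <= addr <= high for low, high in ranges):
            selected.append(str(addr))
    return selected


if __name__ == "__main__":
    print(listening_addresses(HOST_ADDRS, IPV4_FILTER, IPV6_FILTER))
```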
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | AllowAutoConfig |
Friendly Name | Allow remote server management through WinRM |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | AllowAutoConfig |
ADMX File Name | WindowsRemoteManagement.admx |
AllowUnencryptedTraffic_Client
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowUnencryptedTraffic_Client
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.
If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network.
If you disable or don't configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | AllowUnencrypted_2 |
Friendly Name | Allow unencrypted traffic |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client |
Registry Value Name | AllowUnencryptedTraffic |
ADMX File Name | WindowsRemoteManagement.admx |
AllowUnencryptedTraffic_Service
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowUnencryptedTraffic_Service
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
If you enable this policy setting, the WinRM service sends and receives unencrypted messages over the network.
If you disable or don't configure this policy setting, the WinRM service sends or receives only encrypted messages over the network.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | AllowUnencrypted_1 |
Friendly Name | Allow unencrypted traffic |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | AllowUnencryptedTraffic |
ADMX File Name | WindowsRemoteManagement.admx |
DisallowDigestAuthentication
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowDigestAuthentication
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.
If you enable this policy setting, the WinRM client doesn't use Digest authentication.
If you disable or don't configure this policy setting, the WinRM client uses Digest authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DisallowDigest |
Friendly Name | Disallow Digest authentication |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client |
Registry Value Name | AllowDigest |
ADMX File Name | WindowsRemoteManagement.admx |
DisallowNegotiateAuthenticationClient
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowNegotiateAuthenticationClient
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication.
If you enable this policy setting, the WinRM client doesn't use Negotiate authentication.
If you disable or don't configure this policy setting, the WinRM client uses Negotiate authentication.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DisallowNegotiate_2 |
Friendly Name | Disallow Negotiate authentication |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client |
Registry Value Name | AllowNegotiate |
ADMX File Name | WindowsRemoteManagement.admx |
DisallowNegotiateAuthenticationService
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowNegotiateAuthenticationService
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client.
If you enable this policy setting, the WinRM service doesn't accept Negotiate authentication from a remote client.
If you disable or don't configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DisallowNegotiate_1 |
Friendly Name | Disallow Negotiate authentication |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | AllowNegotiate |
ADMX File Name | WindowsRemoteManagement.admx |
DisallowStoringOfRunAsCredentials
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowStoringOfRunAsCredentials
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service prevents RunAs credentials from being stored for any plug-ins.
If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.
If you disable or don't configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely.
If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DisableRunAs |
Friendly Name | Disallow WinRM from storing RunAs credentials |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | DisableRunAs |
ADMX File Name | WindowsRemoteManagement.admx |
SpecifyChannelBindingTokenHardeningLevel
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/SpecifyChannelBindingTokenHardeningLevel
This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens.
If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token.
If you disable or don't configure this policy setting, you can configure the hardening level locally on each computer.
If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected.
If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that doesn't contain a channel binding token is accepted (though it isn't protected from credential-forwarding attacks).
If HardeningLevel is set to None, all requests are accepted (though they aren't protected from credential-forwarding attacks).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | CBTHardeningLevel_1 |
Friendly Name | Specify channel binding token hardening level |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | CBTHardeningLevelStatus |
ADMX File Name | WindowsRemoteManagement.admx |
TrustedHosts
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TrustedHosts
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity.
If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host.
If you disable or don't configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TrustedHosts |
Friendly Name | Trusted Hosts |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client |
Registry Value Name | TrustedHosts |
ADMX File Name | WindowsRemoteManagement.admx |
TurnOnCompatibilityHTTPListener
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TurnOnCompatibilityHTTPListener
This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service.
If you enable this policy setting, the HTTP listener always appears.
If you disable or don't configure this policy setting, the HTTP listener never appears.
When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985.
A listener might be automatically created on port 80 to ensure backward compatibility.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | HttpCompatibilityListener |
Friendly Name | Turn On Compatibility HTTP Listener |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | HttpCompatibilityListener |
ADMX File Name | WindowsRemoteManagement.admx |
TurnOnCompatibilityHTTPSListener
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TurnOnCompatibilityHTTPSListener
This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service.
If you enable this policy setting, the HTTPS listener always appears.
If you disable or don't configure this policy setting, the HTTPS listener never appears.
When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986.
A listener might be automatically created on port 443 to ensure backward compatibility.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | HttpsCompatibilityListener |
Friendly Name | Turn On Compatibility HTTPS Listener |
Location | Computer Configuration |
Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service |
Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service |
Registry Value Name | HttpsCompatibilityListener |
ADMX File Name | WindowsRemoteManagement.admx |