Configure a device for remote management (Industry 8.1)
7/8/2014
If you have trouble getting the Embedded Lockdown Manager (ELM) to remotely connect to your device, you may want to configure your device for remote management. If your device is joined to a domain, some or all of the following settings may already be configured through Group Policy.
Configure a device for remote management
To enable remote management by using a local administrator account
Sign in to the device with an administrator account.
Set the following registry key to disable User Account Control remote restrictions:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"LocalAccountTokenFilterPolicy"=dword:00000001
For more information about how to change this registry key, see Description of User Account Control and remote restrictions and How to change the Remote UAC LocalAccountTokenFilterPolicy registry setting.
Restart your device.
To enable Windows Management Instrumentation (WMI) traffic through a firewall
On the Start menu, right-click Command Prompt, and then click Run as administrator.
To establish a firewall exception for WMI traffic, type the following command:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
Important
When running ELM on a non-English OS, use the localized group name.
(Optional) If ELM displays an error message that WMI did not respond or failed to connect, you can use individual commands for DCOM, WMI service, callback sink, and outgoing connections to enable WMI traffic.
To establish a firewall exception for DCOM port 135, type the following command:
netsh advfirewall firewall add rule dir=in name="DCOM" program=%systemroot%\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135
To establish a firewall exception for the WMI service, type the following command:
netsh advfirewall firewall add rule dir=in name="WMI" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
To establish a firewall exception for the sink that receives callbacks from a remote computer, type the following command:
netsh advfirewall firewall add rule dir=in name="UnsecApp" program=%systemroot%\system32\wbem\unsecapp.exe action=allow
To establish a firewall exception for outgoing connections to a remote computer that the local computer is communicating with asynchronously, type the following command:
netsh advfirewall firewall add rule dir=out name="WMI_OUT" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
For more information about how to enable WMI traffic, see Connecting to WMI Remotely on MSDN.
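The following PowerShell script is an added example, not part of the original procedure: it reads back, without changing anything, the registry value and the firewall rules that the two procedures above configure, so you can confirm what is actually in effect on a device. It assumes the English rule group name, the rule names used in the netsh commands above, and a system where the NetSecurity cmdlets (Get-NetFirewallRule) are available.

```powershell
# Added example: read-only audit of the settings this page changes.
# Run in an elevated PowerShell session on the device.

$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacName  = 'LocalAccountTokenFilterPolicy'
# English group name; on a non-English OS use the localized group name.
$wmiGroup = 'Windows Management Instrumentation (WMI)'
# Rule names created by the optional individual netsh commands on this page.
$manual   = 'DCOM', 'WMI', 'UnsecApp', 'WMI_OUT'

# 1. UAC remote restrictions: 1 = disabled, 0 or absent = enforced.
$uac = (Get-ItemProperty -Path $uacKey -Name $uacName -ErrorAction SilentlyContinue).$uacName
if ($uac -eq 1) {
    "UAC remote restrictions: DISABLED ($uacName = 1)"
} else {
    "UAC remote restrictions: enforced ($uacName absent or 0)"
}

# 2. Firewall rules: the built-in WMI group plus any manually added rules.
$rules  = @(Get-NetFirewallRule -DisplayGroup $wmiGroup -ErrorAction SilentlyContinue)
$rules += @($manual | ForEach-Object {
    Get-NetFirewallRule -DisplayName $_ -ErrorAction SilentlyContinue
})

# Show state, direction, profile, port and remote-address scope for each rule.
$rules | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Direction     = $_.Direction
        Profile       = $_.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

A rule that shows RemoteAddress Any accepts connections from every host on the listed profiles; Set-NetFirewallRule -RemoteAddress can scope it to the computer that runs ELM.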
Create a custom ELM Microsoft Management Console (MMC) file
You can create a custom console file to configure ELM to work alongside other Microsoft Management Console (MMC) snap-ins, such as Event Viewer.
To create a custom ELM console file
Open a command prompt with administrator rights and type the following to open a new .msc console file in MMC:
mmc
Accept the UAC prompt.
On the MMC File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, from the Available snap-ins list, select Embedded Lockdown Manager, and then click Add.
From the Available snap-ins list, select another snap-in, for example, Event Viewer, and then click Add.
Note
Some snap-ins may display a dialog box to configure the snap-in when you add it to the Selected snap-ins list.
When you have finished adding and configuring any additional snap-ins, click OK.
On the MMC File menu, click Save As and save your custom .msc console file.
You can now use ELM together with other MMC snap-ins in the same console to configure and manage your devices.