Why does Invoke-Command not work on some systems?

Question

I have seen this question asked a lot, but most of the answers boil down to 4 things:

be sure you have run enable-PSRemoting -force on remote system
be sure WMI services are running on remote system.
be sure you have Firewall rules allowing 5985 and 5986 traffic.
be sure on local system you have run Set-Item wsman:\localhost\client\trustedHosts -value * to ensure your local system trusts all it is connecting to.
P.S....* you may want to run it on the remote system as well *

The problem is - this issue still persists, even when the above has been completed and verified. what i have found is this:

Telnet to 5985 and 5986 shows port is open and listening. -- verified they were not in use by another process.
Get-WMIObject -computername <remoteSystemNameHere> works.
Invoke-Command -Computername <remoteSystemNameHere> fails (even with credentials provided)
Using FQDN of remoteSystem does not change the result.

This is only occurring on a handful of servers in our domains and have not been able to to pin down any thing different between those that work and those that do not. I know this question has been asked a lot on this forum, while the basic responses all seem to solve 80-90% of the issues, there are still the 10-20% still looking for answers. Any Help i am sure would be appreciated thanks.

When using Invoke-Command -computername RemoteServerName.domain.ds -credential $cred -scriptblock {get-process "svchost"}

this is the error i get:

[RemoteServerName.domain.ds] Connecting to remote server RemoteServerName.domain.ds failed with the following error message :
The client cannot connect to the destination specified in the request. Verify that the service on the destination is
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (RemoteServerName.domain.ds:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

Do these servers all have the same version of PowerShell/WinRM installed? — Bacon Bits, Oct 21 '19 at 13:34
Are they all on the same domain? That's easier for authentication. — js2010, Oct 21 '19 at 13:44
For the handful of systems where Powershell Remoting/WSMan doesn't work (the backbone of `Invoke-Command`), what error(s) do you get when trying to run `Invoke-Command` against one of these servers? Please include this and the affected versions of Windows in your question. — codewario, Oct 21 '19 at 14:45
Does `winrm get winrm/config` show any IPv4 or IPv6 filters in place? — codewario, Oct 21 '19 at 18:35

Sergio García Galán · Answer 1 · 2023-05-29T10:28:12.243

0

You should check if your server's network connection is Private or Public.

If Public, rules will not be applied to the firewall. Change the network connection to Private and run again 'Enable-PSRemoting -Force'.

edited May 29 '23 at 10:28

answered May 29 '23 at 10:06

Sergio García Galán

11
2

Why does Invoke-Command not work on some systems?

1 Answers1