WinRM service re-config


Despite the fact that events had been forwarding successfully before, I came across errors in the target Win2016 system's event log: 10128 and 10129. Everything appears to be correct.

Samples:

  • The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (http://+:5985/wsman/SubscriptionManager/WEC) in HTTP.SYS.
  • The WS-Management client is not listening for pushed events because there was a failure binding to the URL (http://+:5985/wsman/subscriptions/C66628DA-E0B8-43BF-A210-C4B685C23608) in HTTP.SYS.

Run netsh http show urlacl and note the URL mentioned in event 10128.

Go to another collector that is working correctly. Run the same command and compare. On Win2016 it showed:

 Reserved URL            : http://+:5985/wsman/
    User: NT SERVICE\WinRM
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)

But on a functioning collector (happened to be Win2012r2) it showed:

Reserved URL            : http://+:5985/wsman/
    User: NT SERVICE\WinRM
        Listen: Yes
        Delegate: No
    User: NT SERVICE\Wecsvc
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

The reservation on the non-functioning collector lacks the NT SERVICE\Wecsvc entry, so http://+:5985/wsman/ will need to be removed and recreated with both SIDs in the SDDL:

netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

Note: restarting the system and/or the winrm and wecsvc services would be a good idea too.
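
The comparison above can be scripted. The following PowerShell check is an added example, not part of the original page: it reads netsh http show urlacl output and reports which of the two service accounts has no GX allow ACE on the http://+:5985/wsman/ reservation. The helper name Get-MissingWsmanAce is hypothetical, and the script assumes English netsh labels and the two SIDs shown in the working collector's output.

```powershell
# Added example. The two SIDs are the ones in the working collector's SDDL above.
$RequiredSids = [ordered]@{
    'NT SERVICE\WinRM'  = 'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970'
    'NT SERVICE\Wecsvc' = 'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517'
}

function Get-MissingWsmanAce {
    # Hypothetical helper: returns the accounts that have no GX allow ACE
    # on the given reservation. Assumes English netsh labels.
    param(
        [string[]]$NetshOutput,
        [string]$Url = 'http://+:5985/wsman/'
    )
    $inBlock = $false
    $sddl = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            # Start of a reservation block; track only the one we care about
            $inBlock = ($Matches[1] -eq $Url)
        } elseif ($inBlock -and $line -match '^\s*SDDL:\s*(\S+)') {
            $sddl = $Matches[1]
        }
    }
    if (-not $sddl) { throw "No reservation found for $Url" }

    # Trustee SID of every allow ACE that grants GX
    $granted = [regex]::Matches($sddl, '\(A;;GX;;;(S-[0-9-]+)\)') |
        ForEach-Object { $_.Groups[1].Value }

    $RequiredSids.GetEnumerator() |
        Where-Object { $granted -notcontains $_.Value } |
        ForEach-Object { $_.Key }
}

# Output of the failing Win2016 collector, as shown above
$failing = @'
Reserved URL            : http://+:5985/wsman/
    User: NT SERVICE\WinRM
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)
'@ -split "`r?`n"

$missing = Get-MissingWsmanAce -NetshOutput $failing
if ($missing) { Write-Warning "No listen ACE for: $($missing -join ', ')" }

# On a live collector, feed it the real output instead:
# Get-MissingWsmanAce -NetshOutput (netsh http show urlacl url=http://+:5985/wsman/)
```

Running the same check after recreating the reservation should return nothing for both accounts.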
