Troubleshooting WINRM Unlock in Domotz

This article will help you to troubleshoot the unlock for the OS monitoring feature for Microsoft Windows or in case of an Authentication error while using the Windows Integration Scripts.

If the unlock option is missing, ensure that the WinRM service is enabled and that the Domotz Agent Collector has permission to connect to the WinRM service port (TCP port 5985).

First three steps – Making sure you have run the script in the right way

1) Be sure you have downloaded the latest version of “WIRNM Enable ps script” from here: https://github.com/domotz/support_scripts/raw/main/os_monitoring/enable_winrm_os_monitoring.zip

2) Be sure you are NOT using the Powershell ISE, but instead be sure to run the script from a standard Power Shell console with Administrative Privileges.

3) Run the script: if you would like to run the script for local users please jump to 3a, if your would like to unlock with domain users, please jump to 3b.

3a) Run the script for local windows users: https://help.domotz.com/monitoring-management/os-monitoring-feature/#htoc-run-the-script-for-local-users

In case when you run the script as a local user. After While unlocking the device on the Domotz portal for OS monitoring, in the username field please enter the “$computername\username” as a username.

If you are unsure about the computer name, please open a cmd terminal and run the command “hostname”:

This command shall return the computer name of the system so that you can get the $computername

In the case when you run the script with a username argument and that user does not exist. The script creates a user with the provided username and creates a random password for this user which is mentioned in the same PowerShell terminal where the script has run. Please make sure to use that password while unlocking the Device on Domotz portal, otherwise you would encounter wrong credentials errors. You can also change the password for that newly created user by navigating to users and group settings of the machine.

3b) Run the script for Domain users: https://help.domotz.com/monitoring-management/os-monitoring-feature/#htoc-run-the-script-for-domain-users

Check all the permissions visually

4) Ensure that the account you are using to unlock the device is member of the group you granted the permission to (which is the group name you set as parameter when running the script).

5) Visually verify that the group actually has WinRM and WMI permission

WINRM Permissions:

a. From a PS shell run ‘winrm configsddl default’

b. On the newly opened window verify that the group has the required permissions for the DomotzWinRM group (or the name of the group you used in your use case):

WMI Permissions:

Check that the group has the required WMI permissions.

a. From a Ps session as Administrator, run the command ‘compmgmt.msc’

b. On the newly created window expand “Services and Applications”, right-click on “WMI Control” and select “Properties“, then select the “Security” tab, expand “Root“, expand “CIMV2” and select the button “Security” a bottom left, then verify that the group has the required permissions:

Other troubleshooting

6) You may encounter some issue with specific PowerShell cmdlet inside the script, these are usually in the log file, try to run them under the same context of the user who ran the script (if the user is SYSTEM you can try with PSExec64.exe ), maybe the WMI repository is broken or default security has been changed by GPO or other configuration enforcement tools for security/hardening purposes.

To try to rebuild the broken repository please see here: WMI: Repository Corruption, or Not?

7) If any of the above does not help in your situation, please open a ticket at support@domotz.com providing us the logs which will be extracted from the affected system by running this PowerShell script on it:

https://raw.githubusercontent.com/domotz/support_scripts/main/os_monitoring/src/domotzLogCollector.ps1