Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.

During an installation, the error only occurs if the Server Manager is used. In case of uninstallation, it does not matter whether it is done through Server Manager or Windows PowerShell.

In the Server Manager, you can see that the status for "Remote Management" is set to "Unknown".

When you click on the status, you get an error message.

Via the command line, the error can be narrowed down with the following command:

winrm enumerate winrm/config/listener

Causes

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

Often, the underlying cause is a hardening measure, which in this case shows undesirable side effects.

The error pattern may have the following causes:

  • Remote shell connections are not accepted
  • Negotiate authentication is disabled for the WinRM client
  • Negotiate authentication is disabled for the WinRM server

Details: Remote shell connections are not accepted

The setting can be set via group policies. It can be found under "Computer Configuration" - "Administrative Templates" - "Windows Components" - "Windows Remote Shell".

The "Allow Remote Shell Access" option must be set to "Enabled" (or "Not configured").

In the registry the setting is shown in the following path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS]
"AllowRemoteShellAccess"=dword:00000001

Details: Negotiate authentication is disabled for WinRM client

The setting can be set via group policies. It can be found under "Computer Configuration" - "Administrative Templates" - "Windows Components" - "Windows Remote Management (WinRM)" - "Client".

The Disallow Negotiate Authentication option must be set to Disabled (or Not configured).

In the registry the setting is shown in the following path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client]
"AllowNegotiate"=dword:00000001

Details: Negotiate authentication is disabled for WinRM service

The setting can be set via group policies. It can be found under "Computer Configuration" - "Administrative Templates" - "Windows Components" - "Windows Remote Management (WinRM)" - "Service".

The Disallow Negotiate Authentication option must be set to Disabled (or Not configured).

In the registry the setting is shown in the following path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service]
"AllowNegotiate"=dword:00000001

After modification via registry a restart of the Windows Remote Management service is required.

Restart service WinRM

Related links:

External sources

en_USEnglish