How to revert changes made by Enable-PSRemoting?


Some MS tools (like Best Practices Analyzers) automatically run
"Enable-PSRemoting" and then don't clean up after themselves. To reverse these

Start an admin-mode powershell.

Run "Disable-PSRemoting"

This will output:

PS C:\Windows\system32> Disable-PSRemoting
WARNING: Disabling the session configurations does not undo all the changes
made by the Enable-PSRemoting or Enable-PSSessionConfiguration cmdlet. You
might have to manually undo the changes by following these steps.
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which
       restricts remote access to members of the Administrators group on
       the computer.

Do not do step 1 yet. Instead:

List the Windows Remote Management listeners:

winrm enumerate winrm/config/listener

Usually the listener with Address = * and Port = 5985 using Transport = HTTP is
the one you want to remove.

Delete it by running:

winrm delete winrm/config/listener?address=*+transport=HTTP

Then, remove the firewall exceptions for Windows Remote Managment

Then, stop the windows remote management service:

Stop-Service winrm

And disable it:

Set-Service -Name winrm -StartupType Disabled

Finally, revert the LocalAccountTokenFilterPolicy setting to its default value of 0:

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord

Error messages/problems:
this will happen if you followed the output of Disable-PSRemoting verbatim:
    Message = The client cannot connect to the destination specified in the
request. Verify that the service on the dest ination is running and is
accepting requests. Consult the logs and documentation for the WS-Management
service running on the destination, most commonly IIS or WinRM. If the
destination is the WinRM service, run the following command on the destination
to analyze and configure the WinRM service: "winrm quickconfig".

This is why you need to leave WinRM enabled, delete the listeners, and *then*
turn it off.