You can manage machines remotely without disabling the firewall. Open exactly the ports that WMI, DCOM and RPC need, nothing more and nothing less. WMI then lets you query machines remotely: collect system information, run commands and manage scheduled tasks, from the console or from a PowerShell script.
When a Get-WmiObject call against a remote host fails with an RPC error (typically "The RPC server is unavailable", HRESULT 0x800706BA, which is what you get when TCP 135 or the dynamic RPC ports are blocked), the easy fix is to disable Windows Firewall on the target machines. That is a very bad idea on a network where machines with different trust levels coexist.
The correct fix: open precisely the ports that WMI and remote scheduled-task management require, and require authentication on each rule.
How WMI Works on a Network
WMI uses DCOM (Distributed COM) for network communications, which itself relies on RPC (Remote Procedure Call). The complete stack:
WMI Client
→ DCOM (TCP port 135 — RPC Endpoint Mapper)
→ RPC (dynamic ports — negotiated via port 135)
→ WMI Service (winmgmt)
This is why you cannot just "open the WMI port": the client first connects to the RPC Endpoint Mapper on TCP 135, which returns the dynamic port on which the winmgmt RPC interface is currently listening (by default somewhere in 49152-65535 on Windows Vista/Server 2008 and later), and the actual data exchange happens on that port. You therefore have to open port 135 for the negotiation and allow the dynamic RPC traffic for the data exchange. Windows Firewall's "Dynamic RPC" port option matches only ports that the RPC runtime has actually registered with the endpoint mapper, and scoping a rule to a service (winmgmt, Schedule) narrows it to that service's endpoints, which is far tighter than opening the whole ephemeral range.
Remote management of scheduled tasks uses the same RPC infrastructure, with the Task Scheduler service (service name Schedule) in addition.
Creating the GPO
In the GPMC:
Right-click the target OU → Create a GPO in this domain and link it here
Name: Firewall_GPupdate
Link to SERVERS and STATIONS — wherever you want to be able to administer remotely.
Firewall rules to create
Computer Configuration → Policies → Windows Settings → Security Settings
→ Windows Firewall with Advanced Security → Inbound Rules
All rules are configured with "Require authentication", so no unauthenticated WMI traffic gets through. One caveat to know before deploying: in Windows Firewall with Advanced Security this setting is the "Allow the connection if it is secure" option, which matches only traffic protected by IPsec. It therefore needs a matching connection security rule (for example Kerberos-authenticated transport mode) on both the administration machines and the targets; without IPsec, rules set this way never match and Get-WmiObject keeps failing with the same RPC error even though the GPO applied. If you do not run IPsec, use a plain Allow and compensate by scoping the rules to the administration subnet (Remote IP address). DCOM itself still authenticates the caller with Kerberos or NTLM and checks the DCOM and WMI namespace permissions, so the connection is not anonymous either way.
Rule 1 — Asynchronous WMI (TCP)
Allows asynchronous WMI callbacks into unsecapp.exe. This rule matters on the side that issues asynchronous WMI calls: the target's winmgmt connects back to the caller's unsecapp.exe to deliver results, so the administration machines need it, not only the servers. Linking the GPO to both covers it.
| Setting | Value |
|---|---|
| Program | %systemroot%\system32\wbem\unsecapp.exe |
| Protocol | TCP |
| Local Port | Any |
| Action | Allow |
| Security | Require authentication |
| Group | Windows Management Instrumentation (WMI) |
Rule 2 — WMI-In (TCP)
Allows incoming WMI connections to the winmgmt service (hosted in svchost.exe) on whatever dynamic RPC port it registers.
| Setting | Value |
|---|---|
| Program | %SystemRoot%\system32\svchost.exe |
| Service | winmgmt |
| Protocol | TCP |
| Local Port | Any |
| Action | Allow |
| Security | Require authentication |
| Group | Windows Management Instrumentation (WMI) |
Rule 3 — DCOM-In (TCP 135)
Allows DCOM traffic on port 135 — this is the entry point for all network WMI communication.
| Setting | Value |
|---|---|
| Program | %SystemRoot%\system32\svchost.exe |
| Service | rpcss |
| Protocol | TCP |
| Local Port | 135 |
| Action | Allow |
| Security | Require authentication |
| Group | Windows Management Instrumentation (WMI) |
Rule 4 — RPC-EPMAP Scheduled Tasks
Allows RPC/TCP traffic for the Task Scheduler service via the endpoint mapper. This is the same TCP 135 as Rule 3; the duplicate mirrors Windows' predefined "Remote Scheduled Tasks Management (RPC-EPMAP)" rule and keeps the group self-contained, so either group can be enabled or disabled without breaking the other.
| Setting | Value |
|---|---|
| Program | %SystemRoot%\system32\svchost.exe |
| Service | rpcss |
| Protocol | TCP |
| Local Port | RPC Endpoint Mapper |
| Action | Allow |
| Security | Require authentication |
| Group | Remote Scheduled Tasks Management |
Rule 5 — Dynamic RPC Scheduled Tasks
Allows dynamic RPC traffic for remote management of scheduled tasks, restricted to the ports the Schedule service registers with the endpoint mapper.
| Setting | Value |
|---|---|
| Program | %SystemRoot%\system32\svchost.exe |
| Service | Schedule |
| Protocol | TCP |
| Local Port | Dynamic RPC |
| Action | Allow |
| Security | Require authentication |
| Group | Remote Scheduled Tasks Management |
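The same five rules can be written into the GPO from PowerShell with the NetSecurity module instead of clicking through the GPMC, which makes the rule set reviewable and repeatable. The following is an added example, not code from the original article: it assumes the domain is `corp.example`, that the GPO `Firewall_GPupdate` already exists, that the management network is `10.10.0.0/24` (the Remote IP address scoping is an addition, not something the article's tables set), and that it is run with RSAT (GroupPolicy and NetSecurity modules) by an account allowed to edit the GPO.

```powershell
# Added example (not from the original article). Assumptions: domain corp.example,
# existing GPO "Firewall_GPupdate", management subnet 10.10.0.0/24.
$Gpo      = "corp.example\Firewall_GPupdate"   # PolicyStore syntax: <domain FQDN>\<GPO name>
$AdminNet = "10.10.0.0/24"                      # scope the rules to the management network
$svchost  = "%SystemRoot%\system32\svchost.exe"

# Open the GPO once and batch every rule into a single save (one SYSVOL write)
$gpoSession = Open-NetGPO -PolicyStore $Gpo

# Settings shared by all five rules. Authentication=Required is the article's
# "Require authentication" and only matches IPsec-protected traffic; change it to
# NotRequired if no connection security rules are deployed, otherwise nothing matches.
$common = @{
    Direction      = "Inbound"
    Action         = "Allow"
    Protocol       = "TCP"
    Profile        = "Domain"
    RemoteAddress  = $AdminNet
    Authentication = "Required"
    Enabled        = "True"
    GPOSession     = $gpoSession
}

$wmiGroup  = "Windows Management Instrumentation (WMI)"
$taskGroup = "Remote Scheduled Tasks Management"

# Rule 1: asynchronous WMI callbacks into unsecapp.exe
New-NetFirewallRule @common -DisplayName "WMI (ASync-In)" -Group $wmiGroup `
    -Program "%SystemRoot%\system32\wbem\unsecapp.exe" -LocalPort Any

# Rule 2: WMI-In, the winmgmt service on its dynamic RPC port
New-NetFirewallRule @common -DisplayName "WMI (WMI-In)" -Group $wmiGroup `
    -Program $svchost -Service winmgmt -LocalPort Any

# Rule 3: DCOM-In, the RPC endpoint mapper on TCP 135
New-NetFirewallRule @common -DisplayName "WMI (DCOM-In)" -Group $wmiGroup `
    -Program $svchost -Service rpcss -LocalPort 135

# Rule 4: endpoint mapper for the Task Scheduler group (same port as rule 3, own group)
New-NetFirewallRule @common -DisplayName "Remote Scheduled Tasks Management (RPC-EPMAP)" -Group $taskGroup `
    -Program $svchost -Service rpcss -LocalPort RPCEPMap

# Rule 5: dynamic RPC ports bound by the Schedule service
New-NetFirewallRule @common -DisplayName "Remote Scheduled Tasks Management (RPC)" -Group $taskGroup `
    -Program $svchost -Service Schedule -LocalPort RPC

Save-NetGPO -GPOSession $gpoSession

# Review what actually landed in the GPO before linking it
Get-NetFirewallRule -PolicyStore $Gpo |
    Where-Object Direction -eq Inbound |
    Select-Object DisplayName, Group, Enabled, Action |
    Format-Table -AutoSize
```

The `-LocalPort` keywords `RPCEPMap` and `RPC` are the PowerShell names for the "RPC Endpoint Mapper" and "Dynamic RPC" options in the console. Grouping the rules under the same group names as Windows' predefined rules lets you later toggle them with `Enable-NetFirewallRule -DisplayGroup` on a target.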
Post-deployment verification
From an administration machine, after running gpupdate /force on the target (or waiting for the next policy refresh):
```powershell
# Basic WMI test over DCOM/RPC, the path this GPO opens
Get-WmiObject -ComputerName "MachineName" -Class Win32_OperatingSystem |
    Select-Object Caption, Version, LastBootUpTime
# CIM test: Get-CimInstance/New-CimSession default to WSMan (WinRM, TCP 5985),
# which this GPO does not open, so force the DCOM protocol
$session = New-CimSession -ComputerName "MachineName" -SessionOption (New-CimSessionOption -Protocol Dcom)
Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
# Scheduled tasks via the TaskScheduler CIM provider (still WMI, same DCOM session)
Get-ScheduledTask -CimSession $session | Select-Object -First 5
Remove-CimSession $session
# Rules 4 and 5 (Schedule service RPC interface) are exercised only by the native
# Task Scheduler client: schtasks.exe or the Task Scheduler MMC
schtasks.exe /S MachineName /Query /FO LIST | Select-Object -First 20
```
If every command returns results without an RPC error, the policy is correctly applied. If "The RPC server is unavailable" persists after gpupdate, check that the rules are actually matching traffic on the target (Get-NetFirewallRule, and whether "Require authentication" is satisfied by an IPsec connection security rule) before touching DCOM permissions; "Access is denied" means the firewall path works and the remaining problem is authorization.
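When a check fails it helps to know which layer failed: the endpoint mapper (TCP 135), the dynamic RPC port, or DCOM authorization. The function below is an added example, not part of the original article; `Test-RemoteWmi` is a name chosen here, and it assumes the caller already holds DCOM/WMI rights on the target and that PowerShell 5.1 or later with the NetTCPIP module (Test-NetConnection) is available on the administration machine.

```powershell
# Added example (not from the original article). Assumptions: function name Test-RemoteWmi
# is ours; caller has DCOM/WMI rights on the target; Test-NetConnection is available.
function Test-RemoteWmi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $TimeoutSeconds = 5
    )

    $result = [ordered]@{ ComputerName = $ComputerName; Port135 = $false; Wmi = $false; Cause = $null }

    # 1. Endpoint mapper reachable? If not, the DCOM-In / RPC-EPMAP rule (TCP 135) is
    #    missing, or set to "Require authentication" without an IPsec rule to satisfy it.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $result.Port135 = [bool]$tcp.TcpTestSucceeded
    if (-not $result.Port135) {
        $result.Cause = "TCP 135 closed: DCOM-In rule not applied or not matching (or host down)"
        return [pscustomobject]$result
    }

    # 2. Full DCOM path: 135 -> dynamic port of winmgmt -> authenticated WMI query.
    #    Force DCOM so the test does not silently fall back to WinRM, which this GPO does not open.
    try {
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt `
                       -OperationTimeoutSec $TimeoutSeconds -ErrorAction Stop
        $null    = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        Remove-CimSession $session
        $result.Wmi   = $true
        $result.Cause = "OK"
    }
    catch {
        # HResult is a signed Int32; mask it so it compares with the familiar 0x8007xxxx literals.
        $code = $_.Exception.HResult -band 0xFFFFFFFF
        $msg  = $_.Exception.Message
        if ($code -eq 0x800706BA -or $msg -match 'RPC server is unavailable') {
            # 135 answered but the dynamic port did not: WMI-In rule missing or not matching
            $result.Cause = "0x800706BA RPC server unavailable: 135 open, dynamic RPC port blocked (check WMI-In rule)"
        }
        elseif ($code -eq 0x80070005 -or $msg -match 'Access is denied') {
            # Firewall path is fine; this is DCOM / WMI namespace permissions or credentials
            $result.Cause = "0x80070005 Access denied: firewall OK, check DCOM and WMI permissions"
        }
        else {
            $result.Cause = ("Other error 0x{0:X8}: {1}" -f $code, $msg)
        }
    }
    return [pscustomobject]$result
}

# Usage: sweep every computer in an OU the GPO is linked to (OU path is an assumption)
# Get-ADComputer -SearchBase "OU=SERVERS,DC=corp,DC=example" -Filter * |
#     ForEach-Object { Test-RemoteWmi -ComputerName $_.DNSHostName } |
#     Format-Table -AutoSize
```

Read the output from the firewall's point of view: `Port135 = False` means Rule 3 is not in effect on that host, a 0x800706BA with `Port135 = True` means the endpoint mapper answered but the winmgmt dynamic port is still blocked (Rule 2), and 0x80070005 means the network path is fully open and the problem has moved to DCOM or WMI namespace permissions.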
What this GPO does not do
This GPO opens only what WMI and scheduled task management need. It does not open PowerShell remoting (WinRM, TCP 5985/5986), SMB, or any other remote administration service; in particular, CIM cmdlets must be pointed at DCOM explicitly, because their default WSMan transport is not allowed through. Each service gets its own firewall rules, in its own GPO.