WinRM service running as „Network service“ causes problems


When using WinRM for managing IT systems, especially when combining it with „Just enough administration“ (JEA) feature it can sometimes happen that errors occur.


As far as we have been able to evaluate the problem sometimes occurs after applying (major) Microsoft Windows Updates. After applying the updates – for some reasons – the WinRM service is running in the user context of „network service“. Default user context is „local system“.

The error message is the following:

New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : 
The WS-Management service cannot process the operation. An attempt to create a virtual account failed. 
Ensure that WinRM service is running as Local System and that it has TCB privilege enabled. 
For more information, see the about_Remote_Troubleshooting Help topic.

See also screenshot below:

Screenshots of the services console show an interesting change.

Before Windows update we have the following situation:

Afterwards it changed:

Obviously the major Windows update changed the service account in which context Windows Remote Management service is running. And the network service account obviously is missing the „SeTcbPrivilege“.

(Workaround) solution

1. Switch the account back to „local system“

This can be achieved via management console or comand line, whatever you prefer. For example you can use the famous sc.exe command:

sc.exe config WinRM obj= "[.\username]" password= "[password]"

2. Take care for JEA

In case of using „JEA“ (just enough administration) the registered JEA session must be unregistered and then re-registered. This can easily be achieved via PowerShell using the following commands:

Unregister-PSSessionConfiguration -Name "MyJeaSession"

Afterwards register your JEA Configuration again.


Leave a Reply