================================================================================
DEPLOY AND TEST ONE PC - PRACTICAL GUIDE
================================================================================

This guide shows EXACTLY how to deploy to G9KN7PZ3ESF and test it.

================================================================================
PART 1: SETUP ON YOUR COMPUTER (H2PRFM94) - ONE TIME
================================================================================

Step 1: Create and Install CA
─────────────────────────────────────────────────────────────

  PS> cd C:\path\to\winrm-ca-scripts
  PS> .\Create-CA-Simple.ps1
  # Password: ShopfloorCA2025!

  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
          -CertStoreLocation Cert:\LocalMachine\Root

  ✓ Done - CA created and trusted on your computer


Step 2: Sign Certificate for Test PC
─────────────────────────────────────────────────────────────

  Option A - Sign just one:
  PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"
  PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"
  # CA Password: ShopfloorCA2025!
  # PC Cert Password: PCCert2025!

  Option B - Sign all 175:
  PS> .\Sign-BulkCertificates.ps1
  # CA Password: ShopfloorCA2025!
  # PC Cert Password: PCCert2025!

  ✓ Certificate created: pc-certificates\batch-*\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx


================================================================================
PART 2: DEPLOY TO THE REMOTE PC (G9KN7PZ3ESF)
================================================================================

You have 3 deployment methods. Choose ONE:


METHOD 1: Network Share Deployment (EASIEST - Recommended)
════════════════════════════════════════════════════════════════════════════

  Step 1: Copy files to network share (on YOUR computer)
  ──────────────────────────────────────────────────────────────

  PS> # Copy certificates
  PS> Copy-Item "pc-certificates\batch-*" `
          -Destination "S:\dt\adata\script\deploy\pc-certificates\" `
          -Recurse

  PS> # Copy deployment scripts
  PS> Copy-Item "Deploy-PCCertificate.ps1" `
          -Destination "S:\dt\adata\script\deploy\"

  PS> Copy-Item "Deploy-PCCertificate.bat" `
          -Destination "S:\dt\adata\script\deploy\"


  Step 2: Run deployment on the PC (ON G9KN7PZ3ESF)
  ──────────────────────────────────────────────────────────────

  1. Walk to PC G9KN7PZ3ESF (or RDP to it)
  2. Open File Explorer
  3. Navigate to: S:\dt\adata\script\deploy\
  4. RIGHT-CLICK: Deploy-PCCertificate.bat
  5. Select: "Run as Administrator"
  6. Enter password when prompted: PCCert2025!
  7. Wait for "SUCCESS" message

  ✓ Script automatically:
    - Finds G9KN7PZ3ESF certificate from network share
    - Imports it to Local Machine store
    - Configures WinRM HTTPS listener
    - Creates firewall rule
    - Logs to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt


METHOD 2: Copy Files Directly to PC (If network share not accessible)
════════════════════════════════════════════════════════════════════════════

  Step 1: Copy files to PC (on YOUR computer)
  ──────────────────────────────────────────────────────────────

  PS> # Copy certificate
  PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
          -Destination "\\G9KN7PZ3ESF\C$\Temp\"

  PS> # Copy setup script
  PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
          -Destination "\\G9KN7PZ3ESF\C$\Temp\"


  Step 2: Run setup on the PC (ON G9KN7PZ3ESF)
  ──────────────────────────────────────────────────────────────

  1. Walk to PC G9KN7PZ3ESF (or RDP to it)
  2. Open PowerShell as Administrator
  3. Run these commands:

  PS> cd C:\Temp

  PS> # Import certificate
  PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
  PS> $cert = Import-PfxCertificate `
          -FilePath (Get-Item "G9KN7PZ3ESF-*.pfx").FullName `
          -CertStoreLocation Cert:\LocalMachine\My `
          -Password $certPass

  PS> # Configure WinRM
  PS> Set-ExecutionPolicy Bypass -Scope Process -Force
  PS> .\Setup-WinRM-HTTPS.ps1 `
          -CertificateThumbprint $cert.Thumbprint `
          -Domain "logon.ds.ge.com"

  ✓ Done - WinRM HTTPS configured


METHOD 3: Remote Deployment via PowerShell (If WinRM HTTP already works)
════════════════════════════════════════════════════════════════════════════

  Step 1: Copy certificate to PC (on YOUR computer)
  ──────────────────────────────────────────────────────────────

  PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
          -Destination "\\G9KN7PZ3ESF\C$\Temp\"


  Step 2: Import and configure remotely (on YOUR computer)
  ──────────────────────────────────────────────────────────────

  PS> $cred = Get-Credential
  # Enter your domain credentials

  PS> Invoke-Command -ComputerName G9KN7PZ3ESF -Credential $cred -ScriptBlock {
      # Import certificate
      $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
      $certFile = Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx"

      $cert = Import-PfxCertificate `
          -FilePath $certFile.FullName `
          -CertStoreLocation Cert:\LocalMachine\My `
          -Password $certPass

      # Get hostname and FQDN
      $hostname = $env:COMPUTERNAME
      $fqdn = "$hostname.logon.ds.ge.com".ToLower()

      # Enable WinRM
      Enable-PSRemoting -Force -SkipNetworkProfileCheck
      Set-Service WinRM -StartupType Automatic
      Start-Service WinRM

      # Remove old HTTPS listener
      winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>$null

      # Create HTTPS listener
      $winrmCmd = "create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$fqdn`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
      cmd.exe /c "winrm $winrmCmd"

      # Create firewall rule (New-NetFirewallRule has no -Force parameter and
      # would add a duplicate rule on re-runs, so only create it when missing)
      if (-not (Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" -ErrorAction SilentlyContinue)) {
          New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
              -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow | Out-Null
      }

      Write-Host "WinRM HTTPS configured on $hostname" -ForegroundColor Green
  }

  ✓ Done - Configured remotely


================================================================================
PART 3: VERIFY DEPLOYMENT ON THE PC (ON G9KN7PZ3ESF)
================================================================================

Option A: Quick Check (on the PC)
─────────────────────────────────────────────────────────────

  PS> winrm enumerate winrm/config/listener

  Look for:
    Listener
        Address = *
        Transport = HTTPS
        Port = 5986
        Hostname = g9kn7pz3esf.logon.ds.ge.com
        CertificateThumbprint = (long string)

  ✓ If you see HTTPS listener on port 5986 → Success!


Option B: Full Verification (on the PC)
─────────────────────────────────────────────────────────────

  1. Copy Test-RemotePC-Debug.bat to C:\Temp on the PC
  2. Copy Test-RemotePC-Debug.ps1 to C:\Temp on the PC
  3. Right-click Test-RemotePC-Debug.bat → "Run as Administrator"
  4. Review the output

  Check for:
  ✓ WinRM Service: Running
  ✓ HTTPS Listener on port 5986
  ✓ Port 5986 LISTENING
  ✓ Certificate in LocalMachine\My
  ✓ Firewall rule enabled
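  The checks above can be run as one script on the PC. The following is an added
  example written for this guide, not Test-RemotePC-Debug.ps1 or any other script
  shipped with it. It assumes the firewall rule name "WinRM HTTPS-In" used in
  Method 3 and the logon.ds.ge.com domain, and must run in an elevated PowerShell
  on the PC itself. Beyond the list above it also follows the thumbprint on the
  HTTPS listener into Cert:\LocalMachine\My and confirms that certificate has a
  private key, is unexpired and is valid for the PC's FQDN with the Server
  Authentication EKU, which is what a client will check:

```powershell
# Verify-WinRMHttps.ps1 - added example, not one of the guide's scripts.
# Run in an elevated PowerShell ON the PC being verified.
param(
    [string]$Domain = "logon.ds.ge.com",          # domain from the guide
    [int]$Port = 5986,
    [string]$FirewallRuleName = "WinRM HTTPS-In"  # rule name used by Method 3 (assumed)
)

$fqdn   = "$env:COMPUTERNAME.$Domain".ToLower()
$result = [ordered]@{}

# 1. WinRM service must be running
$result['WinRMRunning'] = ((Get-Service WinRM).Status -eq 'Running')

# 2. An HTTPS listener must exist (WSMan: drive needs the service up and an elevated shell)
$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
$result['HttpsListener'] = [bool]$listener

$thumbprint = $null
if ($listener) {
    $props        = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)"
    $thumbprint   = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    $listenerHost = [string]($props | Where-Object Name -eq 'Hostname').Value
    $listenerPort = [string]($props | Where-Object Name -eq 'Port').Value
    $result['ListenerPortMatches']     = ($listenerPort -eq "$Port")
    $result['ListenerHostnameIsFqdn']  = ($listenerHost.ToLower() -eq $fqdn)
}

# 3. The listener's thumbprint must resolve to a usable certificate in LocalMachine\My
$cert = $null
if ($thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
}
$result['CertInLocalMachineMy'] = [bool]$cert
if ($cert) {
    $result['CertIssuer']        = $cert.Issuer          # compare with the Shopfloor CA name
    $result['CertExpires']       = $cert.NotAfter
    $result['CertNotExpired']    = ($cert.NotAfter -gt (Get-Date))
    $result['CertHasPrivateKey'] = $cert.HasPrivateKey   # listener cannot serve TLS without it
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) and name check for this PC's FQDN.
    # -AllowUntrustedRoot: the PC itself does not need to trust the CA for the listener
    # to work; it is the connecting client that must trust it.
    $result['CertValidForFqdn'] = Test-Certificate -Cert $cert -DNSName $fqdn `
        -EKU '1.3.6.1.5.5.7.3.1' -AllowUntrustedRoot -ErrorAction SilentlyContinue
}

# 4. Something must actually be listening on the port
$result['PortListening'] = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen `
    -ErrorAction SilentlyContinue)

# 5. Firewall rule present and enabled
$rule = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue |
    Select-Object -First 1
$result['FirewallRuleEnabled'] = [bool]($rule -and ($rule.Enabled -eq 'True'))

# Report: every boolean check must be True
[PSCustomObject]$result | Format-List
$failed = $result.GetEnumerator() | Where-Object { ($_.Value -is [bool]) -and -not $_.Value }
if ($failed) {
    Write-Warning ("FAILED checks: " + (($failed | ForEach-Object { $_.Key }) -join ', '))
    exit 1
}
Write-Host "All WinRM HTTPS checks passed on $fqdn" -ForegroundColor Green
```

  A False on CertHasPrivateKey usually means the PFX was imported without its key
  (wrong password or exported without the key); a False on CertValidForFqdn means
  the certificate was signed for a different hostname than $env:COMPUTERNAME, the
  same mismatch the "Certificate not found" troubleshooting entry describes.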


================================================================================
PART 4: TEST CONNECTION FROM YOUR COMPUTER (H2PRFM94)
================================================================================

Now test that YOU can connect to G9KN7PZ3ESF remotely.


Test 1: Basic WinRM Connectivity
─────────────────────────────────────────────────────────────

  PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

  EXPECTED OUTPUT (Success):
  ┌────────────────────────────────────────────────────────┐
  │ wsmid           : http://schemas.dmtf.org/wbem/...     │
  │ ProtocolVersion : http://schemas.dmtf.org/wbem/...     │
  │ ProductVendor   : Microsoft Corporation                │
  │ ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0         │
  └────────────────────────────────────────────────────────┘

  ✅ SUCCESS = WinRM HTTPS is working!


  POSSIBLE ERROR (Failure):
  ┌────────────────────────────────────────────────────────┐
  │ Test-WSMan : The server certificate on the destination │
  │ computer has the following errors:                     │
  │ The SSL certificate is signed by an unknown CA.        │
  └────────────────────────────────────────────────────────┘

  FIX:
  PS> # Install CA on your computer
  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
          -CertStoreLocation Cert:\LocalMachine\Root


Test 2: Interactive Remote Session
─────────────────────────────────────────────────────────────

  PS> $cred = Get-Credential
  # Enter your domain credentials (e.g., DOMAIN\username)

  PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
          -Credential $cred -UseSSL -Port 5986

  EXPECTED OUTPUT (Success):
  ┌────────────────────────────────────────────────────────┐
  │ [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>                 │
  └────────────────────────────────────────────────────────┘

  ✅ You're now connected to the remote PC!

  Try these commands:
  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
  G9KN7PZ3ESF

  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM | Select-Object Status, Name
  Running  WinRM

  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> $env:COMPUTERNAME
  G9KN7PZ3ESF

  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession


Test 3: Remote Command Execution
─────────────────────────────────────────────────────────────

  PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
          -Credential $cred -UseSSL -Port 5986 `
          -ScriptBlock {
              [PSCustomObject]@{
                  Hostname = $env:COMPUTERNAME
                  WinRMStatus = (Get-Service WinRM).Status
                  Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
              }
          }

  EXPECTED OUTPUT:
  ┌────────────────────────────────────────────────────────┐
  │ Hostname    WinRMStatus  Uptime                        │
  │ --------    -----------  ------                        │
  │ G9KN7PZ3ESF Running      23:15:42.1234567              │
  └────────────────────────────────────────────────────────┘

  ✅ Remote commands work!


Test 4: No Certificate Bypass Needed
─────────────────────────────────────────────────────────────

  NOTICE: You did NOT need to use:

  ❌ -SessionOption (no bypass needed!)
  ❌ -SkipCNCheck
  ❌ -SkipCACheck
  ❌ -SkipRevocationCheck

  This is a CLEAN, SECURE connection because:
  ✓ Your computer trusts the CA
  ✓ Certificate is properly signed
  ✓ Certificate CN matches hostname
  ✓ Full SSL/TLS validation works
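  To see what your computer actually validates when Test-WSMan succeeds without
  any Skip* option, the following added example (not part of this guide's scripts)
  opens a TLS connection to port 5986 from YOUR computer, reads the certificate
  the PC presents, and then performs the two checks explicitly: that the chain
  builds to a root in your trusted store and that the FQDN appears in the
  certificate's Subject Alternative Name. It assumes the Shopfloor CA publishes no
  CRL (so revocation is not evaluated here) and an English Windows locale for the
  SAN text. The callback handed to SslStream accepts the handshake only so the
  certificate can be read; all validation is done afterwards, in the open:

```powershell
# Inspect-WinRMServerCert.ps1 - added example, not one of the guide's scripts.
# Run on YOUR computer (H2PRFM94), not on the PC.
param(
    [string]$ComputerName = "g9kn7pz3esf.logon.ds.ge.com",
    [int]$Port = 5986
)
$target = $ComputerName.ToLower()

# Handshake: the callback returns $true only so RemoteCertificate can be read below.
# The trust and name decisions are made explicitly afterwards, not here.
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($ComputerName, $Port)    # throws = the "cannot connect" case from TROUBLESHOOTING
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
try {
    $ssl.AuthenticateAsClient($ComputerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}

# Check 1: chain must build to a root in Cert:\LocalMachine\Root (or CurrentUser\Root).
# Assumption: the Shopfloor CA has no CRL distribution point, so revocation is not checked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk     = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
$root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Check 2: the FQDN we connected to must be in the SAN (CN only as a fallback when no SAN)
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    # Format($false) yields "DNS Name=host1, DNS Name=host2" on an English Windows locale
    $dnsNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() })
}
$cn     = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false).ToLower()
$nameOk = ($dnsNames -contains $target) -or (($dnsNames.Count -eq 0) -and ($cn -eq $target))

[PSCustomObject]@{
    Server       = $ComputerName
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    SanDnsNames  = ($dnsNames -join ';')
    ChainTrusted = $chainOk
    ChainStatus  = $(if ($chainOk) { 'OK' } else { $chainStatus })
    ChainRoot    = $root.Subject
    NameMatches  = $nameOk
} | Format-List
```

  ChainTrusted = False with UntrustedRoot in ChainStatus is exactly the "signed by
  an unknown CA" failure from Test 1, and the fix is the same Import-Certificate of
  the CA .cer into Cert:\LocalMachine\Root. NameMatches = False is the case that
  would otherwise need -SkipCNCheck; it means the wrong PFX was deployed to that
  PC, which is something to correct on the PC rather than bypass on the client.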


================================================================================
TROUBLESHOOTING
================================================================================

Problem: Test-WSMan fails with "cannot connect"
Solution:
  1. Check PC is on network: ping g9kn7pz3esf.logon.ds.ge.com
  2. Check port reachable: Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
  3. On PC, verify listener: winrm enumerate winrm/config/listener
  4. On PC, verify port: netstat -an | findstr :5986


Problem: Test-WSMan fails with "SSL certificate signed by unknown CA"
Solution:
  Install CA on YOUR computer:
  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
          -CertStoreLocation Cert:\LocalMachine\Root


Problem: Enter-PSSession fails with "Access Denied"
Solution:
  1. Verify credentials are correct
  2. Verify user has admin rights on remote PC
  3. Check WinRM permissions: winrm get winrm/config/service


Problem: Port 5986 not listening on PC
Solution:
  1. On PC: Get-Service WinRM (should be Running)
  2. On PC: winrm enumerate winrm/config/listener (check for HTTPS)
  3. Re-run Setup-WinRM-HTTPS.ps1 on the PC


Problem: Certificate not found during deployment
Solution:
  1. Verify certificate exists in network share or C:\Temp
  2. Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
  3. Verify hostname matches: $env:COMPUTERNAME on the PC


================================================================================
SUCCESS CHECKLIST
================================================================================

✓ CA created and installed on your computer
✓ Certificate signed for G9KN7PZ3ESF
✓ Certificate deployed to G9KN7PZ3ESF
✓ WinRM HTTPS configured on G9KN7PZ3ESF
✓ Test-WSMan succeeds from your computer
✓ Enter-PSSession connects successfully
✓ No certificate bypasses needed
✓ Remote commands execute properly

When ALL checks pass → Ready to deploy to remaining PCs!


================================================================================
NEXT STEPS
================================================================================

After successful test on G9KN7PZ3ESF:

1. Test 3-5 more PCs to confirm process
2. If all work, proceed to batch deployment
3. Use same method for all 175 PCs
4. Track progress in spreadsheet

See: COMPLETE-WORKFLOW.txt for full deployment strategy
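When moving to the remaining PCs, the Test-WSMan check from Test 1 can be run
across the whole hostname list and the results written to a CSV for the tracking
spreadsheet. The following is an added example, not one of this guide's scripts.
It assumes a hostname file in the same one-per-line format as test-hostname.txt,
the logon.ds.ge.com domain, and that the Shopfloor CA is already trusted on your
computer (otherwise every PC reports UNKNOWN_CA). Each failure is mapped to the
matching entry in the TROUBLESHOOTING section so the sheet shows what to fix, not
just that something failed:

```powershell
# Sweep-WinRMHttps.ps1 - added example, not one of the guide's scripts.
# Run on YOUR computer after the CA is installed in Cert:\LocalMachine\Root.
param(
    [string]$HostnameFile = "hostnames.txt",            # assumed: one hostname per line
    [string]$Domain       = "logon.ds.ge.com",
    [int]$Port            = 5986,
    [string]$OutCsv       = "winrm-https-status.csv"    # assumed output name
)

function Classify-WinRMError([string]$Message) {
    # Map the common Test-WSMan failures to the TROUBLESHOOTING entries of this guide
    switch -Regex ($Message) {
        'unknown (CA|certificate authority)'         { 'UNKNOWN_CA: import CA .cer into LocalMachine\Root'; break }
        'common name|does not match'                 { 'CN_MISMATCH: wrong certificate deployed for this FQDN'; break }
        'cannot connect|unable to connect|cannot complete' { 'NO_CONNECT: ping / Test-NetConnection / check listener'; break }
        default                                      { 'OTHER' }
    }
}

# Same list format as test-hostname.txt; blank lines are ignored
$hosts = Get-Content $HostnameFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$rows = foreach ($h in $hosts) {
    $fqdn    = "$h.$Domain".ToLower()
    $checked = Get-Date
    try {
        # Full certificate validation, no Skip* options: the same test the guide expects to pass
        $id = Test-WSMan -ComputerName $fqdn -UseSSL -Port $Port -ErrorAction Stop
        [PSCustomObject]@{ Hostname = $h; Fqdn = $fqdn; Status = 'OK'
                           Detail = $id.ProductVersion; Checked = $checked }
    } catch {
        [PSCustomObject]@{ Hostname = $h; Fqdn = $fqdn
                           Status  = (Classify-WinRMError $_.Exception.Message)
                           Detail  = $_.Exception.Message; Checked = $checked }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Wrote $(@($rows).Count) rows to $OutCsv"
```

Re-run the sweep after each batch; a PC that moves from NO_CONNECT to OK confirms
the listener and firewall rule, and one that stays at UNKNOWN_CA on an otherwise
clean sweep points at the client, not the PC.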


================================================================================
SUMMARY - DEPLOYMENT METHODS
================================================================================

Method 1: Network Share (Recommended)
  → Copy certs + scripts to S:\dt\adata\script\deploy\
  → On each PC: Run Deploy-PCCertificate.bat
  → Automatic deployment with logging

Method 2: Direct Copy
  → Copy cert + script to PC via \\HOSTNAME\C$\Temp\
  → On PC: Run Setup-WinRM-HTTPS.ps1 manually
  → Manual but reliable

Method 3: Remote PowerShell
  → Copy cert, deploy via Invoke-Command
  → Requires existing WinRM HTTP access
  → Fastest for bulk deployment

Choose based on your environment and access methods.

================================================================================
