================================================================================
SINGLE PC TEST - QUICK START
================================================================================

Test the entire certificate deployment on ONE PC before deploying to all 175.

Test PC: G9KN7PZ3ESF

================================================================================
STEP 1: CREATE CA (ONE TIME - 5 MINUTES)
================================================================================

On YOUR computer (H2PRFM94):

  PS> cd C:\path\to\winrm-ca-scripts
  PS> .\Create-CA-Simple.ps1

  Enter password: ShopfloorCA2025!

  Output:
  ✓ Shopfloor-WinRM-CA-20251017.pfx
  ✓ Shopfloor-WinRM-CA-20251017.cer


================================================================================
STEP 2: INSTALL CA ON YOUR COMPUTER (2 MINUTES)
================================================================================

Still on YOUR computer:

  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
          -CertStoreLocation Cert:\LocalMachine\Root

  Result:
  ✓ Your computer now trusts all certificates signed by this CA


================================================================================
STEP 3: SIGN CERTIFICATE FOR TEST PC (2 MINUTES)
================================================================================

Option A: Sign just ONE certificate
────────────────────────────────────────────────────────────────

  Create a test file with just one hostname:

  PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"

  PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"

  Enter CA password: ShopfloorCA2025!
  Enter PC cert password: PCCert2025!

  Output:
  ✓ pc-certificates\batch-TIMESTAMP\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx


Option B: Sign ALL 175, but only deploy one
────────────────────────────────────────────────────────────────

  PS> .\Sign-BulkCertificates.ps1

  Enter CA password: ShopfloorCA2025!
  Enter PC cert password: PCCert2025!

  Output:
  ✓ pc-certificates\batch-TIMESTAMP\  (175 certificates)

  You'll only deploy one for testing


================================================================================
STEP 4: DEPLOY TO TEST PC (5 MINUTES)
================================================================================

Method 1: Network Share Deployment (Recommended)
────────────────────────────────────────────────────────────────

  A. Copy to network share:

     PS> Copy-Item "pc-certificates\batch-*" `
             -Destination "S:\dt\adata\script\deploy\pc-certificates\" `
             -Recurse

     PS> Copy-Item "Deploy-PCCertificate.ps1" `
             -Destination "S:\dt\adata\script\deploy\"

     PS> Copy-Item "Deploy-PCCertificate.bat" `
             -Destination "S:\dt\adata\script\deploy\"

  B. On the test PC (G9KN7PZ3ESF):

     1. Navigate to: S:\dt\adata\script\deploy\
     2. Right-click: Deploy-PCCertificate.bat
     3. Select: "Run as Administrator"
     4. Enter password: PCCert2025!
     5. Wait for SUCCESS message

  Result:
  ✓ Certificate automatically found and imported
  ✓ WinRM HTTPS configured
  ✓ Firewall rule created
  ✓ Log saved to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt


Method 2: Manual Deployment (If network share not ready)
────────────────────────────────────────────────────────────────

  A. Copy certificate to PC:

     PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
             -Destination "\\G9KN7PZ3ESF\C$\Temp\"

     PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
             -Destination "\\G9KN7PZ3ESF\C$\Temp\"

  B. On the PC (G9KN7PZ3ESF), as Administrator:

     PS> cd C:\Temp

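     # Import certificate (resolve the wildcard to a single file first;
     # Import-PfxCertificate -FilePath is documented as not accepting wildcards)
     PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
     PS> $pfx = Get-ChildItem "G9KN7PZ3ESF-*.pfx" | Select-Object -First 1
     PS> $cert = Import-PfxCertificate `
             -FilePath $pfx.FullName `
             -CertStoreLocation Cert:\LocalMachine\My `
             -Password $certPass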

     # Configure WinRM
     PS> .\Setup-WinRM-HTTPS.ps1 `
             -CertificateThumbprint $cert.Thumbprint `
             -Domain "logon.ds.ge.com"

  Result:
  ✓ Certificate imported
  ✓ WinRM HTTPS listener created
  ✓ Firewall configured


================================================================================
STEP 5: VERIFY ON THE PC (2 MINUTES)
================================================================================

On the test PC (G9KN7PZ3ESF):

  # Check certificate
  PS> Get-ChildItem Cert:\LocalMachine\My | Where-Object {
      $_.Subject -like "*G9KN7PZ3ESF*"
  } | Format-List Subject, Issuer, Thumbprint

  Expected:
    Subject     : CN=g9kn7pz3esf.logon.ds.ge.com
    Issuer      : CN=Shopfloor WinRM CA
    Thumbprint  : (long string)

  # Check WinRM service
  PS> Get-Service WinRM

  Expected:
    Status   Name               DisplayName
    ------   ----               -----------
    Running  WinRM              Windows Remote Management (WS-Manag...

  # Check listener
  PS> winrm enumerate winrm/config/listener

  Expected:
    Listener
        Address = *
        Transport = HTTPS
        Port = 5986
        Hostname = g9kn7pz3esf.logon.ds.ge.com
        ...

  # Check port
  PS> netstat -an | findstr :5986

  Expected:
    TCP    0.0.0.0:5986           0.0.0.0:0              LISTENING

  ✓ All checks passed!


================================================================================
STEP 6: TEST CONNECTION FROM YOUR COMPUTER (3 MINUTES)
================================================================================

Back on YOUR computer (H2PRFM94):

  A. Test basic connectivity
  ─────────────────────────────────────────────────────────────

  PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

  Expected Output:
    wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor   : Microsoft Corporation
    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

  ✅ SUCCESS = WinRM is working with HTTPS!


  B. Test interactive session
  ─────────────────────────────────────────────────────────────

  PS> $cred = Get-Credential
  # Enter your domain credentials

  PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
          -Credential $cred -UseSSL -Port 5986

  Expected:
    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

  ✅ SUCCESS = You're connected!

  Try commands:
    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
    G9KN7PZ3ESF

    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
    Running  WinRM  Windows Remote Management

    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession


  C. Test remote command execution
  ─────────────────────────────────────────────────────────────

  PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
          -Credential $cred -UseSSL -Port 5986 `
          -ScriptBlock { Get-ComputerInfo | Select-Object CsName, WindowsVersion }

  Expected:
    CsName       WindowsVersion
    ------       --------------
    G9KN7PZ3ESF  2009

  ✅ SUCCESS = Remote commands work!


================================================================================
KEY OBSERVATIONS
================================================================================

Notice what you DON'T need:

  ❌ No -SessionOption parameter
  ❌ No -SkipCNCheck
  ❌ No -SkipCACheck
  ❌ No -SkipRevocationCheck
  ❌ No certificate bypass tricks

This is CLEAN and SECURE because:

  ✓ Your computer trusts the CA
  ✓ PC certificate is signed by trusted CA
  ✓ Certificate CN matches hostname
  ✓ Full certificate chain validation works
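
To confirm these points from the wire, the added example below (not one of
the winrm-ca-scripts; the function name Test-WinRMServerCertificate is
hypothetical) fetches the certificate the PC presents on port 5986 and runs
the chain and name checks that the skip flags would bypass. It assumes
TLS 1.2 and does not test revocation.

```powershell
# Added example: hypothetical helper, not part of the winrm-ca-scripts.
function Test-WinRMServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int]    $Port = 5986,
        [string] $ExpectedIssuer = 'CN=Shopfloor WinRM CA'   # issuer shown in STEP 5
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept whatever the server presents so it can be inspected;
        # the real validation is done explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        # Assumption: the listener negotiates TLS 1.2.
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Build the chain against this machine's trust stores
    # (the check that -SkipCACheck would bypass).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Assumption: revocation is not tested; the page describes no CRL for this CA.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # DNS name carried by the certificate (the check that -SkipCNCheck would bypass).
    $dnsName = $cert.GetNameInfo('DnsName', $false)

    [pscustomobject]@{
        ComputerName  = $ComputerName
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NameMatches   = ($dnsName -eq $ComputerName)
        IssuerMatches = ($cert.Issuer -like "$ExpectedIssuer*")
    }
}

Test-WinRMServerCertificate -ComputerName 'g9kn7pz3esf.logon.ds.ge.com'
```

Run it on YOUR computer after STEP 2; ChainTrusted, NameMatches and
IssuerMatches should all be True, and ChainErrors names the failing check
when the CA is missing from the Root store.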


================================================================================
TROUBLESHOOTING
================================================================================

If Test-WSMan fails:
────────────────────────────────────────────────────────────────

  1. Copy Test-RemotePC-Debug.bat to the PC
  2. Run it as Administrator on the PC
  3. Review output to identify the issue

Common issues:
  - Port 5986 not listening → Re-run Setup-WinRM-HTTPS.ps1
  - Certificate not found → Re-import certificate
  - Firewall blocking → Check firewall rule
  - DNS not resolving → Use IP address for testing (reachability only: the
    certificate CN is the FQDN, so the name check will not match an IP)


If connection works but certificate errors appear:
────────────────────────────────────────────────────────────────

  Check if CA is installed on YOUR computer:

  PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
      $_.Subject -like "*Shopfloor*"
  }

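  If not found (resolve the wildcard to a single file first; -FilePath is
  documented as not accepting wildcards):
  PS> $caFile = Get-ChildItem "Shopfloor-WinRM-CA-*.cer" | Select-Object -First 1
  PS> Import-Certificate -FilePath $caFile.FullName `
          -CertStoreLocation Cert:\LocalMachine\Root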


================================================================================
SUCCESS CRITERIA
================================================================================

The test is successful when:

  ✓ Test-WSMan works without errors
  ✓ Enter-PSSession connects without -SessionOption
  ✓ No certificate warnings
  ✓ Remote commands execute successfully
  ✓ Connection is clean and secure


================================================================================
AFTER SUCCESSFUL TEST
================================================================================

Once ONE PC works perfectly:

  1. Test 3-5 more PCs using the same process
  2. If all tests pass, proceed to full deployment
  3. Deploy to remaining 170 PCs in batches
  4. Use COMPLETE-WORKFLOW.txt for full deployment guide


================================================================================
TIME ESTIMATE
================================================================================

Total time to test ONE PC:

  - Create CA: 5 minutes (one time)
  - Install CA on your computer: 2 minutes (one time)
  - Sign certificate for test PC: 2 minutes
  - Deploy to PC: 5 minutes
  - Verify configuration: 2 minutes
  - Test connection: 3 minutes
  ─────────────────────────────────
  Total: ~20 minutes for first PC

Subsequent PCs: ~4 minutes each (CA already created)


================================================================================
SUMMARY
================================================================================

Single PC Test Process:

  1. Create CA (one time)
  2. Install CA on your computer (one time)
  3. Sign certificate for G9KN7PZ3ESF
  4. Deploy certificate to G9KN7PZ3ESF
  5. Test connection from your computer
  6. Verify clean, secure connection

If successful → Deploy to all 175 PCs
If issues → Debug on test PC before continuing

================================================================================
