================================================================================
COMPLETE WORKFLOW - START TO FINISH
================================================================================

Visual guide showing the entire process from CA creation to remote access.

================================================================================
PHASE 1: SETUP (ONE TIME - 15 MINUTES)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 1: Create Certificate Authority                            │
│ On YOUR computer (H2PRFM94)                                      │
└─────────────────────────────────────────────────────────────────┘

  Command:
  PS> .\Create-CA-Simple.ps1

  Input:
  - CA Password: ShopfloorCA2025!

  Output:
  ✓ Shopfloor-WinRM-CA-20251017.pfx  (CA private key - KEEP SECURE!)
  ✓ Shopfloor-WinRM-CA-20251017.cer  (CA public certificate)
  ✓ CA-INFO-20251017.txt

         ↓ ↓ ↓


┌─────────────────────────────────────────────────────────────────┐
│ STEP 2: Install CA on YOUR Computer                             │
│ On YOUR computer (H2PRFM94)                                      │
└─────────────────────────────────────────────────────────────────┘

  Command:
  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
          -CertStoreLocation Cert:\LocalMachine\Root

  Result:
  ✓ YOUR computer now trusts ALL certificates signed by this CA!
  ✓ No more -SessionOption needed for connections!

         ↓ ↓ ↓


┌─────────────────────────────────────────────────────────────────┐
│ STEP 3: Sign All 175 PC Certificates                            │
│ On YOUR computer (H2PRFM94)                                      │
└─────────────────────────────────────────────────────────────────┘

  Command:
  PS> .\Sign-BulkCertificates.ps1

  Input:
  - CA Password: ShopfloorCA2025!
  - PC Certificate Password: PCCert2025!

  Process:
  → Reads: shopfloor-hostnames.txt (175 hostnames)
  → Signs: 175 individual certificates
  → Each PC gets unique certificate with its own hostname

  Output:
  ✓ pc-certificates/batch-20251017-123456/
    - G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
    - G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
    - G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
    - ... (175 total PFX files)
    - certificate-list.csv
    - SUMMARY.txt


================================================================================
PHASE 2: TEST DEPLOYMENT (ONE PC - 10 MINUTES)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 4: Deploy to Test PC (G9KN7PZ3ESF)                         │
└─────────────────────────────────────────────────────────────────┘

  A. Copy Certificate to PC
  ─────────────────────────────────────────────────────────────
  On YOUR computer:

  PS> cd pc-certificates\batch-*
  PS> Copy-Item "G9KN7PZ3ESF-*.pfx" -Destination "\\G9KN7PZ3ESF\C$\Temp\"

  Result:
  ✓ Certificate file on PC: C:\Temp\G9KN7PZ3ESF-*.pfx


  B. Import Certificate on PC
  ─────────────────────────────────────────────────────────────
  ON THE PC (G9KN7PZ3ESF), as Administrator:

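  PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
  PS> # Import-PfxCertificate does not expand wildcards, so resolve the file name first
  PS> $pfx = Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx"
  PS> $cert = Import-PfxCertificate `
          -FilePath $pfx.FullName `
          -CertStoreLocation Cert:\LocalMachine\My `
          -Password $certPass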

  Result:
  ✓ Certificate installed in: Cert:\LocalMachine\My
  ✓ Subject: CN=g9kn7pz3esf.logon.ds.ge.com
  ✓ Issuer: CN=Shopfloor WinRM CA


  C. Configure WinRM HTTPS on PC
  ─────────────────────────────────────────────────────────────
  Still ON THE PC (G9KN7PZ3ESF):

  PS> .\Setup-WinRM-HTTPS.ps1 `
          -CertificateThumbprint $cert.Thumbprint `
          -Domain "logon.ds.ge.com"

  Result:
  ✓ WinRM service running
  ✓ HTTPS listener created on port 5986
  ✓ Firewall rule enabled
  ✓ Hostname: g9kn7pz3esf.logon.ds.ge.com


  D. Verify on PC
  ─────────────────────────────────────────────────────────────
  Still ON THE PC (G9KN7PZ3ESF):

  PS> Get-Service WinRM
  # Status: Running

  PS> winrm enumerate winrm/config/listener
  # Shows HTTPS listener on port 5986

  PS> netstat -an | findstr :5986
  # Shows: 0.0.0.0:5986 LISTENING

  ✓ All checks passed!
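
  An added check for the end of Step 4 (example code, not one of the scripts this guide ships): it confirms that the certificate bound to the HTTPS listener is the one imported in Step 4B and has the properties WinRM HTTPS needs, then removes the PFX copy left in C:\Temp. It assumes $cert is still set from Step 4B and that the issuer name is the one shown in the Step 4B result.

```powershell
# Added example (not one of the page's scripts). Run on the PC as Administrator
# after Step 4C, in the same session, so $cert from Step 4B is still defined.
$fqdn = "$($env:COMPUTERNAME).logon.ds.ge.com"
$leaf = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"

# Thumbprint(s) bound to the HTTPS listener, with any stray whitespace removed
$bound = @(Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    ForEach-Object { $_.CertificateThumbprint -replace '\s', '' })

$now = Get-Date
$checks = [ordered]@{
    'Private key present'          = $leaf.HasPrivateKey
    'Subject CN matches FQDN'      = $leaf.GetNameInfo('SimpleName', $false) -eq $fqdn
    'Issued by Shopfloor WinRM CA' = $leaf.Issuer -like 'CN=Shopfloor WinRM CA*'
    # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU
    'Server Authentication EKU'    = $leaf.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    'Within validity period'       = ($leaf.NotBefore -le $now) -and ($leaf.NotAfter -gt $now)
    'Bound to HTTPS listener'      = $bound -contains $leaf.Thumbprint
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAILED' })
}
$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })

# The store now holds the key (non-exportable, because Step 4B imported without
# -Exportable), so delete the PFX copy only once every check has passed.
if ($failed.Count -eq 0) {
    Remove-Item "C:\Temp\$($env:COMPUTERNAME)-*.pfx" -Verbose
} else {
    Write-Warning "$($failed.Count) check(s) failed; fix them before continuing to Step 5."
}
```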

         ↓ ↓ ↓


┌─────────────────────────────────────────────────────────────────┐
│ STEP 5: Test Connection from YOUR Computer                      │
│ On YOUR computer (H2PRFM94)                                      │
└─────────────────────────────────────────────────────────────────┘

  A. Test Basic Connectivity
  ─────────────────────────────────────────────────────────────
  PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

  Expected Output:
    wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor   : Microsoft Corporation
    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

  ✓ SUCCESS! No certificate errors!


  B. Test Interactive Session
  ─────────────────────────────────────────────────────────────
  PS> $cred = Get-Credential
  PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
          -Credential $cred -UseSSL -Port 5986

  Expected Output:
    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

  ✓ CONNECTED! Clean and secure!
  ✓ No -SessionOption needed!
  ✓ No certificate warnings!

  Try commands:
    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
    G9KN7PZ3ESF

    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
    Status   Name               DisplayName
    ------   ----               -----------
    Running  WinRM              Windows Remote Management (WS-Manag...

    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession

  🎉 TEST PC DEPLOYMENT SUCCESSFUL! 🎉


================================================================================
PHASE 3: EXPANDED TESTING (3-5 PCs - 30 MINUTES)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 6: Deploy to Additional Test PCs                           │
└─────────────────────────────────────────────────────────────────┘

  Repeat STEP 4 for these PCs:
  - G1JJVH63ESF
  - G1JJXH63ESF
  - G1JKYH63ESF
  - G1JMYH63ESF

  For each PC:
  1. Copy certificate
  2. Import certificate
  3. Configure WinRM
  4. Verify
  5. Test connection

  Result:
  ✓ 5 PCs successfully deployed and tested
  ✓ All connections working
  ✓ Ready for full deployment


================================================================================
PHASE 4: FULL DEPLOYMENT (170 REMAINING PCs)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 7: Deploy to All Remaining PCs                             │
└─────────────────────────────────────────────────────────────────┘

  Strategy: Deploy in batches of 10-20 PCs

  Batch 1: PCs 6-15
  Batch 2: PCs 16-25
  Batch 3: PCs 26-35
  ... continue ...
  Batch 17: PCs 166-175

  For each batch:
  1. Deploy certificates
  2. Configure WinRM
  3. Test connections
  4. Document results
  5. Move to next batch

  OR use automated deployment script (see AFTER-BULK-SIGNING.txt)


================================================================================
PHASE 5: VERIFICATION (ALL 175 PCs)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 8: Verify All Deployments                                  │
│ On YOUR computer (H2PRFM94)                                      │
└─────────────────────────────────────────────────────────────────┘

  Test all 175 PCs at once:

  PS> $pcs = Get-Content "shopfloor-hostnames.txt"
  PS> $cred = Get-Credential

  PS> $results = foreach ($pc in $pcs) {
      $fqdn = "$pc.logon.ds.ge.com"
      Write-Host "Testing $pc..." -NoNewline

      try {
          # Discard Test-WSMan's own output so $results holds only the status objects
          $null = Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop
          Write-Host " OK" -ForegroundColor Green
          [PSCustomObject]@{PC=$pc; Status="Success"}
      } catch {
          Write-Host " FAILED" -ForegroundColor Red
          [PSCustomObject]@{PC=$pc; Status="Failed"}
      }
  }

  PS> $results | Export-Csv "deployment-results.csv" -NoTypeInformation
  PS> # @() keeps .Count correct when zero or one PC succeeded
  PS> $successCount = @($results | Where-Object {$_.Status -eq "Success"}).Count
  PS> Write-Host "$successCount / 175 PCs deployed successfully" -ForegroundColor Green

  Result:
  ✓ All PCs verified
  ✓ Results documented
  ✓ Any failures identified for remediation
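
  An added companion to the Step 8 loop (example code, not one of the scripts this guide ships): it records which certificate each listener on port 5986 actually presents, whether its chain ends at the CA from Step 1, and how many days remain before it expires. The function name Get-ListenerCertReport, the output file name and the 30-day threshold are illustrative; it assumes the CA publishes no CRL and that the CA .cer and shopfloor-hostnames.txt are in the current directory.

```powershell
# Added example, run on the admin computer (CA already trusted per Step 2). Requires PowerShell 5+.
$caPath = (Resolve-Path '.\Shopfloor-WinRM-CA-20251017.cer').Path
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caPath)

function Get-ListenerCertReport {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 5986)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($Fqdn, $Port)
        # Default validation applies: an untrusted chain or a name mismatch throws here
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Confirm the chain ends at the shopfloor CA, not some other trusted root
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: the CA publishes no CRL
        $built = $chain.Build($cert)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [PSCustomObject]@{
            PC         = $Fqdn
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            FromOurCA  = $built -and ($root.Thumbprint -eq $ca.Thumbprint)
            Error      = $null
        }
    } catch {
        [PSCustomObject]@{ PC = $Fqdn; Thumbprint = $null; NotAfter = $null
                           DaysLeft = $null; FromOurCA = $false; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$report = Get-Content 'shopfloor-hostnames.txt' |
    ForEach-Object { Get-ListenerCertReport -Fqdn "$_.logon.ds.ge.com" }
$report | Export-Csv 'listener-cert-report.csv' -NoTypeInformation

# Listeners needing attention: wrong issuer, unreachable, or expiring within 30 days
$report | Where-Object { -not $_.FromOurCA -or $_.DaysLeft -lt 30 } |
    Format-Table PC, DaysLeft, FromOurCA, Error -AutoSize
```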


================================================================================
FINAL RESULT - WHAT YOU CAN DO NOW
================================================================================

Connect to ANY shopfloor PC:
─────────────────────────────────────────────────────────────

  $cred = Get-Credential
  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986


Run commands on multiple PCs:
─────────────────────────────────────────────────────────────

  $computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")

  Invoke-Command -ComputerName ($computers | ForEach-Object {"$_.logon.ds.ge.com"}) `
      -Credential $cred -UseSSL -Port 5986 `
      -ScriptBlock { hostname }


Collect data from all 175 PCs:
─────────────────────────────────────────────────────────────

  $allPCs = Get-Content "shopfloor-hostnames.txt" |
      ForEach-Object {"$_.logon.ds.ge.com"}

  $data = Invoke-Command -ComputerName $allPCs -Credential $cred `
      -UseSSL -Port 5986 -ScriptBlock {
          [PSCustomObject]@{
              PC = $env:COMPUTERNAME
              Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
              FreeMemoryGB = [math]::Round((Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory/1MB,2)
              Services = (Get-Service | Where-Object {$_.Status -eq 'Running'}).Count
          }
      }

  $data | Export-Csv "shopfloor-inventory.csv" -NoTypeInformation


================================================================================
TIME INVESTMENT SUMMARY
================================================================================

Initial Setup (One Time):
  - Create CA: 5 minutes
  - Install CA on your computer: 2 minutes
  - Sign 175 certificates: 5 minutes
  - Total: ~12 minutes

Per PC Deployment:
  - Copy certificate: 1 minute
  - Import and configure: 2 minutes
  - Test: 1 minute
  - Total per PC: ~4 minutes

Full Deployment:
  - Test PC: 4 minutes
  - 4 additional test PCs: 16 minutes
  - 170 remaining PCs (automated): 2-3 hours
  - Total: ~3-4 hours for all 175 PCs

ONGOING USE:
  - Connect to any PC: 5 seconds
  - No certificate warnings ever again!
  - Clean, secure, professional


================================================================================
WORKFLOW COMPLETE!
================================================================================

You now have:
  ✓ Certificate Authority created and installed
  ✓ 175 individual PC certificates signed
  ✓ All PCs configured for WinRM HTTPS
  ✓ Clean, secure remote access to all shopfloor PCs
  ✓ No certificate bypasses or warnings
  ✓ Enterprise-grade security

Next: Start managing your shopfloor PCs remotely! 🚀

================================================================================
