Initial commit: Organized PowerShell scripts for ShopDB asset collection

Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
cproudlock
2025-12-10 10:57:54 -05:00
commit 62c0c7bb06
102 changed files with 28017 additions and 0 deletions

View File

@@ -0,0 +1,123 @@
================================================================================
START HERE - READ ME FIRST
================================================================================
WinRM HTTPS Deployment Package
================================================================================
WHAT IS THIS?
================================================================================
This folder contains everything needed to deploy WinRM HTTPS (secure PowerShell
remoting) to 175 shopfloor PCs.
================================================================================
QUICK START (3 STEPS)
================================================================================
STEP 1: Add Certificate
------------------------
>> See: COPY-CERTIFICATE-HERE.txt
Copy the certificate file to this folder:
wildcard-logon-ds-ge-com-20251017.pfx
STEP 2: Copy to Network Share
------------------------------
Copy this entire folder to a network share:
Example: \\SERVER\Shares\WinRM-HTTPS
Set permissions: Read access for "Domain Computers"
STEP 3: Deploy to PCs
---------------------
On each PC:
OPTION A - SECURE (Recommended for Production):
1. Navigate to: \\SERVER\Shares\WinRM-HTTPS
2. Right-click: Deploy-WinRM-HTTPS.bat
3. Select: "Run as Administrator"
4. Enter password when prompted
5. Wait for SUCCESS message
OPTION B - AUTO-PASSWORD (Testing Only):
1. Navigate to: \\SERVER\Shares\WinRM-HTTPS
2. Right-click: Deploy-WinRM-HTTPS-AutoPassword.bat
3. Select: "Run as Administrator"
4. No password prompt - runs automatically
5. Wait for SUCCESS message
WARNING: Password is hardcoded! Delete after testing!
================================================================================
IMPORTANT FILES
================================================================================
START WITH THESE:
0-START-HERE.txt <-- You are here
COPY-CERTIFICATE-HERE.txt <-- Add certificate first!
README-DEPLOYMENT.txt <-- Deployment instructions
CHECKLIST.txt <-- Track your progress
DEPLOYMENT FILES:
Deploy-WinRM-HTTPS.bat <-- Main deployment script
Test-WinRM-HTTPS.bat <-- Test script
Setup-WinRM-HTTPS.ps1 <-- PowerShell setup
Test-WinRM-HTTPS-Setup.ps1 <-- PowerShell test
DOCUMENTATION:
NETWORK_SHARE_DEPLOYMENT.md <-- Detailed guide
REQUIRED (Add manually):
wildcard-*.pfx <-- CERTIFICATE - MUST ADD!
================================================================================
CERTIFICATE PASSWORD
================================================================================
Password: XqHuyaLZSyCYEcpsMz6h5
Keep this secure! Store in password manager for production use.
================================================================================
BATCH EXECUTION POLICY
================================================================================
The batch files (.bat) automatically run PowerShell scripts with:
-ExecutionPolicy Bypass
This allows the scripts to run without requiring execution policy changes
on each PC. The scripts will run even if execution policy is Restricted.
================================================================================
SUPPORT
================================================================================
For help:
- Read: README-DEPLOYMENT.txt
- Read: NETWORK_SHARE_DEPLOYMENT.md
- Check parent folder for troubleshooting guides
================================================================================
DEPLOYMENT WORKFLOW
================================================================================
[ ] 1. Add certificate to this folder
[ ] 2. Copy folder to network share
[ ] 3. Test on 3-5 PCs
[ ] 4. Verify connections work
[ ] 5. Deploy to remaining PCs in batches
[ ] 6. Track progress in CHECKLIST.txt
[ ] 7. Verify all deployments
[ ] 8. Clean up (remove certificate from share)
================================================================================
READY TO START?
================================================================================
Next: Read COPY-CERTIFICATE-HERE.txt to add the certificate file.
================================================================================
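Review bot: the `Password:` line under CERTIFICATE PASSWORD puts the private-key password of the wildcard PFX in plaintext into a file that STEP 2 says to copy to a share readable by "Domain Computers", so anyone who can read the share gets both the certificate and the password needed to use it; remove the value from this file and keep it only in the password manager the very next line recommends. The Quick Start also advertises Deploy-WinRM-HTTPS-AutoPassword.bat as OPTION B; since it embeds the same password, it should not ship in the production package at all, and DEPLOYMENT WORKFLOW step 8 ("Clean up (remove certificate from share)") should also list deleting that batch file and scrubbing the password from the text files.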

View File

@@ -0,0 +1,118 @@
================================================================================
DEPLOYMENT CHECKLIST
================================================================================
Use this checklist to track your deployment progress.
================================================================================
PRE-DEPLOYMENT
================================================================================
[ ] Certificate generated (wildcard-logon-ds-ge-com-20251017.pfx)
[ ] Certificate password documented securely
[ ] Certificate copied to deployment-package folder
[ ] Network share created: \\____________\WinRM-HTTPS
[ ] All files copied to network share
[ ] Share permissions configured (Read: Domain Computers)
[ ] Test access to share from one PC
================================================================================
TEST DEPLOYMENT (3-5 PCs)
================================================================================
Test PC 1: _______________
[ ] Deploy-WinRM-HTTPS.bat executed successfully
[ ] WinRM HTTPS listener created (port 5986)
[ ] Firewall rule created
[ ] Test-WSMan successful from management server
[ ] Remote session created successfully
Date: ______ By: ______
Test PC 2: _______________
[ ] Deployed successfully
[ ] Tested successfully
Date: ______ By: ______
Test PC 3: _______________
[ ] Deployed successfully
[ ] Tested successfully
Date: ______ By: ______
Test PC 4: _______________
[ ] Deployed successfully
[ ] Tested successfully
Date: ______ By: ______
Test PC 5: _______________
[ ] Deployed successfully
[ ] Tested successfully
Date: ______ By: ______
================================================================================
BATCH DEPLOYMENT TRACKING
================================================================================
Total PCs to deploy: 175
Batch 1 (PCs 1-20): [ ] Complete Date: ______ Failed: ____
Batch 2 (PCs 21-40): [ ] Complete Date: ______ Failed: ____
Batch 3 (PCs 41-60): [ ] Complete Date: ______ Failed: ____
Batch 4 (PCs 61-80): [ ] Complete Date: ______ Failed: ____
Batch 5 (PCs 81-100): [ ] Complete Date: ______ Failed: ____
Batch 6 (PCs 101-120): [ ] Complete Date: ______ Failed: ____
Batch 7 (PCs 121-140): [ ] Complete Date: ______ Failed: ____
Batch 8 (PCs 141-160): [ ] Complete Date: ______ Failed: ____
Batch 9 (PCs 161-175): [ ] Complete Date: ______ Failed: ____
Total Successful: _______ / 175
Total Failed: _______
================================================================================
FAILED PCs - REMEDIATION
================================================================================
Hostname: _______________ Reason: ________________ Remediated: [ ]
Hostname: _______________ Reason: ________________ Remediated: [ ]
Hostname: _______________ Reason: ________________ Remediated: [ ]
Hostname: _______________ Reason: ________________ Remediated: [ ]
Hostname: _______________ Reason: ________________ Remediated: [ ]
================================================================================
VERIFICATION
================================================================================
[ ] All PCs tested with Invoke-RemoteAssetCollection-HTTPS.ps1 -TestConnections
[ ] Connection log reviewed
[ ] Failed PCs documented
[ ] Asset collection script tested on sample PCs
[ ] Results verified in dashboard
================================================================================
POST-DEPLOYMENT CLEANUP
================================================================================
[ ] Certificate removed from network share
[ ] Certificate backed up securely to: _________________________
[ ] Password stored in password manager
[ ] Network share archived or removed
[ ] Deployment documented
[ ] Asset inventory updated
[ ] Success rate calculated: _____%
================================================================================
SIGN-OFF
================================================================================
Deployment completed by: _____________________ Date: ___________
Verified by: _____________________ Date: ___________
Total time: _______ hours
Notes:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
================================================================================
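Review bot: POST-DEPLOYMENT CLEANUP removes the certificate from the share but says nothing about the plaintext password that the same package ships in 0-START-HERE.txt, COPY-CERTIFICATE-HERE.txt and Deploy-WinRM-HTTPS-AutoPassword.bat; add items for deleting the AutoPassword batch file and scrubbing the password from the text files, otherwise the PRE-DEPLOYMENT item "[ ] Certificate password documented securely" cannot honestly be ticked. The VERIFICATION section could also record who ran each test PC deployment next to "By: ______" for the batch rows, since the deployment logs themselves only capture hostname and time.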

View File

@@ -0,0 +1,52 @@
================================================================================
IMPORTANT: CERTIFICATE FILE REQUIRED
================================================================================
Before deploying, you MUST copy the certificate file to this folder:
FILE TO COPY:
wildcard-logon-ds-ge-com-20251017.pfx
FROM:
C:\users\570005354\Downloads\winrm-https\wildcard-logon-ds-ge-com-20251017.pfx
TO:
This folder (deployment-package)
The certificate file is NOT included by default for security reasons.
================================================================================
HOW TO ADD THE CERTIFICATE
================================================================================
1. Locate the certificate file on your Windows machine:
C:\users\570005354\Downloads\winrm-https\wildcard-logon-ds-ge-com-20251017.pfx
2. Copy it to this deployment-package folder
3. Verify it's here alongside these files:
- Deploy-WinRM-HTTPS.bat
- Setup-WinRM-HTTPS.ps1
- wildcard-logon-ds-ge-com-20251017.pfx <-- Must be present!
4. When ready, copy this entire folder to network share
================================================================================
VERIFICATION
================================================================================
Before deploying to PCs, verify the certificate is present:
[ ] Certificate file exists in deployment-package folder
[ ] Certificate filename: wildcard-logon-ds-ge-com-20251017.pfx
[ ] Certificate file size: approximately 2-3 KB
[ ] Certificate password known: XqHuyaLZSyCYEcpsMz6h5
Once verified, you're ready to deploy!
================================================================================
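Review bot: the VERIFICATION line `[ ] Certificate password known: ...` repeats the PFX password in plaintext in a file that step 4 says to copy to the network share; replace the value with a reference to the password manager entry. The FROM path `C:\users\570005354\Downloads\winrm-https\...` is also one user's Downloads folder, which is not a controlled or backed-up location for a private key; the instructions should point at the access-restricted location where the certificate is actually kept, so that the file on the share is the only other copy and can be removed in cleanup.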

View File

@@ -0,0 +1,130 @@
@echo off
REM ============================================================================
REM Deploy-WinRM-HTTPS-AutoPassword.bat
REM Deploys WinRM HTTPS configuration with HARDCODED PASSWORD
REM
REM WARNING: This file contains the certificate password in PLAINTEXT!
REM For TESTING ONLY - Do NOT use in production!
REM For production, use Deploy-WinRM-HTTPS.bat which prompts for password
REM ============================================================================
REM Setup logging
set "LOG_DIR=S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
set "HOSTNAME=%COMPUTERNAME%"
set "TIMESTAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%"
set "TIMESTAMP=%TIMESTAMP: =0%"
set "LOG_FILE=%LOG_DIR%\%HOSTNAME%-%TIMESTAMP%.txt"
REM Create log directory if it doesn't exist
if not exist "%LOG_DIR%" (
mkdir "%LOG_DIR%" 2>nul
)
REM Start logging
echo ============================================================================ > "%LOG_FILE%"
echo WinRM HTTPS Deployment Log (AUTO-PASSWORD VERSION) >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Hostname: %HOSTNAME% >> "%LOG_FILE%"
echo Date/Time: %DATE% %TIME% >> "%LOG_FILE%"
echo Log File: %LOG_FILE% >> "%LOG_FILE%"
echo WARNING: Using hardcoded password for testing >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo. >> "%LOG_FILE%"
echo.
echo ========================================
echo WinRM HTTPS Deployment (AUTO-PASSWORD)
echo ========================================
echo.
echo WARNING: Using hardcoded password!
echo This version is for TESTING ONLY!
echo.
echo Logging to: %LOG_FILE%
echo.
REM Check for administrator privileges
net session >nul 2>&1
if %errorLevel% neq 0 (
echo [ERROR] This script requires Administrator privileges.
echo Please right-click and select "Run as Administrator"
echo.
echo [ERROR] Administrator privileges required >> "%LOG_FILE%"
pause
exit /b 1
)
echo [OK] Running with Administrator privileges
echo [OK] Running with Administrator privileges >> "%LOG_FILE%"
echo.
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"
echo Script directory: %SCRIPT_DIR%
echo Script directory: %SCRIPT_DIR% >> "%LOG_FILE%"
echo.
REM Check if Setup-WinRM-HTTPS.ps1 exists
if not exist "%SCRIPT_DIR%Setup-WinRM-HTTPS.ps1" (
echo [ERROR] Setup-WinRM-HTTPS.ps1 not found in script directory
echo [ERROR] Setup-WinRM-HTTPS.ps1 not found in script directory >> "%LOG_FILE%"
echo Please ensure all files are copied from the network share
echo Please ensure all files are copied from the network share >> "%LOG_FILE%"
echo.
pause
exit /b 1
)
REM Check if certificate exists
if not exist "%SCRIPT_DIR%wildcard-*.pfx" (
echo [ERROR] Wildcard certificate PFX not found in script directory
echo [ERROR] Wildcard certificate PFX not found in script directory >> "%LOG_FILE%"
echo Please ensure the certificate file is present
echo Please ensure the certificate file is present >> "%LOG_FILE%"
echo.
pause
exit /b 1
)
echo [OK] Required files found
echo [OK] Required files found >> "%LOG_FILE%"
echo.
REM ============================================================================
REM CERTIFICATE PASSWORD (HARDCODED FOR TESTING)
REM ============================================================================
REM TODO: Change this to your actual certificate password
set "CERT_PASSWORD=XqHuyaLZSyCYEcpsMz6h5"
REM ============================================================================
REM Execute PowerShell script with hardcoded password
echo Executing WinRM HTTPS setup with auto-password...
echo Executing WinRM HTTPS setup with auto-password... >> "%LOG_FILE%"
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
"$certPass = ConvertTo-SecureString '%CERT_PASSWORD%' -AsPlainText -Force; & '%SCRIPT_DIR%Setup-WinRM-HTTPS.ps1' -CertificatePath '%SCRIPT_DIR%wildcard-logon-ds-ge-com-20251017.pfx' -CertificatePassword $certPass -Domain 'logon.ds.ge.com' -LogFile '%LOG_FILE%'"
if %errorLevel% neq 0 (
echo.
echo [ERROR] Setup failed with error code: %errorLevel%
echo [ERROR] Setup failed with error code: %errorLevel% >> "%LOG_FILE%"
echo. >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Deployment FAILED >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo.
pause
exit /b %errorLevel%
)
echo.
echo ========================================
echo [SUCCESS] WinRM HTTPS Setup Complete
echo ========================================
echo.
echo ============================================================================ >> "%LOG_FILE%"
echo [SUCCESS] WinRM HTTPS Setup Complete >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Log saved to: %LOG_FILE%
echo.
pause
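Review bot: `set "CERT_PASSWORD=..."` embeds the PFX password, and the `PowerShell.exe ... -Command` line then expands it into the process command line, so it is exposed not only to anyone who can read the share but also to process-creation auditing (Security event 4688 with command-line logging, Sysmon event 1) and to any local user listing processes while it runs; the warning banner does not change that, and the file should not be in the package copied to the share. Two smaller points apply to both batch files: `LOG_DIR=S:\DT\ADATA\SCRIPT\DEPLOY\LOGS` is a mapped drive letter, and a process started with "Run as Administrator" does not inherit the user's drive mappings by default, so `mkdir "%LOG_DIR%" 2>nul` fails silently and every `>> "%LOG_FILE%"` redirect then errors on screen (use a UNC path); and `%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%` assumes the en-US `Ddd MM/DD/YYYY` short-date format, so the log filename is garbled on PCs with a different regional setting.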

View File

@@ -0,0 +1,115 @@
@echo off
REM ============================================================================
REM Deploy-WinRM-HTTPS.bat
REM Deploys WinRM HTTPS configuration to a shopfloor PC
REM ============================================================================
REM Setup logging
set "LOG_DIR=S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
set "HOSTNAME=%COMPUTERNAME%"
set "TIMESTAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%"
set "TIMESTAMP=%TIMESTAMP: =0%"
set "LOG_FILE=%LOG_DIR%\%HOSTNAME%-%TIMESTAMP%.txt"
REM Create log directory if it doesn't exist
if not exist "%LOG_DIR%" (
mkdir "%LOG_DIR%" 2>nul
)
REM Start logging
echo ============================================================================ > "%LOG_FILE%"
echo WinRM HTTPS Deployment Log >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Hostname: %HOSTNAME% >> "%LOG_FILE%"
echo Date/Time: %DATE% %TIME% >> "%LOG_FILE%"
echo Log File: %LOG_FILE% >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo. >> "%LOG_FILE%"
echo.
echo ========================================
echo WinRM HTTPS Deployment
echo ========================================
echo.
echo Logging to: %LOG_FILE%
echo.
REM Check for administrator privileges
net session >nul 2>&1
if %errorLevel% neq 0 (
echo [ERROR] This script requires Administrator privileges. | tee -a "%LOG_FILE%"
echo Please right-click and select "Run as Administrator" | tee -a "%LOG_FILE%"
echo.
echo [ERROR] Administrator privileges required >> "%LOG_FILE%"
pause
exit /b 1
)
echo [OK] Running with Administrator privileges
echo [OK] Running with Administrator privileges >> "%LOG_FILE%"
echo.
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"
echo Script directory: %SCRIPT_DIR%
echo Script directory: %SCRIPT_DIR% >> "%LOG_FILE%"
echo.
REM Check if Setup-WinRM-HTTPS.ps1 exists
if not exist "%SCRIPT_DIR%Setup-WinRM-HTTPS.ps1" (
echo [ERROR] Setup-WinRM-HTTPS.ps1 not found in script directory
echo [ERROR] Setup-WinRM-HTTPS.ps1 not found in script directory >> "%LOG_FILE%"
echo Please ensure all files are copied from the network share
echo Please ensure all files are copied from the network share >> "%LOG_FILE%"
echo.
pause
exit /b 1
)
REM Check if certificate exists
if not exist "%SCRIPT_DIR%wildcard-*.pfx" (
echo [ERROR] Wildcard certificate PFX not found in script directory
echo [ERROR] Wildcard certificate PFX not found in script directory >> "%LOG_FILE%"
echo Please ensure the certificate file is present
echo Please ensure the certificate file is present >> "%LOG_FILE%"
echo.
pause
exit /b 1
)
echo [OK] Required files found
echo [OK] Required files found >> "%LOG_FILE%"
echo.
REM Execute PowerShell script
echo Executing WinRM HTTPS setup...
echo Executing WinRM HTTPS setup... >> "%LOG_FILE%"
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
"& '%SCRIPT_DIR%Setup-WinRM-HTTPS.ps1' -CertificatePath '%SCRIPT_DIR%wildcard-logon-ds-ge-com-20251017.pfx' -Domain 'logon.ds.ge.com' -LogFile '%LOG_FILE%'"
if %errorLevel% neq 0 (
echo.
echo [ERROR] Setup failed with error code: %errorLevel%
echo [ERROR] Setup failed with error code: %errorLevel% >> "%LOG_FILE%"
echo. >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Deployment FAILED >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo.
pause
exit /b %errorLevel%
)
echo.
echo ========================================
echo [SUCCESS] WinRM HTTPS Setup Complete
echo ========================================
echo.
echo ============================================================================ >> "%LOG_FILE%"
echo [SUCCESS] WinRM HTTPS Setup Complete >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Log saved to: %LOG_FILE%
echo.
pause
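Review bot: the administrator-check branch uses `echo ... | tee -a "%LOG_FILE%"`, but `tee` is not a cmd.exe command, so on a stock Windows PC those two lines print `'tee' is not recognized` and the intended message is never shown or logged; replace them with the plain `echo` plus `>> "%LOG_FILE%"` pair used everywhere else in this file (Deploy-WinRM-HTTPS-AutoPassword.bat already has the correct form). Separately, the existence check is `if not exist "%SCRIPT_DIR%wildcard-*.pfx"` while the PowerShell line hard-codes `wildcard-logon-ds-ge-com-20251017.pfx`, so a renewed certificate with a different date suffix passes the check and fails inside the script; resolve the wildcard into a variable or check the exact filename. Finally, `if %errorLevel% neq 0` after `PowerShell.exe -Command` only reflects whether the last statement of Setup-WinRM-HTTPS.ps1 succeeded or the script called `exit` with a non-zero code; an earlier non-terminating error followed by a successful last statement still yields 0 and prints `[SUCCESS]`, so the script should set `$ErrorActionPreference = 'Stop'` or return explicit exit codes.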

View File

@@ -0,0 +1,206 @@
================================================================================
DEPLOYMENT LOGGING DOCUMENTATION
================================================================================
All deployment activity is automatically logged to:
S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
Log files are named: HOSTNAME-YYYYMMDD-HHMMSS.txt
================================================================================
LOG FILE NAMING
================================================================================
Format: HOSTNAME-YYYYMMDD-HHMMSS.txt
Examples:
G1JJVH63ESF-20251017-143022.txt
G1JJXH63ESF-20251017-143155.txt
G1JKYH63ESF-20251017-143301.txt
Components:
- HOSTNAME: Computer name (from %COMPUTERNAME%)
- YYYYMMDD: Date (Year, Month, Day)
- HHMMSS: Time (Hour, Minute, Second)
================================================================================
WHAT IS LOGGED
================================================================================
Each log file contains:
- Deployment start time
- Hostname and system information
- Administrator privilege check
- Certificate import status
- WinRM HTTPS listener creation
- Firewall rule configuration
- All success and error messages
- Final deployment status (SUCCESS or FAILED)
================================================================================
LOG LOCATION
================================================================================
Network Path: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
The batch file automatically:
- Creates the log directory if it doesn't exist
- Creates a new log file for each deployment
- Logs all output (success and errors)
- Shows log file location on screen
================================================================================
VIEWING LOGS
================================================================================
Method 1: Manual Browse
1. Open Windows Explorer
2. Navigate to: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
3. Open log files with Notepad
Method 2: PowerShell Script (Recommended)
.\View-DeploymentLogs.ps1
Available options:
- List all logs
- Show latest logs
- Search by hostname
- Filter by success/failure
- Generate summary report
Method 3: Command Line
# View latest log
Get-Content S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*.txt | Select-Object -Last 50
# Search for errors
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*.txt |
Select-String "ERROR|FAIL"
# List logs for specific PC
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G1JJVH63ESF-*.txt
================================================================================
LOG FILE EXAMPLE
================================================================================
G1JJVH63ESF-20251017-143022.txt:
============================================================================
WinRM HTTPS Deployment Log
============================================================================
Hostname: G1JJVH63ESF
Date/Time: 10/17/2025 14:30:22
Log File: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G1JJVH63ESF-20251017-143022.txt
============================================================================
[OK] Running with Administrator privileges
Script directory: \\SERVER\WinRM-HTTPS\
[OK] Required files found
Executing WinRM HTTPS setup...
=== WinRM HTTPS Setup Script ===
Date: 10/17/2025 14:30:23
Logging to: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G1JJVH63ESF-20251017-143022.txt
=== Importing Certificate ===
Importing certificate from: \\SERVER\WinRM-HTTPS\wildcard-logon-ds-ge-com-20251017.pfx
[OK] Certificate imported successfully
Subject: CN=*.logon.ds.ge.com
Thumbprint: C1412765B2839E9081FCEA77BB1E6D8840203509
Expiration: 10/17/2027 08:16:34
=== Creating WinRM HTTPS Listener ===
Hostname: g1jjvh63esf.logon.ds.ge.com
Port: 5986
[OK] HTTPS listener created successfully
=== Configuring Windows Firewall ===
Creating firewall rule for port 5986...
[OK] Firewall rule created
============================================================================
[SUCCESS] WinRM HTTPS Setup Complete
============================================================================
================================================================================
TROUBLESHOOTING WITH LOGS
================================================================================
To find failed deployments:
.\View-DeploymentLogs.ps1 -Failed
To check specific PC:
.\View-DeploymentLogs.ps1 -Hostname "G1JJVH63ESF"
To see recent activity:
.\View-DeploymentLogs.ps1 -Latest 10
To generate deployment report:
.\View-DeploymentLogs.ps1
(Select option 6: Generate summary report)
================================================================================
LOG RETENTION
================================================================================
Recommendation:
- Keep logs for 90 days minimum
- Archive older logs to backup location
- Review logs periodically for issues
Log Management:
# Delete logs older than 90 days
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*.txt |
Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-90)} |
Remove-Item
# Archive old logs
$archiveDate = (Get-Date).AddDays(-30)
$logs = Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*.txt |
Where-Object {$_.LastWriteTime -lt $archiveDate}
Compress-Archive -Path $logs -DestinationPath "S:\DT\ADATA\SCRIPT\DEPLOY\ARCHIVE\logs-$(Get-Date -Format 'yyyyMM').zip"
================================================================================
BENEFITS OF LOGGING
================================================================================
1. Troubleshooting
- See exactly what happened during deployment
- Identify error patterns
- Debug certificate or network issues
2. Tracking
- Know which PCs have been deployed
- See deployment timestamps
- Track multiple deployment attempts
3. Compliance
- Audit trail of all deployments
- Document when/who deployed
- Compliance with IT policies
4. Reporting
- Generate deployment statistics
- Identify problem PCs
- Calculate success rates
================================================================================
INTEGRATION WITH OTHER SYSTEMS
================================================================================
Logs can be:
- Imported into SIEM systems
- Parsed for monitoring dashboards
- Analyzed for trends
- Used for automated alerting
Example: Send email alert on failure
$failed = Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*.txt |
Select-String "FAILED" | Select-Object -Last 1
if ($failed) {
Send-MailMessage -To "it@example.com" -Subject "Deployment Failed" -Body $failed
}
================================================================================
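Review bot: under Method 3, `Get-Content S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*.txt | Select-Object -Last 50` is labelled `# View latest log`, but Get-Content with a wildcard concatenates every matching file, so this shows the last 50 lines of whichever file enumerates last, not the most recent deployment; use `Get-ChildItem ... | Sort-Object LastWriteTime -Descending | Select-Object -First 1 | Get-Content`. In the email example, `Send-MailMessage` is called without `-From` (mandatory) and without `-SmtpServer` (required unless `$PSEmailServer` is set), so it fails as written, and `-Body $failed` sends the MatchInfo's `path:line:text` form rather than the log text (`$failed.Line` or the file path is clearer). On the security side, every shopfloor PC needs write access to the LOGS folder, so the share and NTFS ACLs should allow creating files but not modifying or deleting existing ones if these logs are to be the "Audit trail" the Compliance section claims; note also that the logs record hostname and time but not which account ran the deployment, so "Document when/who deployed" is only half true.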

View File

@@ -0,0 +1,536 @@
# Network Share Deployment Guide
This guide explains how to deploy WinRM HTTPS to shopfloor PCs using a network share.
## Overview
Instead of manually copying files to each PC, you can:
1. Place all files on a network share
2. Access the share from each PC
3. Run a batch file to install
This is faster and ensures all PCs get the same configuration.
## Setup Network Share
### Step 1: Create Network Share
**On your file server or management computer:**
```powershell
# Create deployment folder
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy all required files to deployment folder
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath -Recurse
# Share the folder
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -FullAccess "Everyone"
```
**Or manually:**
1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder → Properties → Sharing → Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)
### Step 2: Verify Share Access
**From another computer:**
```powershell
# Test access (replace SERVER with your server name)
Test-Path "\\SERVER\WinRM-HTTPS"
# List files
Get-ChildItem "\\SERVER\WinRM-HTTPS"
```
Expected files:
-`Deploy-WinRM-HTTPS.bat`
-`Setup-WinRM-HTTPS.ps1`
-`wildcard-logon-ds-ge-com-20251017.pfx`
- ✅ Other PS1 scripts
---
## Required Files for Deployment
### Minimal Deployment Package
For basic deployment, you need:
```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (NEW - Main deployment script)
├── Setup-WinRM-HTTPS.ps1 (WinRM HTTPS setup)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED)
└── README.txt (Optional - Instructions)
```
### Complete Package (Recommended)
Include everything for troubleshooting:
```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (Deployment batch file)
├── Test-WinRM-HTTPS.bat (Test batch file)
├── Setup-WinRM-HTTPS.ps1 (WinRM setup script)
├── Test-WinRM-HTTPS-Setup.ps1 (Test script)
├── Generate-WildcardCert.ps1 (Certificate generator - optional)
├── Generate-WildcardCert-Alternative.ps1 (Alternative generator)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED!)
├── README.md (Documentation)
├── GETTING_STARTED.md (User guide)
├── NETWORK_SHARE_DEPLOYMENT.md (This file)
└── TROUBLESHOOTING_CERTIFICATE_GENERATION.md
```
---
## Deployment Methods
### Method 1: User Runs from Network Share (Simplest)
**On each shopfloor PC:**
1. Open Windows Explorer
2. Navigate to: `\\SERVER\WinRM-HTTPS`
3. Right-click `Deploy-WinRM-HTTPS.bat`
4. Select "Run as Administrator"
5. Enter certificate password when prompted
6. Wait for completion
**Advantages:**
- ✅ Simple - no copying needed
- ✅ Always uses latest files
- ✅ No local disk space used
**Disadvantages:**
- ⚠️ Requires network connectivity during install
- ⚠️ Slower if network is congested
---
### Method 2: Copy to Local Then Run (Recommended)
**On each shopfloor PC:**
```powershell
# Copy files locally first
New-Item -Path "C:\Temp\WinRM-Setup" -ItemType Directory -Force
Copy-Item "\\SERVER\WinRM-HTTPS\*" -Destination "C:\Temp\WinRM-Setup\" -Recurse
# Run locally
cd C:\Temp\WinRM-Setup
.\Deploy-WinRM-HTTPS.bat
```
**Or using batch file:**
```batch
@echo off
echo Copying deployment files...
xcopy "\\SERVER\WinRM-HTTPS\*" "C:\Temp\WinRM-Setup\" /E /Y
cd /d C:\Temp\WinRM-Setup
Deploy-WinRM-HTTPS.bat
```
**Advantages:**
- ✅ Faster execution
- ✅ Works if network connection lost
- ✅ Can verify files before running
**Disadvantages:**
- ⚠️ Uses local disk space
- ⚠️ Extra copy step
---
### Method 3: Remote Execution (Advanced)
**From management computer, deploy to multiple PCs:**
```powershell
# List of target PCs
$targetPCs = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -First 5
# Your credentials
$cred = Get-Credential -Message "Enter domain admin credentials"
# Deploy to each PC
foreach ($hostname in $targetPCs) {
Write-Host "Deploying to $hostname..." -ForegroundColor Yellow
try {
# Copy files to remote PC
$remotePath = "\\$hostname\C$\Temp\WinRM-Setup"
New-Item -Path $remotePath -ItemType Directory -Force
Copy-Item "C:\Deployment\WinRM-HTTPS\*" -Destination $remotePath -Recurse
# Execute remotely
Invoke-Command -ComputerName $hostname -Credential $cred -ScriptBlock {
Set-Location "C:\Temp\WinRM-Setup"
# Run PowerShell script directly
$certPath = "C:\Temp\WinRM-Setup\wildcard-logon-ds-ge-com-20251017.pfx"
$certPass = ConvertTo-SecureString "XqHuyaLZSyCYEcpsMz6h5" -AsPlainText -Force
& "C:\Temp\WinRM-Setup\Setup-WinRM-HTTPS.ps1" `
-CertificatePath $certPath `
-CertificatePassword $certPass `
-Domain "logon.ds.ge.com"
}
Write-Host "[OK] $hostname - Deployment complete" -ForegroundColor Green
}
catch {
Write-Host "[FAIL] $hostname - $($_.Exception.Message)" -ForegroundColor Red
}
}
```
**Advantages:**
- ✅ Deploy to many PCs from one location
- ✅ No physical access needed
- ✅ Can run overnight/batch
**Disadvantages:**
- ⚠️ Requires existing remote access (WinRM or admin shares)
- ⚠️ More complex
- ⚠️ Password visible in script (use secure credential management)
---
### Method 4: Group Policy Startup Script
**For domain-joined computers:**
1. **Copy files to NETLOGON share:**
```
\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\
```
2. **Create GPO:**
- Open Group Policy Management
- Create new GPO: "Deploy WinRM HTTPS"
- Edit GPO
3. **Add Startup Script:**
- Computer Configuration → Policies → Windows Settings → Scripts
- Startup → Add
- Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`
4. **Link GPO to OU:**
- Link to Shopfloor Computers OU
- PCs will run script on next reboot
**Advantages:**
- ✅ Automated deployment
- ✅ Centrally managed
- ✅ Runs with SYSTEM privileges
**Disadvantages:**
- ⚠️ Requires domain environment
- ⚠️ Requires restart
- ⚠️ Password handling more complex
---
## Security Considerations
### Certificate Password
**Problem:** The batch file and scripts need the certificate password.
**Solutions:**
**Option 1: Interactive Prompt (Recommended for Manual)**
```batch
REM Batch file prompts user
Deploy-WinRM-HTTPS.bat
REM User types password when prompted
```
**Option 2: Encrypted File (Automation, same account and machine only)**
`Export-Clixml` protects a SecureString with DPAPI, keyed to the user account *and* the computer that wrote it. A file exported on the management server can only be read back by that same account on that same server. It therefore does not work as a shared file that 175 PCs (or a GPO startup script running as SYSTEM) read from `\\SERVER\WinRM-HTTPS`; every other machine gets a decryption error. Use it where the same account decrypts on the machine that encrypted, for example a scheduled task on the management server. For a file other machines must read, encrypt with an explicit AES key (`ConvertFrom-SecureString -Key` / `ConvertTo-SecureString -Key`) and keep the key file readable only by the accounts that must decrypt; the key then becomes the secret to protect.
```powershell
# One-time setup on the management server: store password encrypted
# (DPAPI: readable only by this user on this machine)
$certPass = Read-Host "Enter cert password" -AsSecureString
$certPass | Export-Clixml -Path "C:\Deployment\cert-password.xml"
# Modify Deploy-WinRM-HTTPS.bat to use:
#   -CertificatePasswordFile "C:\Deployment\cert-password.xml"
```
**Option 3: Environment Variable (Less Secure)**
A machine-scope environment variable is readable by every local user and every process on the PC, and the `setx` command line (password included) ends up in shell history, logon scripts and any command-line auditing. Treat this as equivalent to a plaintext file.
```batch
REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```
**⚠️ Never:**
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
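The following is an added example, not part of the deployment package or its scripts: a storage scheme for the PFX password that works across machines, for the GPO startup script (Method 4) and for scripted deployments. The password is encrypted with an AES key kept in a separate, ACL-restricted file, and a helper returns it as a SecureString that can be passed straight to `Setup-WinRM-HTTPS.ps1 -CertificatePassword`. The share paths, the separate key share, and the group names `DOMAIN\IT Admins` and `DOMAIN\Domain Computers` are assumptions for illustration. The trade-off is stated plainly in the comments: anyone who can read both files recovers the password, so this hides it from users browsing the share but not from an attacker who is SYSTEM on a PC that is allowed to decrypt.

```powershell
# Added example: portable encrypted storage for the PFX password (not part of the
# repository; Deploy-WinRM-HTTPS.bat does not read these files unless modified).
#
# Why not Export-Clixml: a SecureString exported that way is DPAPI-protected and
# decrypts only for the same account on the same computer. A file that many PCs
# (or a GPO startup script running as SYSTEM) must read needs an explicit AES key.
# The key file is then the secret: give it a narrower ACL than the .enc file and
# never store the two with the same permissions.
# Paths and the DOMAIN\... group names below are assumptions.

function New-EncryptedCertPassword {
    param(
        [Parameter(Mandatory)][string]$KeyPath,       # e.g. \\SERVER\WinRM-HTTPS-Key\cert-password.key
        [Parameter(Mandatory)][string]$PasswordPath   # e.g. \\SERVER\WinRM-HTTPS\cert-password.enc
    )
    # 32 random bytes = AES-256 key accepted by ConvertFrom-SecureString -Key
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyPath, $key)

    # Replace inherited NTFS ACEs on the key file with an explicit read-only list:
    # SYSTEM and the computer accounts (for the GPO/SYSTEM path) plus the deploying admins.
    $acl = Get-Acl -Path $KeyPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'DOMAIN\IT Admins', 'DOMAIN\Domain Computers') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl

    # Prompt once; the password never appears on a command line or in clear in the file
    $secure = Read-Host -Prompt "Enter PFX password" -AsSecureString
    $secure | ConvertFrom-SecureString -Key $key | Set-Content -Path $PasswordPath -Encoding ASCII
}

function Get-EncryptedCertPassword {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$PasswordPath
    )
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    if ($key.Length -notin 16, 24, 32) { throw "Key file $KeyPath is not a valid AES key" }
    # Returns a SecureString; pass it to Import-PfxCertificate -Password or to
    # Setup-WinRM-HTTPS.ps1 -CertificatePassword
    Get-Content -Path $PasswordPath -TotalCount 1 | ConvertTo-SecureString -Key $key
}

# One-time setup on the management server:
#   New-EncryptedCertPassword -KeyPath '\\SERVER\WinRM-HTTPS-Key\cert-password.key' `
#                             -PasswordPath '\\SERVER\WinRM-HTTPS\cert-password.enc'
# On a target PC (from a modified deployment script or a GPO startup script):
#   $certPass = Get-EncryptedCertPassword -KeyPath '\\SERVER\WinRM-HTTPS-Key\cert-password.key' `
#                                         -PasswordPath '\\SERVER\WinRM-HTTPS\cert-password.enc'
#   .\Setup-WinRM-HTTPS.ps1 -CertificatePath .\wildcard-logon-ds-ge-com-20251017.pfx `
#                           -CertificatePassword $certPass -Domain logon.ds.ge.com
```

Because the shopfloor PCs must be able to decrypt, `Domain Computers` has read on the key file; the gain over a hardcoded password is that ordinary users browsing the deployment share see only ciphertext. Rotate the PFX password (and the key) once the rollout is complete, as the Cleanup phase already requires.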
### Share Permissions
**Recommended permissions:**
- **Read:** the accounts that actually open the share. With the manual method (right-click → Run as Administrator) that is the *logged-on admin user*, not the computer account. With the GPO startup script (runs as SYSTEM) the share is accessed as the *computer account*, so "Domain Computers" (or a Shopfloor Computers group) needs Read. Grant both if you use both methods.
- **Change/Full Control:** IT Admins only
```powershell
# Set proper permissions (run on the file server hosting the share)
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\Domain Computers" -AccessRight Read -Force
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -AccessRight Full -Force
# Remove the default "Everyone" entry that New-SmbShare creates when no access
# parameters are given; the share holds the private key
Revoke-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "Everyone" -Force -ErrorAction SilentlyContinue
# NTFS permissions on the folder apply as well; effective access is the more restrictive of the two
```
### Certificate Protection
The certificate PFX file contains the private key. Protect it:
1. **Use share permissions** to restrict access
2. **Use certificate password** (you did ✅)
3. **Monitor access** to the share
4. **Delete from share** after deployment complete
---
## Deployment Workflow
### Recommended Workflow
**Phase 1: Prepare (One Time)**
```
1. Create network share: \\SERVER\WinRM-HTTPS
2. Copy all deployment files
3. Test from one PC
4. Document password securely
```
**Phase 2: Test Deployment (3-5 PCs)**
```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat → Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
```
**Phase 3: Full Deployment (All 175 PCs)**
```
Option A: Manual
- Visit each PC or send instructions to users
- Run Deploy-WinRM-HTTPS.bat
Option B: Remote
- Use remote execution script
- Deploy in batches of 20
Option C: Automated
- Use GPO startup script
- Schedule during maintenance window
```
**Phase 4: Verification**
```
1. Run connection test:
.\Invoke-RemoteAssetCollection-HTTPS.ps1 -TestConnections
2. Check logs for failures
3. Remediate failed PCs
```
**Phase 5: Cleanup**
```
1. Remove certificate from network share
2. Store password in secure vault
3. Document deployed PCs
4. Update asset inventory
```
---
## Example: Complete Deployment Session
### Step 1: Setup Share
```powershell
# On management server
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy files
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath
# Share: Read for the accounts that run the deployment, Full Control for admins only.
# Do not use "Everyone": the share holds the PFX (private key).
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath `
    -ReadAccess "DOMAIN\Domain Computers" -FullAccess "DOMAIN\IT Admins"
Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
```
### Step 2: Test on One PC
**On test PC (G1JJVH63ESF):**
1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` → Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion
### Step 3: Verify
**From management server:**
```powershell
# Test connection
Test-WSMan -ComputerName "G1JJVH63ESF.logon.ds.ge.com" -UseSSL -Port 5986
# If successful, create session
$cred = Get-Credential
$session = New-PSSession -ComputerName "G1JJVH63ESF.logon.ds.ge.com" `
-UseSSL -Port 5986 -Credential $cred
# Test command
Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
# Cleanup
Remove-PSSession $session
```
### Step 4: Deploy to Next Batch
```powershell
# Deploy to next 5 PCs
$nextBatch = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -Skip 1 -First 5
foreach ($hostname in $nextBatch) {
Write-Host "`nDeploying to $hostname..." -ForegroundColor Cyan
# Instructions for manual deployment
Write-Host "1. RDP/physically access: $hostname" -ForegroundColor Yellow
Write-Host "2. Open: \\MANAGEMENT-SERVER\WinRM-HTTPS" -ForegroundColor Yellow
Write-Host "3. Run: Deploy-WinRM-HTTPS.bat (as Administrator)" -ForegroundColor Yellow
Write-Host "4. Password: XqHuyaLZSyCYEcpsMz6h5" -ForegroundColor Yellow
$continue = Read-Host "`nPress Enter when complete (or S to skip)"
if ($continue -eq 'S') { continue }
# Test after deployment
try {
Test-WSMan -ComputerName "$hostname.logon.ds.ge.com" -UseSSL -Port 5986 -ErrorAction Stop
Write-Host "[OK] $hostname - WinRM HTTPS working" -ForegroundColor Green
}
catch {
Write-Host "[FAIL] $hostname - Could not connect" -ForegroundColor Red
}
}
```
---
## Troubleshooting Network Share Deployment
### Problem: "Cannot access network share"
**Check:**
```powershell
# Test connectivity (SMB)
Test-NetConnection -ComputerName SERVER -Port 445
# Test share access from this client
Test-Path "\\SERVER\WinRM-HTTPS"
# List shares and check share permissions on the server (remote CIM session;
# without -CimSession these cmdlets query the local machine)
Get-SmbShare -CimSession SERVER
Get-SmbShareAccess -Name "WinRM-HTTPS" -CimSession SERVER
```
**Solution:**
- Verify share exists
- Check firewall (port 445)
- Verify user has Read access
- Try with UNC path: `\\SERVER.domain.com\WinRM-HTTPS`
---
### Problem: "Access Denied" running batch file
**Solution:**
- Right-click → Run as Administrator
- User must be local admin on PC
- Check UAC settings
---
### Problem: Certificate password prompt fails
**Solution:**
- Modify batch file to read from file
- Use encrypted credential file
- Or hardcode temporarily for testing (remove after)
---
## Creating README for Network Share
```text
# WinRM HTTPS Deployment
This folder contains files to deploy WinRM HTTPS to shopfloor PCs.
## Quick Start
1. Right-click Deploy-WinRM-HTTPS.bat
2. Select "Run as Administrator"
3. Enter certificate password when prompted
4. Wait for completion
## Password
Contact IT Support for the certificate password.
## Files
- Deploy-WinRM-HTTPS.bat - Main deployment script
- Setup-WinRM-HTTPS.ps1 - PowerShell setup script
- wildcard-*.pfx - Certificate (DO NOT DELETE)
## Support
For issues, contact: IT Support / Extension: XXXX
```
Save as `README.txt` in the share.
---
## Summary
**Best Practice for Your Scenario:**
1. ✅ Create network share: `\\SERVER\WinRM-HTTPS`
2. ✅ Include:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
3. ✅ Deploy to 3-5 test PCs manually
4. ✅ Verify each deployment
5. ✅ Deploy to remaining PCs in batches
6. ✅ Remove certificate from share when done
**Certificate Password Storage:**
- Store in password manager
- Share only with authorized personnel
- Use encrypted files for automation
**The batch files handle:**
- ✅ Administrator check
- ✅ File verification
- ✅ Error handling
- ✅ User feedback


@@ -0,0 +1,274 @@
================================================================================
QUICK CONNECTION REFERENCE - WinRM HTTPS
================================================================================
HOW TO CONNECT TO REMOTE PC FROM YOUR COMPUTER
================================================================================
METHOD 1: BASIC TEST (No Authentication Required)
================================================================================
Test if WinRM HTTPS is responding:
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Replace "g9kn7pz3esf" with any PC hostname.
Expected Output:
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
================================================================================
METHOD 2: INTERACTIVE SESSION (Most Common)
================================================================================
Get an interactive PowerShell prompt on the remote PC:
# Get credentials (will prompt)
$cred = Get-Credential
# Connect
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Your prompt will change to show the remote computer name:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
Run commands normally. To exit:
Exit-PSSession
================================================================================
METHOD 3: RUN SINGLE COMMAND (Quick Tasks)
================================================================================
Execute a command without entering interactive mode:
# Get credentials first
$cred = Get-Credential
# Run command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { hostname }
Example - Get system info:
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { Get-ComputerInfo | Select-Object CsName, OsVersion, TotalPhysicalMemory }
================================================================================
METHOD 4: PERSISTENT SESSION (Multiple Commands)
================================================================================
Create a reusable connection:
# Get credentials
$cred = Get-Credential
# Create session
$session = New-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# Use session multiple times (faster than reconnecting)
Invoke-Command -Session $session -ScriptBlock { Get-Service }
Invoke-Command -Session $session -ScriptBlock { Get-Process }
Invoke-Command -Session $session -ScriptBlock { ipconfig }
# Close when done
Remove-PSSession $session
================================================================================
CERTIFICATE TRUST ISSUE? (Self-Signed Certs)
================================================================================
If you get certificate errors, you can skip certificate validation FOR TESTING
ONLY. -SkipCACheck and -SkipCNCheck turn off server authentication: the client
accepts any certificate, so a host on the network path can impersonate the
target and capture your session and credentials. The proper fix is to install
the issuing CA certificate on your computer (see TROUBLESHOOTING below).
    # Create session option
    $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
    # Use with the session cmdlets. Test-WSMan has no -SessionOption parameter
    # and always validates the certificate; for an unauthenticated identify that
    # skips the checks use the winrm command-line tool instead:
    winrm identify -r:https://g9kn7pz3esf.logon.ds.ge.com:5986 -auth:none -skipCAcheck -skipCNcheck
    Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption
    Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption `
    -ScriptBlock { hostname }
================================================================================
CONNECTING TO MULTIPLE PCs
================================================================================
Test/connect to all shopfloor PCs:
# List of hostnames
$pcs = @("g1jjvh63esf", "g1jjxh63esf", "g9kn7pz3esf")
# Get credentials once
$cred = Get-Credential
# Test all PCs
foreach ($pc in $pcs) {
$fqdn = "$pc.logon.ds.ge.com"
Write-Host "Testing $fqdn..." -ForegroundColor Yellow
try {
Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop
Write-Host " [OK] $fqdn is responding" -ForegroundColor Green
} catch {
Write-Host " [FAIL] $fqdn failed: $($_.Exception.Message)" -ForegroundColor Red
}
}
================================================================================
USEFUL REMOTE COMMANDS
================================================================================
Once connected (via Enter-PSSession or Invoke-Command), try these:
System Information:
hostname
ipconfig
Get-ComputerInfo
systeminfo
WinRM Status:
Get-Service WinRM
winrm enumerate winrm/config/listener
Get-ChildItem Cert:\LocalMachine\My
Services:
Get-Service
Get-Service WinRM | Select-Object Name, Status, StartType
Processes:
Get-Process
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Disk Space:
Get-PSDrive -PSProvider FileSystem
Event Logs:
Get-EventLog -LogName System -Newest 10
================================================================================
TROUBLESHOOTING
================================================================================
Cannot Reach PC:
Test-Connection g9kn7pz3esf.logon.ds.ge.com
Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
Test-NetConnection -ComputerName g9kn7pz3esf.logon.ds.ge.com -Port 5986
Authentication Failed:
# Try different username formats:
Get-Credential -UserName "DOMAIN\username"
Get-Credential -UserName ".\localadmin"
Get-Credential -UserName "G9KN7PZ3ESF\username"
Certificate Errors:
    # Skipping validation is for testing only (see above). The proper fix is to
    # trust the issuer: import the certificate of the CA that issued the wildcard
    # (or the wildcard's own public .cer if it is self-signed) into the Trusted
    # Root store on YOUR computer. Import the .cer, never the PFX.
    Import-Certificate -FilePath "C:\path\to\cert.cer" `
    -CertStoreLocation Cert:\LocalMachine\Root
WinRM Client Settings (run as Administrator on YOUR computer):
    # The WinRM service must be running to act as a client. Enable-PSRemoting
    # also creates an HTTP listener on your own PC, which an outbound client
    # does not need; Start-Service WinRM is enough for connecting out.
    Enable-PSRemoting -Force
    # TrustedHosts is NOT needed for HTTPS connections: the server is
    # authenticated by its certificate. It only matters for HTTP (5985) with
    # NTLM/Basic authentication to hosts that cannot use Kerberos. Every name
    # listed here is a host your client will authenticate to over plain HTTP,
    # so leave it empty unless you have such a case.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.logon.ds.ge.com" -Force
    # View current settings
    Get-Item WSMan:\localhost\Client\TrustedHosts
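Before deciding whether a certificate error is a simple trust problem (install the CA) or a wrong or unexpected certificate on the listener, look at what the listener actually presents. The following is an added example and not part of the repository: it completes a TLS handshake to port 5986 without sending credentials, reads the server certificate, validates the chain against the local trust store and checks the wildcard name rule, so it also covers the case where Test-WSMan cannot help because it has no -SessionOption parameter. The expected thumbprint is a placeholder you would take from the deployed PFX (for example with Get-PfxCertificate).

```powershell
# Added example: inspect and independently validate the certificate a WinRM HTTPS
# listener presents, instead of connecting with -SkipCACheck/-SkipCNCheck.
# Not part of the deployment package. The expected thumbprint is a placeholder.

function Get-WinRmListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5986
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = $null
    try {
        # This connection carries no credentials and no commands; it only completes
        # the TLS handshake so the server certificate can be read. Accepting any
        # certificate *here* is therefore safe. Validation happens below, explicitly.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)   # $ComputerName is also sent as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against this client's trust store, as Enter-PSSession would
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainValid = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Name check with the wildcard rule: *.logon.ds.ge.com covers
        # host.logon.ds.ge.com but not a.b.logon.ds.ge.com
        $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $nameMatch = $false
        foreach ($n in $dnsNames) {
            if ($n -eq $ComputerName) { $nameMatch = $true; break }
            if ($n.StartsWith('*.')) {
                $suffix = $n.Substring(1)
                if ($ComputerName.Length -gt $suffix.Length -and
                    $ComputerName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
                    -not $ComputerName.Substring(0, $ComputerName.Length - $suffix.Length).Contains('.')) {
                    $nameMatch = $true; break
                }
            }
        }

        [pscustomobject]@{
            ComputerName = $ComputerName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            DnsNames     = $dnsNames -join ', '
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            NameMatches  = $nameMatch
            ChainValid   = $chainValid
            ChainStatus  = $chainStatus
            TlsProtocol  = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage: compare with the certificate you deployed before trusting anything.
$expectedThumbprint = 'REPLACE-WITH-DEPLOYED-PFX-THUMBPRINT'   # placeholder
$info = Get-WinRmListenerCertificate -ComputerName 'g9kn7pz3esf.logon.ds.ge.com'
$info | Format-List
if ($info.Thumbprint -ne $expectedThumbprint) {
    Write-Warning "Listener presents a different certificate than the one deployed; do not bypass checks."
} elseif (-not $info.NameMatches) {
    Write-Warning "Certificate does not cover $($info.ComputerName); check the listener Hostname and the FQDN."
} elseif (-not $info.ChainValid) {
    Write-Warning "Deployed certificate is present but not trusted here ($($info.ChainStatus)); import the issuing CA into Cert:\LocalMachine\Root instead of using -SkipCACheck."
} else {
    Write-Host "Certificate is the deployed one, covers the host, and chains to a trusted CA." -ForegroundColor Green
}
```

New-PSSessionOption has no thumbprint pinning, so the only correct fix for a ChainValid = False result on the right certificate is to trust the issuing CA; a different thumbprint means the PC is not running the deployed listener and should be investigated, not skipped past.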
================================================================================
COMPLETE TESTING SCRIPT
================================================================================
Save this as Test-RemotePC.ps1 and run it:
param(
    [Parameter(Mandatory)][string]$ComputerName,
    # Testing only: accept any certificate for the authenticated test.
    # Off by default so an untrusted or wrong certificate is reported, not hidden.
    [switch]$SkipCertificateChecks
)
Write-Host "Testing $ComputerName..." -ForegroundColor Cyan
# Test connectivity
if (Test-Connection $ComputerName -Count 2 -Quiet) {
    Write-Host "  [OK] PC is reachable" -ForegroundColor Green
} else {
    Write-Host "  [FAIL] Cannot reach PC" -ForegroundColor Red
    exit 1
}
# Test WinRM HTTPS. Test-WSMan has no -SessionOption parameter, so it always
# validates the certificate; a trust problem shows up here as a certificate error.
try {
    Test-WSMan -ComputerName $ComputerName -UseSSL -Port 5986 -ErrorAction Stop
    Write-Host "  [OK] WinRM HTTPS is responding" -ForegroundColor Green
} catch {
    Write-Host "  [FAIL] WinRM HTTPS identify failed: $($_.Exception.Message)" -ForegroundColor Red
    if (-not $SkipCertificateChecks) { exit 1 }
    Write-Host "  [WARN] Continuing with certificate checks disabled (testing only)" -ForegroundColor Yellow
}
# Test authenticated connection
$sessionOption = if ($SkipCertificateChecks) {
    New-PSSessionOption -SkipCACheck -SkipCNCheck
} else {
    New-PSSessionOption
}
$cred = Get-Credential
try {
    $result = Invoke-Command -ComputerName $ComputerName -Credential $cred `
        -UseSSL -Port 5986 -SessionOption $sessionOption `
        -ScriptBlock { hostname } -ErrorAction Stop
    Write-Host "  [OK] Remote command succeeded: $result" -ForegroundColor Green
} catch {
    # Report the real reason; not every failure here is an authentication problem
    Write-Host "  [FAIL] Remote command failed: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
Usage:
.\Test-RemotePC.ps1 -ComputerName g9kn7pz3esf.logon.ds.ge.com
================================================================================
CREDENTIAL FORMATS
================================================================================
When prompted for credentials, use one of these formats:
Domain Account:
Username: DOMAIN\username
Username: username@domain.com
Local Account:
Username: .\Administrator
Username: .\localadmin
Username: COMPUTERNAME\username
================================================================================
PORT INFORMATION
================================================================================
WinRM HTTPS:  Port 5986 (configured by deployment scripts; TLS authenticates the
              server with its certificate and encrypts the whole connection)
WinRM HTTP:   Port 5985 (still available; Kerberos/NTLM still encrypt the message
              body, but the transport is cleartext, the server is not authenticated
              by a certificate, and Basic authentication would send credentials
              in the clear)
Always use -UseSSL together with -Port 5986 so the session is protected by TLS!
================================================================================
NEXT STEPS AFTER TESTING
================================================================================
1. Test basic connectivity with Test-WSMan
2. Test authenticated connection with Enter-PSSession
3. Run a few remote commands to verify functionality
4. If all works, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with full production rollout (175 PCs)
================================================================================
FOR MORE DETAILS
================================================================================
See: TEST-REMOTE-CONNECTION-GUIDE.md (comprehensive testing guide)
================================================================================


@@ -0,0 +1,243 @@
================================================================================
QUICK TEST GUIDE - WinRM HTTPS Deployment
================================================================================
DEPLOYMENT PACKAGE STATUS: READY FOR TESTING
Certificate Password: XqHuyaLZSyCYEcpsMz6h5
================================================================================
WHAT'S INCLUDED
================================================================================
DEPLOYMENT SCRIPTS (Ready to Use):
✓ Deploy-WinRM-HTTPS.bat - Secure version (prompts for password)
✓ Deploy-WinRM-HTTPS-AutoPassword.bat - Testing version (auto-password)
✓ Setup-WinRM-HTTPS.ps1 - Main PowerShell setup script
✓ Test-WinRM-HTTPS.bat - Test connectivity
✓ Test-WinRM-HTTPS-Setup.ps1 - PowerShell test script
UTILITIES:
✓ View-DeploymentLogs.ps1 - View and analyze deployment logs
DOCUMENTATION:
✓ 0-START-HERE.txt - Quick start guide
✓ README-DEPLOYMENT.txt - Detailed deployment instructions
✓ README-AUTO-PASSWORD.txt - Auto-password version guide
✓ NETWORK_SHARE_DEPLOYMENT.md - Network deployment guide
✓ LOGGING-README.txt - Logging system documentation
✓ CHECKLIST.txt - Deployment tracking checklist
REQUIRED (Must Add):
⚠ wildcard-logon-ds-ge-com-20251017.pfx - CERTIFICATE FILE (MUST COPY!)
================================================================================
BEFORE YOU START
================================================================================
1. ADD CERTIFICATE TO THIS FOLDER
Copy: wildcard-logon-ds-ge-com-20251017.pfx
To: deployment-package folder
Without the certificate, deployment will fail!
2. COPY TO NETWORK SHARE
Copy entire deployment-package folder to network share
Example: \\SERVER\Shares\WinRM-HTTPS
Set permissions: "Domain Computers" - Read access
================================================================================
QUICK TEST (3 STEPS)
================================================================================
STEP 1: Prepare Test PC
- Choose a test PC (e.g., G9KN7PZ3ESF)
- Log in with admin account
- Navigate to network share: \\SERVER\Shares\WinRM-HTTPS
STEP 2: Run Auto-Password Deployment (For Testing)
- Right-click: Deploy-WinRM-HTTPS-AutoPassword.bat
- Select: "Run as Administrator"
- No password prompt - runs automatically!
- Wait for SUCCESS message
STEP 3: Check Results
- Look for SUCCESS message on screen
- Check log file: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-YYYYMMDD-HHMMSS.txt
- Verify HTTPS listener created
================================================================================
TESTING COMMANDS
================================================================================
From Management Server (After Deployment):
# Test WinRM HTTPS Connection
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -Port 5986 -UseSSL
# Create Remote Session
$cred = Get-Credential
New-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# Or Interactive Session
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
================================================================================
CHECKING DEPLOYMENT LOGS
================================================================================
View Latest Logs:
.\View-DeploymentLogs.ps1 -Latest 10
View Logs for Specific PC:
.\View-DeploymentLogs.ps1 -Hostname "G9KN7PZ3ESF"
View Failed Deployments:
.\View-DeploymentLogs.ps1 -Failed
Generate Summary Report:
.\View-DeploymentLogs.ps1
(Select option 6)
================================================================================
WHAT THE SCRIPT DOES
================================================================================
When you run Deploy-WinRM-HTTPS-AutoPassword.bat:
1. ✓ Checks for Administrator privileges
2. ✓ Verifies Setup-WinRM-HTTPS.ps1 exists
3. ✓ Verifies wildcard-*.pfx certificate exists
4. ✓ Creates log directory if needed
5. ✓ Imports certificate to Local Machine store
6. ✓ Creates WinRM HTTPS listener on port 5986
7. ✓ Configures firewall rule for port 5986
8. ✓ Enables WinRM service
9. ✓ Logs all activity to S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
================================================================================
EXPECTED RESULTS
================================================================================
Success Indicators:
✓ Console shows: [SUCCESS] WinRM HTTPS Setup Complete
✓ Log file created in S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
✓ Certificate imported (check Cert:\LocalMachine\My)
✓ HTTPS listener active on port 5986
✓ Firewall rule "WinRM HTTPS-In" created
✓ Test-WSMan works from management server
Verify on Target PC:
# Check WinRM listeners
winrm enumerate winrm/config/listener
# Check certificate
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*logon.ds.ge.com*"}
# Check firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
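The three commands above each answer one question; the following added example (not part of the deployment package) combines them into one pass/fail report to run in an elevated PowerShell on the target PC. It reads the HTTPS listener from the WSMan: drive, confirms the bound thumbprint points at a valid, unexpired certificate with a private key that covers this machine's FQDN under the wildcard rule, checks the service, socket and the "WinRM HTTPS-In" rule the page names, and adds two hardening checks the page does not configure (AllowUnencrypted and Basic authentication, both of which should be false). The rule name and port are parameters in case your deployment used different values.

```powershell
# Added example: verify a WinRM HTTPS deployment on the target PC itself.
# Not part of the deployment package. Run elevated on the shopfloor PC.

function Test-DnsNameCovers {
    param([string]$Pattern, [string]$Name)
    # Exact match, or a single-label wildcard: *.logon.ds.ge.com covers
    # host.logon.ds.ge.com but not a.b.logon.ds.ge.com
    if ($Pattern -eq $Name) { return $true }
    if (-not $Pattern.StartsWith('*.')) { return $false }
    $suffix = $Pattern.Substring(1)
    return ($Name.Length -gt $suffix.Length -and
            $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
            -not $Name.Substring(0, $Name.Length - $suffix.Length).Contains('.'))
}

function Test-WinRmHttpsListener {
    param(
        [int]$Port = 5986,
        [string]$FirewallRuleName = 'WinRM HTTPS-In'
    )
    $cs   = Get-CimInstance Win32_ComputerSystem
    $fqdn = "$($cs.DNSHostName).$($cs.Domain)"
    $checks = [ordered]@{ Fqdn = $fqdn }

    # Find the HTTPS listener and read its properties from the WSMan: drive
    $listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object {
        (Get-ChildItem $_.PSPath | Where-Object Name -eq 'Transport').Value -eq 'HTTPS'
    } | Select-Object -First 1
    $props = @{}
    if ($listener) { Get-ChildItem $listener.PSPath | ForEach-Object { $props[$_.Name] = $_.Value } }
    $checks.HttpsListenerPresent = [bool]$listener
    $checks.ListenerEnabled      = $props['Enabled'] -eq 'true'
    $checks.ListenerPort         = [int]$props['Port'] -eq $Port
    $checks.ListenerHostnameFqdn = $props['Hostname'] -eq $fqdn

    # The listener thumbprint must point at a valid cert with a private key in LocalMachine\My
    $thumb = ($props['CertificateThumbprint'] -replace '\s', '').ToUpper()
    $cert  = if ($thumb) { Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue }
    $now   = Get-Date
    $checks.CertificateInStore    = [bool]$cert
    $checks.CertificateHasKey     = [bool]$cert -and $cert.HasPrivateKey
    $checks.CertificateNotExpired = [bool]$cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now
    $checks.CertificateCoversFqdn = [bool]$cert -and [bool](@($cert.DnsNameList | ForEach-Object { $_.Unicode }) |
                                        Where-Object { Test-DnsNameCovers -Pattern $_ -Name $fqdn })

    # Service, socket and firewall
    $checks.WinRmServiceRunning = (Get-Service WinRM).Status -eq 'Running'
    $checks.SocketListening     = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    $rule = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
    $checks.FirewallRuleEnabled = [bool]$rule -and "$($rule.Enabled)" -eq 'True'

    # Hardening (not set by the deployment scripts as far as this page shows):
    # refuse unencrypted payloads and Basic auth, which sends credentials in clear over HTTP
    $checks.AllowUnencryptedOff = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'false'
    $checks.BasicAuthOff        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'false'

    $failed = @($checks.GetEnumerator() | Where-Object { $_.Key -ne 'Fqdn' -and -not $_.Value } | ForEach-Object { $_.Key })
    $checks.AllPassed = ($failed.Count -eq 0)
    $checks.Failed    = $failed -join ', '
    [pscustomobject]$checks
}

Test-WinRmHttpsListener | Format-List
```

A listener whose Hostname is the short name rather than the FQDN, or whose thumbprint points at a certificate that has since been removed from the store, is a common reason Test-WSMan works from the console but fails from the management server; the CertificateCoversFqdn and ListenerHostnameFqdn checks catch both.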
================================================================================
TROUBLESHOOTING
================================================================================
If Deployment Fails:
1. Check Administrator Privileges
- Must right-click and "Run as Administrator"
2. Check Certificate File
- Must be in same folder as batch file
- Filename: wildcard-logon-ds-ge-com-20251017.pfx
- Password: XqHuyaLZSyCYEcpsMz6h5
3. Check Log File
- Location: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-*.txt
- Look for [ERROR] messages
- Check for certificate import errors
- Check for listener creation errors
4. Check Network Connectivity
- Can the PC reach S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\ ?
- Can the PC resolve DNS for *.logon.ds.ge.com ?
5. Check Existing Configuration
- Remove old HTTPS listeners:
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
================================================================================
RECENT FIXES APPLIED
================================================================================
✓ Fixed: WinRM listener creation command (now uses cmd.exe /c)
✓ Fixed: LogFile parameter added to Setup-WinRM-HTTPS.ps1
✓ Added: Auto-password version for testing convenience
✓ Added: Comprehensive logging to network share
✓ Added: Execution policy bypass in batch files
================================================================================
PRODUCTION DEPLOYMENT (After Testing)
================================================================================
Once testing is successful on 3-5 PCs:
1. DELETE Auto-Password Version
- Remove Deploy-WinRM-HTTPS-AutoPassword.bat from network share
- Security risk if left accessible!
2. Use Secure Version for Production
- Deploy-WinRM-HTTPS.bat (prompts for password)
- More secure for 175 PC rollout
3. Track Progress
- Use CHECKLIST.txt to track deployments
- Review logs regularly
- Generate summary reports with View-DeploymentLogs.ps1
4. Batch Deployment
- Deploy in groups of 10-20 PCs
- Verify each batch before continuing
- Monitor log files for issues
================================================================================
TARGET SYSTEMS
================================================================================
Total Shopfloor PCs: 175
Domain: logon.ds.ge.com
WinRM Port: 5986 (HTTPS)
Certificate: *.logon.ds.ge.com wildcard
Hostnames list: ../shopfloor-hostnames.txt
================================================================================
SUPPORT
================================================================================
For issues or questions:
- Read NETWORK_SHARE_DEPLOYMENT.md
- Read LOGGING-README.txt
- Check troubleshooting section in parent folder
- Review deployment logs
================================================================================
NEXT STEPS
================================================================================
[ ] 1. Copy wildcard-logon-ds-ge-com-20251017.pfx to this folder
[ ] 2. Copy deployment-package to network share
[ ] 3. Set "Domain Computers" read permissions on share
[ ] 4. Test on 1 PC with Deploy-WinRM-HTTPS-AutoPassword.bat
[ ] 5. Verify log file created successfully
[ ] 6. Test remote connection from management server
[ ] 7. If successful, test on 3-5 more PCs
[ ] 8. Switch to secure version for production rollout
[ ] 9. Deploy to remaining 170 PCs in batches
[ ] 10. Track progress and verify all deployments
================================================================================
READY TO BEGIN TESTING!
================================================================================


@@ -0,0 +1,109 @@
================================================================================
AUTO-PASSWORD VERSION - FOR TESTING ONLY
================================================================================
FILE: Deploy-WinRM-HTTPS-AutoPassword.bat
This version contains the certificate password HARDCODED in the batch file.
================================================================================
WARNING - SECURITY RISK
================================================================================
This file should ONLY be used for:
- Initial testing on a few PCs
- Lab/development environments
- Quick proof-of-concept deployments
DO NOT USE for production deployment!
Risks:
- Password is visible in PLAINTEXT in the batch file
- Anyone who can read the file can see the password
- Password may be logged in command history
- Not compliant with security policies
================================================================================
HOW TO USE
================================================================================
1. Open Deploy-WinRM-HTTPS-AutoPassword.bat in Notepad
2. Find this line (around line 82):
set "CERT_PASSWORD=XqHuyaLZSyCYEcpsMz6h5"
3. Change to your actual password if different
4. Save the file
5. Run as Administrator:
Right-click Deploy-WinRM-HTTPS-AutoPassword.bat
Select "Run as Administrator"
6. No password prompt - it will use the hardcoded password!
================================================================================
AFTER TESTING
================================================================================
Once you've verified the deployment works:
1. Switch to the secure version: Deploy-WinRM-HTTPS.bat
(This version prompts for password securely)
2. DELETE Deploy-WinRM-HTTPS-AutoPassword.bat from network share
(To prevent unauthorized access)
3. For automation, use secure credential storage:
See: SECURE_CREDENTIAL_MANAGEMENT.md
================================================================================
PRODUCTION DEPLOYMENT
================================================================================
For production, use ONE of these methods:
Option 1: Interactive (Manual Deployment)
Use: Deploy-WinRM-HTTPS.bat
- Prompts for password each time
- Most secure for manual deployment
Option 2: Encrypted Credentials (Automated)
- Store password encrypted with Export-Clixml
- See: SECURE_CREDENTIAL_MANAGEMENT.md
Option 3: Windows Credential Manager (Service Accounts)
- Use credentialmanager module
- Best for scheduled tasks
================================================================================
TESTING CHECKLIST
================================================================================
[ ] Test on 1-2 PCs with auto-password version
[ ] Verify HTTPS listener created successfully
[ ] Test remote connection from management server
[ ] Verify logging works correctly
[ ] Review log files for any errors
Once successful:
[ ] Delete auto-password version from share
[ ] Switch to secure version for remaining PCs
[ ] Document deployment process
[ ] Update asset inventory
================================================================================
FILE COMPARISON
================================================================================
Deploy-WinRM-HTTPS.bat (SECURE)
- Prompts for password
- Password not stored anywhere
- Recommended for production
Deploy-WinRM-HTTPS-AutoPassword.bat (TESTING ONLY)
- Password hardcoded in file
- No password prompt
- Use for testing only
================================================================================


@@ -0,0 +1,140 @@
================================================================================
WinRM HTTPS Deployment Package
================================================================================
This folder contains everything needed to deploy WinRM HTTPS to shopfloor PCs.
================================================================================
REQUIRED FILES
================================================================================
Before deploying, you MUST add the certificate file to this folder:
[ ] wildcard-logon-ds-ge-com-20251017.pfx
Copy this file from the parent folder after you generate it.
================================================================================
QUICK START - NETWORK SHARE DEPLOYMENT
================================================================================
STEP 1: Setup Network Share
---------------------------
1. Copy this entire folder to a network share:
Example: \\SERVER\Shares\WinRM-HTTPS
2. Ensure the certificate PFX file is included in the share
3. Set permissions: Read access for the deploying admins and, if the GPO startup
   script will be used (runs as SYSTEM, so accesses the share as the computer
   account), for "Domain Computers". Do not grant "Everyone": the share holds
   the PFX with the private key.
STEP 2: Deploy to PCs
---------------------------
On each shopfloor PC:
1. Open Windows Explorer
2. Navigate to: \\SERVER\Shares\WinRM-HTTPS
3. Right-click "Deploy-WinRM-HTTPS.bat"
4. Select "Run as Administrator"
5. Enter certificate password when prompted
6. Wait for "SUCCESS" message
STEP 3: Verify Deployment
---------------------------
From management server, test connection:
Test-WSMan -ComputerName "HOSTNAME.logon.ds.ge.com" -UseSSL -Port 5986
================================================================================
FILES IN THIS PACKAGE
================================================================================
Deploy-WinRM-HTTPS.bat - Main deployment batch file
Test-WinRM-HTTPS.bat - Test/verify batch file
Setup-WinRM-HTTPS.ps1 - PowerShell setup script
Test-WinRM-HTTPS-Setup.ps1 - PowerShell test script
NETWORK_SHARE_DEPLOYMENT.md - Detailed deployment guide
README-DEPLOYMENT.txt - This file
REQUIRED (Add manually):
wildcard-logon-ds-ge-com-20251017.pfx - Certificate file (MUST BE ADDED!)
================================================================================
CERTIFICATE PASSWORD
================================================================================
Certificate Password: [Store securely - contact IT if needed]
Password: XqHuyaLZSyCYEcpsMz6h5
IMPORTANT: Keep this password secure! Anyone with the PFX file and the password
holds the private key for *.logon.ds.ge.com: they can stand up a listener that
impersonates any host in the domain, intercept WinRM HTTPS sessions as a
man-in-the-middle, and (where the cipher suite uses RSA key exchange rather than
an ephemeral key) decrypt captured traffic.
For production deployment, use a password manager or an encrypted credential file.
See NETWORK_SHARE_DEPLOYMENT.md for secure password handling.
================================================================================
DEPLOYMENT WORKFLOW
================================================================================
Recommended approach:
Phase 1: Test (1-3 PCs)
- Deploy to test PCs manually
- Verify WinRM HTTPS works
- Test remote connection from management server
Phase 2: Pilot (10-20 PCs)
- Deploy to small production batch
- Monitor for issues
- Refine process if needed
Phase 3: Full Deployment (All 175 PCs)
- Deploy in batches of 20-30
- Track completed PCs
- Remediate failures
Phase 4: Verification
- Test all PCs with Invoke-RemoteAssetCollection-HTTPS.ps1
- Document results
- Clean up network share
================================================================================
SUPPORT
================================================================================
For detailed instructions, see: NETWORK_SHARE_DEPLOYMENT.md
For troubleshooting, see parent folder:
- TROUBLESHOOTING_CERTIFICATE_GENERATION.md
- GETTING_STARTED.md
- SECURE_CREDENTIAL_MANAGEMENT.md
Contact: IT Support
================================================================================
SECURITY NOTES
================================================================================
1. Certificate Protection
- The PFX file contains private key
- Protect with proper share permissions
- Remove from share after deployment
2. Password Security
- Do not hardcode password in batch files
- Use encrypted files for automation
- Store in password manager
3. Share Permissions
- Read access: Domain Computers group
- Full access: IT Admins only
- Monitor access logs
4. Cleanup
- Remove certificate from share after deployment
- Keep backup in secure location
- Document deployed systems
================================================================================
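Review bot: the CERTIFICATE PASSWORD section commits the PFX password in plaintext (`Password: XqHuyaLZSyCYEcpsMz6h5`) into a README that the same file tells the reader to copy to a share with read access for "Domain Computers", which contradicts Security Note 2 in this file ("Do not hardcode password in batch files"). Treat the password as disclosed: drop that line, keep only the "[Store securely - contact IT if needed]" pointer, re-issue the PFX with a new password and purge this revision from history, since every machine account in the domain could otherwise read both the key file and the password that unlocks it. The impact statement beneath it also understates the exposure: "Anyone with the PFX file and password can decrypt WinRM HTTPS traffic" describes only passive decryption of sessions negotiated without forward secrecy; what the holder really has is the *.logon.ds.ge.com private key, which lets them impersonate any host in the domain to the management server and capture the administrator credentials sent over remoting. Worth one more sentence in Security Notes: one shared wildcard key on 175 shopfloor PCs means compromise of any single PC compromises the TLS identity of all of them, which is the argument for per-host certificates from an enterprise CA rather than a shared PFX.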

@@ -0,0 +1,503 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Sets up WinRM HTTPS configuration using a wildcard certificate.
.DESCRIPTION
This script configures WinRM for HTTPS connections using a wildcard certificate
(e.g., *.logon.ds.ge.com). It handles:
1. Certificate installation from PFX file
2. HTTPS listener creation with proper hostname
3. Firewall rule configuration for port 5986
4. WinRM service configuration
.PARAMETER CertificatePath
Path to the PFX certificate file containing the wildcard certificate.
.PARAMETER CertificatePassword
SecureString password for the PFX certificate file.
.PARAMETER Domain
The domain suffix for FQDNs (e.g., "logon.ds.ge.com").
Will construct FQDN as: hostname.domain
.PARAMETER CertificateThumbprint
Use existing certificate by thumbprint instead of importing from PFX.
.PARAMETER Port
HTTPS port for WinRM (default: 5986).
.PARAMETER SkipFirewall
Skip firewall rule creation.
.PARAMETER TestConnection
Test HTTPS connection after setup.
.EXAMPLE
# Import certificate and setup WinRM HTTPS
$certPass = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
.\Setup-WinRM-HTTPS.ps1 -CertificatePath "C:\Certs\wildcard.pfx" `
-CertificatePassword $certPass -Domain "logon.ds.ge.com"
.EXAMPLE
# Use existing certificate by thumbprint
.\Setup-WinRM-HTTPS.ps1 -CertificateThumbprint "AB123..." -Domain "logon.ds.ge.com"
.EXAMPLE
# Prompt for certificate password
.\Setup-WinRM-HTTPS.ps1 -CertificatePath "C:\Certs\wildcard.pfx" -Domain "logon.ds.ge.com"
.NOTES
Author: System Administrator
Date: 2025-10-17
Version: 1.0
Prerequisites:
1. Wildcard certificate PFX file with private key
2. Administrator privileges
3. Windows with PowerShell 5.1 or later
After running this script:
- WinRM will listen on HTTPS (port 5986)
- HTTP listener (port 5985) will remain active
- Connections require -UseSSL flag in PowerShell remoting commands
#>
param(
[Parameter(Mandatory=$false)]
[string]$CertificatePath,
[Parameter(Mandatory=$false)]
[SecureString]$CertificatePassword,
[Parameter(Mandatory=$false)]
[string]$CertificateThumbprint,
[Parameter(Mandatory=$true)]
[string]$Domain,
[Parameter(Mandatory=$false)]
[int]$Port = 5986,
[Parameter(Mandatory=$false)]
[switch]$SkipFirewall = $false,
[Parameter(Mandatory=$false)]
[switch]$TestConnection = $false,
[Parameter(Mandatory=$false)]
[string]$LogFile
)
function Write-ColorOutput {
param([string]$Message, [string]$Color = "White")
Write-Host $Message -ForegroundColor $Color
# Also write to log file if specified
if ($script:LogFile) {
try {
Add-Content -Path $script:LogFile -Value $Message -ErrorAction SilentlyContinue
} catch {
# Silently ignore logging errors to avoid breaking the script
}
}
}
function Show-WinRMStatus {
Write-ColorOutput "`n=== Current WinRM Configuration ===" "Cyan"
try {
$winrmStatus = Get-Service WinRM
$statusColor = if($winrmStatus.Status -eq 'Running') {'Green'} else {'Red'}
Write-ColorOutput "WinRM Service Status: $($winrmStatus.Status)" $statusColor
Write-ColorOutput "`nWinRM Listeners:" "Yellow"
winrm enumerate winrm/config/listener
} catch {
Write-ColorOutput "Error checking WinRM status: $($_.Exception.Message)" "Red"
}
}
function Import-WildcardCertificate {
param(
[string]$CertPath,
[SecureString]$CertPassword
)
Write-ColorOutput "`n=== Importing Certificate ===" "Cyan"
if (-not (Test-Path $CertPath)) {
throw "Certificate file not found: $CertPath"
}
try {
# Prompt for password if not provided
if (-not $CertPassword) {
$CertPassword = Read-Host "Enter certificate password" -AsSecureString
}
# Import certificate to Local Computer Personal store
Write-ColorOutput "Importing certificate from: $CertPath" "Yellow"
$cert = Import-PfxCertificate -FilePath $CertPath `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $CertPassword `
-Exportable
Write-ColorOutput "[OK] Certificate imported successfully" "Green"
Write-ColorOutput " Subject: $($cert.Subject)" "Gray"
Write-ColorOutput " Thumbprint: $($cert.Thumbprint)" "Gray"
Write-ColorOutput " Expiration: $($cert.NotAfter)" "Gray"
return $cert
}
catch {
throw "Failed to import certificate: $($_.Exception.Message)"
}
}
function Get-ExistingCertificate {
param([string]$Thumbprint)
Write-ColorOutput "`n=== Locating Existing Certificate ===" "Cyan"
try {
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
throw "Certificate with thumbprint $Thumbprint not found in Local Machine store"
}
Write-ColorOutput "[OK] Certificate found" "Green"
Write-ColorOutput " Subject: $($cert.Subject)" "Gray"
Write-ColorOutput " Thumbprint: $($cert.Thumbprint)" "Gray"
Write-ColorOutput " Expiration: $($cert.NotAfter)" "Gray"
# Check if certificate has private key
if (-not $cert.HasPrivateKey) {
throw "Certificate does not have a private key. WinRM HTTPS requires a certificate with private key."
}
return $cert
}
catch {
throw "Failed to locate certificate: $($_.Exception.Message)"
}
}
function Find-WildcardCertificate {
param([string]$Domain)
Write-ColorOutput "`n=== Searching for Wildcard Certificate ===" "Cyan"
Write-ColorOutput "Looking for certificate matching: *.$Domain" "Yellow"
try {
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
Where-Object {
$_.Subject -like "*$Domain*" -and
$_.HasPrivateKey -and
$_.NotAfter -gt (Get-Date)
}
if ($certs.Count -eq 0) {
throw "No valid wildcard certificate found for *.$Domain in Local Machine store"
}
if ($certs.Count -gt 1) {
Write-ColorOutput "Multiple certificates found:" "Yellow"
for ($i = 0; $i -lt $certs.Count; $i++) {
Write-ColorOutput " [$i] Subject: $($certs[$i].Subject) | Expires: $($certs[$i].NotAfter)" "White"
}
$selection = Read-Host "Select certificate number (0-$($certs.Count - 1))"
$cert = $certs[$selection]
} else {
$cert = $certs[0]
}
Write-ColorOutput "[OK] Certificate selected" "Green"
Write-ColorOutput " Subject: $($cert.Subject)" "Gray"
Write-ColorOutput " Thumbprint: $($cert.Thumbprint)" "Gray"
Write-ColorOutput " Expiration: $($cert.NotAfter)" "Gray"
return $cert
}
catch {
throw "Failed to find wildcard certificate: $($_.Exception.Message)"
}
}
function Remove-ExistingHTTPSListener {
Write-ColorOutput "`n=== Checking for Existing HTTPS Listeners ===" "Cyan"
try {
$listeners = winrm enumerate winrm/config/listener | Select-String "Transport = HTTPS" -Context 0,10
if ($listeners) {
Write-ColorOutput "Found existing HTTPS listener(s). Removing..." "Yellow"
# Remove all HTTPS listeners
$result = winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>&1
if ($LASTEXITCODE -eq 0) {
Write-ColorOutput "[OK] Existing HTTPS listener removed" "Green"
}
} else {
Write-ColorOutput "[OK] No existing HTTPS listener found" "Green"
}
}
catch {
Write-ColorOutput "[WARN] Could not check/remove existing listeners: $($_.Exception.Message)" "Yellow"
}
}
function New-WinRMHTTPSListener {
param(
[System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
[string]$Hostname,
[int]$Port
)
Write-ColorOutput "`n=== Creating WinRM HTTPS Listener ===" "Cyan"
Write-ColorOutput "Computer FQDN: $Hostname" "Gray"
Write-ColorOutput "Port: $Port" "Gray"
try {
# Remove existing HTTPS listener if present
Remove-ExistingHTTPSListener
# Create new HTTPS listener
$thumbprint = $Certificate.Thumbprint
# Extract the wildcard CN from the certificate subject
# For wildcard cert like CN=*.logon.ds.ge.com, we need to use the wildcard format
$certSubject = $Certificate.Subject
Write-ColorOutput "Certificate Subject: $certSubject" "Gray"
# Extract the CN value (e.g., "*.logon.ds.ge.com")
if ($certSubject -match 'CN=([^,]+)') {
$certCN = $matches[1]
Write-ColorOutput "Certificate CN: $certCN" "Gray"
} else {
throw "Could not extract CN from certificate subject"
}
# For wildcard certificates, WinRM listener hostname must match the certificate CN exactly
# So we use the wildcard CN (*.logon.ds.ge.com) not the specific FQDN
$listenerHostname = $certCN
Write-ColorOutput "Creating HTTPS listener..." "Yellow"
Write-ColorOutput "Certificate Thumbprint: $thumbprint" "Gray"
Write-ColorOutput "Listener Hostname: $listenerHostname" "Gray"
# Use cmd.exe to execute winrm command to avoid PowerShell quoting issues
$winrmArgs = "create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$listenerHostname`";CertificateThumbprint=`"$thumbprint`";Port=`"$Port`"}"
Write-ColorOutput "Executing: winrm $winrmArgs" "Gray"
$result = cmd.exe /c "winrm $winrmArgs" 2>&1
if ($LASTEXITCODE -ne 0) {
Write-ColorOutput "Error output: $result" "Red"
throw "Failed to create HTTPS listener. Error code: $LASTEXITCODE"
}
Write-ColorOutput "[OK] HTTPS listener created successfully" "Green"
Write-ColorOutput "Note: Clients will connect using the specific FQDN ($Hostname)" "Gray"
Write-ColorOutput " but the listener uses the wildcard CN ($listenerHostname)" "Gray"
# Verify listener was created
Write-ColorOutput "`nVerifying HTTPS listener:" "Yellow"
winrm enumerate winrm/config/listener | Select-String "Transport = HTTPS" -Context 0,15
return $true
}
catch {
throw "Failed to create HTTPS listener: $($_.Exception.Message)"
}
}
function Enable-WinRMService {
Write-ColorOutput "`n=== Configuring WinRM Service ===" "Cyan"
try {
# Enable PowerShell Remoting
Write-ColorOutput "Enabling PowerShell Remoting..." "Yellow"
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Write-ColorOutput "[OK] PowerShell Remoting enabled" "Green"
# Start WinRM service
Write-ColorOutput "Configuring WinRM service..." "Yellow"
Start-Service WinRM -ErrorAction SilentlyContinue
Set-Service WinRM -StartupType Automatic
Write-ColorOutput "[OK] WinRM service configured" "Green"
# Configure service settings
Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true
Write-ColorOutput "[OK] Certificate authentication enabled" "Green"
} catch {
throw "Failed to configure WinRM service: $($_.Exception.Message)"
}
}
function New-FirewallRule {
param([int]$Port)
if ($SkipFirewall) {
Write-ColorOutput "`n[SKIP] Firewall configuration skipped" "Yellow"
return
}
Write-ColorOutput "`n=== Configuring Windows Firewall ===" "Cyan"
try {
$ruleName = "WinRM HTTPS-In"
# Check if rule already exists
$existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existingRule) {
Write-ColorOutput "Removing existing firewall rule..." "Yellow"
Remove-NetFirewallRule -DisplayName $ruleName
}
Write-ColorOutput "Creating firewall rule for port $Port..." "Yellow"
New-NetFirewallRule -DisplayName $ruleName `
-Name $ruleName `
-Profile Any `
-LocalPort $Port `
-Protocol TCP `
-Direction Inbound `
-Action Allow `
-Enabled True | Out-Null
Write-ColorOutput "[OK] Firewall rule created" "Green"
} catch {
Write-ColorOutput "[WARN] Could not configure firewall: $($_.Exception.Message)" "Yellow"
}
}
function Test-WinRMHTTPSConnection {
param([string]$Hostname, [int]$Port)
Write-ColorOutput "`n=== Testing HTTPS Connection ===" "Cyan"
try {
Write-ColorOutput "Testing connection to https://${Hostname}:${Port}/wsman..." "Yellow"
$testResult = Test-WSMan -ComputerName $Hostname -Port $Port -UseSSL -ErrorAction Stop
Write-ColorOutput "[OK] HTTPS connection successful!" "Green"
Write-ColorOutput "`nTest-WSMan Output:" "Gray"
$testResult | Format-List
return $true
}
catch {
Write-ColorOutput "[WARN] HTTPS connection test failed: $($_.Exception.Message)" "Yellow"
Write-ColorOutput "This may be normal if testing from the local machine." "Gray"
Write-ColorOutput "Try testing from a remote computer using:" "Gray"
Write-ColorOutput " Test-WSMan -ComputerName $Hostname -Port $Port -UseSSL" "White"
return $false
}
}
function Show-NextSteps {
param([string]$Hostname, [int]$Port)
Write-ColorOutput "`n=== Next Steps ===" "Cyan"
Write-ColorOutput ""
Write-ColorOutput "WinRM HTTPS is now configured on this computer." "Green"
Write-ColorOutput ""
Write-ColorOutput "To connect from a remote computer:" "Yellow"
Write-ColorOutput ""
Write-ColorOutput " # Test connection" "Gray"
Write-ColorOutput " Test-WSMan -ComputerName $Hostname -Port $Port -UseSSL" "White"
Write-ColorOutput ""
Write-ColorOutput " # Create remote session" "Gray"
Write-ColorOutput " `$cred = Get-Credential" "White"
Write-ColorOutput " New-PSSession -ComputerName $Hostname -Credential `$cred -UseSSL -Port $Port" "White"
Write-ColorOutput ""
Write-ColorOutput " # Or use Enter-PSSession" "Gray"
Write-ColorOutput " Enter-PSSession -ComputerName $Hostname -Credential `$cred -UseSSL -Port $Port" "White"
Write-ColorOutput ""
Write-ColorOutput "Notes:" "Yellow"
Write-ColorOutput " - HTTP listener on port 5985 is still active" "Gray"
Write-ColorOutput " - Always use -UseSSL flag for HTTPS connections" "Gray"
Write-ColorOutput " - Certificate must be trusted on the client computer" "Gray"
Write-ColorOutput ""
}
# Main execution
try {
# Make LogFile available to all functions
$script:LogFile = $LogFile
Write-ColorOutput "=== WinRM HTTPS Setup Script ===" "Cyan"
Write-ColorOutput "Date: $(Get-Date)" "Gray"
if ($LogFile) {
Write-ColorOutput "Logging to: $LogFile" "Gray"
}
Write-ColorOutput ""
# Construct FQDN
$hostname = $env:COMPUTERNAME
$fqdn = "$hostname.$Domain".ToLower()
Write-ColorOutput "Computer FQDN: $fqdn" "Gray"
# Show current status
Show-WinRMStatus
# Get or import certificate
$certificate = $null
if ($CertificateThumbprint) {
# Use existing certificate by thumbprint
$certificate = Get-ExistingCertificate -Thumbprint $CertificateThumbprint
}
elseif ($CertificatePath) {
# Import certificate from PFX
$certificate = Import-WildcardCertificate -CertPath $CertificatePath -CertPassword $CertificatePassword
}
else {
# Try to find existing wildcard certificate
$certificate = Find-WildcardCertificate -Domain $Domain
}
if (-not $certificate) {
throw "No certificate available. Provide -CertificatePath or -CertificateThumbprint"
}
# Verify certificate validity
if ($certificate.NotAfter -lt (Get-Date)) {
throw "Certificate has expired: $($certificate.NotAfter)"
}
# Enable WinRM service
Enable-WinRMService
# Create HTTPS listener
New-WinRMHTTPSListener -Certificate $certificate -Hostname $fqdn -Port $Port
# Configure firewall
New-FirewallRule -Port $Port
# Show updated status
Show-WinRMStatus
# Test connection if requested
if ($TestConnection) {
Test-WinRMHTTPSConnection -Hostname $fqdn -Port $Port
}
# Show next steps
Show-NextSteps -Hostname $fqdn -Port $Port
Write-ColorOutput "`n[SUCCESS] WinRM HTTPS setup completed successfully!" "Green"
} catch {
Write-ColorOutput "`n[ERROR] Setup failed: $($_.Exception.Message)" "Red"
exit 1
}
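Review bot: Import-WildcardCertificate imports the wildcard key with `-Exportable` on the Import-PfxCertificate call, so any local administrator on each of the 175 PCs can pull the *.logon.ds.ge.com private key back out with Export-PfxCertificate; HTTP.sys only needs the key to be usable by the machine, not exportable, so the switch should be dropped. Two other steps widen the attack surface beyond what an HTTPS listener needs. Enable-WinRMService runs `Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true`, which enables client-certificate authentication on the service, a separate feature from the server certificate bound to the listener, and nothing in this package configures certificate mapping, so it should be removed or documented as intentional. The flow also relies on Enable-PSRemoting, which leaves the HTTP listener on 5985 and its firewall rule in place, as the .NOTES block admits; if HTTPS is the goal, delete the HTTP listener once the HTTPS one is verified (winrm delete winrm/config/Listener?Address=*+Transport=HTTP) and scope the new rule in New-FirewallRule, currently -Profile Any with no -RemoteAddress, to the management server addresses. Minor: Find-WildcardCertificate filters with `$_.Subject -like "*$Domain*"`, which selects any certificate whose subject merely contains the domain string rather than the wildcard CN, and the index typed at Read-Host is used unvalidated.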

@@ -0,0 +1,518 @@
# Testing Remote WinRM HTTPS Connections
## Quick Reference
### From Your Computer to Test PC (G9KN7PZ3ESF)
```powershell
# Test basic connectivity
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Interactive remote session
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986
# Run single command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986 -ScriptBlock { hostname }
```
---
## Step-by-Step Testing Guide
### Step 1: Test Basic WinRM Connectivity
This is the simplest test - it just checks if WinRM HTTPS is responding:
```powershell
# Open PowerShell on your computer
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
```
**Expected Output** (Success):
```
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
```
**If it fails**, you'll see error messages. Common issues:
- Certificate trust issues
- Network connectivity
- Firewall blocking port 5986
- WinRM service not running
---
### Step 2: Test with Credentials (Basic Authentication)
Create a credential object and test connection:
```powershell
# Get credentials (will prompt for username/password)
$cred = Get-Credential
# When prompted, enter:
# Username: DOMAIN\username (or .\localadmin for local account)
# Password: your password
# Test connection with credentials
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986 -Credential $cred
```
---
### Step 3: Interactive Remote Session (Enter-PSSession)
This gives you an interactive command prompt on the remote computer:
```powershell
# Create credential if not already done
$cred = Get-Credential
# Enter interactive session
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986
```
**Expected Output**:
```
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\Users\username\Documents>
```
Notice your prompt changes to show `[g9kn7pz3esf.logon.ds.ge.com]:` - you're now on the remote PC!
**Try some commands**:
```powershell
# Check hostname
hostname
# Check IP configuration
ipconfig
# Check running services
Get-Service | Where-Object {$_.Status -eq 'Running'}
# Check WinRM configuration
winrm enumerate winrm/config/listener
# Exit remote session
Exit-PSSession
```
---
### Step 4: Run Commands Remotely (Invoke-Command)
Execute commands on the remote PC without entering an interactive session:
```powershell
# Single command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { hostname }
# Multiple commands
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock {
$hostname = hostname
$ip = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object {$_.IPAddress -notlike "127.*"})[0].IPAddress
[PSCustomObject]@{
Hostname = $hostname
IPAddress = $ip
WinRMStatus = (Get-Service WinRM).Status
}
}
```
---
### Step 5: Create Persistent Session (New-PSSession)
Create a session object for reuse:
```powershell
# Create session
$session = New-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# Check session
$session
# Use the session multiple times
Invoke-Command -Session $session -ScriptBlock { Get-ComputerInfo }
Invoke-Command -Session $session -ScriptBlock { Get-Service WinRM }
Invoke-Command -Session $session -ScriptBlock { Get-Process | Select-Object -First 10 }
# Close session when done
Remove-PSSession $session
```
**Benefits of persistent sessions**:
- Faster execution (connection is reused)
- Can maintain state between commands
- More efficient for multiple operations
---
## Troubleshooting Common Issues
### Issue 1: Certificate Trust Error
**Error**:
```
Test-WSMan : The SSL certificate contains a common name (CN) that does not match the hostname.
```
or
```
The SSL certificate is signed by an unknown certificate authority.
```
**Cause**: Your computer doesn't trust the self-signed certificate.
**Solution A - Skip Certificate Check (Testing Only)**:
```powershell
# Set session option to skip certificate validation
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
# Use with Test-WSMan
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986 -SessionOption $sessionOption
# Use with Enter-PSSession
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption
# Use with Invoke-Command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption -ScriptBlock { hostname }
```
**Solution B - Install Certificate on Your Computer (Production)**:
```powershell
# Import the certificate to Trusted Root CAs on your computer
# This makes the certificate permanently trusted
# If you have the PFX file with password:
$certPassword = ConvertTo-SecureString "XqHuyaLZSyCYEcpsMz6h5" -AsPlainText -Force
Import-PfxCertificate -FilePath "C:\path\to\wildcard-logon-ds-ge-com-20251017.pfx" `
-CertStoreLocation Cert:\LocalMachine\Root `
-Password $certPassword
# Or export certificate from remote PC (without private key) and import:
# 1. On remote PC: Export certificate as .cer file
# 2. On your PC: Import to Trusted Root Certification Authorities
Import-Certificate -FilePath "C:\path\to\wildcard-cert.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
```
---
### Issue 2: Authentication Failed
**Error**:
```
Enter-PSSession : Connecting to remote server g9kn7pz3esf.logon.ds.ge.com failed with the following error message :
Access is denied.
```
**Possible Causes**:
1. Wrong username/password
2. User not in local Administrators group on remote PC
3. User Account Control (UAC) filtering
**Solutions**:
```powershell
# Try with explicit domain
$cred = Get-Credential -UserName "DOMAIN\username" -Message "Enter password"
# Or try local administrator
$cred = Get-Credential -UserName ".\Administrator" -Message "Enter password"
# Or try with computer name
$cred = Get-Credential -UserName "G9KN7PZ3ESF\username" -Message "Enter password"
```
---
### Issue 3: Network Connection Failed
**Error**:
```
Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770"
Machine="localhost"><f:Message>The WinRM client cannot complete the operation within the time specified. Check if
the machine name is valid and is reachable over the network and firewall exception for the WinRM service is enabled.
```
**Possible Causes**:
1. PC is offline/unreachable
2. Firewall blocking port 5986
3. DNS resolution issues
4. Wrong hostname
**Troubleshooting**:
```powershell
# Test basic network connectivity
Test-Connection g9kn7pz3esf.logon.ds.ge.com
# Test DNS resolution
Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
# Test port 5986 connectivity
Test-NetConnection -ComputerName g9kn7pz3esf.logon.ds.ge.com -Port 5986
# Try with IP address instead of hostname
Test-WSMan -ComputerName 192.168.x.x -UseSSL -Port 5986 -SessionOption $sessionOption
```
---
### Issue 4: WinRM Client Configuration
**Error**:
```
The client cannot connect to the destination specified in the request.
```
**Solution**: Configure WinRM client settings on your computer:
```powershell
# Run as Administrator on your computer
# Enable basic authentication (if needed)
Set-Item WSMan:\localhost\Client\Auth\Basic -Value $true
# Add remote PC to trusted hosts (if not in same domain)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "g9kn7pz3esf.logon.ds.ge.com" -Concatenate
# Or add wildcard for all PCs
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.logon.ds.ge.com" -Concatenate
# View current trusted hosts
Get-Item WSMan:\localhost\Client\TrustedHosts
```
---
## Complete Testing Script
Save this as `Test-RemoteConnection.ps1`:
```powershell
#Requires -Version 5.1
<#
.SYNOPSIS
Test WinRM HTTPS connection to remote PC
.EXAMPLE
.\Test-RemoteConnection.ps1 -ComputerName g9kn7pz3esf.logon.ds.ge.com
#>
param(
[Parameter(Mandatory=$true)]
[string]$ComputerName,
[Parameter(Mandatory=$false)]
[int]$Port = 5986,
[Parameter(Mandatory=$false)]
[switch]$SkipCertificateCheck
)
Write-Host "`n=== Testing WinRM HTTPS Connection ===" -ForegroundColor Cyan
Write-Host "Target: $ComputerName" -ForegroundColor Gray
Write-Host "Port: $Port" -ForegroundColor Gray
Write-Host ""
# Test 1: Basic connectivity
Write-Host "Test 1: Basic Network Connectivity" -ForegroundColor Yellow
try {
$ping = Test-Connection $ComputerName -Count 2 -ErrorAction Stop
Write-Host " [OK] PC is reachable (avg: $($ping[0].ResponseTime)ms)" -ForegroundColor Green
} catch {
Write-Host " [FAIL] Cannot reach PC: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
# Test 2: DNS resolution
Write-Host "`nTest 2: DNS Resolution" -ForegroundColor Yellow
try {
$dns = Resolve-DnsName $ComputerName -ErrorAction Stop
Write-Host " [OK] DNS resolves to: $($dns.IPAddress)" -ForegroundColor Green
} catch {
Write-Host " [FAIL] DNS resolution failed: $($_.Exception.Message)" -ForegroundColor Red
}
# Test 3: Port connectivity
Write-Host "`nTest 3: Port $Port Connectivity" -ForegroundColor Yellow
try {
$portTest = Test-NetConnection -ComputerName $ComputerName -Port $Port -ErrorAction Stop
if ($portTest.TcpTestSucceeded) {
Write-Host " [OK] Port $Port is open" -ForegroundColor Green
} else {
Write-Host " [FAIL] Port $Port is closed or filtered" -ForegroundColor Red
}
} catch {
Write-Host " [FAIL] Cannot test port: $($_.Exception.Message)" -ForegroundColor Red
}
# Test 4: WinRM HTTPS connectivity
Write-Host "`nTest 4: WinRM HTTPS Connectivity" -ForegroundColor Yellow
$sessionOption = $null
if ($SkipCertificateCheck) {
Write-Host " [INFO] Skipping certificate validation (testing mode)" -ForegroundColor Gray
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
}
try {
if ($sessionOption) {
$result = Test-WSMan -ComputerName $ComputerName -UseSSL -Port $Port -SessionOption $sessionOption -ErrorAction Stop
} else {
$result = Test-WSMan -ComputerName $ComputerName -UseSSL -Port $Port -ErrorAction Stop
}
Write-Host " [OK] WinRM HTTPS is responding" -ForegroundColor Green
Write-Host " Product: $($result.ProductVendor) $($result.ProductVersion)" -ForegroundColor Gray
} catch {
Write-Host " [FAIL] WinRM HTTPS not responding: $($_.Exception.Message)" -ForegroundColor Red
Write-Host "`n Tip: Try with -SkipCertificateCheck flag if certificate trust is an issue" -ForegroundColor Yellow
exit 1
}
# Test 5: Authenticated connection
Write-Host "`nTest 5: Authenticated Connection" -ForegroundColor Yellow
Write-Host " Enter credentials for remote connection..." -ForegroundColor Gray
$cred = Get-Credential -Message "Enter credentials for $ComputerName"
try {
$params = @{
ComputerName = $ComputerName
Credential = $cred
UseSSL = $true
Port = $Port
ScriptBlock = {
[PSCustomObject]@{
Hostname = $env:COMPUTERNAME
IPAddress = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object {$_.IPAddress -notlike "127.*"})[0].IPAddress
WinRMStatus = (Get-Service WinRM).Status
OSVersion = (Get-CimInstance Win32_OperatingSystem).Caption
}
}
}
if ($sessionOption) {
$params.SessionOption = $sessionOption
}
$remoteInfo = Invoke-Command @params
Write-Host " [OK] Successfully connected and executed remote command" -ForegroundColor Green
Write-Host "`n Remote Computer Information:" -ForegroundColor Cyan
Write-Host " Hostname: $($remoteInfo.Hostname)" -ForegroundColor Gray
Write-Host " IP Address: $($remoteInfo.IPAddress)" -ForegroundColor Gray
Write-Host " WinRM Status: $($remoteInfo.WinRMStatus)" -ForegroundColor Gray
Write-Host " OS: $($remoteInfo.OSVersion)" -ForegroundColor Gray
} catch {
Write-Host " [FAIL] Authentication or command execution failed: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
# Summary
Write-Host "`n=== Test Summary ===" -ForegroundColor Cyan
Write-Host "All tests passed! WinRM HTTPS is working correctly." -ForegroundColor Green
Write-Host ""
Write-Host "You can now connect using:" -ForegroundColor Yellow
Write-Host " Enter-PSSession -ComputerName $ComputerName -Credential `$cred -UseSSL -Port $Port $(if($SkipCertificateCheck){'-SessionOption $sessionOption'})" -ForegroundColor White
Write-Host ""
```
**Usage**:
```powershell
# Basic test (will fail if certificate not trusted)
.\Test-RemoteConnection.ps1 -ComputerName g9kn7pz3esf.logon.ds.ge.com
# Test with certificate check skipped (for self-signed certs)
.\Test-RemoteConnection.ps1 -ComputerName g9kn7pz3esf.logon.ds.ge.com -SkipCertificateCheck
```
---
## Testing Multiple PCs
Test all deployed PCs at once:
```powershell
# Read hostnames from file
$hostnames = Get-Content "C:\path\to\shopfloor-hostnames.txt"
# Test each PC
$results = foreach ($hostname in $hostnames) {
$fqdn = "$hostname.logon.ds.ge.com"
Write-Host "Testing $fqdn..." -ForegroundColor Yellow
try {
$test = Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop
[PSCustomObject]@{
Hostname = $hostname
FQDN = $fqdn
Status = "Success"
Error = $null
}
} catch {
[PSCustomObject]@{
Hostname = $hostname
FQDN = $fqdn
Status = "Failed"
Error = $_.Exception.Message
}
}
}
# Show summary
$results | Format-Table -AutoSize
$successCount = ($results | Where-Object {$_.Status -eq "Success"}).Count
Write-Host "`nSuccessful: $successCount / $($results.Count)" -ForegroundColor Cyan
```
---
## Quick Commands Reference
```powershell
# Basic test
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Test with cert skip
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986 -SessionOption $sessionOption
# Interactive session
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption
# Single command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption -ScriptBlock { hostname }
# Create session
$session = New-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption
Invoke-Command -Session $session -ScriptBlock { Get-Service }
Remove-PSSession $session
```
---
## Next Steps
1. ✅ Run the updated deployment on test PC (with wildcard CN fix)
2. ✅ Use these commands to test connectivity
3. ✅ Verify remote commands work correctly
4. ✅ If successful, deploy to 3-5 more PCs
5. ✅ Test connectivity to all deployed PCs
6. ✅ Document any issues in deployment logs
7. ✅ Proceed with production rollout
---
**Document Created**: 2025-10-17
**Status**: Ready for testing
**Target PC**: g9kn7pz3esf.logon.ds.ge.com:5986
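Review bot: Solution B under Issue 1 imports the PFX into Cert:\LocalMachine\Root on the administrator's workstation, which plants the *.logon.ds.ge.com private key in the Trusted Root store of a client that never needs it, and it hardcodes the PFX password a second time (`$certPassword = ConvertTo-SecureString "XqHuyaLZSyCYEcpsMz6h5" -AsPlainText -Force`). Only the public certificate belongs in Root: export it without the key (Export-Certificate on a PC where it is already installed) and keep only the Import-Certificate path on the .cer file that the same section already shows. The diagnosis above it is also mixed up: "The SSL certificate contains a common name (CN) that does not match the hostname" is not a trust failure, it means the name used to connect (a short hostname, or the IP address suggested in Issue 3) is not covered by *.logon.ds.ge.com, and the fix is to connect by FQDN rather than -SkipCNCheck. Relatedly, the Quick Commands Reference passes -SessionOption with -SkipCACheck -SkipCNCheck on every command, which removes server authentication entirely; combined with Issue 4's `Set-Item WSMan:\localhost\Client\Auth\Basic -Value $true` that would hand the admin's username and password to anything answering on port 5986. The Basic and TrustedHosts changes in Issue 4 are not needed for domain-joined clients connecting over HTTPS with a trusted certificate (Kerberos is used, and TrustedHosts is not required for HTTPS connections), so they should be marked as last-resort steps rather than standard client setup.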

View File

@@ -0,0 +1,278 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Complete test workflow for WinRM HTTPS setup on a single device.
.DESCRIPTION
This script guides you through testing the WinRM HTTPS setup:
1. Generate wildcard certificate (if needed)
2. Set up WinRM HTTPS on local machine
3. Test connection
4. Verify functionality
.PARAMETER Domain
Domain for the wildcard certificate (default: logon.ds.ge.com).
.PARAMETER CertPassword
Password for the certificate PFX file.
.PARAMETER SkipCertGeneration
Skip certificate generation if you already have one.
.PARAMETER ExistingCertPath
Path to existing PFX certificate file.
.EXAMPLE
.\Test-WinRM-HTTPS-Setup.ps1
.EXAMPLE
$pass = ConvertTo-SecureString "Password123!" -AsPlainText -Force
.\Test-WinRM-HTTPS-Setup.ps1 -CertPassword $pass
.NOTES
Author: System Administrator
Date: 2025-10-17
Version: 1.0
#>
param(
[Parameter(Mandatory=$false)]
[string]$Domain = "logon.ds.ge.com",
[Parameter(Mandatory=$false)]
[SecureString]$CertPassword,
[Parameter(Mandatory=$false)]
[switch]$SkipCertGeneration,
[Parameter(Mandatory=$false)]
[string]$ExistingCertPath
)
function Write-Step {
param([int]$Number, [string]$Description)
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "STEP $Number: $Description" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
}
function Write-Info {
param([string]$Message)
Write-Host $Message -ForegroundColor White
}
function Write-Success {
param([string]$Message)
Write-Host "[OK] $Message" -ForegroundColor Green
}
function Write-Error {
param([string]$Message)
Write-Host "[ERROR] $Message" -ForegroundColor Red
}
function Write-Warning {
param([string]$Message)
Write-Host "[WARN] $Message" -ForegroundColor Yellow
}
# Main execution
try {
Write-Host "`n╔════════════════════════════════════════╗" -ForegroundColor Cyan
Write-Host "║ WinRM HTTPS Test Setup Wizard ║" -ForegroundColor Cyan
Write-Host "╚════════════════════════════════════════╝" -ForegroundColor Cyan
Write-Host "Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor Gray
Write-Host ""
# Get computer info
$hostname = $env:COMPUTERNAME
$fqdn = "$hostname.$Domain".ToLower()
Write-Info "Current computer: $hostname"
Write-Info "Target FQDN: $fqdn"
Write-Info "Domain: $Domain"
# Get password if not provided
if (-not $CertPassword) {
Write-Host "`nEnter password for certificate PFX file:" -ForegroundColor Yellow
$CertPassword = Read-Host "Password" -AsSecureString
}
# Step 1: Generate or locate certificate
$certPath = $ExistingCertPath
if (-not $SkipCertGeneration -and -not $ExistingCertPath) {
Write-Step 1 "Generate Wildcard Certificate"
Write-Info "Generating self-signed wildcard certificate for *.$Domain..."
if (Test-Path ".\Generate-WildcardCert.ps1") {
& ".\Generate-WildcardCert.ps1" -Domain $Domain -Password $CertPassword -ExportPath "."
# Find the generated certificate
$certPath = Get-ChildItem -Path "." -Filter "wildcard-*.pfx" |
Sort-Object LastWriteTime -Descending |
Select-Object -First 1 -ExpandProperty FullName
if ($certPath) {
Write-Success "Certificate generated: $certPath"
}
else {
throw "Certificate generation failed - PFX file not found"
}
}
else {
throw "Generate-WildcardCert.ps1 not found in current directory"
}
}
elseif ($ExistingCertPath) {
Write-Step 1 "Using Existing Certificate"
Write-Info "Certificate path: $ExistingCertPath"
if (-not (Test-Path $ExistingCertPath)) {
throw "Certificate file not found: $ExistingCertPath"
}
Write-Success "Certificate file found"
}
else {
Write-Step 1 "Certificate Generation Skipped"
Write-Warning "Using existing certificate from machine store"
}
# Step 2: Set up WinRM HTTPS
Write-Step 2 "Configure WinRM HTTPS"
Write-Info "Setting up WinRM HTTPS listener..."
if (Test-Path ".\Setup-WinRM-HTTPS.ps1") {
$setupParams = @{
Domain = $Domain
}
if ($certPath) {
$setupParams.CertificatePath = $certPath
$setupParams.CertificatePassword = $CertPassword
}
& ".\Setup-WinRM-HTTPS.ps1" @setupParams
Write-Success "WinRM HTTPS setup completed"
}
else {
throw "Setup-WinRM-HTTPS.ps1 not found in current directory"
}
# Step 3: Verify WinRM Configuration
Write-Step 3 "Verify WinRM Configuration"
Write-Info "Checking WinRM service..."
$winrmService = Get-Service WinRM
if ($winrmService.Status -eq 'Running') {
Write-Success "WinRM service is running"
}
else {
Write-Error "WinRM service is not running"
}
Write-Info "`nChecking HTTPS listener..."
$httpsListener = winrm enumerate winrm/config/listener | Select-String "Transport = HTTPS" -Context 0,10
if ($httpsListener) {
Write-Success "HTTPS listener configured"
Write-Host "`nListener details:" -ForegroundColor Gray
$httpsListener | ForEach-Object { Write-Host $_.Line -ForegroundColor Gray }
}
else {
Write-Error "HTTPS listener not found"
}
# Step 4: Test Local Connection
Write-Step 4 "Test Local HTTPS Connection"
Write-Info "Testing WinRM HTTPS on localhost..."
try {
$testResult = Test-WSMan -ComputerName localhost -UseSSL -Port 5986 -ErrorAction Stop
Write-Success "Local HTTPS connection successful"
Write-Host "`nTest-WSMan Output:" -ForegroundColor Gray
$testResult | Format-List | Out-String | Write-Host -ForegroundColor Gray
}
catch {
Write-Warning "Local HTTPS test failed: $($_.Exception.Message)"
Write-Info "This is normal for localhost testing"
}
# Step 5: Test Remote Connection (if applicable)
Write-Step 5 "Test Remote HTTPS Connection"
Write-Info "Testing WinRM HTTPS using FQDN: $fqdn..."
try {
# First check if DNS resolves
try {
$resolved = Resolve-DnsName $fqdn -ErrorAction Stop
Write-Success "DNS resolution successful: $($resolved[0].IPAddress)"
}
catch {
Write-Warning "DNS resolution failed for $fqdn"
Write-Info "You may need to add a DNS entry or use hosts file"
}
# Test HTTPS connection
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
$testSession = New-PSSession -ComputerName $fqdn -UseSSL -Port 5986 -SessionOption $sessionOption -ErrorAction Stop
Write-Success "Remote HTTPS connection successful!"
# Get remote computer info
$remoteInfo = Invoke-Command -Session $testSession -ScriptBlock {
@{
ComputerName = $env:COMPUTERNAME
OSVersion = (Get-CimInstance Win32_OperatingSystem).Caption
PowerShellVersion = $PSVersionTable.PSVersion.ToString()
}
}
Write-Host "`nRemote Computer Info:" -ForegroundColor Cyan
Write-Host " Computer Name: $($remoteInfo.ComputerName)" -ForegroundColor White
Write-Host " OS: $($remoteInfo.OSVersion)" -ForegroundColor White
Write-Host " PowerShell: $($remoteInfo.PowerShellVersion)" -ForegroundColor White
Remove-PSSession $testSession
}
catch {
Write-Warning "Remote HTTPS connection test: $($_.Exception.Message)"
Write-Info "This is expected if DNS is not configured for $fqdn"
}
# Step 6: Summary and Next Steps
Write-Step 6 "Summary and Next Steps"
Write-Success "WinRM HTTPS test setup completed successfully!"
Write-Host "`nConfiguration Summary:" -ForegroundColor Cyan
Write-Host " Hostname: $hostname" -ForegroundColor White
Write-Host " FQDN: $fqdn" -ForegroundColor White
Write-Host " HTTPS Port: 5986" -ForegroundColor White
if ($certPath) {
Write-Host " Certificate: $certPath" -ForegroundColor White
}
Write-Host "`nNext Steps:" -ForegroundColor Yellow
Write-Host "1. Configure DNS to resolve $fqdn to this machine's IP" -ForegroundColor White
Write-Host "2. Deploy the same certificate to other shopfloor PCs" -ForegroundColor White
Write-Host "3. Run Setup-WinRM-HTTPS.ps1 on each PC" -ForegroundColor White
Write-Host "4. Test collection with:" -ForegroundColor White
Write-Host " .\Invoke-RemoteAssetCollection-HTTPS.ps1 -HostnameList @('$hostname') -Domain '$Domain'" -ForegroundColor Gray
Write-Host "`nFor production deployment:" -ForegroundColor Yellow
Write-Host "- Obtain a certificate from a trusted CA" -ForegroundColor White
Write-Host "- Configure proper DNS entries for all shopfloor PCs" -ForegroundColor White
Write-Host "- Use the shopfloor-hostnames.txt file for batch deployment" -ForegroundColor White
Write-Host "`n✅ Test setup complete!" -ForegroundColor Green
} catch {
Write-Host "`n❌ Test setup failed: $($_.Exception.Message)" -ForegroundColor Red
Write-Host "`nStack Trace:" -ForegroundColor Gray
Write-Host $_.ScriptStackTrace -ForegroundColor Gray
exit 1
}
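Review bot: the Write-Error and Write-Warning functions defined near the top of this script shadow the built-in cmdlets, and because Generate-WildcardCert.ps1 and Setup-WinRM-HTTPS.ps1 are invoked with & they inherit those functions, so any Write-Error inside the child scripts becomes a coloured Write-Host that never reaches the error stream and cannot be caught. Together with the unconditional Write-Success "WinRM HTTPS setup completed" right after the & call (nothing checks $? or $LASTEXITCODE) and the Step 6 line "WinRM HTTPS test setup completed successfully!" that runs even after Step 3 printed "[ERROR] HTTPS listener not found", a failed deployment reports success and exits 0. Suggest renaming the helpers (for example Write-Fail and Write-Warn), checking $? after each child script, and keeping a $failed flag that Step 6 turns into a non-zero exit. Two smaller points: the Step 5 session is built with New-PSSessionOption -SkipCACheck -SkipCNCheck, so "Remote HTTPS connection successful!" does not prove that the certificate is trusted or matches the FQDN, which is exactly what this test is meant to establish, so at least drop -SkipCNCheck and print a warning whenever -SkipCACheck is in effect; and the .EXAMPLE block shows ConvertTo-SecureString "Password123!" -AsPlainText -Force, which teaches putting the PFX password into the command line and shell history, so show Read-Host -AsSecureString instead. Also, the sibling scripts are located with Test-Path ".\Generate-WildcardCert.ps1" and ".\Setup-WinRM-HTTPS.ps1", which depends on the caller's working directory rather than on $PSScriptRoot.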

@@ -0,0 +1,63 @@
@echo off
REM ============================================================================
REM Test-WinRM-HTTPS.bat
REM Tests WinRM HTTPS setup on local computer
REM ============================================================================
echo.
echo ========================================
echo WinRM HTTPS Test Script
echo ========================================
echo.
REM Check for administrator privileges
net session >nul 2>&1
if %errorLevel% neq 0 (
echo [ERROR] This script requires Administrator privileges.
echo Please right-click and select "Run as Administrator"
echo.
pause
exit /b 1
)
echo [OK] Running with Administrator privileges
echo.
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"
echo Script directory: %SCRIPT_DIR%
echo.
REM Check if Test-WinRM-HTTPS-Setup.ps1 exists
if not exist "%SCRIPT_DIR%Test-WinRM-HTTPS-Setup.ps1" (
echo [ERROR] Test-WinRM-HTTPS-Setup.ps1 not found in script directory
echo Please ensure all files are copied from the network share
echo.
pause
exit /b 1
)
echo [OK] Required files found
echo.
REM Execute PowerShell script
echo Running WinRM HTTPS test...
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
"& '%SCRIPT_DIR%Test-WinRM-HTTPS-Setup.ps1'"
if %errorLevel% neq 0 (
echo.
echo [ERROR] Test failed with error code: %errorLevel%
echo.
pause
exit /b %errorLevel%
)
echo.
echo ========================================
echo [SUCCESS] Test Complete
echo ========================================
echo.
pause
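Review bot: the batch file computes SCRIPT_DIR from %~dp0 but never changes into that directory before the PowerShell.exe line, while the script it launches (Test-WinRM-HTTPS-Setup.ps1, previous hunk) looks for Generate-WildcardCert.ps1 and Setup-WinRM-HTTPS.ps1 with Test-Path ".\..." relative to the working directory. "Run as Administrator" on a file opened from a network share starts the elevated cmd in C:\Windows\System32, so the PowerShell script will throw "Setup-WinRM-HTTPS.ps1 not found in current directory" even though every file is on the share, and the "[OK] Required files found" check above only covers the one file the batch itself looks for. Suggest adding pushd "%SCRIPT_DIR%" before PowerShell.exe and popd after it (pushd maps a temporary drive letter for a UNC path, which also sidesteps cmd's refusal to use a UNC current directory), or fixing the PowerShell script to resolve its siblings with $PSScriptRoot. Minor: the script path is passed inside single quotes in "& '%SCRIPT_DIR%Test-WinRM-HTTPS-Setup.ps1'", so a share or folder name containing an apostrophe breaks the command; and the %errorLevel% check relies on the PowerShell script calling exit 1 on failure, which, as noted on the previous hunk, it does not do for most failed steps.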

@@ -0,0 +1,382 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
View deployment logs from S:\DT\ADATA\SCRIPT\DEPLOY\LOGS
.DESCRIPTION
Helper script to view, search, and analyze deployment logs.
.PARAMETER Latest
Show only the most recent log files.
.PARAMETER Hostname
Filter logs by hostname.
.PARAMETER Date
Filter logs by date (YYYYMMDD format).
.PARAMETER Failed
Show only logs that indicate failures.
.PARAMETER Successful
Show only logs that indicate successful deployments.
.EXAMPLE
.\View-DeploymentLogs.ps1
.EXAMPLE
.\View-DeploymentLogs.ps1 -Latest 10
.EXAMPLE
.\View-DeploymentLogs.ps1 -Hostname "G1JJVH63ESF"
.EXAMPLE
.\View-DeploymentLogs.ps1 -Failed
.NOTES
Author: System Administrator
Date: 2025-10-17
Version: 1.0
#>
param(
[Parameter(Mandatory=$false)]
[int]$Latest = 0,
[Parameter(Mandatory=$false)]
[string]$Hostname,
[Parameter(Mandatory=$false)]
[string]$Date,
[Parameter(Mandatory=$false)]
[switch]$Failed,
[Parameter(Mandatory=$false)]
[switch]$Successful
)
$LogDir = "S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
function Show-Menu {
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "WinRM HTTPS Deployment Log Viewer" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
Write-Host "Log Directory: $LogDir" -ForegroundColor Gray
Write-Host ""
Write-Host "1. List all logs" -ForegroundColor White
Write-Host "2. Show latest logs" -ForegroundColor White
Write-Host "3. Search by hostname" -ForegroundColor White
Write-Host "4. Show failed deployments" -ForegroundColor White
Write-Host "5. Show successful deployments" -ForegroundColor White
Write-Host "6. Generate summary report" -ForegroundColor White
Write-Host "Q. Quit" -ForegroundColor White
Write-Host ""
}
function Get-DeploymentLogs {
param([string]$Filter = "*")
if (-not (Test-Path $LogDir)) {
Write-Host "[ERROR] Log directory not found: $LogDir" -ForegroundColor Red
return @()
}
$logs = Get-ChildItem -Path $LogDir -Filter "$Filter*.txt" |
Sort-Object LastWriteTime -Descending
return $logs
}
function Show-LogContent {
param([string]$LogPath)
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Log File: $(Split-Path $LogPath -Leaf)" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
Get-Content $LogPath | ForEach-Object {
if ($_ -match 'ERROR|FAIL') {
Write-Host $_ -ForegroundColor Red
}
elseif ($_ -match 'SUCCESS|OK') {
Write-Host $_ -ForegroundColor Green
}
elseif ($_ -match 'WARN') {
Write-Host $_ -ForegroundColor Yellow
}
else {
Write-Host $_
}
}
Write-Host ""
}
function Get-DeploymentSummary {
$logs = Get-DeploymentLogs
$summary = @{
Total = $logs.Count
Successful = 0
Failed = 0
Hostnames = @{}
}
foreach ($log in $logs) {
$content = Get-Content $log.FullName -Raw
# Extract hostname from filename
$filename = $log.Name
if ($filename -match '^([^-]+)-') {
$hostname = $matches[1]
if (-not $summary.Hostnames.ContainsKey($hostname)) {
$summary.Hostnames[$hostname] = @{
Total = 0
Successful = 0
Failed = 0
LastDeployment = $log.LastWriteTime
}
}
$summary.Hostnames[$hostname].Total++
}
# Check if successful or failed
if ($content -match 'SUCCESS.*Complete|Setup Complete') {
$summary.Successful++
if ($hostname) {
$summary.Hostnames[$hostname].Successful++
}
}
elseif ($content -match 'ERROR|FAIL|failed') {
$summary.Failed++
if ($hostname) {
$summary.Hostnames[$hostname].Failed++
}
}
}
return $summary
}
function Show-SummaryReport {
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Deployment Summary Report" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
$summary = Get-DeploymentSummary
Write-Host "Total Logs: $($summary.Total)" -ForegroundColor White
Write-Host "Successful: $($summary.Successful)" -ForegroundColor Green
Write-Host "Failed: $($summary.Failed)" -ForegroundColor Red
Write-Host ""
if ($summary.Hostnames.Count -gt 0) {
Write-Host "Deployment by Hostname:" -ForegroundColor Yellow
Write-Host ""
$summary.Hostnames.GetEnumerator() |
Sort-Object { $_.Value.LastDeployment } -Descending |
ForEach-Object {
$hostname = $_.Key
$stats = $_.Value
$status = if ($stats.Successful -gt 0) { "SUCCESS" } else { "FAILED" }
$color = if ($stats.Successful -gt 0) { "Green" } else { "Red" }
Write-Host " $hostname - $status (Attempts: $($stats.Total), Last: $($stats.LastDeployment))" -ForegroundColor $color
}
}
Write-Host ""
}
# Main execution
try {
# Check if log directory exists
if (-not (Test-Path $LogDir)) {
Write-Host "[WARN] Log directory does not exist: $LogDir" -ForegroundColor Yellow
Write-Host "Creating log directory..." -ForegroundColor Yellow
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Write-Host "[OK] Log directory created" -ForegroundColor Green
exit 0
}
# Handle command-line parameters
if ($Latest -gt 0) {
Write-Host "`nShowing $Latest most recent logs:" -ForegroundColor Cyan
Write-Host ""
$logs = Get-DeploymentLogs | Select-Object -First $Latest
foreach ($log in $logs) {
Write-Host "$($log.Name) - $(Get-Date $log.LastWriteTime -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor White
}
Write-Host ""
exit 0
}
if ($Hostname) {
Write-Host "`nShowing logs for hostname: $Hostname" -ForegroundColor Cyan
$logs = Get-DeploymentLogs -Filter $Hostname
if ($logs.Count -eq 0) {
Write-Host "[WARN] No logs found for hostname: $Hostname" -ForegroundColor Yellow
exit 0
}
foreach ($log in $logs) {
Show-LogContent -LogPath $log.FullName
}
exit 0
}
if ($Failed) {
Write-Host "`nShowing failed deployments:" -ForegroundColor Red
Write-Host ""
$logs = Get-DeploymentLogs
foreach ($log in $logs) {
$content = Get-Content $log.FullName -Raw
if ($content -match 'ERROR|FAIL|failed') {
Write-Host "$($log.Name) - FAILED" -ForegroundColor Red
}
}
Write-Host ""
exit 0
}
if ($Successful) {
Write-Host "`nShowing successful deployments:" -ForegroundColor Green
Write-Host ""
$logs = Get-DeploymentLogs
foreach ($log in $logs) {
$content = Get-Content $log.FullName -Raw
if ($content -match 'SUCCESS.*Complete|Setup Complete') {
Write-Host "$($log.Name) - SUCCESS" -ForegroundColor Green
}
}
Write-Host ""
exit 0
}
# Interactive menu if no parameters
while ($true) {
Show-Menu
$choice = Read-Host "Select an option"
switch ($choice) {
"1" {
Write-Host "`nAll deployment logs:" -ForegroundColor Cyan
Write-Host ""
$logs = Get-DeploymentLogs
foreach ($log in $logs) {
Write-Host "$($log.Name) - $(Get-Date $log.LastWriteTime -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor White
}
Write-Host ""
Read-Host "Press Enter to continue"
}
"2" {
$count = Read-Host "How many recent logs to show?"
Write-Host "`nShowing $count most recent logs:" -ForegroundColor Cyan
Write-Host ""
$logs = Get-DeploymentLogs | Select-Object -First ([int]$count)
foreach ($log in $logs) {
Write-Host "$($log.Name) - $(Get-Date $log.LastWriteTime -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor White
}
Write-Host ""
Read-Host "Press Enter to continue"
}
"3" {
$searchHostname = Read-Host "Enter hostname to search"
Write-Host "`nShowing logs for hostname: $searchHostname" -ForegroundColor Cyan
$logs = Get-DeploymentLogs -Filter $searchHostname
if ($logs.Count -eq 0) {
Write-Host "[WARN] No logs found for hostname: $searchHostname" -ForegroundColor Yellow
}
else {
foreach ($log in $logs) {
Show-LogContent -LogPath $log.FullName
}
}
Read-Host "Press Enter to continue"
}
"4" {
Write-Host "`nFailed deployments:" -ForegroundColor Red
Write-Host ""
$logs = Get-DeploymentLogs
foreach ($log in $logs) {
$content = Get-Content $log.FullName -Raw
if ($content -match 'ERROR|FAIL|failed') {
Write-Host "$($log.Name) - FAILED" -ForegroundColor Red
}
}
Write-Host ""
Read-Host "Press Enter to continue"
}
"5" {
Write-Host "`nSuccessful deployments:" -ForegroundColor Green
Write-Host ""
$logs = Get-DeploymentLogs
foreach ($log in $logs) {
$content = Get-Content $log.FullName -Raw
if ($content -match 'SUCCESS.*Complete|Setup Complete') {
Write-Host "$($log.Name) - SUCCESS" -ForegroundColor Green
}
}
Write-Host ""
Read-Host "Press Enter to continue"
}
"6" {
Show-SummaryReport
Read-Host "Press Enter to continue"
}
"Q" {
Write-Host "`nExiting..." -ForegroundColor Cyan
exit 0
}
default {
Write-Host "`n[ERROR] Invalid option" -ForegroundColor Red
Start-Sleep -Seconds 1
}
}
}
} catch {
Write-Host "`n[ERROR] $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
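Review bot: #Requires -RunAsAdministrator at the top of this read-only log viewer grants more privilege than reading text files needs and is likely to make the script fail outright, because $LogDir = "S:\DT\ADATA\SCRIPT\DEPLOY\LOGS" is a mapped drive and, by default, drive mappings made in the user's normal logon session are not visible to an elevated process (the elevated token runs in a separate session unless EnableLinkedConnections is set), so the script will take the "Log directory does not exist" branch and then try to create S:\... on a drive that is not there. Suggest dropping the #Requires line, using the UNC path of the share, and not creating the directory from a viewer at all. Two logic problems in Get-DeploymentSummary: $hostname is assigned only inside if ($filename -match '^([^-]+)-'), so a log whose name does not match keeps the $hostname of the previous iteration and its result is credited to the wrong PC (set $hostname = $null at the top of the loop); and the success test 'SUCCESS.*Complete|Setup Complete' runs before the failure test, with -match being case-insensitive, so a log containing "[ERROR] HTTPS listener not found" followed by "Test setup complete!" (which Test-WinRM-HTTPS-Setup.ps1 prints even when a step failed) is counted as a successful deployment. The same ordering is duplicated in the -Failed and -Successful branches and in menu options 4 and 5. A more robust approach is to have the deployment script write one explicit final line such as RESULT=SUCCESS or RESULT=FAILED and key this viewer on that line only, with the per-log classification moved into a single helper so the four copies cannot drift apart; the 'OK' pattern in Show-LogContent also colours any line containing those two letters green.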

@@ -0,0 +1,236 @@
================================================================================
WILDCARD CERTIFICATE FIX - IMPORTANT TECHNICAL DETAIL
================================================================================
Date: 2025-10-17
Issue: Certificate CN mismatch error during HTTPS listener creation
================================================================================
PROBLEM
================================================================================
When deploying WinRM HTTPS with wildcard certificate, received error:
"The WinRM client cannot process the request. The certificate CN and
the hostname that were provided do not match."
Error Number: -2144108311 (0x803380E9)
================================================================================
ROOT CAUSE
================================================================================
WinRM HTTPS listener creation requires the hostname parameter to EXACTLY match
the certificate's Common Name (CN).
Certificate Details:
- Subject: CN=*.logon.ds.ge.com
- CN: *.logon.ds.ge.com (wildcard format)
Previous (Incorrect) Approach:
- Passed specific PC FQDN to listener: g9kn7pz3esf.logon.ds.ge.com
- WinRM compared: "*.logon.ds.ge.com" (cert CN) vs "g9kn7pz3esf.logon.ds.ge.com" (hostname)
- Result: MISMATCH → Error
================================================================================
SOLUTION
================================================================================
The listener hostname parameter must use the EXACT CN from the certificate,
which is the wildcard format: *.logon.ds.ge.com
Fixed Code (Setup-WinRM-HTTPS.ps1):
# Extract the CN value from certificate subject
if ($certSubject -match 'CN=([^,]+)') {
$certCN = $matches[1] # This captures "*.logon.ds.ge.com"
}
# Use the certificate CN (wildcard) for listener hostname
$listenerHostname = $certCN # "*.logon.ds.ge.com"
# Create listener with wildcard hostname
winrm create winrm/config/Listener?Address=*+Transport=HTTPS
@{Hostname="*.logon.ds.ge.com";CertificateThumbprint="...";Port="5986"}
================================================================================
HOW IT WORKS
================================================================================
Listener Configuration:
- Listener Hostname: *.logon.ds.ge.com (wildcard)
- Certificate CN: *.logon.ds.ge.com (wildcard)
- Match: ✓ SUCCESS
Client Connection:
- Clients still connect using specific FQDN: g9kn7pz3esf.logon.ds.ge.com
- WinRM matches this against the wildcard: *.logon.ds.ge.com
- Certificate validation succeeds because wildcard covers all subdomains
Example:
# Client connects using specific hostname
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Server listener accepts because:
# - Listener hostname: *.logon.ds.ge.com
# - Client hostname: g9kn7pz3esf.logon.ds.ge.com
# - Wildcard match: ✓ (g9kn7pz3esf matches *)
================================================================================
TECHNICAL DETAILS
================================================================================
WinRM Listener Hostname Validation:
1. WinRM creates listener with hostname="*.logon.ds.ge.com"
2. Certificate CN must match listener hostname EXACTLY
3. Wildcard CN "*.logon.ds.ge.com" = Listener hostname "*.logon.ds.ge.com" ✓
4. Listener accepts connections from any hostname matching *.logon.ds.ge.com
Certificate Validation During Connection:
1. Client connects to: g9kn7pz3esf.logon.ds.ge.com:5986
2. Server presents certificate with CN: *.logon.ds.ge.com
3. Client validates: Does "g9kn7pz3esf.logon.ds.ge.com" match "*.logon.ds.ge.com"?
4. Wildcard validation: ✓ YES (wildcard * matches "g9kn7pz3esf")
5. Connection succeeds
================================================================================
WHAT CHANGED IN THE SCRIPT
================================================================================
File: Setup-WinRM-HTTPS.ps1
Function: New-WinRMHTTPSListener
Changes:
1. Extract certificate CN from Subject field
2. Use certificate CN (wildcard) as listener hostname
3. Added logging to show both FQDN and listener hostname
4. Added explanatory notes in output
Before:
$winrmArgs = "create ... @{Hostname=`"$Hostname`";..."
# Where $Hostname = "g9kn7pz3esf.logon.ds.ge.com"
After:
$listenerHostname = $certCN # "*.logon.ds.ge.com"
$winrmArgs = "create ... @{Hostname=`"$listenerHostname`";..."
================================================================================
TESTING THE FIX
================================================================================
On Target PC:
# Check listener configuration
winrm enumerate winrm/config/listener
# Should show:
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = *.logon.ds.ge.com ← WILDCARD FORMAT
...
From Management Server:
# Test connection using specific hostname
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Should succeed because:
# - Server listener: *.logon.ds.ge.com
# - Client request: g9kn7pz3esf.logon.ds.ge.com
# - Wildcard match: ✓
================================================================================
APPLIES TO ALL PCS
================================================================================
This fix applies to ALL 175 shopfloor PCs:
- All use the same wildcard certificate
- All listeners configured with: Hostname=*.logon.ds.ge.com
- All clients connect with specific FQDN: hostname.logon.ds.ge.com
- Wildcard matching works for all PCs
Example PCs:
- g1jjvh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
- g1jjxh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
- g9kn7pz3esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
- ... (all 175 PCs match)
================================================================================
VERIFICATION COMMANDS
================================================================================
Check Listener Configuration:
winrm enumerate winrm/config/listener
# Look for:
Hostname = *.logon.ds.ge.com ← Must be wildcard!
Check Certificate:
Get-ChildItem Cert:\LocalMachine\My |
Where-Object {$_.Subject -like "*logon.ds.ge.com*"} |
Select-Object Subject, Thumbprint, NotAfter
Test Connection (from management server):
Test-WSMan -ComputerName HOSTNAME.logon.ds.ge.com -UseSSL -Port 5986
Create Remote Session:
$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
================================================================================
STATUS
================================================================================
Fix Applied: ✓ YES
File Updated: Setup-WinRM-HTTPS.ps1
Ready for Testing: ✓ YES
Next Step: Re-run deployment on test PC (G9KN7PZ3ESF)
================================================================================
EXPECTED RESULTS
================================================================================
After running updated deployment script:
1. Certificate import: ✓ SUCCESS
Subject: CN=*.logon.ds.ge.com
2. Listener creation: ✓ SUCCESS
Hostname: *.logon.ds.ge.com (wildcard)
3. Test connection: ✓ SUCCESS
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL
4. Remote session: ✓ SUCCESS
Enter-PSSession with -UseSSL flag
================================================================================
ADDITIONAL NOTES
================================================================================
- This is standard behavior for wildcard certificates with WinRM
- The listener hostname MUST match the certificate CN exactly
- Clients use specific FQDNs; wildcard matching happens automatically
- This approach is documented in Microsoft's WinRM HTTPS documentation
- No changes needed on client side (management server)
================================================================================
REFERENCES
================================================================================
WinRM Configuration:
- Listener Address: * (all IP addresses)
- Transport: HTTPS
- Port: 5986
- Hostname: *.logon.ds.ge.com (must match cert CN)
- Certificate Thumbprint: C1412765B2839E9081FCEA77BB1E6D8840203509
Wildcard Certificate:
- Subject: CN=*.logon.ds.ge.com
- Valid for: All subdomains of logon.ds.ge.com
- Valid until: 2027-10-17
- Key Size: 2048-bit RSA
================================================================================
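Review bot: the HOW IT WORKS and TECHNICAL DETAILS sections ("Listener accepts connections from any hostname matching *.logon.ds.ge.com", "Server listener accepts because ... Wildcard match: ✓ (g9kn7pz3esf matches *)") describe a server-side name check that the listener does not perform. With Address=* the listener answers on every interface whatever name the client used, and the Hostname value is compared against the certificate subject only when the listener is created, which is the check that produced error 0x803380E9 in the first place. The only name matching at connection time is the client validating the certificate CN/SAN against the name it connected to, and that is the reason a wildcard CN works; suggest rewording those two sections so readers do not expect the listener to reject names outside the wildcard. The ADDITIONAL NOTES should also state the trust side: this certificate is self-signed (Test-WinRM-HTTPS-Setup.ps1 generates it), so the client-side validation described in steps 1 to 5 succeeds only if the management server trusts that certificate or skips CA checking, and the test script currently does the latter. Finally, APPLIES TO ALL PCS means the same private key sits on all 175 machines, so one compromised shopfloor PC can present a valid *.logon.ds.ge.com identity for any other host; the "obtain a certificate from a trusted CA" production note should say per-host certificates, and the 2027-10-17 expiry in REFERENCES needs a rotation procedure before then.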