Initial commit: Organized PowerShell scripts for ShopDB asset collection

Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cproudlock
2025-12-10 10:57:54 -05:00
commit 62c0c7bb06
102 changed files with 28017 additions and 0 deletions


@@ -0,0 +1,315 @@
================================================================================
AFTER RUNNING BULK CERTIFICATE SIGNING - WHAT'S NEXT?
================================================================================
You just ran: .\Sign-BulkCertificates.ps1
Now you have 175 individual certificates ready to deploy!
================================================================================
WHAT YOU HAVE NOW
================================================================================
Folder created: pc-certificates\batch-YYYYMMDD-HHMMSS\
Inside this folder:
- 175 PFX files (one per PC)
Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
- 175 CER files (public certificates)
Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.cer
- certificate-list.csv (spreadsheet of all certificates)
- SUMMARY.txt (summary report)
================================================================================
NEXT STEP: DEPLOY TO ONE PC (TEST FIRST!)
================================================================================
Test on: G9KN7PZ3ESF
STEP 1: Copy Certificate to the PC
-----------------------------------
From YOUR computer (H2PRFM94):
# Navigate to the certificate folder
cd pc-certificates\batch-*
# Copy to the test PC
Copy-Item "G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
If that doesn't work (network path issue):
- Copy the file to a USB drive
- Or use network share location
- Or RDP to the PC and copy directly
STEP 2: Import Certificate on the PC
-------------------------------------
ON THE PC (G9KN7PZ3ESF), in PowerShell as Administrator:
# Import the certificate
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
$cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
# Show the certificate (verify it worked)
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter
You should see:
Subject: CN=g9kn7pz3esf.logon.ds.ge.com
Issuer: CN=Shopfloor WinRM CA
Thumbprint: (long string)
NotAfter: (expiration date)
STEP 3: Configure WinRM HTTPS
------------------------------
Still ON THE PC (G9KN7PZ3ESF):
Option A - If you have Setup-WinRM-HTTPS.ps1 on the PC:
.\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
Option B - Manual configuration (if no script):
# Enable WinRM
Enable-PSRemoting -Force -SkipNetworkProfileCheck
# Remove old HTTPS listener (if exists)
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
# Create HTTPS listener with the certificate
$hostname = "g9kn7pz3esf.logon.ds.ge.com"
winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
"@{Hostname=`"$hostname`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
# Create firewall rule
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
-Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow
STEP 4: Verify Configuration on the PC
---------------------------------------
Still ON THE PC (G9KN7PZ3ESF):
# Check WinRM service
Get-Service WinRM
# Should show: Running
# Check listeners
winrm enumerate winrm/config/listener
# Should show HTTPS listener on port 5986
# Hostname should be: g9kn7pz3esf.logon.ds.ge.com
# Check port
netstat -an | findstr :5986
# Should show: 0.0.0.0:5986 LISTENING
# Check firewall
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
# Should show: Enabled = True
If any of these fail, run Test-RemotePC-Debug.bat on the PC!
STEP 5: Test Connection from YOUR Computer
-------------------------------------------
Back on YOUR computer (H2PRFM94):
# Test basic connectivity
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Expected output:
wsmid : http://schemas.dmtf.org/...
ProtocolVersion : http://schemas.dmtf.org/...
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
✅ SUCCESS! No certificate errors!
# Test interactive session
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Expected result:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
✅ You're now connected to the remote PC!
# Try some commands:
hostname
Get-Service WinRM
Exit-PSSession
================================================================================
IF TEST PC WORKS - DEPLOY TO MORE PCs
================================================================================
Deploy to 3-5 more PCs for additional testing:
- G1JJVH63ESF
- G1JJXH63ESF
- G1JKYH63ESF
- etc.
For each PC, repeat Steps 1-5 above.
================================================================================
BULK DEPLOYMENT TO ALL 175 PCs
================================================================================
Once 5+ PCs are working successfully, deploy to all remaining PCs.
Option A - Manual Deployment (Safe but slow):
- Deploy 10-20 PCs at a time
- Verify each batch works before continuing
- Track progress in a spreadsheet
Option B - Automated Deployment (Faster):
Create a deployment script:
$pcs = Get-Content "shopfloor-hostnames.txt"
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
foreach ($pc in $pcs) {
$fqdn = "$pc.logon.ds.ge.com"
Write-Host "Deploying to $pc..." -ForegroundColor Yellow
try {
# Copy certificate
$certFile = Get-ChildItem "pc-certificates\batch-*\$pc-*.pfx"
Copy-Item $certFile.FullName -Destination "\\$fqdn\C$\Temp\"
# Import and configure remotely
Invoke-Command -ComputerName $fqdn -ScriptBlock {
param($certPath, $certPassword)
$pass = ConvertTo-SecureString $certPassword -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $certPath `
-CertStoreLocation Cert:\LocalMachine\My -Password $pass
# Configure WinRM (add WinRM configuration commands here)
} -ArgumentList "C:\Temp\$($certFile.Name)", "PCCert2025!"
Write-Host " [OK] $pc deployed successfully" -ForegroundColor Green
} catch {
Write-Host " [ERROR] $pc failed: $($_.Exception.Message)" -ForegroundColor Red
}
}
Note: You'd need to adapt this for your environment.
================================================================================
TRACKING DEPLOYMENT
================================================================================
Create a tracking spreadsheet with columns:
- Hostname
- Certificate Deployed (Yes/No/Date)
- WinRM Configured (Yes/No/Date)
- Connection Tested (Yes/No/Date)
- Notes
Use the certificate-list.csv as a starting point!
================================================================================
TROUBLESHOOTING
================================================================================
If a PC won't connect:
1. Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to that PC
2. Right-click Test-RemotePC-Debug.bat, "Run as Administrator"
3. Review the output to find the issue
Common problems:
❌ Port 5986 not listening → WinRM listener not created
❌ Certificate not found → Certificate not imported
❌ Firewall blocking → Firewall rule missing
❌ Wrong hostname in cert → Used wrong PFX file
================================================================================
VERIFICATION CHECKLIST
================================================================================
For each deployed PC, verify:
✓ Certificate imported (Cert:\LocalMachine\My)
✓ Certificate issued by "Shopfloor WinRM CA"
✓ WinRM service running
✓ HTTPS listener on port 5986
✓ Listener hostname matches PC FQDN
✓ Firewall rule enabled
✓ Port 5986 listening
✓ Can connect from management computer
✓ No certificate warnings
================================================================================
FINAL RESULT
================================================================================
After deploying all 175 PCs, you can connect to ANY of them with:
$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Clean, secure, no certificate bypasses!
Run commands on multiple PCs:
$computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")
Invoke-Command -ComputerName ($computers | ForEach-Object {"$_.logon.ds.ge.com"}) `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock {
Get-Service WinRM | Select-Object Name, Status
}
Collect data from all 175 PCs in seconds!
================================================================================
SUMMARY
================================================================================
Next Steps After Bulk Signing:
1. ✅ Deploy to ONE PC (G9KN7PZ3ESF) - TEST FIRST
2. ✅ Verify connection works
3. ✅ Deploy to 3-5 more PCs
4. ✅ Deploy to remaining PCs in batches
5. ✅ Track progress
6. ✅ Verify all deployments
7. ✅ Celebrate! 🎉
================================================================================
NEED HELP?
================================================================================
- Certificate issues → Run Test-RemotePC-Debug.bat on the PC
- Connection issues → Check firewall, WinRM service, listener
- Can't copy files → Check network paths, permissions
- General questions → Review README.txt
All scripts and documentation are in /home/camp/winrm-ca-scripts/
================================================================================
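Review bot: the automated deployment script under Option B of BULK DEPLOYMENT is shipped with a placeholder where the WinRM configuration belongs ("# Configure WinRM (add WinRM configuration commands here)"), so as written the script block imports the certificate and then prints "[OK] $pc deployed successfully" without ever creating the HTTPS listener or the firewall rule; either inline the same `winrm create` and `New-NetFirewallRule` steps that STEP 3 Option B documents, or drop the success message until they are present. The same block passes the PFX password as a plain string ("PCCert2025!" in -ArgumentList) and the guide repeats that password in every import example; prompting once with `Read-Host -AsSecureString` and passing the SecureString through -ArgumentList keeps it out of transcripts and out of the repository. Two smaller points: `Get-ChildItem "pc-certificates\batch-*\$pc-*.pfx"` returns one file per batch folder once a second signing run exists, and `$certFile.Name` then collapses an array into a single space-joined string, so the remote path is wrong; select the newest match explicitly. And the NEED HELP? section points to /home/camp/winrm-ca-scripts/, a Linux path that does not match the Windows workflow the rest of the file describes.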


@@ -0,0 +1,359 @@
================================================================================
COMPLETE WORKFLOW - START TO FINISH
================================================================================
Visual guide showing the entire process from CA creation to remote access.
================================================================================
PHASE 1: SETUP (ONE TIME - 15 MINUTES)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 1: Create Certificate Authority │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Command:
PS> .\Create-CA-Simple.ps1
Input:
- CA Password: ShopfloorCA2025!
Output:
✓ Shopfloor-WinRM-CA-20251017.pfx (CA private key - KEEP SECURE!)
✓ Shopfloor-WinRM-CA-20251017.cer (CA public certificate)
✓ CA-INFO-20251017.txt
↓ ↓ ↓
┌─────────────────────────────────────────────────────────────────┐
│ STEP 2: Install CA on YOUR Computer │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Command:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Result:
✓ YOUR computer now trusts ALL certificates signed by this CA!
✓ No more -SessionOption needed for connections!
↓ ↓ ↓
┌─────────────────────────────────────────────────────────────────┐
│ STEP 3: Sign All 175 PC Certificates │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Command:
PS> .\Sign-BulkCertificates.ps1
Input:
- CA Password: ShopfloorCA2025!
- PC Certificate Password: PCCert2025!
Process:
→ Reads: shopfloor-hostnames.txt (175 hostnames)
→ Signs: 175 individual certificates
→ Each PC gets unique certificate with its own hostname
Output:
✓ pc-certificates/batch-20251017-123456/
- G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
- G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
- G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
- ... (175 total PFX files)
- certificate-list.csv
- SUMMARY.txt
================================================================================
PHASE 2: TEST DEPLOYMENT (ONE PC - 10 MINUTES)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 4: Deploy to Test PC (G9KN7PZ3ESF) │
└─────────────────────────────────────────────────────────────────┘
A. Copy Certificate to PC
─────────────────────────────────────────────────────────────
On YOUR computer:
PS> cd pc-certificates\batch-*
PS> Copy-Item "G9KN7PZ3ESF-*.pfx" -Destination "\\G9KN7PZ3ESF\C$\Temp\"
Result:
✓ Certificate file on PC: C:\Temp\G9KN7PZ3ESF-*.pfx
B. Import Certificate on PC
─────────────────────────────────────────────────────────────
ON THE PC (G9KN7PZ3ESF), as Administrator:
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
PS> $cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
Result:
✓ Certificate installed in: Cert:\LocalMachine\My
✓ Subject: CN=g9kn7pz3esf.logon.ds.ge.com
✓ Issuer: CN=Shopfloor WinRM CA
C. Configure WinRM HTTPS on PC
─────────────────────────────────────────────────────────────
Still ON THE PC (G9KN7PZ3ESF):
PS> .\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
Result:
✓ WinRM service running
✓ HTTPS listener created on port 5986
✓ Firewall rule enabled
✓ Hostname: g9kn7pz3esf.logon.ds.ge.com
D. Verify on PC
─────────────────────────────────────────────────────────────
Still ON THE PC (G9KN7PZ3ESF):
PS> Get-Service WinRM
# Status: Running
PS> winrm enumerate winrm/config/listener
# Shows HTTPS listener on port 5986
PS> netstat -an | findstr :5986
# Shows: 0.0.0.0:5986 LISTENING
✓ All checks passed!
↓ ↓ ↓
┌─────────────────────────────────────────────────────────────────┐
│ STEP 5: Test Connection from YOUR Computer │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
A. Test Basic Connectivity
─────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Expected Output:
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
✓ SUCCESS! No certificate errors!
B. Test Interactive Session
─────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Expected Output:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
✓ CONNECTED! Clean and secure!
✓ No -SessionOption needed!
✓ No certificate warnings!
Try commands:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
Status Name DisplayName
------ ---- -----------
Running WinRM Windows Remote Management (WS-Manag...
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession
🎉 TEST PC DEPLOYMENT SUCCESSFUL! 🎉
================================================================================
PHASE 3: EXPANDED TESTING (3-5 PCs - 30 MINUTES)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 6: Deploy to Additional Test PCs │
└─────────────────────────────────────────────────────────────────┘
Repeat STEP 4 for these PCs:
- G1JJVH63ESF
- G1JJXH63ESF
- G1JKYH63ESF
- G1JMYH63ESF
For each PC:
1. Copy certificate
2. Import certificate
3. Configure WinRM
4. Verify
5. Test connection
Result:
✓ 5 PCs successfully deployed and tested
✓ All connections working
✓ Ready for full deployment
================================================================================
PHASE 4: FULL DEPLOYMENT (170 REMAINING PCs)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 7: Deploy to All Remaining PCs │
└─────────────────────────────────────────────────────────────────┘
Strategy: Deploy in batches of 10-20 PCs
Batch 1: PCs 6-15
Batch 2: PCs 16-25
Batch 3: PCs 26-35
... continue ...
Batch 17: PCs 166-175
For each batch:
1. Deploy certificates
2. Configure WinRM
3. Test connections
4. Document results
5. Move to next batch
OR use automated deployment script (see AFTER-BULK-SIGNING.txt)
================================================================================
PHASE 5: VERIFICATION (ALL 175 PCs)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 8: Verify All Deployments │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Test all 175 PCs at once:
PS> $pcs = Get-Content "shopfloor-hostnames.txt"
PS> $cred = Get-Credential
PS> $results = foreach ($pc in $pcs) {
$fqdn = "$pc.logon.ds.ge.com"
Write-Host "Testing $pc..." -NoNewline
try {
Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop
Write-Host " OK" -ForegroundColor Green
[PSCustomObject]@{PC=$pc; Status="Success"}
} catch {
Write-Host " FAILED" -ForegroundColor Red
[PSCustomObject]@{PC=$pc; Status="Failed"}
}
}
PS> $results | Export-Csv "deployment-results.csv" -NoTypeInformation
PS> $successCount = ($results | Where-Object {$_.Status -eq "Success"}).Count
PS> Write-Host "$successCount / 175 PCs deployed successfully" -ForegroundColor Green
Result:
✓ All PCs verified
✓ Results documented
✓ Any failures identified for remediation
================================================================================
FINAL RESULT - WHAT YOU CAN DO NOW
================================================================================
Connect to ANY shopfloor PC:
─────────────────────────────────────────────────────────────
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986
Run commands on multiple PCs:
─────────────────────────────────────────────────────────────
$computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")
Invoke-Command -ComputerName ($computers | ForEach-Object {"$_.logon.ds.ge.com"}) `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { hostname }
Collect data from all 175 PCs:
─────────────────────────────────────────────────────────────
$allPCs = Get-Content "shopfloor-hostnames.txt" |
ForEach-Object {"$_.logon.ds.ge.com"}
$data = Invoke-Command -ComputerName $allPCs -Credential $cred `
-UseSSL -Port 5986 -ScriptBlock {
[PSCustomObject]@{
PC = $env:COMPUTERNAME
Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
FreeMemoryGB = [math]::Round((Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory/1MB,2)
Services = (Get-Service | Where-Object {$_.Status -eq 'Running'}).Count
}
}
$data | Export-Csv "shopfloor-inventory.csv" -NoTypeInformation
================================================================================
TIME INVESTMENT SUMMARY
================================================================================
Initial Setup (One Time):
- Create CA: 5 minutes
- Install CA on your computer: 2 minutes
- Sign 175 certificates: 5 minutes
- Total: ~12 minutes
Per PC Deployment:
- Copy certificate: 1 minute
- Import and configure: 2 minutes
- Test: 1 minute
- Total per PC: ~4 minutes
Full Deployment:
- Test PC: 4 minutes
- 4 additional test PCs: 16 minutes
- 170 remaining PCs (automated): 2-3 hours
- Total: ~3-4 hours for all 175 PCs
ONGOING USE:
- Connect to any PC: 5 seconds
- No certificate warnings ever again!
- Clean, secure, professional
================================================================================
WORKFLOW COMPLETE!
================================================================================
You now have:
✓ Certificate Authority created and installed
✓ 175 individual PC certificates signed
✓ All PCs configured for WinRM HTTPS
✓ Clean, secure remote access to all shopfloor PCs
✓ No certificate bypasses or warnings
✓ Enterprise-grade security
Next: Start managing your shopfloor PCs remotely! 🚀
================================================================================
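Review bot: the STEP 8 verification loop collects two object types into $results: on every success `Test-WSMan` emits its identity object to the pipeline in addition to the `[PSCustomObject]@{PC=$pc; Status="Success"}` record, so `Export-Csv` takes its header from the first Test-WSMan object (wsmid, ProtocolVersion, ProductVendor, ProductVersion) and the PC/Status rows in deployment-results.csv come out blank; $successCount happens to stay correct only because Test-WSMan objects have no Status property. Pipe the probe to `Out-Null` (`Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop | Out-Null`) so only the custom objects are kept. Separately, STEP 4B passes a wildcard to `Import-PfxCertificate -FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx"`; that parameter does not expand wildcards, so the import fails with a file-not-found error, whereas the "AFTER RUNNING BULK CERTIFICATE SIGNING" guide uses the full dated file name and the "DEPLOY AND TEST ONE PC" guide resolves it with `(Get-Item "G9KN7PZ3ESF-*.pfx").FullName`; use one of those forms here. The CA and PC certificate passwords are also spelled out under Input in STEP 1 and STEP 3; committed documentation should carry placeholders, not the real values.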


@@ -0,0 +1,155 @@
#Requires -RunAsAdministrator
param(
[string]$CACommonName = "Shopfloor WinRM CA",
[string]$OutputPath = ".",
[int]$ValidityYears = 10,
[SecureString]$ExportPassword
)
Write-Host ""
Write-Host "=== Certificate Authority Creation for WinRM HTTPS ===" -ForegroundColor Cyan
Write-Host ""
# Prompt for password if not provided
if (-not $ExportPassword) {
Write-Host "Enter a strong password to protect the CA private key:" -ForegroundColor Yellow
$ExportPassword = Read-Host "CA Password" -AsSecureString
$ExportPassword2 = Read-Host "Confirm Password" -AsSecureString
$pass1 = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($ExportPassword))
$pass2 = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($ExportPassword2))
if ($pass1 -ne $pass2) {
Write-Host "Passwords do not match!" -ForegroundColor Red
exit 1
}
}
# Create output directory
if (-not (Test-Path $OutputPath)) {
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
}
Write-Host "Creating Certificate Authority..." -ForegroundColor Yellow
Write-Host " Common Name: $CACommonName"
Write-Host " Valid for: $ValidityYears years"
Write-Host ""
try {
$notAfter = (Get-Date).AddYears($ValidityYears)
$caCert = New-SelfSignedCertificate `
-Subject "CN=$CACommonName" `
-KeyExportPolicy Exportable `
-KeyUsage CertSign,CRLSign,DigitalSignature `
-KeyUsageProperty All `
-KeyLength 4096 `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256 `
-CertStoreLocation 'Cert:\LocalMachine\My' `
-NotAfter $notAfter `
-Type Custom `
-TextExtension '2.5.29.19={text}CA=1&pathlength=0','2.5.29.37={text}1.3.6.1.5.5.7.3.1'
Write-Host "[OK] Certificate Authority created successfully" -ForegroundColor Green
Write-Host ""
Write-Host "Certificate Details:"
Write-Host " Subject: $($caCert.Subject)"
Write-Host " Thumbprint: $($caCert.Thumbprint)"
Write-Host " Valid Until: $($caCert.NotAfter)"
Write-Host ""
} catch {
Write-Host "[ERROR] Failed to create CA certificate: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
# Export PFX
$timestamp = Get-Date -Format "yyyyMMdd"
$caFileNameBase = $CACommonName -replace '[^a-zA-Z0-9]', '-'
$pfxPath = Join-Path $OutputPath "$caFileNameBase-$timestamp.pfx"
Write-Host "Exporting CA certificate with private key..."
Write-Host " File: $pfxPath"
try {
Export-PfxCertificate -Cert $caCert -FilePath $pfxPath -Password $ExportPassword | Out-Null
Write-Host "[OK] CA certificate exported (with private key)" -ForegroundColor Green
Write-Host ""
Write-Host "WARNING: Protect this file - it contains the CA private key!" -ForegroundColor Yellow
Write-Host ""
} catch {
Write-Host "[ERROR] Failed to export PFX: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
# Export CER
$cerPath = Join-Path $OutputPath "$caFileNameBase-$timestamp.cer"
Write-Host "Exporting CA public certificate..."
Write-Host " File: $cerPath"
try {
Export-Certificate -Cert $caCert -FilePath $cerPath | Out-Null
Write-Host "[OK] CA public certificate exported" -ForegroundColor Green
Write-Host ""
Write-Host "Install this certificate on all management computers"
Write-Host ""
} catch {
Write-Host "[ERROR] Failed to export CER: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
# Create info file
$infoPath = Join-Path $OutputPath "CA-INFO-$timestamp.txt"
$infoContent = @"
Certificate Authority Information
==================================
Created: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
CA Details:
Common Name: $CACommonName
Thumbprint: $($caCert.Thumbprint)
Valid Until: $($caCert.NotAfter)
Files Created:
1. $pfxPath
- CA with private key (KEEP SECURE!)
2. $cerPath
- CA public certificate (Install on management computers)
Next Steps:
1. Install CA on YOUR computer:
Import-Certificate -FilePath '$cerPath' -CertStoreLocation Cert:\LocalMachine\Root
2. Sign PC certificates:
.\Sign-BulkCertificates.ps1 -HostnameFile shopfloor-hostnames.txt -CAPfxPath '$pfxPath'
"@
$infoContent | Out-File -FilePath $infoPath -Encoding UTF8
# Summary
Write-Host "=== CERTIFICATE AUTHORITY CREATED ===" -ForegroundColor Green
Write-Host ""
Write-Host "Files Created:"
Write-Host " 1. $pfxPath"
Write-Host " (CA with private key - KEEP SECURE!)"
Write-Host ""
Write-Host " 2. $cerPath"
Write-Host " (CA public certificate - Install on management computers)"
Write-Host ""
Write-Host " 3. $infoPath"
Write-Host " (Information file)"
Write-Host ""
Write-Host "CA Thumbprint: $($caCert.Thumbprint)" -ForegroundColor Yellow
Write-Host ""
Write-Host "Next Steps:"
Write-Host " 1. Install CA on YOUR computer:"
Write-Host " Import-Certificate -FilePath '$cerPath' -CertStoreLocation Cert:\LocalMachine\Root"
Write-Host ""
Write-Host " 2. Sign PC certificates:"
Write-Host " .\Sign-BulkCertificates.ps1 -HostnameFile shopfloor-hostnames.txt -CAPfxPath '$pfxPath'"
Write-Host ""
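Review bot: this CA creation script builds the CA with `New-SelfSignedCertificate ... -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable` and never removes it after the PFX export, so the CA private key stays resident and exportable in the management workstation's machine store with no password protecting it, even though the script's own output warns to protect the PFX file. Remove the store copy once both exports succeed (`Remove-Item "Cert:\LocalMachine\My\$($caCert.Thumbprint)" -DeleteKey`), or document that the workstation itself now holds the signing key and treat it accordingly. The password-confirmation block also converts both SecureStrings to plain text via `SecureStringToBSTR`/`PtrToStringAuto` and never calls `ZeroFreeBSTR` or clears $pass1/$pass2, so the CA password lingers in process memory for the rest of the run; free the BSTR pointers and `Remove-Variable pass1, pass2` immediately after the comparison. Minor: when -ExportPassword is supplied as a parameter the confirmation step is skipped, which is fine, but a mistyped password then only surfaces when the PFX is later opened, so it may be worth noting in the parameter help.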


@@ -0,0 +1,410 @@
================================================================================
DEPLOY AND TEST ONE PC - PRACTICAL GUIDE
================================================================================
This guide shows EXACTLY how to deploy to G9KN7PZ3ESF and test it.
================================================================================
PART 1: SETUP ON YOUR COMPUTER (H2PRFM94) - ONE TIME
================================================================================
Step 1: Create and Install CA
─────────────────────────────────────────────────────────────
PS> cd C:\path\to\winrm-ca-scripts
PS> .\Create-CA-Simple.ps1
# Password: ShopfloorCA2025!
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
✓ Done - CA created and trusted on your computer
Step 2: Sign Certificate for Test PC
─────────────────────────────────────────────────────────────
Option A - Sign just one:
PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"
PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"
# CA Password: ShopfloorCA2025!
# PC Cert Password: PCCert2025!
Option B - Sign all 175:
PS> .\Sign-BulkCertificates.ps1
# CA Password: ShopfloorCA2025!
# PC Cert Password: PCCert2025!
✓ Certificate created: pc-certificates\batch-*\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
================================================================================
PART 2: DEPLOY TO THE REMOTE PC (G9KN7PZ3ESF)
================================================================================
You have 3 deployment methods. Choose ONE:
METHOD 1: Network Share Deployment (EASIEST - Recommended)
════════════════════════════════════════════════════════════════════════════
Step 1: Copy files to network share (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> # Copy certificates
PS> Copy-Item "pc-certificates\batch-*" `
-Destination "S:\dt\adata\script\deploy\pc-certificates\" `
-Recurse
PS> # Copy deployment scripts
PS> Copy-Item "Deploy-PCCertificate.ps1" `
-Destination "S:\dt\adata\script\deploy\"
PS> Copy-Item "Deploy-PCCertificate.bat" `
-Destination "S:\dt\adata\script\deploy\"
Step 2: Run deployment on the PC (ON G9KN7PZ3ESF)
──────────────────────────────────────────────────────────────
1. Walk to PC G9KN7PZ3ESF (or RDP to it)
2. Open File Explorer
3. Navigate to: S:\dt\adata\script\deploy\
4. RIGHT-CLICK: Deploy-PCCertificate.bat
5. Select: "Run as Administrator"
6. Enter password when prompted: PCCert2025!
7. Wait for "SUCCESS" message
✓ Script automatically:
- Finds G9KN7PZ3ESF certificate from network share
- Imports it to Local Machine store
- Configures WinRM HTTPS listener
- Creates firewall rule
- Logs to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt
METHOD 2: Copy Files Directly to PC (If network share not accessible)
════════════════════════════════════════════════════════════════════════════
Step 1: Copy files to PC (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> # Copy certificate
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
PS> # Copy setup script
PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
Step 2: Run setup on the PC (ON G9KN7PZ3ESF)
──────────────────────────────────────────────────────────────
1. Walk to PC G9KN7PZ3ESF (or RDP to it)
2. Open PowerShell as Administrator
3. Run these commands:
PS> cd C:\Temp
PS> # Import certificate
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
PS> $cert = Import-PfxCertificate `
-FilePath (Get-Item "G9KN7PZ3ESF-*.pfx").FullName `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
PS> # Configure WinRM
PS> Set-ExecutionPolicy Bypass -Scope Process -Force
PS> .\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
✓ Done - WinRM HTTPS configured
METHOD 3: Remote Deployment via PowerShell (If WinRM HTTP already works)
════════════════════════════════════════════════════════════════════════════
Step 1: Copy certificate to PC (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
Step 2: Import and configure remotely (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
# Enter your domain credentials
PS> Invoke-Command -ComputerName G9KN7PZ3ESF -Credential $cred -ScriptBlock {
# Import certificate
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
$certFile = Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx"
$cert = Import-PfxCertificate `
-FilePath $certFile.FullName `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
# Get hostname and FQDN
$hostname = $env:COMPUTERNAME
$fqdn = "$hostname.logon.ds.ge.com".ToLower()
# Enable WinRM
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Set-Service WinRM -StartupType Automatic
Start-Service WinRM
# Remove old HTTPS listener
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>$null
# Create HTTPS listener
$winrmCmd = "create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$fqdn`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
cmd.exe /c "winrm $winrmCmd"
# Create firewall rule
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
-Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -Force
Write-Host "WinRM HTTPS configured on $hostname" -ForegroundColor Green
}
✓ Done - Configured remotely
================================================================================
PART 3: VERIFY DEPLOYMENT ON THE PC (ON G9KN7PZ3ESF)
================================================================================
Option A: Quick Check (on the PC)
─────────────────────────────────────────────────────────────
PS> winrm enumerate winrm/config/listener
Look for:
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = g9kn7pz3esf.logon.ds.ge.com
CertificateThumbprint = (long string)
✓ If you see HTTPS listener on port 5986 → Success!
Option B: Full Verification (on the PC)
─────────────────────────────────────────────────────────────
1. Copy Test-RemotePC-Debug.bat to C:\Temp on the PC
2. Copy Test-RemotePC-Debug.ps1 to C:\Temp on the PC
3. Right-click Test-RemotePC-Debug.bat → "Run as Administrator"
4. Review the output
Check for:
✓ WinRM Service: Running
✓ HTTPS Listener on port 5986
✓ Port 5986 LISTENING
✓ Certificate in LocalMachine\My
✓ Firewall rule enabled
================================================================================
PART 4: TEST CONNECTION FROM YOUR COMPUTER (H2PRFM94)
================================================================================
Now test that YOU can connect to G9KN7PZ3ESF remotely.
Test 1: Basic WinRM Connectivity
─────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
EXPECTED OUTPUT (Success):
┌────────────────────────────────────────────────────────┐
│ wsmid : http://schemas.dmtf.org/wbem/... │
│ ProtocolVersion : http://schemas.dmtf.org/wbem/... │
│ ProductVendor : Microsoft Corporation │
│ ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0 │
└────────────────────────────────────────────────────────┘
✅ SUCCESS = WinRM HTTPS is working!
POSSIBLE ERROR (Failure):
┌────────────────────────────────────────────────────────┐
│ Test-WSMan : The server certificate on the destination │
│ computer has the following errors: │
│ The SSL certificate is signed by an unknown CA. │
└────────────────────────────────────────────────────────┘
FIX:
PS> # Install CA on your computer
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Test 2: Interactive Remote Session
─────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
# Enter your domain credentials (e.g., DOMAIN\username)
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
EXPECTED OUTPUT (Success):
┌────────────────────────────────────────────────────────┐
│ [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> │
└────────────────────────────────────────────────────────┘
✅ You're now connected to the remote PC!
Try these commands:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM | Select-Object Status, Name
Running WinRM
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> $env:COMPUTERNAME
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession
Test 3: Remote Command Execution
─────────────────────────────────────────────────────────────
PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock {
[PSCustomObject]@{
Hostname = $env:COMPUTERNAME
WinRMStatus = (Get-Service WinRM).Status
Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
}
}
EXPECTED OUTPUT:
┌────────────────────────────────────────────────────────┐
│ Hostname WinRMStatus Uptime │
│ -------- ----------- ------ │
│ G9KN7PZ3ESF Running 23:15:42.1234567 │
└────────────────────────────────────────────────────────┘
✅ Remote commands work!
Test 4: No Certificate Bypass Needed
─────────────────────────────────────────────────────────────
NOTICE: You did NOT need to use:
❌ -SessionOption (no bypass needed!)
❌ -SkipCNCheck
❌ -SkipCACheck
❌ -SkipRevocationCheck
This is a CLEAN, SECURE connection because:
✓ Your computer trusts the CA
✓ Certificate is properly signed
✓ Certificate CN matches hostname
✓ Full SSL/TLS validation works
================================================================================
TROUBLESHOOTING
================================================================================
Problem: Test-WSMan fails with "cannot connect"
Solution:
1. Check PC is on network: ping g9kn7pz3esf.logon.ds.ge.com
2. Check port reachable: Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
3. On PC, verify listener: winrm enumerate winrm/config/listener
4. On PC, verify port: netstat -an | findstr :5986
Problem: Test-WSMan fails with "SSL certificate signed by unknown CA"
Solution:
Install CA on YOUR computer:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Problem: Enter-PSSession fails with "Access Denied"
Solution:
1. Verify credentials are correct
2. Verify user has admin rights on remote PC
3. Check WinRM permissions: winrm get winrm/config/service
Problem: Port 5986 not listening on PC
Solution:
1. On PC: Get-Service WinRM (should be Running)
2. On PC: winrm enumerate winrm/config/listener (check for HTTPS)
3. Re-run Setup-WinRM-HTTPS.ps1 on the PC
Problem: Certificate not found during deployment
Solution:
1. Verify certificate exists in network share or C:\Temp
2. Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
3. Verify hostname matches: $env:COMPUTERNAME on the PC
================================================================================
SUCCESS CHECKLIST
================================================================================
✓ CA created and installed on your computer
✓ Certificate signed for G9KN7PZ3ESF
✓ Certificate deployed to G9KN7PZ3ESF
✓ WinRM HTTPS configured on G9KN7PZ3ESF
✓ Test-WSMan succeeds from your computer
✓ Enter-PSSession connects successfully
✓ No certificate bypasses needed
✓ Remote commands execute properly
When ALL checks pass → Ready to deploy to remaining PCs!
================================================================================
NEXT STEPS
================================================================================
After successful test on G9KN7PZ3ESF:
1. Test 3-5 more PCs to confirm process
2. If all work, proceed to batch deployment
3. Use same method for all 175 PCs
4. Track progress in spreadsheet
See: COMPLETE-WORKFLOW.txt for full deployment strategy
================================================================================
SUMMARY - DEPLOYMENT METHODS
================================================================================
Method 1: Network Share (Recommended)
→ Copy certs + scripts to S:\dt\adata\script\deploy\
→ On each PC: Run Deploy-PCCertificate.bat
→ Automatic deployment with logging
Method 2: Direct Copy
→ Copy cert + script to PC via \\HOSTNAME\C$\Temp\
→ On PC: Run Setup-WinRM-HTTPS.ps1 manually
→ Manual but reliable
Method 3: Remote PowerShell
→ Copy cert, deploy via Invoke-Command
→ Requires existing WinRM HTTP access
→ Fastest for bulk deployment
Choose based on your environment and access methods.
================================================================================
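Review bot: the Invoke-Command variant at the top of this hunk creates the firewall rule with `New-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow` and no -RemoteAddress, so a PC configured by "Method 3: Remote PowerShell" exposes port 5986 to every source address, while Deploy-PCCertificate.ps1 in the same commit restricts the same rule to -AllowedSubnets; add -RemoteAddress with the management subnets here so all three deployment methods yield the same rule, or have Method 3 invoke Deploy-PCCertificate.ps1 instead of inlining the steps. Two smaller points in the same hunk: the closing `Write-Host "WinRM HTTPS configured on $hostname"` runs without checking $LASTEXITCODE after `cmd.exe /c "winrm $winrmCmd"`, so a failed listener creation is still reported as configured; and the Part 4 "FIX" imports the shop-floor CA into Cert:\LocalMachine\Root on the management workstation, which makes every certificate that CA ever signs trusted machine-wide, so the text should say that the CA private key produced by Create-CA-Simple.ps1 must not be placed on the deployment share next to the PFX files.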

View File

@@ -0,0 +1,105 @@
@echo off
REM ============================================================================
REM Deploy-PCCertificate.bat
REM Deploys PC-specific certificate from network share
REM ============================================================================
REM Setup logging
set "LOG_DIR=S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
set "HOSTNAME=%COMPUTERNAME%"
set "TIMESTAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%"
set "TIMESTAMP=%TIMESTAMP: =0%"
set "LOG_FILE=%LOG_DIR%\%HOSTNAME%-%TIMESTAMP%-CERT-DEPLOY.txt"
REM Create log directory if it doesn't exist
if not exist "%LOG_DIR%" (
mkdir "%LOG_DIR%" 2>nul
)
REM Start logging
echo ============================================================================ > "%LOG_FILE%"
echo PC Certificate Deployment Log >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Hostname: %HOSTNAME% >> "%LOG_FILE%"
echo Date/Time: %DATE% %TIME% >> "%LOG_FILE%"
echo Log File: %LOG_FILE% >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo. >> "%LOG_FILE%"
echo.
echo ========================================
echo PC Certificate Deployment
echo ========================================
echo.
echo Hostname: %HOSTNAME%
echo.
echo Logging to: %LOG_FILE%
echo.
REM Check for administrator privileges
net session >nul 2>&1
if %errorLevel% neq 0 (
echo [ERROR] This script requires Administrator privileges.
echo Please right-click and select "Run as Administrator"
echo.
echo [ERROR] Administrator privileges required >> "%LOG_FILE%"
pause
exit /b 1
)
echo [OK] Running with Administrator privileges
echo [OK] Running with Administrator privileges >> "%LOG_FILE%"
echo.
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"
echo Script directory: %SCRIPT_DIR%
echo Script directory: %SCRIPT_DIR% >> "%LOG_FILE%"
echo.
REM Check if PowerShell script exists
if not exist "%SCRIPT_DIR%Deploy-PCCertificate.ps1" (
echo [ERROR] Deploy-PCCertificate.ps1 not found in script directory
echo [ERROR] Deploy-PCCertificate.ps1 not found in script directory >> "%LOG_FILE%"
echo Please ensure all files are copied from the network share
echo.
pause
exit /b 1
)
echo [OK] Required files found
echo [OK] Required files found >> "%LOG_FILE%"
echo.
REM Execute PowerShell script
echo Executing PC certificate deployment...
echo Executing PC certificate deployment... >> "%LOG_FILE%"
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
"& '%SCRIPT_DIR%Deploy-PCCertificate.ps1' -LogFile '%LOG_FILE%' -AllowedSubnets '10.48.130.0/23,10.134.48.0/24'"
if %errorLevel% neq 0 (
echo.
echo [ERROR] Deployment failed with error code: %errorLevel%
echo [ERROR] Deployment failed with error code: %errorLevel% >> "%LOG_FILE%"
echo. >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Deployment FAILED >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo.
pause
exit /b %errorLevel%
)
echo.
echo ========================================
echo [SUCCESS] Certificate Deployment Complete
echo ========================================
echo.
echo ============================================================================ >> "%LOG_FILE%"
echo [SUCCESS] Certificate Deployment Complete >> "%LOG_FILE%"
echo ============================================================================ >> "%LOG_FILE%"
echo Log saved to: %LOG_FILE%
echo.
pause
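Review bot: the TIMESTAMP line (`set "TIMESTAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%"`) slices %DATE% at fixed offsets, which only yields YYYYMMDD when the short-date format is "ddd MM/DD/YYYY"; on a PC with a different regional setting the log name is garbage and can contain "/" characters that make the `>> "%LOG_FILE%"` redirections fail. Build the stamp from a locale-independent source instead, for example `for /f %%i in ('PowerShell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"') do set "TIMESTAMP=%%i"`. Related: `mkdir "%LOG_DIR%" 2>nul` hides the case where S:\ is not available in the elevated session (mapped drives are usually not visible to a "Run as Administrator" process), after which every log append prints a cmd error and the script carries on with no log; check that %LOG_DIR% exists after the mkdir, fall back to a local path such as %TEMP%, and pass that path as -LogFile.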

View File

@@ -0,0 +1,323 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Deploys PC-specific certificate from network share and configures WinRM HTTPS
.DESCRIPTION
This script:
1. Finds the certificate for this PC on the network share
2. Imports it to the local certificate store
3. Configures WinRM HTTPS listener with the certificate
4. Creates firewall rule
5. Logs everything
.PARAMETER NetworkSharePath
Path to network share containing PC certificates
Default: S:\dt\adata\script\deploy\pc-certificates
.PARAMETER CertificatePassword
Password for the certificate (if not provided, will prompt)
.PARAMETER Domain
Domain suffix for FQDN (default: logon.ds.ge.com)
.PARAMETER LogFile
Path to log file (optional)
.PARAMETER AllowedSubnets
Comma-separated list of allowed remote subnets in CIDR notation
Default: "10.48.130.0/23" (management subnet)
Use "Any" to allow all subnets
.EXAMPLE
.\Deploy-PCCertificate.ps1
.EXAMPLE
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
.\Deploy-PCCertificate.ps1 -CertificatePassword $certPass
.EXAMPLE
.\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23,10.134.48.0/24"
.NOTES
Author: System Administrator
Date: 2025-10-17
Run this script ON THE TARGET PC as Administrator
#>
param(
[string]$NetworkSharePath = "S:\dt\adata\script\deploy\pc-certificates",
[SecureString]$CertificatePassword,
[string]$Domain = "logon.ds.ge.com",
[string]$LogFile,
[string]$AllowedSubnets = "10.48.130.0/23"
)
function Write-Log {
param([string]$Message, [string]$Color = "White")
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$logMessage = "[$timestamp] $Message"
Write-Host $Message -ForegroundColor $Color
if ($LogFile) {
Add-Content -Path $LogFile -Value $logMessage -ErrorAction SilentlyContinue
}
}
Write-Host ""
Write-Host "========================================" -ForegroundColor Cyan
Write-Host " PC Certificate Deployment" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
# Get hostname
$hostname = $env:COMPUTERNAME
$fqdn = "$hostname.$Domain".ToLower()
Write-Log "Computer: $hostname"
Write-Log "FQDN: $fqdn"
Write-Log ""
# Check network share access
Write-Log "Checking network share access..." -Color Yellow
if (-not (Test-Path $NetworkSharePath)) {
Write-Log "[ERROR] Cannot access network share: $NetworkSharePath" -Color Red
Write-Log "Make sure the network share is accessible" -Color Yellow
exit 1
}
Write-Log "[OK] Network share accessible" -Color Green
Write-Log ""
# Find certificate for this PC
Write-Log "Looking for certificate for $hostname..." -Color Yellow
$certFiles = Get-ChildItem -Path "$NetworkSharePath\batch-*\$hostname-*.pfx" -ErrorAction SilentlyContinue
if (-not $certFiles) {
# Try alternative search
$certFiles = Get-ChildItem -Path $NetworkSharePath -Recurse -Filter "$hostname-*.pfx" -ErrorAction SilentlyContinue
}
if (-not $certFiles -or $certFiles.Count -eq 0) {
Write-Log "[ERROR] Certificate not found for $hostname" -Color Red
Write-Log "Searched in: $NetworkSharePath" -Color Yellow
Write-Log "Expected filename pattern: $hostname-*.pfx" -Color Yellow
exit 1
}
if ($certFiles.Count -gt 1) {
Write-Log "Multiple certificates found:" -Color Yellow
$certFiles | ForEach-Object { Write-Log " - $($_.FullName)" }
Write-Log "Using newest: $($certFiles[0].Name)" -Color Yellow
$certFile = $certFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1
} else {
$certFile = $certFiles[0]
}
Write-Log "[OK] Found certificate: $($certFile.Name)" -Color Green
Write-Log " Path: $($certFile.FullName)" -Color Gray
Write-Log ""
# Get password if not provided
if (-not $CertificatePassword) {
Write-Log "Enter certificate password:" -Color Yellow
$CertificatePassword = Read-Host "Password" -AsSecureString
Write-Log ""
}
# Import certificate
Write-Log "Importing certificate to Local Machine store..." -Color Yellow
try {
$cert = Import-PfxCertificate `
-FilePath $certFile.FullName `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $CertificatePassword `
-Exportable
Write-Log "[OK] Certificate imported successfully" -Color Green
Write-Log " Subject: $($cert.Subject)" -Color Gray
Write-Log " Thumbprint: $($cert.Thumbprint)" -Color Gray
Write-Log " Issuer: $($cert.Issuer)" -Color Gray
Write-Log " Valid Until: $($cert.NotAfter)" -Color Gray
Write-Log ""
} catch {
Write-Log "[ERROR] Failed to import certificate: $($_.Exception.Message)" -Color Red
exit 1
}
# Set Network Profile to Private
Write-Log "Checking network profile..." -Color Yellow
try {
$profiles = Get-NetConnectionProfile
$publicProfiles = $profiles | Where-Object { $_.NetworkCategory -eq 'Public' }
if ($publicProfiles) {
Write-Log " Found Public network profile(s), changing to Private..." -Color Gray
foreach ($profile in $publicProfiles) {
Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex -NetworkCategory Private -ErrorAction SilentlyContinue
}
Write-Log "[OK] Network profile set to Private" -Color Green
} else {
Write-Log "[OK] Network profile is already Private/Domain" -Color Green
}
Write-Log ""
} catch {
Write-Log "[WARN] Could not change network profile: $($_.Exception.Message)" -Color Yellow
Write-Log ""
}
# Configure WinRM Service
Write-Log "Configuring WinRM service..." -Color Yellow
try {
# Enable PowerShell Remoting
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null
# Start WinRM service
Start-Service WinRM -ErrorAction SilentlyContinue
Set-Service WinRM -StartupType Automatic
# Enable certificate authentication
Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true
Write-Log "[OK] WinRM service configured" -Color Green
Write-Log ""
} catch {
Write-Log "[ERROR] Failed to configure WinRM: $($_.Exception.Message)" -Color Red
}
# Remove existing HTTPS listeners
Write-Log "Checking for existing HTTPS listeners..." -Color Yellow
try {
$existingListeners = winrm enumerate winrm/config/listener | Select-String "Transport = HTTPS"
if ($existingListeners) {
Write-Log "Removing existing HTTPS listener..." -Color Yellow
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>&1 | Out-Null
Write-Log "[OK] Existing HTTPS listener removed" -Color Green
} else {
Write-Log "[OK] No existing HTTPS listener found" -Color Green
}
Write-Log ""
} catch {
Write-Log "[WARN] Could not check/remove existing listeners" -Color Yellow
}
# Create HTTPS listener
Write-Log "Creating WinRM HTTPS listener..." -Color Yellow
Write-Log " Hostname: $fqdn" -Color Gray
Write-Log " Port: 5986" -Color Gray
Write-Log " Certificate: $($cert.Thumbprint)" -Color Gray
try {
$winrmArgs = "create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$fqdn`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
$result = cmd.exe /c "winrm $winrmArgs" 2>&1
if ($LASTEXITCODE -ne 0) {
Write-Log "[ERROR] Failed to create HTTPS listener" -Color Red
Write-Log "Error: $result" -Color Red
exit 1
}
Write-Log "[OK] HTTPS listener created successfully" -Color Green
Write-Log ""
} catch {
Write-Log "[ERROR] Failed to create HTTPS listener: $($_.Exception.Message)" -Color Red
exit 1
}
# Configure firewall
Write-Log "Configuring Windows Firewall..." -Color Yellow
try {
$ruleName = "WinRM HTTPS-In"
# Remove existing rule if present
$existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existingRule) {
Remove-NetFirewallRule -DisplayName $ruleName
}
# Determine remote address
if ($AllowedSubnets -eq "Any") {
$remoteAddr = "Any"
Write-Log " Remote Access: Any (all subnets)" -Color Gray
} else {
# Split comma-separated subnets
$remoteAddr = $AllowedSubnets -split "," | ForEach-Object { $_.Trim() }
Write-Log " Remote Access: $AllowedSubnets" -Color Gray
}
# Create new rule
New-NetFirewallRule -DisplayName $ruleName `
-Name $ruleName `
-Profile Any `
-LocalPort 5986 `
-Protocol TCP `
-Direction Inbound `
-Action Allow `
-RemoteAddress $remoteAddr `
-Enabled True | Out-Null
Write-Log "[OK] Firewall rule created" -Color Green
Write-Log ""
} catch {
Write-Log "[WARN] Could not configure firewall: $($_.Exception.Message)" -Color Yellow
}
# Verify configuration
Write-Log "Verifying configuration..." -Color Yellow
Write-Log ""
# Check service
$winrmService = Get-Service WinRM
Write-Log "WinRM Service: $($winrmService.Status) [$($winrmService.StartType)]" -Color $(if($winrmService.Status -eq 'Running'){'Green'}else{'Red'})
# Check listener
Write-Log ""
Write-Log "WinRM Listeners:" -Color Cyan
winrm enumerate winrm/config/listener | Out-String | ForEach-Object { Write-Log $_ -Color Gray }
# Check port
Write-Log ""
Write-Log "Port 5986 Status:" -Color Cyan
$portCheck = netstat -an | Select-String ":5986"
if ($portCheck) {
Write-Log "[OK] Port 5986 is listening" -Color Green
$portCheck | ForEach-Object { Write-Log " $_" -Color Gray }
} else {
Write-Log "[WARNING] Port 5986 is not listening" -Color Yellow
}
# Summary
Write-Log ""
Write-Log "========================================" -ForegroundColor Green
Write-Log " DEPLOYMENT COMPLETE" -ForegroundColor Green
Write-Log "========================================" -ForegroundColor Green
Write-Log ""
Write-Log "Certificate: $($cert.Subject)" -Color White
Write-Log "Thumbprint: $($cert.Thumbprint)" -Color White
Write-Log "Hostname: $fqdn" -Color White
Write-Log ""
Write-Log "Test connection from management computer:" -Color Yellow
Write-Log " Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986" -Color White
Write-Log ""
Write-Log " `$cred = Get-Credential" -Color White
Write-Log " Enter-PSSession -ComputerName $fqdn -Credential `$cred -UseSSL -Port 5986" -Color White
Write-Log ""
if ($LogFile) {
Write-Log "Log saved to: $LogFile" -Color Cyan
}
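Review bot: the three `Write-Log "========================================" -ForegroundColor Green` lines under "# Summary" pass a parameter that Write-Log does not declare (it takes -Message and -Color only), so each call fails with a parameter-binding error right after an otherwise successful deployment; change them to -Color Green like the rest of the script. Further points in this hunk: Import-PfxCertificate is called with -Exportable, which lets any local administrator export the listener's private key and is not needed for WinRM, so drop it; `Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true` enables client-certificate authentication on the service although the documented workflow uses password credentials and no certificate mapping is configured, so leave it at the default unless mapping is added; in the multiple-certificates branch the "Using newest: $($certFiles[0].Name)" message is logged before the Sort-Object that picks the file, so the logged name can differ from the one imported (select first, then log); New-NetFirewallRule and Set-NetConnectionProfile raise non-terminating errors, so the surrounding try/catch blocks never see a failure unless -ErrorAction Stop is added; and the second .EXAMPLE embeds a literal PFX password that will sit on the deployment share next to the PFX files, so replace it with a placeholder.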

View File

@@ -0,0 +1,64 @@
================================================================================
FILE LOCATION REFERENCE
================================================================================
Linux Path (for development/editing):
/home/camp/projects/powershell/winrm-https/winrm-ca-scripts/
Windows Path (when copied to Windows):
C:\path\to\winrm-ca-scripts\
(or wherever you copy these files on Windows)
Network Share Deployment Path:
S:\dt\adata\script\deploy\
S:\dt\adata\script\deploy\pc-certificates\
S:\dt\adata\script\deploy\LOGS\
================================================================================
FILES IN THIS DIRECTORY
================================================================================
Certificate Authority Scripts:
- Create-CA-Simple.ps1 (Creates Certificate Authority)
- Sign-BulkCertificates.ps1 (Signs all 175 PC certificates)
Deployment Scripts:
- Deploy-PCCertificate.ps1 (Network share deployment script)
- Deploy-PCCertificate.bat (Batch wrapper with bypass)
Configuration Scripts:
- Setup-WinRM-HTTPS.ps1 (Manual WinRM HTTPS setup)
Debug Scripts:
- Test-RemotePC-Debug.ps1 (Debug script for remote PC)
- Test-RemotePC-Debug.bat (Batch wrapper with bypass)
Data Files:
- shopfloor-hostnames.txt (175 PC hostnames from database)
Documentation:
- START-HERE.txt (Quick start guide)
- README.txt (Complete documentation)
- SIMPLE-INSTRUCTIONS.txt (Simplified instructions)
- COMPLETE-WORKFLOW.txt (End-to-end workflow)
- SINGLE-PC-TEST.txt (Single PC testing guide)
- DEPLOY-AND-TEST-ONE-PC.txt (Practical deployment guide)
- AFTER-BULK-SIGNING.txt (Post-signing instructions)
- NETWORK-SHARE-DEPLOYMENT.txt (Network share guide)
- FILE-LOCATION.txt (This file)
================================================================================
QUICK START
================================================================================
1. Copy entire winrm-ca-scripts folder to Windows computer
2. Open PowerShell as Administrator
3. cd to winrm-ca-scripts folder
4. Read START-HERE.txt for next steps
OR
For detailed single PC test:
Read DEPLOY-AND-TEST-ONE-PC.txt
================================================================================
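Review bot: the FILES IN THIS DIRECTORY list is already out of date against this commit: Fix-FirewallSubnet.bat and Fix-FirewallSubnet.ps1 are added alongside it but not listed, and the logging summary document in this commit refers to Set-NetworkPrivate.bat, which is also missing here. "Batch wrapper with bypass" should say what is bypassed (the PowerShell execution policy via -ExecutionPolicy Bypass), because "bypass" next to certificate tooling reads like a certificate-validation bypass, which the other documents explicitly say is not used. Minor: the Network Share Deployment Path section spells the log directory S:\dt\adata\script\deploy\LOGS\ while the scripts use S:\DT\ADATA\SCRIPT\DEPLOY\LOGS; pick one spelling.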

View File

@@ -0,0 +1,82 @@
@echo off
REM ============================================================================
REM Fix-FirewallSubnet.bat
REM Fixes WinRM HTTPS firewall rule to allow specific subnet(s)
REM ============================================================================
REM Setup logging
set "LOG_DIR=S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
set "HOSTNAME=%COMPUTERNAME%"
set "TIMESTAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%"
set "TIMESTAMP=%TIMESTAMP: =0%"
set "LOG_FILE=%LOG_DIR%\%HOSTNAME%-%TIMESTAMP%-FIREWALL-FIX.txt"
REM Create log directory if it doesn't exist
if not exist "%LOG_DIR%" (
mkdir "%LOG_DIR%" 2>nul
)
echo.
echo ========================================
echo Fix WinRM Firewall Subnet
echo ========================================
echo.
echo Hostname: %COMPUTERNAME%
echo Log File: %LOG_FILE%
echo.
REM Check for administrator privileges
net session >nul 2>&1
if %errorLevel% neq 0 (
echo [ERROR] This script requires Administrator privileges.
echo Please right-click and select "Run as Administrator"
echo.
pause
exit /b 1
)
echo [OK] Running with Administrator privileges
echo.
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"
echo Script directory: %SCRIPT_DIR%
echo.
REM Check if PowerShell script exists
if not exist "%SCRIPT_DIR%Fix-FirewallSubnet.ps1" (
echo [ERROR] Fix-FirewallSubnet.ps1 not found in script directory
echo Please ensure all files are in the same directory
echo.
pause
exit /b 1
)
echo [OK] Required files found
echo.
REM Execute PowerShell script with default subnets (management + shopfloor)
echo Fixing firewall rule to allow subnets:
echo - Management: 10.48.130.0/23
echo - Shopfloor: 10.134.48.0/24
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
"& '%SCRIPT_DIR%Fix-FirewallSubnet.ps1' -AllowedSubnets '10.48.130.0/23,10.134.48.0/24'" > "%LOG_FILE%" 2>&1
if %errorLevel% neq 0 (
echo.
echo [ERROR] Fix failed with error code: %errorLevel%
echo.
echo Log saved to: %LOG_FILE%
pause
exit /b %errorLevel%
)
echo.
echo ========================================
echo [SUCCESS] Firewall Fix Complete
echo ========================================
echo Log saved to: %LOG_FILE%
echo.
pause
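Review bot: the PowerShell invocation redirects everything with `> "%LOG_FILE%" 2>&1`, so if S:\ is not reachable from the elevated session (mapped drives are usually not visible under UAC elevation, and `mkdir "%LOG_DIR%" 2>nul` hides that) cmd fails the redirection, never runs Fix-FirewallSubnet.ps1, and reports "Fix failed with error code: 1" with no log to consult; even when it works the operator sees none of the before/after rule output on screen, unlike Deploy-PCCertificate.bat, which passes -LogFile and keeps console output. Verify the log directory after mkdir with a local fallback, and give Fix-FirewallSubnet.ps1 the same -LogFile pattern rather than redirecting the whole process. The %DATE%/%TIME% substring TIMESTAMP has the same regional-format dependence as in Deploy-PCCertificate.bat.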

View File

@@ -0,0 +1,115 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Fixes WinRM HTTPS firewall rule to allow specific subnet(s)
.DESCRIPTION
Updates the existing "WinRM HTTPS-In" firewall rule to allow
connections from specified subnet(s). Use this to fix PCs that
were deployed before subnet restrictions were configured.
.PARAMETER AllowedSubnets
Comma-separated list of allowed remote subnets in CIDR notation
Default: "10.48.130.0/23" (management subnet)
Use "Any" to allow all subnets
.EXAMPLE
.\Fix-FirewallSubnet.ps1
Uses default subnet (10.48.130.0/23)
.EXAMPLE
.\Fix-FirewallSubnet.ps1 -AllowedSubnets "10.48.130.0/23,10.134.48.0/24"
Allows multiple subnets
.EXAMPLE
.\Fix-FirewallSubnet.ps1 -AllowedSubnets "Any"
Allows all subnets
.NOTES
Author: System Administrator
Date: 2025-10-17
Run this script ON THE TARGET PC as Administrator
#>
param(
[string]$AllowedSubnets = "10.48.130.0/23"
)
Write-Host ""
Write-Host "========================================" -ForegroundColor Cyan
Write-Host " Fix WinRM Firewall Subnet" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
$hostname = $env:COMPUTERNAME
Write-Host "Computer: $hostname" -ForegroundColor White
Write-Host ""
# Check if firewall rule exists
$ruleName = "WinRM HTTPS-In"
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
Write-Host "[ERROR] Firewall rule '$ruleName' not found" -ForegroundColor Red
Write-Host "This script is for fixing existing rules only." -ForegroundColor Yellow
Write-Host "Run Deploy-PCCertificate.bat to create the rule." -ForegroundColor Yellow
exit 1
}
Write-Host "[OK] Found firewall rule: $ruleName" -ForegroundColor Green
Write-Host ""
# Show current configuration
Write-Host "Current Configuration:" -ForegroundColor Yellow
$currentRule = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
Write-Host " Remote Address: $($currentRule.RemoteAddress)" -ForegroundColor Gray
Write-Host ""
# Determine new remote address
if ($AllowedSubnets -eq "Any") {
$remoteAddr = "Any"
Write-Host "New Configuration:" -ForegroundColor Yellow
Write-Host " Remote Access: Any (all subnets)" -ForegroundColor Gray
} else {
# Split comma-separated subnets
$remoteAddr = $AllowedSubnets -split "," | ForEach-Object { $_.Trim() }
Write-Host "New Configuration:" -ForegroundColor Yellow
Write-Host " Remote Access: $AllowedSubnets" -ForegroundColor Gray
}
Write-Host ""
# Update the firewall rule
Write-Host "Updating firewall rule..." -ForegroundColor Yellow
try {
Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $remoteAddr
Write-Host "[OK] Firewall rule updated successfully" -ForegroundColor Green
Write-Host ""
} catch {
Write-Host "[ERROR] Failed to update firewall rule: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
# Verify the change
Write-Host "Verifying changes..." -ForegroundColor Yellow
$updatedRule = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
Write-Host "[OK] Updated Remote Address: $($updatedRule.RemoteAddress)" -ForegroundColor Green
Write-Host ""
# Show full rule details
Write-Host "Complete Rule Configuration:" -ForegroundColor Cyan
Get-NetFirewallRule -DisplayName $ruleName | Format-List DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter | Format-List RemoteAddress, LocalAddress
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter | Format-List LocalPort, Protocol
Write-Host ""
Write-Host "========================================" -ForegroundColor Green
Write-Host " FIREWALL FIX COMPLETE" -ForegroundColor Green
Write-Host "========================================" -ForegroundColor Green
Write-Host ""
Write-Host "Test connection from management computer:" -ForegroundColor Yellow
Write-Host " Test-NetConnection $hostname.logon.ds.ge.com -Port 5986" -ForegroundColor White
Write-Host ""
Write-Host " Test-WSMan -ComputerName $hostname.logon.ds.ge.com -UseSSL -Port 5986" -ForegroundColor White
Write-Host ""
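Review bot: `Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $remoteAddr` inside the try block raises a non-terminating error on failure (for example a malformed CIDR string), so the catch never runs and the script prints "[OK] Firewall rule updated successfully" before the verification step shows the old address; add -ErrorAction Stop (or `$ErrorActionPreference = 'Stop'` at the top) so failures exit 1 as intended. Second, the rule is looked up by -DisplayName only; Deploy-PCCertificate.ps1 also sets -Name "WinRM HTTPS-In", and -Name is the unique key, so matching on it avoids updating an unrelated rule that happens to share the display name. Finally, `-AllowedSubnets "Any"` silently removes the subnet restriction the deployment put in place; that path deserves a [WARN] line or a confirmation prompt, since it is the one that re-exposes port 5986 to every network.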

View File

@@ -0,0 +1,206 @@
================================================================================
LOGGING SUMMARY - ALL SCRIPTS
================================================================================
All scripts now automatically generate log files in:
S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
Log files are created with naming format:
HOSTNAME-TIMESTAMP-SCRIPTTYPE.txt
================================================================================
LOG FILES GENERATED
================================================================================
1. Deploy-PCCertificate.bat
Log File: HOSTNAME-YYYYMMDD-HHMMSS-CERT-DEPLOY.txt
Contains:
- Certificate import details
- WinRM HTTPS listener creation
- Firewall rule configuration
- Network profile changes
- Complete deployment status
2. Test-RemotePC-Debug.bat
Log File: HOSTNAME-YYYYMMDD-HHMMSS-DEBUG.txt
Contains:
- WinRM service status
- WinRM listeners (HTTP/HTTPS)
- Port listening status (5985, 5986)
- Firewall rules (with subnet restrictions)
- Certificates in LocalMachine\My
- WinRM configuration
- Network information (hostname, FQDN, IPs)
- Network profile (Public/Private/Domain)
- Firewall profile status
- Self-connectivity test
3. Fix-FirewallSubnet.bat
Log File: HOSTNAME-YYYYMMDD-HHMMSS-FIREWALL-FIX.txt
Contains:
- Current firewall rule configuration
- New subnet configuration
- Firewall rule update results
4. Set-NetworkPrivate.bat
Log File: HOSTNAME-YYYYMMDD-HHMMSS-NETWORK-PROFILE.txt
Contains:
- Current network profile status
- Network profile changes (Public to Private)
- WinRM service restart
- Firewall rule updates
================================================================================
LOG FILE EXAMPLES
================================================================================
Deployment Log:
S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-102912-CERT-DEPLOY.txt
Debug Log:
S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-143022-DEBUG.txt
Firewall Fix Log:
S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-150000-FIREWALL-FIX.txt
Network Profile Log:
S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-151500-NETWORK-PROFILE.txt
================================================================================
ACCESSING LOG FILES
================================================================================
From Network Share:
Navigate to: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
Sort by date to see latest logs
From Command Line:
dir S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF*.txt /od
From PowerShell:
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF*.txt |
Sort-Object LastWriteTime -Descending |
Select-Object -First 5
View Latest Log:
Get-Content (Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF*.txt |
Sort-Object LastWriteTime -Descending |
Select-Object -First 1).FullName
================================================================================
TROUBLESHOOTING WITH LOGS
================================================================================
Problem: Deployment Failed
Action:
1. Check: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-*-CERT-DEPLOY.txt
2. Look for [ERROR] messages
3. Review certificate import, listener creation, firewall steps
Problem: Cannot Connect Remotely
Action:
1. Run: Test-RemotePC-Debug.bat on the PC
2. Check: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-*-DEBUG.txt
3. Review:
- Port 5986 listening?
- Firewall rule enabled?
- Remote Address restrictions?
- Network profile (Public vs Private)?
- Certificate present?
Problem: Subnet Access Issues
Action:
1. Check: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-*-DEBUG.txt
2. Look for "TEST 4: Firewall Rules" section
3. Check "Remote Address" value
4. If wrong, run Fix-FirewallSubnet.bat
5. Check: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-*-FIREWALL-FIX.txt
Problem: Public Network Profile Blocking
Action:
1. Check: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-*-DEBUG.txt
2. Look for "TEST 8: Network Profile" section
3. If "Public", run Set-NetworkPrivate.bat
4. Check: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\HOSTNAME-*-NETWORK-PROFILE.txt
================================================================================
LOG RETENTION
================================================================================
Logs are stored indefinitely in S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
To clean up old logs (after troubleshooting):
Delete logs older than 30 days:
forfiles /p "S:\DT\ADATA\SCRIPT\DEPLOY\LOGS" /m *.txt /d -30 /c "cmd /c del @path"
Or keep only last 100 logs per PC:
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*.txt |
Group-Object {$_.Name.Split('-')[0]} |
ForEach-Object {
$_.Group | Sort-Object LastWriteTime -Descending |
Select-Object -Skip 100 |
Remove-Item
}
================================================================================
LOG FILE PERMISSIONS
================================================================================
Required Permissions:
- Domain Computers: READ/WRITE access to S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
- This allows PCs to create and write log files
Verify Permissions:
icacls S:\DT\ADATA\SCRIPT\DEPLOY\LOGS
Grant Permissions (if needed):
icacls S:\DT\ADATA\SCRIPT\DEPLOY\LOGS /grant "Domain Computers:(OI)(CI)M" /T
================================================================================
MONITORING DEPLOYMENTS
================================================================================
Track All Deployments:
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*-CERT-DEPLOY.txt |
Select-Object Name, LastWriteTime |
Sort-Object LastWriteTime -Descending
Check Success/Failure:
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*-CERT-DEPLOY.txt |
ForEach-Object {
$content = Get-Content $_.FullName -Raw
[PSCustomObject]@{
PC = $_.Name.Split('-')[0]
Time = $_.LastWriteTime
Status = if($content -match '\[SUCCESS\]'){'Success'}else{'Failed'}
}
} | Format-Table -AutoSize
Recent Deployments (Last 24 Hours):
Get-ChildItem S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\*-CERT-DEPLOY.txt |
Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)} |
Select-Object Name, LastWriteTime
================================================================================
SUMMARY
================================================================================
✓ All scripts log to: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\
✓ Unique log files per execution (timestamped)
✓ Different log types for different operations:
- CERT-DEPLOY: Deployment logs
- DEBUG: Diagnostic logs
- FIREWALL-FIX: Firewall configuration logs
- NETWORK-PROFILE: Network profile change logs
✓ Logs contain complete execution details
✓ Easy to search and troubleshoot
✓ Centralized logging for all 175 PCs
Use logs to:
- Track deployment progress
- Troubleshoot connection issues
- Verify configurations
- Document changes
================================================================================
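Review bot: the ACL grant under LOG FILE PERMISSIONS, `icacls S:\DT\ADATA\SCRIPT\DEPLOY\LOGS /grant "Domain Computers:(OI)(CI)M" /T`, gives every domain-joined computer Modify (which includes delete) on every PC's log, which is wider than the READ/WRITE stated in Required Permissions just above it and lets any one PC overwrite or remove another PC's CERT-DEPLOY, DEBUG, FIREWALL-FIX and NETWORK-PROFILE records, so the Check Success/Failure report built from those files cannot be relied on as an audit record. Suggest granting Domain Computers only the right to create files in the folder and giving CREATOR OWNER the rights on files it creates, and saying in the text that the share is a troubleshooting aid rather than a tamper-proof log.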
@@ -0,0 +1,307 @@
================================================================================
NETWORK SHARE DEPLOYMENT GUIDE
================================================================================
Network Share Location: S:\dt\adata\script\deploy\pc-certificates
This guide shows how to deploy certificates from the network share to PCs.
================================================================================
SETUP (One Time)
================================================================================
STEP 1: Create CA and Sign Certificates (On Management Computer)
-----------------------------------------------------------------
cd C:\path\to\winrm-ca-scripts
# Create CA
.\Create-CA-Simple.ps1
# Install CA on your computer
Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
# Sign all 175 certificates
.\Sign-BulkCertificates.ps1
STEP 2: Copy Certificates to Network Share
-------------------------------------------
# Copy the entire batch folder to network share
Copy-Item "pc-certificates\batch-*" `
-Destination "S:\dt\adata\script\deploy\pc-certificates\" `
-Recurse
STEP 3: Copy Deployment Scripts to Network Share
-------------------------------------------------
# Copy deployment scripts to network share
Copy-Item "Deploy-PCCertificate.ps1" `
-Destination "S:\dt\adata\script\deploy\"
Copy-Item "Deploy-PCCertificate.bat" `
-Destination "S:\dt\adata\script\deploy\"
STEP 4: Set Network Share Permissions
--------------------------------------
- Grant "Domain Computers" READ access to:
S:\dt\adata\script\deploy\pc-certificates\
S:\dt\adata\script\deploy\Deploy-PCCertificate.*
- Grant "Domain Computers" WRITE access to:
S:\dt\adata\script\deploy\LOGS\
================================================================================
NETWORK SHARE STRUCTURE
================================================================================
S:\dt\adata\script\deploy\
├── Deploy-PCCertificate.ps1 # Deployment script
├── Deploy-PCCertificate.bat # Batch wrapper
├── pc-certificates\ # Certificate folder
│ └── batch-TIMESTAMP\ # Batch of certificates
│ ├── G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
│ ├── G1JJVH63ESF-logon.ds.ge.com-*.pfx
│ ├── ... (175 certificates total)
│ ├── certificate-list.csv
│ └── SUMMARY.txt
└── LOGS\ # Log files
└── HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt
================================================================================
DEPLOYMENT TO EACH PC (Method 1: Manual)
================================================================================
On each PC:
1. Navigate to: S:\dt\adata\script\deploy\
2. Right-click: Deploy-PCCertificate.bat
3. Select: "Run as Administrator"
4. Enter certificate password: PCCert2025!
5. Wait for SUCCESS message
6. Done!
The script will:
✓ Find the certificate for this PC automatically
✓ Import it to Local Machine certificate store
✓ Configure WinRM HTTPS listener
✓ Create firewall rule
✓ Log everything to S:\dt\adata\script\deploy\LOGS\
================================================================================
DEPLOYMENT TO EACH PC (Method 2: Remote PowerShell)
================================================================================
From management computer, deploy to multiple PCs:
$pcs = Get-Content "shopfloor-hostnames.txt"
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
foreach ($pc in $pcs) {
Write-Host "Deploying to $pc..." -ForegroundColor Yellow
# Copy scripts to PC (if not using network share)
# OR just invoke from network share
Invoke-Command -ComputerName $pc -ScriptBlock {
& "S:\dt\adata\script\deploy\Deploy-PCCertificate.bat"
}
Write-Host "$pc complete!" -ForegroundColor Green
}
================================================================================
WHAT HAPPENS DURING DEPLOYMENT
================================================================================
1. Script checks network share access
→ S:\dt\adata\script\deploy\pc-certificates
2. Script finds certificate for this PC
→ Searches for: HOSTNAME-*.pfx
3. Script imports certificate
→ To: Cert:\LocalMachine\My
4. Script configures WinRM HTTPS
→ Listener on port 5986
→ Uses imported certificate
5. Script creates firewall rule
→ Allow inbound TCP 5986
6. Script logs everything
→ To: S:\dt\adata\script\deploy\LOGS\HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt
================================================================================
VERIFYING DEPLOYMENT
================================================================================
On the PC (after deployment):
# Check certificate
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
$_.Subject -like "*$env:COMPUTERNAME*"
}
# Check WinRM listener
winrm enumerate winrm/config/listener
# Check firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
# Check port listening
netstat -an | findstr :5986
From Management Computer:
# Test connection
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Create session
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
================================================================================
DEPLOYMENT LOG EXAMPLE
================================================================================
Log file: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
============================================================================
PC Certificate Deployment Log
============================================================================
Hostname: G9KN7PZ3ESF
Date/Time: 10/17/2025 14:30:22
Log File: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
============================================================================
[2025-10-17 14:30:22] Computer: G9KN7PZ3ESF
[2025-10-17 14:30:22] FQDN: g9kn7pz3esf.logon.ds.ge.com
[2025-10-17 14:30:22] Checking network share access...
[2025-10-17 14:30:22] [OK] Network share accessible
[2025-10-17 14:30:22] Looking for certificate for G9KN7PZ3ESF...
[2025-10-17 14:30:23] [OK] Found certificate: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
[2025-10-17 14:30:23] Importing certificate to Local Machine store...
[2025-10-17 14:30:24] [OK] Certificate imported successfully
[2025-10-17 14:30:24] Subject: CN=g9kn7pz3esf.logon.ds.ge.com
[2025-10-17 14:30:24] Thumbprint: ABC123...
[2025-10-17 14:30:24] Issuer: CN=Shopfloor WinRM CA
[2025-10-17 14:30:24] Configuring WinRM service...
[2025-10-17 14:30:25] [OK] WinRM service configured
[2025-10-17 14:30:25] Creating WinRM HTTPS listener...
[2025-10-17 14:30:26] [OK] HTTPS listener created successfully
[2025-10-17 14:30:26] Configuring Windows Firewall...
[2025-10-17 14:30:27] [OK] Firewall rule created
============================================================================
[SUCCESS] Certificate Deployment Complete
============================================================================
================================================================================
TROUBLESHOOTING
================================================================================
Problem: "Cannot access network share"
Solution:
- Verify S:\dt\adata\script\deploy\ is accessible from the PC
- Check network connectivity
- Verify permissions (Domain Computers should have READ access)
Problem: "Certificate not found for HOSTNAME"
Solution:
- Verify certificate exists in S:\dt\adata\script\deploy\pc-certificates\batch-*\
- Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
- Run Sign-BulkCertificates.ps1 if certificates weren't created
Problem: "Wrong password"
Solution:
- Default password is: PCCert2025!
- If you used different password, use that instead
Problem: "Port 5986 not listening after deployment"
Solution:
- Check deployment log in S:\dt\adata\script\deploy\LOGS\
- Run Test-RemotePC-Debug.bat on the PC
- Check for errors in listener creation
Problem: "Cannot connect from management computer"
Solution:
- Verify CA certificate is installed on management computer:
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
- Test port: Test-NetConnection -ComputerName HOSTNAME -Port 5986
- Check firewall on both computers
================================================================================
BATCH DEPLOYMENT
================================================================================
To deploy to all 175 PCs at once:
Option 1: Group Policy (Recommended for large deployments)
- Create GPO that runs Deploy-PCCertificate.bat at startup
- Assign to OU containing shopfloor PCs
- PCs will deploy on next reboot
Option 2: PowerShell Remote Execution
- Use Invoke-Command to run deployment on multiple PCs
- Requires existing WinRM access (HTTP on 5985)
Option 3: Manual in Batches
- Deploy to 10-20 PCs at a time
- Verify each batch before continuing
- Track progress in spreadsheet
================================================================================
ADVANTAGES OF THIS APPROACH
================================================================================
✓ Centralized certificate storage (network share)
✓ Automatic certificate detection (finds correct cert for each PC)
✓ Self-contained deployment (one script does everything)
✓ Comprehensive logging (every deployment logged)
✓ Easy to deploy (just run the .bat file)
✓ Secure (each PC gets unique certificate)
✓ Clean connections (no -SessionOption needed)
================================================================================
SUMMARY
================================================================================
1. Sign certificates (once)
2. Copy to network share: S:\dt\adata\script\deploy\pc-certificates\
3. On each PC: Run Deploy-PCCertificate.bat
4. Connect cleanly from management computer
Simple and effective!
================================================================================
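Review bot: STEP 4 grants "Domain Computers" READ on S:\dt\adata\script\deploy\pc-certificates\, which holds the PFX (private key) files of all 175 PCs protected by the single password printed in this guide (PCCert2025!), so every domain-joined machine can read every other PC's WinRM server key and the "each PC gets unique certificate" advantage listed under ADVANTAGES OF THIS APPROACH does not hold against one compromised PC. Suggest restricting each PFX to the account that deploys it, or keeping the PFX files off the share and pushing each one to its own PC as the manual method does, and removing the literal password from the guide. Separately, Method 2's `Invoke-Command -ComputerName $pc -ScriptBlock { & "S:\dt\adata\script\deploy\Deploy-PCCertificate.bat" }` does not work as written: a mapped S: drive is not present inside a remote session, and a UNC path opened from within the session hits the Kerberos second-hop restriction, so the script cannot reach the share with the caller's credentials; the GPO startup-script option under BATCH DEPLOYMENT avoids this because it runs as the computer account.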
@@ -0,0 +1,175 @@
================================================================================
WinRM HTTPS Certificate Authority Scripts
================================================================================
Files Included:
---------------
1. Create-CA-Simple.ps1
- Creates a Certificate Authority
- Run this FIRST on your management computer
- Generates CA certificate files
2. Sign-BulkCertificates.ps1
- Signs certificates for all 175 PCs
- Run this AFTER creating the CA
- Requires: CA PFX file and shopfloor-hostnames.txt
3. Test-RemotePC-Debug.ps1
- Debug script to run ON THE REMOTE PC
- Checks WinRM configuration, certificates, firewall, etc.
4. Test-RemotePC-Debug.bat
- Batch file to run the debug script
- Right-click "Run as Administrator"
================================================================================
QUICK START
================================================================================
STEP 1: Create Certificate Authority
-------------------------------------
On YOUR computer (H2PRFM94), as Administrator:
PS> cd C:\users\570005354\Downloads\winrm-ca-scripts
PS> .\Create-CA-Simple.ps1
Enter password: ShopfloorCA2025!
Confirm password: ShopfloorCA2025!
Files created:
- Shopfloor-WinRM-CA-YYYYMMDD.pfx (CA private key - KEEP SECURE!)
- Shopfloor-WinRM-CA-YYYYMMDD.cer (CA public certificate)
- CA-INFO-YYYYMMDD.txt (Information)
STEP 2: Install CA on Your Computer
------------------------------------
On YOUR computer (H2PRFM94), as Administrator:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-YYYYMMDD.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
This makes your computer trust all certificates signed by this CA!
STEP 3: Sign PC Certificates
-----------------------------
On YOUR computer (H2PRFM94), as Administrator:
PS> $caPass = ConvertTo-SecureString "ShopfloorCA2025!" -AsPlainText -Force
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
PS> .\Sign-BulkCertificates.ps1 `
-HostnameFile "C:\path\to\shopfloor-hostnames.txt" `
-CAPfxPath "Shopfloor-WinRM-CA-YYYYMMDD.pfx" `
-CAPassword $caPass `
-CertificatePassword $certPass
Creates:
- pc-certificates/batch-TIMESTAMP/ (folder with 175 PFX files)
STEP 4: Debug Remote PC (If Issues)
------------------------------------
Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to the remote PC.
On the remote PC, right-click Test-RemotePC-Debug.bat and "Run as Administrator"
This will show:
- WinRM service status
- Listeners configured
- Ports listening
- Firewall rules
- Certificates installed
- Network information
Use this output to troubleshoot issues!
STEP 5: Deploy to One PC (Test)
--------------------------------
For PC: G9KN7PZ3ESF
A. Copy certificate to PC:
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
B. On the PC (G9KN7PZ3ESF), import certificate:
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
PS> $cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
C. Configure WinRM:
PS> .\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
STEP 6: Test Connection
------------------------
From YOUR computer (H2PRFM94):
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
No -SessionOption needed! Clean and secure!
================================================================================
TROUBLESHOOTING
================================================================================
Problem: Cannot create CA
Solution: Make sure running as Administrator
Problem: Sign-BulkCertificates.ps1 fails
Solution: Check that CA PFX file exists and password is correct
Problem: Cannot connect to remote PC
Solution:
1. Run Test-RemotePC-Debug.bat on the remote PC
2. Check that port 5986 is listening
3. Check that HTTPS listener exists
4. Check that certificate is imported
5. Check that firewall rule exists
Problem: Certificate not trusted
Solution: Make sure CA certificate is installed on YOUR computer:
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
================================================================================
PASSWORDS USED
================================================================================
CA Password: ShopfloorCA2025!
- Protects CA private key (PFX file)
- Keep secure!
PC Certificate Password: PCCert2025!
- Same password for all 175 PC certificates
- Used when importing certificates on PCs
================================================================================
SECURITY NOTES
================================================================================
1. CA Private Key (PFX file):
- KEEP SECURE! Can sign certificates for any PC
- Store in password manager or secure vault
- Never share via email or chat
2. CA Public Certificate (CER file):
- Safe to distribute to all management computers
- Install in Trusted Root Certification Authorities
3. PC Certificates:
- Each PC gets its own unique certificate
- All use same password for simplicity
- Only deploy to the specific PC (not others)
================================================================================
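Review bot: PASSWORDS USED prints both the CA PFX password (ShopfloorCA2025!) and the shared PC certificate password (PCCert2025!) in a file committed to the repository, which undercuts the SECURITY NOTES two sections later ("KEEP SECURE", "Store in a password manager"): anyone with read access to the repository or the network share gets the PFX together with its password. Suggest removing the literal passwords from the README, prompting with Read-Host -AsSecureString instead of `ConvertTo-SecureString "..." -AsPlainText -Force`, and changing the values now that they are in history. Two smaller points: STEP 5 C runs `.\Setup-WinRM-HTTPS.ps1`, which is missing from the Files Included list, and `Import-PfxCertificate -FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx"` passes a wildcard that -FilePath is documented as not accepting, so resolve the path first, e.g. `(Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx").FullName`.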
@@ -0,0 +1,153 @@
================================================================================
SIMPLIFIED INSTRUCTIONS - WinRM HTTPS with Certificate Authority
================================================================================
Location: /home/camp/winrm-ca-scripts/
All scripts now auto-detect files automatically!
================================================================================
STEP 1: Create Certificate Authority
================================================================================
On Windows, in PowerShell as Administrator:
cd C:\path\to\winrm-ca-scripts
.\Create-CA-Simple.ps1
Enter password: ShopfloorCA2025!
Creates:
- Shopfloor-WinRM-CA-20251017.pfx (CA private key)
- Shopfloor-WinRM-CA-20251017.cer (CA public cert)
================================================================================
STEP 2: Install CA on Your Computer
================================================================================
Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
(Replace date with actual file)
================================================================================
STEP 3: Sign All 175 PC Certificates
================================================================================
SIMPLE VERSION (Auto-detects everything):
.\Sign-BulkCertificates.ps1
The script will:
✓ Automatically find shopfloor-hostnames.txt in current directory
✓ Automatically find the CA .pfx file
✓ Prompt for CA password
✓ Prompt for PC certificate password
✓ Sign all 175 certificates
Creates:
- pc-certificates/batch-TIMESTAMP/
- 175 PFX files (one per PC)
- certificate-list.csv
- SUMMARY.txt
================================================================================
WHAT CHANGED
================================================================================
BEFORE (Manual):
.\Sign-BulkCertificates.ps1 `
-HostnameFile "shopfloor-hostnames.txt" `
-CAPfxPath "Shopfloor-WinRM-CA-20251017.pfx" `
-CAPassword $caPass `
-CertificatePassword $certPass
AFTER (Automatic):
.\Sign-BulkCertificates.ps1
Much simpler! Just run it and answer the prompts.
================================================================================
DEPLOYING TO PCS
================================================================================
For each PC (example: G9KN7PZ3ESF):
1. Copy certificate to PC:
Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
2. On the PC, import:
$pass = Read-Host "Certificate Password" -AsSecureString
$cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $pass
3. Configure WinRM:
.\Setup-WinRM-HTTPS.ps1 -CertificateThumbprint $cert.Thumbprint -Domain "logon.ds.ge.com"
================================================================================
TESTING CONNECTION
================================================================================
From YOUR computer:
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
No -SessionOption needed! Clean and secure!
================================================================================
TROUBLESHOOTING A REMOTE PC
================================================================================
Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to the PC.
Right-click Test-RemotePC-Debug.bat and "Run as Administrator"
Shows:
- WinRM service status
- Listeners
- Ports
- Firewall rules
- Certificates
- Network info
================================================================================
PASSWORDS
================================================================================
CA Password: ShopfloorCA2025!
PC Certificate Password: PCCert2025!
(Or use your own passwords)
================================================================================
FILES IN THIS DIRECTORY
================================================================================
1. Create-CA-Simple.ps1 - Creates CA
2. Sign-BulkCertificates.ps1 - Signs all 175 certs (AUTO-DETECTS FILES!)
3. Test-RemotePC-Debug.ps1 - Debug script for remote PCs
4. Test-RemotePC-Debug.bat - Batch wrapper with bypass
5. shopfloor-hostnames.txt - 175 PC hostnames
6. README.txt - Full detailed instructions
7. START-HERE.txt - Quick start
8. SIMPLE-INSTRUCTIONS.txt - This file (simplified!)
================================================================================
THAT'S IT!
================================================================================
Just run:
1. .\Create-CA-Simple.ps1
2. Import-Certificate (CA cert to Trusted Root)
3. .\Sign-BulkCertificates.ps1
Then deploy to PCs!
================================================================================
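Review bot: FILES IN THIS DIRECTORY lists eight files, but step 3 of DEPLOYING TO PCS calls `.\Setup-WinRM-HTTPS.ps1`, which is not among them, so a reader following this file alone cannot finish the deployment; add it to the list or state where it lives. The PASSWORDS section also repeats the literal CA and PC certificate passwords even though step 2 here already uses `Read-Host "Certificate Password" -AsSecureString`; drop the literals and keep the prompt-based flow throughout, and the same wildcard caveat applies to `Import-PfxCertificate -FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx"` (resolve the path with Get-Item first).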
@@ -0,0 +1,353 @@
================================================================================
SINGLE PC TEST - QUICK START
================================================================================
Test the entire certificate deployment on ONE PC before deploying to all 175.
Test PC: G9KN7PZ3ESF
================================================================================
STEP 1: CREATE CA (ONE TIME - 5 MINUTES)
================================================================================
On YOUR computer (H2PRFM94):
PS> cd C:\path\to\winrm-ca-scripts
PS> .\Create-CA-Simple.ps1
Enter password: ShopfloorCA2025!
Output:
✓ Shopfloor-WinRM-CA-20251017.pfx
✓ Shopfloor-WinRM-CA-20251017.cer
================================================================================
STEP 2: INSTALL CA ON YOUR COMPUTER (2 MINUTES)
================================================================================
Still on YOUR computer:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Result:
✓ Your computer now trusts all certificates signed by this CA
================================================================================
STEP 3: SIGN CERTIFICATE FOR TEST PC (2 MINUTES)
================================================================================
Option A: Sign just ONE certificate
────────────────────────────────────────────────────────────────
Create a test file with just one hostname:
PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"
PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"
Enter CA password: ShopfloorCA2025!
Enter PC cert password: PCCert2025!
Output:
✓ pc-certificates\batch-TIMESTAMP\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
Option B: Sign ALL 175, but only deploy one
────────────────────────────────────────────────────────────────
PS> .\Sign-BulkCertificates.ps1
Enter CA password: ShopfloorCA2025!
Enter PC cert password: PCCert2025!
Output:
✓ pc-certificates\batch-TIMESTAMP\ (175 certificates)
You'll only deploy one for testing
================================================================================
STEP 4: DEPLOY TO TEST PC (5 MINUTES)
================================================================================
Method 1: Network Share Deployment (Recommended)
────────────────────────────────────────────────────────────────
A. Copy to network share:
PS> Copy-Item "pc-certificates\batch-*" `
-Destination "S:\dt\adata\script\deploy\pc-certificates\" `
-Recurse
PS> Copy-Item "Deploy-PCCertificate.ps1" `
-Destination "S:\dt\adata\script\deploy\"
PS> Copy-Item "Deploy-PCCertificate.bat" `
-Destination "S:\dt\adata\script\deploy\"
B. On the test PC (G9KN7PZ3ESF):
1. Navigate to: S:\dt\adata\script\deploy\
2. Right-click: Deploy-PCCertificate.bat
3. Select: "Run as Administrator"
4. Enter password: PCCert2025!
5. Wait for SUCCESS message
Result:
✓ Certificate automatically found and imported
✓ WinRM HTTPS configured
✓ Firewall rule created
✓ Log saved to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt
Method 2: Manual Deployment (If network share not ready)
────────────────────────────────────────────────────────────────
A. Copy certificate to PC:
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
B. On the PC (G9KN7PZ3ESF), as Administrator:
PS> cd C:\Temp
# Import certificate
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
PS> $cert = Import-PfxCertificate `
-FilePath "G9KN7PZ3ESF-*.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
# Configure WinRM
PS> .\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
Result:
✓ Certificate imported
✓ WinRM HTTPS listener created
✓ Firewall configured
================================================================================
STEP 5: VERIFY ON THE PC (2 MINUTES)
================================================================================
On the test PC (G9KN7PZ3ESF):
# Check certificate
PS> Get-ChildItem Cert:\LocalMachine\My | Where-Object {
$_.Subject -like "*G9KN7PZ3ESF*"
} | Format-List Subject, Issuer, Thumbprint
Expected:
Subject : CN=g9kn7pz3esf.logon.ds.ge.com
Issuer : CN=Shopfloor WinRM CA
Thumbprint : (long string)
# Check WinRM service
PS> Get-Service WinRM
Expected:
Status Name DisplayName
------ ---- -----------
Running WinRM Windows Remote Management (WS-Manag...
# Check listener
PS> winrm enumerate winrm/config/listener
Expected:
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = g9kn7pz3esf.logon.ds.ge.com
...
# Check port
PS> netstat -an | findstr :5986
Expected:
TCP 0.0.0.0:5986 0.0.0.0:0 LISTENING
✓ All checks passed!
================================================================================
STEP 6: TEST CONNECTION FROM YOUR COMPUTER (3 MINUTES)
================================================================================
Back on YOUR computer (H2PRFM94):
A. Test basic connectivity
─────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Expected Output:
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
✅ SUCCESS = WinRM is working with HTTPS!
B. Test interactive session
─────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
# Enter your domain credentials
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Expected:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
✅ SUCCESS = You're connected!
Try commands:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
Running WinRM Windows Remote Management
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession
C. Test remote command execution
─────────────────────────────────────────────────────────────
PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { Get-ComputerInfo | Select-Object CsName, WindowsVersion }
Expected:
CsName WindowsVersion
------ --------------
G9KN7PZ3ESF 2009
✅ SUCCESS = Remote commands work!
================================================================================
KEY OBSERVATIONS
================================================================================
Notice what you DON'T need:
❌ No -SessionOption parameter
❌ No -SkipCNCheck
❌ No -SkipCACheck
❌ No -SkipRevocationCheck
❌ No certificate bypass tricks
This is CLEAN and SECURE because:
✓ Your computer trusts the CA
✓ PC certificate is signed by trusted CA
✓ Certificate CN matches hostname
✓ Full certificate chain validation works
================================================================================
TROUBLESHOOTING
================================================================================
If Test-WSMan fails:
────────────────────────────────────────────────────────────────
1. Copy Test-RemotePC-Debug.bat to the PC
2. Run it as Administrator on the PC
3. Review output to identify the issue
Common issues:
- Port 5986 not listening → Re-run Setup-WinRM-HTTPS.ps1
- Certificate not found → Re-import certificate
- Firewall blocking → Check firewall rule
- DNS not resolving → Use IP address for testing
If connection works but certificate errors appear:
────────────────────────────────────────────────────────────────
Check if CA is installed on YOUR computer:
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
$_.Subject -like "*Shopfloor*"
}
If not found:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
================================================================================
SUCCESS CRITERIA
================================================================================
The test is successful when:
✓ Test-WSMan works without errors
✓ Enter-PSSession connects without -SessionOption
✓ No certificate warnings
✓ Remote commands execute successfully
✓ Connection is clean and secure
================================================================================
AFTER SUCCESSFUL TEST
================================================================================
Once ONE PC works perfectly:
1. Test 3-5 more PCs using same process
2. If all tests pass, proceed to full deployment
3. Deploy to remaining 170 PCs in batches
4. Use COMPLETE-WORKFLOW.txt for full deployment guide
================================================================================
TIME ESTIMATE
================================================================================
Total time to test ONE PC:
- Create CA: 5 minutes (one time)
- Install CA on your computer: 2 minutes (one time)
- Sign certificate for test PC: 2 minutes
- Deploy to PC: 5 minutes
- Verify configuration: 2 minutes
- Test connection: 3 minutes
─────────────────────────────────
Total: ~20 minutes for first PC
Subsequent PCs: ~4 minutes each (CA already created)
================================================================================
SUMMARY
================================================================================
Single PC Test Process:
1. Create CA (one time)
2. Install CA on your computer (one time)
3. Sign certificate for G9KN7PZ3ESF
4. Deploy certificate to G9KN7PZ3ESF
5. Test connection from your computer
6. Verify clean, secure connection
If successful → Deploy to all 175 PCs
If issues → Debug on test PC before continuing
================================================================================
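Review bot: the "DNS not resolving → Use IP address for testing" line under Common issues conflicts with the success criteria a few lines further down. The PC certificates carry only the FQDN and short hostname as subject alternative names (`-DnsName @($fqdn, $hostname)` in Sign-BulkCertificates.ps1 in this same commit), so `Test-WSMan -ComputerName <ip> -UseSSL -Port 5986` will fail the name check unless `-SkipCNCheck` is added, which is exactly the bypass this test is meant to retire. Reword it to use `Test-NetConnection <ip> -Port 5986` for reachability only and to fix DNS before the TLS test. Also, the "Check if CA is installed" step matches on `$_.Subject -like "*Shopfloor*"`; comparing against the CA thumbprint that Sign-BulkCertificates.ps1 prints would avoid a false positive from any other certificate with that word in its subject.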

View File

@@ -0,0 +1,153 @@
================================================================================
START HERE - WinRM HTTPS Certificate Authority Setup
================================================================================
Location: /tmp/winrm-ca-scripts/
All files have been created and are ready to use!
================================================================================
COPY THESE FILES TO YOUR WINDOWS COMPUTER
================================================================================
Copy ALL files in /tmp/winrm-ca-scripts/ to:
C:\users\570005354\Downloads\winrm-ca-scripts\
Files to copy:
1. Create-CA-Simple.ps1 - Creates Certificate Authority
2. Sign-BulkCertificates.ps1 - Signs 175 PC certificates
3. Test-RemotePC-Debug.ps1 - Debug script for remote PCs
4. Test-RemotePC-Debug.bat - Batch wrapper for debug script
5. shopfloor-hostnames.txt - List of 175 PC hostnames
6. README.txt - Full instructions
7. START-HERE.txt - This file
================================================================================
STEP-BY-STEP INSTRUCTIONS
================================================================================
STEP 1: Copy Files to Windows
------------------------------
From Linux terminal:
# If you have direct access to Windows filesystem:
cp -r /tmp/winrm-ca-scripts /mnt/c/users/570005354/Downloads/
# OR use WinSCP, scp, or any file transfer method
STEP 2: Create Certificate Authority
-------------------------------------
On Windows, in PowerShell as Administrator:
cd C:\users\570005354\Downloads\winrm-ca-scripts
.\Create-CA-Simple.ps1
Enter password when prompted: ShopfloorCA2025!
This creates:
- Shopfloor-WinRM-CA-YYYYMMDD.pfx (CA private key)
- Shopfloor-WinRM-CA-YYYYMMDD.cer (CA public cert)
STEP 3: Install CA on Your Computer
------------------------------------
Still in PowerShell as Administrator:
Import-Certificate -FilePath "Shopfloor-WinRM-CA-YYYYMMDD.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Replace YYYYMMDD with the actual date from Step 2.
STEP 4: Sign All 175 PC Certificates
-------------------------------------
Still in PowerShell as Administrator:
$caPass = ConvertTo-SecureString "ShopfloorCA2025!" -AsPlainText -Force
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
.\Sign-BulkCertificates.ps1 `
-HostnameFile "shopfloor-hostnames.txt" `
-CAPfxPath "Shopfloor-WinRM-CA-YYYYMMDD.pfx" `
-CAPassword $caPass `
-CertificatePassword $certPass
This creates pc-certificates/batch-TIMESTAMP/ folder with 175 certificates.
STEP 5: Test on ONE PC First
-----------------------------
Deploy to G9KN7PZ3ESF for testing:
A. Copy certificate to PC:
Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
B. On G9KN7PZ3ESF, import certificate:
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
$cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
C. Configure WinRM (if Setup-WinRM-HTTPS.ps1 is available):
.\Setup-WinRM-HTTPS.ps1 -CertificateThumbprint $cert.Thumbprint -Domain "logon.ds.ge.com"
STEP 6: Test Connection
------------------------
From YOUR computer:
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
SUCCESS! No -SessionOption needed!
STEP 7: Deploy to Remaining PCs
--------------------------------
Repeat Step 5 for each of the remaining 174 PCs.
Or create an automated deployment script (ask for help if needed).
================================================================================
TROUBLESHOOTING
================================================================================
If Remote PC Has Issues:
1. Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to the PC
2. Right-click Test-RemotePC-Debug.bat and "Run as Administrator"
3. Review the output to see what's wrong
Common Issues:
- Port 5986 not listening → WinRM listener not configured
- Certificate not found → Certificate not imported
- Firewall blocking → Firewall rule missing
================================================================================
WHAT YOU GET
================================================================================
BEFORE (Wildcard with bypasses):
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName PC -Credential $cred -UseSSL -SessionOption $sessionOption
⚠️ Certificate warnings, security bypasses
AFTER (CA with proper certs):
Enter-PSSession -ComputerName PC -Credential $cred -UseSSL -Port 5986
✅ Clean, secure, no warnings!
================================================================================
NEED HELP?
================================================================================
Read README.txt for full instructions.
All scripts are ready to use - just copy to Windows and run!
================================================================================
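Review bot: Steps 2, 4 and 5 put the CA private-key password and the PC certificate password in cleartext in a file that is committed to the repo (`Enter password when prompted: ShopfloorCA2025!`, `$caPass = ConvertTo-SecureString "ShopfloorCA2025!" -AsPlainText -Force`, `$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force`). Anyone who can read the repo or the Downloads folder can unlock Shopfloor-WinRM-CA-*.pfx and issue certificates that every management computer will trust once the CA is in LocalMachine\Root (Step 3). Remove the literal passwords and let Sign-BulkCertificates.ps1 prompt, which it already does via `Read-Host -AsSecureString` when `-CAPassword` and `-CertificatePassword` are omitted; the CA PFX itself should not be kept in a Downloads folder after the signing run. Step 5 also copies the PFX to `\\G9KN7PZ3ESF\C$\Temp\` and never removes it after the import, so the PC's private key stays on disk under the shared password; add a `Remove-Item` after `Import-PfxCertificate`. Finally, `Import-PfxCertificate -FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx"` passes a wildcard to a parameter that takes a literal path; resolve it with `Get-ChildItem` first and pass the resulting `.FullName`.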

View File

@@ -0,0 +1,214 @@
================================================================================
SUBNET CONFIGURATION FOR WINRM HTTPS
================================================================================
The deployment scripts have been updated to allow specific subnets for WinRM
HTTPS access, addressing cross-subnet firewall restrictions.
================================================================================
DEFAULT CONFIGURATION
================================================================================
Management Subnet: 10.48.130.0/23
Shopfloor Subnet: 10.134.48.0/24
By default, the firewall rule allows connections from: 10.48.130.0/23
================================================================================
HOW IT WORKS
================================================================================
The Deploy-PCCertificate.ps1 script now has an -AllowedSubnets parameter:
Default (built into batch file):
-AllowedSubnets "10.48.130.0/23"
This creates a firewall rule that ONLY allows connections from your
management subnet (10.48.130.0/23).
================================================================================
CONFIGURATION OPTIONS
================================================================================
Option 1: Single Subnet (Default - Most Secure)
────────────────────────────────────────────────────────────────
Deploy-PCCertificate.bat automatically uses:
-AllowedSubnets "10.48.130.0/23"
Only your management subnet can connect.
Option 2: Multiple Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
-AllowedSubnets "10.48.130.0/23,10.134.48.0/24"
Allows both management and shopfloor subnets.
Option 3: Allow All Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
-AllowedSubnets "Any"
Allows connections from any IP address (less secure).
Option 4: Manual PowerShell Deployment
────────────────────────────────────────────────────────────────
If running PowerShell directly:
.\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23"
.\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23,10.50.0.0/16"
.\Deploy-PCCertificate.ps1 -AllowedSubnets "Any"
================================================================================
FIXING G9KN7PZ3ESF (Already Deployed)
================================================================================
Since G9KN7PZ3ESF was deployed before this update, fix the firewall rule:
On G9KN7PZ3ESF:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
Or to allow any:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any
================================================================================
VERIFYING THE CONFIGURATION
================================================================================
On the PC (after deployment):
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" |
Get-NetFirewallAddressFilter |
Select-Object RemoteAddress
Expected Output:
RemoteAddress
-------------
10.48.130.0/23
From Management Computer:
Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
Expected:
TcpTestSucceeded : True
================================================================================
SUBNET NOTATION (CIDR)
================================================================================
Examples:
10.48.130.0/23
- Network: 10.48.130.0
- Netmask: 255.255.254.0
- Range: 10.48.130.0 - 10.48.131.255
- 512 IP addresses
10.134.48.0/24
- Network: 10.134.48.0
- Netmask: 255.255.255.0
- Range: 10.134.48.0 - 10.134.48.255
- 256 IP addresses
10.0.0.0/8
- Entire 10.x.x.x private network
- All Class A private addresses
================================================================================
SECURITY RECOMMENDATIONS
================================================================================
Best Practice: Use Specific Subnets
✓ Only allow known management subnets
✓ Reduces attack surface
✓ Prevents unauthorized access from other networks
Acceptable: Multiple Known Subnets
✓ Allow management subnet + shopfloor subnet
✓ Useful for PC-to-PC communication on shopfloor
✓ Still restricted to known networks
Not Recommended: "Any"
❌ Allows connections from anywhere
❌ Higher security risk
❌ Only use for testing or isolated networks
================================================================================
DEPLOYING TO ALL 175 PCs
================================================================================
Since Deploy-PCCertificate.bat now includes -AllowedSubnets "10.48.130.0/23":
1. Copy updated Deploy-PCCertificate.bat to network share:
S:\dt\adata\script\deploy\Deploy-PCCertificate.bat
2. Copy updated Deploy-PCCertificate.ps1 to network share:
S:\dt\adata\script\deploy\Deploy-PCCertificate.ps1
3. On each PC, run:
S:\dt\adata\script\deploy\Deploy-PCCertificate.bat
The firewall rule will automatically allow your management subnet.
================================================================================
TROUBLESHOOTING
================================================================================
Problem: TcpTestSucceeded = False after deployment
Solution:
1. Check firewall rule on PC:
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Get-NetFirewallAddressFilter
2. Verify your IP is in allowed subnet:
On your computer: ipconfig /all
Compare with allowed subnet
3. Update firewall rule if needed:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "your-subnet/mask"
Problem: Need to add another subnet
Solution:
On PC:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress @("10.48.130.0/23", "10.50.0.0/16")
Or update Deploy-PCCertificate.bat for future deployments
Problem: Accidentally blocked management access
Solution:
1. Physically access the PC
2. Run: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
3. Or temporarily allow all: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any
================================================================================
SUMMARY
================================================================================
✓ Deploy-PCCertificate.ps1 now supports -AllowedSubnets parameter
✓ Default: 10.48.130.0/23 (your management subnet)
✓ Can specify multiple subnets: "subnet1,subnet2,subnet3"
✓ Can allow all: "Any"
✓ Built into Deploy-PCCertificate.bat for automatic deployment
✓ More secure than allowing all subnets
✓ Solves cross-subnet firewall restriction issues
================================================================================
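Review bot: the FIXING G9KN7PZ3ESF and TROUBLESHOOTING sections reintroduce `Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any` as a fix ("Or to allow any", "Or temporarily allow all"), which contradicts the SECURITY RECOMMENDATIONS section of the same file and hands whoever is at the PC an easy way to undo the only scoping this change adds. Drop the Any variants from the fix steps, or label them as temporary and follow each with the command that restores 10.48.130.0/23. Two wording points: "Prevents unauthorized access from other networks" overstates what a RemoteAddress filter does; it limits which source addresses can reach port 5986, while authorization still rests on the credential presented to WinRM, so describe it as reducing exposure. And "Edit Deploy-PCCertificate.bat, line 80" goes stale as soon as that file is edited; point at the `-AllowedSubnets` argument instead of a line number.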

View File

@@ -0,0 +1,80 @@
@echo off
REM ============================================================================
REM Set-NetworkPrivate.bat
REM Changes network profile from Public to Private for WinRM HTTPS
REM ============================================================================
REM Setup logging
set "LOG_DIR=S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
set "HOSTNAME=%COMPUTERNAME%"
set "TIMESTAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%"
set "TIMESTAMP=%TIMESTAMP: =0%"
set "LOG_FILE=%LOG_DIR%\%HOSTNAME%-%TIMESTAMP%-NETWORK-PROFILE.txt"
REM Create log directory if it doesn't exist
if not exist "%LOG_DIR%" (
mkdir "%LOG_DIR%" 2>nul
)
echo.
echo ========================================
echo Set Network Profile to Private
echo ========================================
echo.
echo Hostname: %COMPUTERNAME%
echo Log File: %LOG_FILE%
echo.
REM Check for administrator privileges
net session >nul 2>&1
if %errorLevel% neq 0 (
echo [ERROR] This script requires Administrator privileges.
echo Please right-click and select "Run as Administrator"
echo.
pause
exit /b 1
)
echo [OK] Running with Administrator privileges
echo.
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"
echo Script directory: %SCRIPT_DIR%
echo.
REM Check if PowerShell script exists
if not exist "%SCRIPT_DIR%Set-NetworkPrivate.ps1" (
echo [ERROR] Set-NetworkPrivate.ps1 not found in script directory
echo Please ensure all files are in the same directory
echo.
pause
exit /b 1
)
echo [OK] Required files found
echo.
REM Execute PowerShell script
echo Changing network profile to Private...
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
"& '%SCRIPT_DIR%Set-NetworkPrivate.ps1'" > "%LOG_FILE%" 2>&1
if %errorLevel% neq 0 (
echo.
echo [ERROR] Failed with error code: %errorLevel%
echo.
echo Log saved to: %LOG_FILE%
pause
exit /b %errorLevel%
)
echo.
echo ========================================
echo [SUCCESS] Network Profile Updated
echo ========================================
echo Log saved to: %LOG_FILE%
echo.
pause
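Review bot: the `[SUCCESS] Network Profile Updated` banner is printed whenever `%errorLevel%` is 0 after `PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "& '%SCRIPT_DIR%Set-NetworkPrivate.ps1'"`, but Set-NetworkPrivate.ps1 in this commit catches every failure (Set-NetConnectionProfile, Set-NetFirewallRule, Restart-Service), only writes a message, and ends with a Write-Host, so PowerShell returns 0 and the wrapper reports success even when nothing changed. Have the script `exit 1` when any step fails, or invoke it with `-File` so its exit code is what the wrapper sees. Two smaller points: `%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%` assumes the `Ddd MM/DD/YYYY` short date format, so the log filename is garbled on a PC with a different regional setting; and because `mkdir "%LOG_DIR%" 2>nul` swallows the error when S: is not mapped, the later redirect to %LOG_FILE% fails with no log written, so check the directory exists before running PowerShell or fall back to %TEMP%.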

View File

@@ -0,0 +1,109 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Sets network profile to Private for WinRM HTTPS connectivity
.DESCRIPTION
Changes the network connection profile from Public to Private.
This allows firewall rules to work more reliably for WinRM HTTPS.
Public profiles often have more restrictive firewall settings.
.EXAMPLE
.\Set-NetworkPrivate.ps1
.NOTES
Author: System Administrator
Date: 2025-10-17
Run this script ON THE TARGET PC as Administrator
#>
Write-Host ""
Write-Host "========================================" -ForegroundColor Cyan
Write-Host " Set Network Profile to Private" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
$hostname = $env:COMPUTERNAME
Write-Host "Computer: $hostname" -ForegroundColor White
Write-Host ""
# Get current network profiles
Write-Host "Current Network Profiles:" -ForegroundColor Yellow
$profiles = Get-NetConnectionProfile
$profiles | Format-Table Name, InterfaceAlias, NetworkCategory, IPv4Connectivity -AutoSize
Write-Host ""
# Change all profiles to Private
Write-Host "Changing network profiles to Private..." -ForegroundColor Yellow
Write-Host ""
$changed = 0
foreach ($profile in $profiles) {
if ($profile.NetworkCategory -eq 'Public') {
try {
Write-Host " Changing '$($profile.Name)' from Public to Private..." -ForegroundColor Gray
Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex -NetworkCategory Private
Write-Host " [OK] Changed to Private" -ForegroundColor Green
$changed++
} catch {
Write-Host " [ERROR] Failed: $($_.Exception.Message)" -ForegroundColor Red
}
} elseif ($profile.NetworkCategory -eq 'Private') {
Write-Host " '$($profile.Name)' is already Private" -ForegroundColor Green
} elseif ($profile.NetworkCategory -eq 'DomainAuthenticated') {
Write-Host " '$($profile.Name)' is Domain (optimal)" -ForegroundColor Green
}
}
Write-Host ""
# Show updated profiles
Write-Host "Updated Network Profiles:" -ForegroundColor Yellow
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory, IPv4Connectivity -AutoSize
Write-Host ""
# Update firewall rule to ensure it works with Private profile
Write-Host "Updating WinRM HTTPS firewall rule for Private profile..." -ForegroundColor Yellow
$ruleName = "WinRM HTTPS-In"
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
try {
Set-NetFirewallRule -DisplayName $ruleName -Profile Any -Enabled True
Write-Host "[OK] Firewall rule updated for all profiles" -ForegroundColor Green
} catch {
Write-Host "[WARN] Could not update firewall rule: $($_.Exception.Message)" -ForegroundColor Yellow
}
} else {
Write-Host "[WARN] WinRM HTTPS-In firewall rule not found" -ForegroundColor Yellow
}
Write-Host ""
# Restart WinRM service to apply changes
Write-Host "Restarting WinRM service..." -ForegroundColor Yellow
try {
Restart-Service WinRM -Force
Write-Host "[OK] WinRM service restarted" -ForegroundColor Green
} catch {
Write-Host "[WARN] Could not restart WinRM: $($_.Exception.Message)" -ForegroundColor Yellow
}
Write-Host ""
Write-Host "========================================" -ForegroundColor Green
Write-Host " NETWORK PROFILE UPDATED" -ForegroundColor Green
Write-Host "========================================" -ForegroundColor Green
Write-Host ""
if ($changed -gt 0) {
Write-Host "[OK] Changed $changed network profile(s) to Private" -ForegroundColor Green
} else {
Write-Host "[OK] All network profiles already configured" -ForegroundColor Green
}
Write-Host ""
Write-Host "Test connection from management computer:" -ForegroundColor Yellow
Write-Host " Test-NetConnection $hostname.logon.ds.ge.com -Port 5986" -ForegroundColor White
Write-Host ""
Write-Host " Test-WSMan -ComputerName $hostname.logon.ds.ge.com -UseSSL -Port 5986" -ForegroundColor White
Write-Host ""
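Review bot: the summary at the end cannot tell a failure from "nothing to do": `$changed` is only incremented on success, the catch around `Set-NetConnectionProfile` just prints `[ERROR] Failed:`, and the script still prints `[OK] All network profiles already configured` and exits 0 when the change threw. Count failures separately and `exit 1` when any occurred so the batch wrapper's errorlevel check means something. Second, after moving interfaces to Private, `Set-NetFirewallRule -DisplayName $ruleName -Profile Any -Enabled True` rebinds the rule to every profile including Public, which makes the profile change irrelevant for this rule and leaves port 5986 open if the PC ever lands on a Public network; `-Profile Domain,Private` matches the stated goal. The .DESCRIPTION should also say that forcing an interface to Private widens every other Private-scoped firewall rule on the machine, not just WinRM. Style: `foreach ($profile in $profiles)` shadows the automatic `$PROFILE` variable; rename it to `$netProfile`.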

View File

@@ -0,0 +1,227 @@
#Requires -RunAsAdministrator
param(
[Parameter(Mandatory=$false)]
[string]$HostnameFile = "shopfloor-hostnames.txt",
[Parameter(Mandatory=$false)]
[string]$CAPfxPath,
[string]$Domain = "logon.ds.ge.com",
[string]$OutputPath = ".\pc-certificates",
[int]$ValidityYears = 2,
[SecureString]$CAPassword,
[SecureString]$CertificatePassword
)
Write-Host ""
Write-Host "=== Bulk PC Certificate Signing ===" -ForegroundColor Cyan
Write-Host ""
# Check hostname file
if (-not (Test-Path $HostnameFile)) {
Write-Host "[ERROR] Hostname file not found: $HostnameFile" -ForegroundColor Red
Write-Host "Looking for: $HostnameFile" -ForegroundColor Yellow
exit 1
}
$hostnames = Get-Content $HostnameFile | Where-Object {$_ -match '\S'} | ForEach-Object {$_.Trim()}
Write-Host "Found $($hostnames.Count) hostnames to process"
Write-Host ""
# Auto-detect CA file if not specified
if (-not $CAPfxPath) {
Write-Host "Looking for CA certificate file..." -ForegroundColor Yellow
$caFiles = Get-ChildItem -Filter "*CA*.pfx" | Sort-Object LastWriteTime -Descending
if ($caFiles.Count -eq 0) {
Write-Host "[ERROR] No CA PFX file found in current directory" -ForegroundColor Red
Write-Host "Please specify -CAPfxPath parameter or ensure CA PFX file is in current directory" -ForegroundColor Yellow
exit 1
}
if ($caFiles.Count -gt 1) {
Write-Host "Multiple CA files found:" -ForegroundColor Yellow
for ($i = 0; $i -lt $caFiles.Count; $i++) {
Write-Host " [$i] $($caFiles[$i].Name) (Modified: $($caFiles[$i].LastWriteTime))"
}
$selection = Read-Host "Select CA file number (0-$($caFiles.Count - 1))"
$CAPfxPath = $caFiles[$selection].FullName
} else {
$CAPfxPath = $caFiles[0].FullName
Write-Host "[OK] Found CA file: $($caFiles[0].Name)" -ForegroundColor Green
}
Write-Host ""
}
# Check CA file
if (-not (Test-Path $CAPfxPath)) {
Write-Host "[ERROR] CA PFX file not found: $CAPfxPath" -ForegroundColor Red
exit 1
}
# Get passwords
if (-not $CAPassword) {
$CAPassword = Read-Host "Enter CA certificate password" -AsSecureString
}
if (-not $CertificatePassword) {
$CertificatePassword = Read-Host "Enter password for PC certificates (same for all)" -AsSecureString
}
# Load CA certificate
Write-Host "Loading CA certificate..."
try {
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CAPfxPath, $CAPassword, 'Exportable')
Write-Host "[OK] CA loaded: $($caCert.Subject)"
Write-Host " Thumbprint: $($caCert.Thumbprint)"
Write-Host ""
} catch {
Write-Host "[ERROR] Failed to load CA: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
if (-not $caCert.HasPrivateKey) {
Write-Host "[ERROR] CA certificate does not have private key" -ForegroundColor Red
exit 1
}
# Create output directory
$timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
$batchPath = Join-Path $OutputPath "batch-$timestamp"
New-Item -ItemType Directory -Path $batchPath -Force | Out-Null
Write-Host "Output directory: $batchPath"
Write-Host ""
Write-Host "Processing certificates..."
Write-Host ""
$results = @()
$successCount = 0
$failCount = 0
$counter = 0
foreach ($hostname in $hostnames) {
$counter++
$hostname = $hostname.Trim() -replace "\.$Domain$", ""
$fqdn = "$hostname.$Domain".ToLower()
Write-Host "[$counter/$($hostnames.Count)] $hostname ... " -NoNewline
try {
$notAfter = (Get-Date).AddYears($ValidityYears)
$pcCert = New-SelfSignedCertificate `
-Subject "CN=$fqdn" `
-DnsName @($fqdn, $hostname) `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature,KeyEncipherment `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256 `
-CertStoreLocation 'Cert:\LocalMachine\My' `
-NotAfter $notAfter `
-TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1' `
-Signer $caCert
# Export PFX
$pfxPath = Join-Path $batchPath "$hostname-$Domain-$timestamp.pfx"
Export-PfxCertificate -Cert $pcCert -FilePath $pfxPath -Password $CertificatePassword | Out-Null
# Export CER
$cerPath = Join-Path $batchPath "$hostname-$Domain-$timestamp.cer"
Export-Certificate -Cert $pcCert -FilePath $cerPath | Out-Null
# Remove from store
Remove-Item "Cert:\LocalMachine\My\$($pcCert.Thumbprint)" -Force -ErrorAction SilentlyContinue
Write-Host "OK" -ForegroundColor Green
$results += [PSCustomObject]@{
Hostname = $hostname
FQDN = $fqdn
Thumbprint = $pcCert.Thumbprint
ValidUntil = $pcCert.NotAfter
PFXFile = Split-Path $pfxPath -Leaf
Status = "Success"
Error = $null
}
$successCount++
} catch {
Write-Host "FAILED: $($_.Exception.Message)" -ForegroundColor Red
$results += [PSCustomObject]@{
Hostname = $hostname
FQDN = $fqdn
Thumbprint = $null
ValidUntil = $null
PFXFile = $null
Status = "Failed"
Error = $_.Exception.Message
}
$failCount++
}
}
# Export results
$csvPath = Join-Path $batchPath "certificate-list.csv"
$results | Export-Csv -Path $csvPath -NoTypeInformation
$summaryPath = Join-Path $batchPath "SUMMARY.txt"
$summaryContent = @"
Certificate Signing Summary
===========================
Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
Batch: $timestamp
Statistics:
Total: $($hostnames.Count)
Successful: $successCount
Failed: $failCount
CA Certificate:
Subject: $($caCert.Subject)
Thumbprint: $($caCert.Thumbprint)
Output Directory: $batchPath
Files:
- $successCount PFX files (certificates with private keys)
- $successCount CER files (public certificates)
- certificate-list.csv (spreadsheet)
Next Steps:
1. Install CA certificate on management computers:
Import-Certificate -FilePath 'CA.cer' -CertStoreLocation Cert:\LocalMachine\Root
2. Deploy certificates to PCs (each PC gets its own):
- Copy PFX file to PC
- Import: Import-PfxCertificate -FilePath 'HOSTNAME.pfx' -CertStoreLocation Cert:\LocalMachine\My -Password `$pass
- Configure WinRM: .\Setup-WinRM-HTTPS.ps1 -CertificateThumbprint THUMBPRINT -Domain logon.ds.ge.com
3. Connect from management computer:
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com -Credential `$cred -UseSSL -Port 5986
(No -SessionOption needed!)
"@
$summaryContent | Out-File -FilePath $summaryPath -Encoding UTF8
Write-Host ""
Write-Host "=== CERTIFICATE SIGNING COMPLETE ===" -ForegroundColor Green
Write-Host ""
Write-Host "Summary:"
Write-Host " Total: $($hostnames.Count)"
Write-Host " Successful: $successCount" -ForegroundColor Green
Write-Host " Failed: $failCount" -ForegroundColor $(if($failCount -gt 0){'Red'}else{'Green'})
Write-Host ""
Write-Host "Output: $batchPath"
Write-Host ""
Write-Host "Files:"
Write-Host " - certificate-list.csv (list of all certificates)"
Write-Host " - SUMMARY.txt (detailed summary)"
Write-Host " - $successCount PFX files (one per PC)"
Write-Host ""
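Review bot: `Remove-Item "Cert:\LocalMachine\My\$($pcCert.Thumbprint)" -Force -ErrorAction SilentlyContinue` deletes the certificate object but not its private key; the certificate provider only removes the key container when `-DeleteKey` is passed, so after a 175-host run the signing workstation's key store holds an orphaned exportable private key for every shopfloor PC. Add `-DeleteKey` and drop `-ErrorAction SilentlyContinue` so a leftover is reported rather than hidden. Related: `-KeyExportPolicy Exportable` is required for the PFX export, but every key is generated on the operator's workstation and written to the batch folder under one shared password (`Read-Host "Enter password for PC certificates (same for all)"`), so batch-* is effectively a bundle of 175 server private keys and should be protected and deleted like the CA PFX; SUMMARY.txt and the closing output should say so. Two smaller points: `-replace "\.$Domain$", ""` interpolates the domain into a regex without escaping its dots (use `[regex]::Escape($Domain)`), and `$caFiles[$selection]` uses the Read-Host string unvalidated, so an empty or out-of-range entry falls through to the `Test-Path $CAPfxPath` error instead of a clear message.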

View File

@@ -0,0 +1,317 @@
================================================================================
TROUBLESHOOTING CONNECTION ISSUES
================================================================================
Error: "WinRM cannot complete the operation. Verify that the specified
computer name is valid, that the computer is accessible over the
network..."
This means WinRM can't reach the remote PC. Follow these steps:
================================================================================
STEP 1: VERIFY NETWORK CONNECTIVITY
================================================================================
On YOUR computer (H2PRFM94):
A. Test DNS Resolution
──────────────────────────────────────────────────────────────
PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
Expected: Should return IP address (e.g., 10.134.48.255)
If fails:
- Try with just hostname: Resolve-DnsName G9KN7PZ3ESF
- Try with IP directly: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
B. Test Basic Ping
──────────────────────────────────────────────────────────────
PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2
Expected: Should get replies
If fails:
- PC might be blocking ICMP (that's OK, continue)
- Try: Test-Connection G9KN7PZ3ESF
- Try IP: Test-Connection 10.134.48.255
C. Test Port 5986 Connectivity
──────────────────────────────────────────────────────────────
PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
Expected:
ComputerName : g9kn7pz3esf.logon.ds.ge.com
RemoteAddress : 10.134.48.255
RemotePort : 5986
InterfaceAlias : Ethernet
SourceAddress : 10.x.x.x
TcpTestSucceeded : True
If TcpTestSucceeded = False:
- Port 5986 is blocked by firewall
- Continue to STEP 2
================================================================================
STEP 2: CHECK FIREWALL ON REMOTE PC (G9KN7PZ3ESF)
================================================================================
ON THE REMOTE PC (G9KN7PZ3ESF):
A. Check Windows Firewall Rule
──────────────────────────────────────────────────────────────
PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Format-List
Expected:
DisplayName : WinRM HTTPS-In
Enabled : True
Direction : Inbound
Action : Allow
If Enabled = False:
PS> Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"
B. Check Firewall Profile
──────────────────────────────────────────────────────────────
PS> Get-NetFirewallProfile | Select-Object Name, Enabled
If firewall is ON for Public profile, the rule might not apply.
Fix:
PS> Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
C. Verify Port 5986 is Listening
──────────────────────────────────────────────────────────────
PS> netstat -an | findstr :5986
Expected:
TCP 0.0.0.0:5986 0.0.0.0:0 LISTENING
TCP [::]:5986 [::]:0 LISTENING
If not listening:
- WinRM listener not created properly
- Re-run Deploy-PCCertificate.bat
D. Check WinRM Service
──────────────────────────────────────────────────────────────
PS> Get-Service WinRM | Select-Object Status, StartType
Expected:
Status : Running
StartType : Automatic
If not running:
PS> Start-Service WinRM
PS> Set-Service WinRM -StartupType Automatic
================================================================================
STEP 3: CHECK NETWORK FIREWALL (Between PCs)
================================================================================
If local firewalls are OK but still can't connect:
A. Check if Corporate Firewall Blocks Port 5986
──────────────────────────────────────────────────────────────
Some networks block high ports or only allow specific ports.
Test from YOUR computer:
PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
If TcpTestSucceeded = False:
- Network firewall is blocking port 5986
- Contact network admin to allow TCP 5986 between management PC and shopfloor PCs
B. Check if Same Subnet
──────────────────────────────────────────────────────────────
WinRM public profile default only allows same subnet.
On YOUR computer:
PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}
On REMOTE PC:
PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}
Compare:
- Your IP: 10.x.y.z
- Remote IP: 10.134.48.255
If different subnets and Public profile:
- Either change network profile to Private/Domain
- Or configure firewall to allow remote subnet
================================================================================
STEP 4: ALTERNATIVE - USE IP ADDRESS INSTEAD OF FQDN
================================================================================
Sometimes DNS or certificate CN issues prevent FQDN connections.
From YOUR computer, try with IP:
──────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
If this works but FQDN doesn't:
- DNS issue, use IP address for now
- Certificate CN might not match (but should work with proper CA)
================================================================================
STEP 5: CHECK YOUR COMPUTER'S WINRM CLIENT
================================================================================
On YOUR computer (H2PRFM94):
A. Enable WinRM Client
──────────────────────────────────────────────────────────────
PS> Enable-PSRemoting -Force
This configures YOUR computer as WinRM client.
B. Check WinRM Service on YOUR Computer
──────────────────────────────────────────────────────────────
PS> Get-Service WinRM
Expected: Running
If not:
PS> Start-Service WinRM
C. Set Trusted Hosts (if needed)
──────────────────────────────────────────────────────────────
Only needed if not using HTTPS with proper certificates.
Check current:
PS> Get-Item WSMan:\localhost\Client\TrustedHosts
If blank and having issues:
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.logon.ds.ge.com" -Force
================================================================================
STEP 6: VERIFY CA CERTIFICATE ON YOUR COMPUTER
================================================================================
On YOUR computer (H2PRFM94):
A. Check if CA is Installed
──────────────────────────────────────────────────────────────
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
$_.Subject -like "*Shopfloor*"
}
Expected: Should show "CN=Shopfloor WinRM CA"
If NOT found:
PS> Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
B. Verify Certificate is Trusted
──────────────────────────────────────────────────────────────
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
$_.Subject -like "*Shopfloor*"
} | Format-List Subject, Thumbprint, NotAfter
Make sure:
- Subject matches: CN=Shopfloor WinRM CA
- NotAfter is in the future
- No errors
================================================================================
STEP 7: DIAGNOSTIC COMMANDS CHECKLIST
================================================================================
Run these in order on YOUR computer:
1. Test DNS:
PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
2. Test Ping:
PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2
3. Test Port:
PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
4. Check CA installed:
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
5. Test WinRM:
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Run these on REMOTE PC (G9KN7PZ3ESF):
1. Check firewall:
PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
2. Check port listening:
PS> netstat -an | findstr :5986
3. Check service:
PS> Get-Service WinRM
4. Check listener:
PS> winrm enumerate winrm/config/listener
================================================================================
COMMON SOLUTIONS
================================================================================
Issue: TcpTestSucceeded = False
Solution:
1. On remote PC: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
2. On remote PC: Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"
3. Contact network admin if corporate firewall blocks port 5986
Issue: Certificate errors
Solution:
1. Install CA on your computer: Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root
2. Verify CA is in Trusted Root
Issue: DNS not resolving
Solution:
1. Use IP address: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
2. Or use short hostname: Test-WSMan -ComputerName G9KN7PZ3ESF -UseSSL -Port 5986
Issue: Different subnets
Solution:
1. Change firewall rule profile: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
2. Or configure firewall to allow your management PC's IP
================================================================================
QUICK FIX COMMANDS
================================================================================
On REMOTE PC (G9KN7PZ3ESF):
──────────────────────────────────────────────────────────────
# Enable firewall rule for all profiles
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any -Enabled True
# Restart WinRM service
Restart-Service WinRM
On YOUR computer (H2PRFM94):
──────────────────────────────────────────────────────────────
# Enable WinRM client
Enable-PSRemoting -Force
# Install CA certificate (if not already)
Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root
# Test connection
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
================================================================================
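Review bot: the `Enable-PSRemoting -Force` block at the top of this hunk describes the cmdlet as configuring the management PC as a WinRM *client*, but it actually configures it as a WinRM *server*: it creates an HTTP listener on 5985, adds the inbound WS-Management firewall exception and sets the service to start automatically. For outbound-only use from H2PRFM94, `Start-Service WinRM` (the next sub-step) is sufficient and opens no inbound port; the same line under QUICK FIX COMMANDS should change accordingly. Three smaller points: the TrustedHosts wildcard `*.logon.ds.ge.com` is unnecessary once the Shopfloor CA is trusted and the connection uses HTTPS, so it should be presented as a last resort rather than a default; the "DNS not resolving" workaround `Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986` will fail TLS name validation unless the PC certificate carries that IP (or the short hostname) as a SAN, so repairing DNS is the real fix; and under "Different subnets", scoping the rule with `-RemoteAddress <management subnet>` is preferable to `-Profile Any`, which also exposes 5986 on the Public profile.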

View File

@@ -0,0 +1,65 @@
@echo off
REM ============================================================================
REM Test-RemotePC-Debug.bat
REM Runs WinRM HTTPS debug test with execution policy bypass
REM ============================================================================
REM Setup logging
set "LOG_DIR=S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
set "HOSTNAME=%COMPUTERNAME%"
set "TIMESTAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%"
set "TIMESTAMP=%TIMESTAMP: =0%"
set "LOG_FILE=%LOG_DIR%\%HOSTNAME%-%TIMESTAMP%-DEBUG.txt"
REM Create log directory if it doesn't exist
if not exist "%LOG_DIR%" (
mkdir "%LOG_DIR%" 2>nul
)
echo.
echo ========================================
echo WinRM HTTPS Debug Test
echo ========================================
echo.
echo Computer: %HOSTNAME%
echo Log File: %LOG_FILE%
echo.
REM Check for administrator privileges
net session >nul 2>&1
if %errorLevel% neq 0 (
echo [ERROR] This script requires Administrator privileges.
echo Please right-click and select "Run as Administrator"
echo.
pause
exit /b 1
)
echo [OK] Running with Administrator privileges
echo.
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"
REM Check if PowerShell script exists
if not exist "%SCRIPT_DIR%Test-RemotePC-Debug.ps1" (
echo [ERROR] Test-RemotePC-Debug.ps1 not found in script directory
echo.
pause
exit /b 1
)
echo Running debug test...
echo.
REM Execute PowerShell script with bypass and log file
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
"& '%SCRIPT_DIR%Test-RemotePC-Debug.ps1' -LogFile '%LOG_FILE%'"
echo.
echo ========================================
echo Test Complete
echo ========================================
echo Log saved to: %LOG_FILE%
echo.
pause
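Review bot: the log directory is a mapped drive (`S:\DT\ADATA\SCRIPT\DEPLOY\LOGS`) but the script insists on elevation, and drive mappings from the user's logon session are generally not visible to an elevated (UAC split-token) process; `mkdir "%LOG_DIR%" 2>nul` then fails silently, the PowerShell side also suppresses log-write errors, and the run reports "Test Complete" with no log written. Re-check the directory after the mkdir and abort (`if not exist "%LOG_DIR%" (echo [ERROR] cannot create log dir & exit /b 1)`), or fall back to a local path such as `%ProgramData%`, and prefer a UNC path over a drive letter. Separately, `%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%` slices `%DATE%` assuming the `ddd MM/dd/yyyy` short-date format and yields a wrong or empty timestamp on other locales; since the .ps1 already builds its own name with `Get-Date -Format "yyyyMMdd-HHmmss"`, let PowerShell compute the timestamp instead of cmd.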

View File

@@ -0,0 +1,468 @@
#Requires -RunAsAdministrator
param(
[Parameter(Mandatory=$false)]
[string]$ComputerName = $env:COMPUTERNAME,
[Parameter(Mandatory=$false)]
[string]$LogFile
)
# Setup logging function
function Write-Log {
param(
[string]$Message,
[string]$Color = "White"
)
# Write to console
if ($Color -ne "White") {
Write-Host $Message -ForegroundColor $Color
} else {
Write-Host $Message
}
# Write to log file (strip color codes, just text)
if ($LogFile) {
Add-Content -Path $LogFile -Value $Message -ErrorAction SilentlyContinue
}
}
# Create log file if not specified
if (-not $LogFile) {
$logDir = "S:\DT\ADATA\SCRIPT\DEPLOY\LOGS"
if (Test-Path $logDir) {
$timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
$LogFile = "$logDir\$ComputerName-$timestamp-DEBUG.txt"
}
}
# Create log directory if needed
if ($LogFile) {
$logDir = Split-Path $LogFile -Parent
if (-not (Test-Path $logDir)) {
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}
# Start log file
"============================================================================" | Out-File $LogFile
"WinRM HTTPS Debug Test Log" | Out-File $LogFile -Append
"============================================================================" | Out-File $LogFile -Append
"Computer: $ComputerName" | Out-File $LogFile -Append
"Date/Time: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" | Out-File $LogFile -Append
"Log File: $LogFile" | Out-File $LogFile -Append
"============================================================================" | Out-File $LogFile -Append
"" | Out-File $LogFile -Append
}
Write-Log ""
Write-Log "======================================" -Color Cyan
Write-Log " WinRM HTTPS Debug Test" -Color Cyan
Write-Log "======================================" -Color Cyan
Write-Log ""
Write-Log "Computer: $ComputerName"
Write-Log "Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
if ($LogFile) {
Write-Log "Log File: $LogFile" -Color Cyan
}
Write-Log ""
# Test 1: WinRM Service
Write-Log "TEST 1: WinRM Service Status" -Color Yellow
Write-Log "------------------------------"
try {
$winrmService = Get-Service WinRM
if ($winrmService.Status -eq 'Running') {
Write-Log "[OK] WinRM service is RUNNING" -Color Green
} else {
Write-Log "[ERROR] WinRM service is $($winrmService.Status)" -Color Red
}
Write-Log " Status: $($winrmService.Status)"
Write-Log " StartType: $($winrmService.StartType)"
} catch {
Write-Log "[ERROR] Cannot check WinRM service: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 2: WinRM Listeners
Write-Log "TEST 2: WinRM Listeners" -Color Yellow
Write-Log "------------------------------"
try {
$listeners = winrm enumerate winrm/config/listener
if ($listeners) {
Write-Log $listeners
# Check for HTTPS listener
if ($listeners -match 'Transport = HTTPS') {
Write-Log "[OK] HTTPS listener found" -Color Green
} else {
Write-Log "[WARNING] No HTTPS listener found" -Color Yellow
}
} else {
Write-Log "[WARNING] No listeners configured" -Color Yellow
}
} catch {
Write-Log "[ERROR] Cannot enumerate listeners: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 3: Port Listening
Write-Log "TEST 3: Port Listening Status" -Color Yellow
Write-Log "------------------------------"
$ports = @(5985, 5986)
foreach ($port in $ports) {
$listening = netstat -an | Select-String ":$port"
if ($listening) {
Write-Log "[OK] Port $port is LISTENING" -Color Green
$listening | ForEach-Object { Write-Log " $_" -Color Gray }
} else {
Write-Log "[WARNING] Port $port is NOT listening" -Color Yellow
}
}
Write-Log ""
# Test 4: Firewall Rules
Write-Log "TEST 4: Firewall Rules" -Color Yellow
Write-Log "------------------------------"
try {
$winrmRules = Get-NetFirewallRule | Where-Object {
$_.DisplayName -like "*WinRM*"
}
if ($winrmRules) {
Write-Log "[OK] Found $($winrmRules.Count) WinRM firewall rule(s)" -Color Green
foreach ($rule in $winrmRules) {
$portFilter = $rule | Get-NetFirewallPortFilter
$addressFilter = $rule | Get-NetFirewallAddressFilter
$status = if ($rule.Enabled) { "ENABLED" } else { "DISABLED" }
$statusColor = if ($rule.Enabled) { "Green" } else { "Red" }
Write-Log ""
Write-Log " Rule: $($rule.DisplayName)" -Color White
Write-Log " Status: $status" -Color $statusColor
Write-Log " Direction: $($rule.Direction)"
Write-Log " Action: $($rule.Action)"
Write-Log " Profile: $($rule.Profile)"
Write-Log " Local Port: $($portFilter.LocalPort)"
Write-Log " Protocol: $($portFilter.Protocol)"
Write-Log " Remote Address: $($addressFilter.RemoteAddress)"
Write-Log " Local Address: $($addressFilter.LocalAddress)"
}
} else {
Write-Log "[WARNING] No WinRM firewall rules found" -Color Yellow
}
} catch {
Write-Log "[ERROR] Cannot check firewall: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 5: Certificates
Write-Log "TEST 5: Certificates" -Color Yellow
Write-Log "------------------------------"
try {
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
$_.Subject -like "*$env:COMPUTERNAME*" -or
$_.Subject -like "*.logon.ds.ge.com*" -or
$_.DnsNameList -like "*$env:COMPUTERNAME*"
}
if ($certs) {
Write-Log "[OK] Found $($certs.Count) certificate(s)" -Color Green
foreach ($cert in $certs) {
Write-Log ""
Write-Log " Subject: $($cert.Subject)" -Color White
Write-Log " Thumbprint: $($cert.Thumbprint)"
Write-Log " Issuer: $($cert.Issuer)"
Write-Log " Valid Until: $($cert.NotAfter)"
Write-Log " Has Private Key: $($cert.HasPrivateKey)"
if ($cert.DnsNameList) {
Write-Log " DNS Names: $($cert.DnsNameList.Unicode -join ', ')"
}
}
} else {
Write-Log "[WARNING] No matching certificates found" -Color Yellow
}
} catch {
Write-Log "[ERROR] Cannot check certificates: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 6: WinRM Configuration
Write-Log "TEST 6: WinRM Configuration" -Color Yellow
Write-Log "------------------------------"
try {
$config = winrm get winrm/config
Write-Log $config
} catch {
Write-Log "[ERROR] Cannot get WinRM config: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 7: Network Information
Write-Log "TEST 7: Network Information" -Color Yellow
Write-Log "------------------------------"
try {
$hostname = $env:COMPUTERNAME
$fqdn = [System.Net.Dns]::GetHostByName($hostname).HostName
$ips = Get-NetIPAddress -AddressFamily IPv4 | Where-Object {
$_.IPAddress -notlike "127.*" -and $_.IPAddress -notlike "169.254.*"
}
Write-Log " Hostname: $hostname"
Write-Log " FQDN: $fqdn"
Write-Log ""
Write-Log " IP Addresses:"
foreach ($ip in $ips) {
Write-Log " - $($ip.IPAddress) [$($ip.InterfaceAlias)]"
}
} catch {
Write-Log "[ERROR] Cannot get network info: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 8: Network Profile
Write-Log "TEST 8: Network Profile" -Color Yellow
Write-Log "------------------------------"
try {
$profiles = Get-NetConnectionProfile
if ($profiles) {
foreach ($profile in $profiles) {
$category = $profile.NetworkCategory
$categoryColor = switch ($category) {
'Private' { 'Green' }
'DomainAuthenticated' { 'Green' }
'Public' { 'Yellow' }
default { 'White' }
}
Write-Log ""
Write-Log " Interface: $($profile.InterfaceAlias)" -Color White
Write-Log " Name: $($profile.Name)"
Write-Log " Category: $category" -Color $categoryColor
Write-Log " IPv4 Connectivity: $($profile.IPv4Connectivity)"
Write-Log " IPv6 Connectivity: $($profile.IPv6Connectivity)"
}
# Warning for Public profiles
$publicProfiles = $profiles | Where-Object { $_.NetworkCategory -eq 'Public' }
if ($publicProfiles) {
Write-Log ""
Write-Log " [WARNING] Public network profile detected!" -Color Yellow
Write-Log " Public profiles may restrict WinRM connectivity" -Color Yellow
Write-Log " Run Set-NetworkPrivate.bat to change to Private" -Color Yellow
}
} else {
Write-Log "[WARNING] No network profiles found" -Color Yellow
}
} catch {
Write-Log "[ERROR] Cannot get network profile: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 9: Firewall Profile Status
Write-Log "TEST 9: Firewall Profile Status" -Color Yellow
Write-Log "------------------------------"
try {
$firewallProfiles = Get-NetFirewallProfile
foreach ($fwProfile in $firewallProfiles) {
$status = if ($fwProfile.Enabled) { "ENABLED" } else { "DISABLED" }
$statusColor = if ($fwProfile.Enabled) { "Yellow" } else { "Green" }
Write-Log ""
Write-Log " Profile: $($fwProfile.Name)" -Color White
Write-Log " Firewall: $status" -Color $statusColor
Write-Log " Default Inbound Action: $($fwProfile.DefaultInboundAction)"
Write-Log " Default Outbound Action: $($fwProfile.DefaultOutboundAction)"
}
} catch {
Write-Log "[ERROR] Cannot get firewall profiles: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 10: Group Policy Information
Write-Log "TEST 10: Group Policy Information" -Color Yellow
Write-Log "------------------------------"
try {
# Check if domain joined
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$isDomainJoined = $computerSystem.PartOfDomain
Write-Log ""
Write-Log " Domain Status:" -Color White
if ($isDomainJoined) {
Write-Log " Domain Joined: YES" -Color Green
Write-Log " Domain: $($computerSystem.Domain)"
} else {
Write-Log " Domain Joined: NO (Workgroup)" -Color Yellow
Write-Log " Workgroup: $($computerSystem.Workgroup)"
}
Write-Log ""
Write-Log " Applied Group Policies:" -Color White
# Get GPResult summary
$gpResult = gpresult /r 2>&1 | Out-String
# Extract Computer Configuration section
if ($gpResult -match "COMPUTER SETTINGS[\s\S]*?Applied Group Policy Objects[\s\S]*?The following GPOs were not applied") {
$computerGPOs = $matches[0]
Write-Log " (Displaying first 20 lines of computer GPOs)" -Color Gray
$computerGPOs -split "`n" | Select-Object -First 20 | ForEach-Object {
Write-Log " $_" -Color Gray
}
} elseif ($gpResult -match "Applied Group Policy Objects[\s\S]*?-{3,}") {
$gpos = $matches[0] -split "`n" | Where-Object { $_ -match '\S' } | Select-Object -First 15
$gpos | ForEach-Object { Write-Log " $_" -Color Gray }
} else {
Write-Log " [WARN] Could not extract GPO list" -Color Yellow
}
# Check for firewall GPO settings
Write-Log ""
Write-Log " Firewall Group Policy:" -Color White
$firewallGPO = gpresult /r 2>&1 | Select-String -Pattern "firewall" -Context 0,2
if ($firewallGPO) {
$firewallGPO | ForEach-Object { Write-Log " $_" -Color Gray }
} else {
Write-Log " No firewall-specific GPOs detected" -Color Gray
}
# Check for WinRM GPO settings
Write-Log ""
Write-Log " WinRM Group Policy:" -Color White
$winrmGPO = gpresult /r 2>&1 | Select-String -Pattern "winrm|remote" -Context 0,2
if ($winrmGPO) {
$winrmGPO | Select-Object -First 10 | ForEach-Object { Write-Log " $_" -Color Gray }
} else {
Write-Log " No WinRM-specific GPOs detected" -Color Gray
}
} catch {
Write-Log "[ERROR] Cannot get Group Policy info: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 11: Firewall Rule Policy Source
Write-Log "TEST 11: Firewall Rule Policy Source" -Color Yellow
Write-Log "------------------------------"
try {
$winrmRules = Get-NetFirewallRule | Where-Object {
$_.DisplayName -like "*WinRM*"
}
if ($winrmRules) {
foreach ($rule in $winrmRules) {
$policySource = $rule.PolicyStoreSource
$sourceColor = switch ($policySource) {
'GroupPolicy' { 'Yellow' }
'PersistentStore' { 'Green' }
default { 'White' }
}
Write-Log ""
Write-Log " Rule: $($rule.DisplayName)" -Color White
Write-Log " Policy Source: $policySource" -Color $sourceColor
Write-Log " Enabled: $($rule.Enabled)"
Write-Log " Profile: $($rule.Profile)"
if ($policySource -eq 'GroupPolicy') {
Write-Log " [INFO] Rule is managed by Group Policy" -Color Yellow
Write-Log " Local changes will be overwritten by GPO" -Color Yellow
} elseif ($policySource -eq 'PersistentStore') {
Write-Log " [INFO] Rule is locally configured" -Color Green
Write-Log " Can be modified locally" -Color Green
}
}
} else {
Write-Log " [WARNING] No WinRM firewall rules found" -Color Yellow
}
} catch {
Write-Log "[ERROR] Cannot check firewall policy source: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 12: Network Category and GPO Override
Write-Log "TEST 12: Network Category Control" -Color Yellow
Write-Log "------------------------------"
try {
# Check if network category is controlled by GPO
Write-Log " Checking if Network Category is GPO-controlled..." -Color White
Write-Log ""
$nlmKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkListManager"
if (Test-Path $nlmKey) {
Write-Log " [INFO] Network List Manager GPO key exists" -Color Yellow
Write-Log " Network category may be controlled by Group Policy" -Color Yellow
$nlmValues = Get-ItemProperty -Path $nlmKey -ErrorAction SilentlyContinue
if ($nlmValues) {
$nlmValues.PSObject.Properties | Where-Object {
$_.Name -notlike "PS*"
} | ForEach-Object {
Write-Log " $($_.Name) = $($_.Value)" -Color Gray
}
}
} else {
Write-Log " [OK] Network category is not GPO-controlled" -Color Green
Write-Log " Can be changed locally" -Color Green
}
# Check current network profiles again with category source
Write-Log ""
Write-Log " Current Network Profiles:" -Color White
$profiles = Get-NetConnectionProfile
foreach ($profile in $profiles) {
$category = $profile.NetworkCategory
Write-Log ""
Write-Log " Interface: $($profile.InterfaceAlias)" -Color White
Write-Log " Category: $category"
Write-Log " Name: $($profile.Name)"
# Determine if can be changed
if (Test-Path $nlmKey) {
Write-Log " Can Change: NO (GPO Controlled)" -Color Yellow
} else {
Write-Log " Can Change: YES (Local Control)" -Color Green
}
}
} catch {
Write-Log "[ERROR] Cannot check network category control: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Test 13: Self-Connectivity Test
Write-Log "TEST 13: Self-Connectivity Test" -Color Yellow
Write-Log "------------------------------"
try {
$hostname = $env:COMPUTERNAME
$fqdn = "$hostname.logon.ds.ge.com".ToLower()
Write-Log " Testing local connectivity to port 5986..."
$portTest = Test-NetConnection -ComputerName localhost -Port 5986 -WarningAction SilentlyContinue
if ($portTest.TcpTestSucceeded) {
Write-Log " [OK] Port 5986 is reachable locally" -Color Green
} else {
Write-Log " [ERROR] Port 5986 is NOT reachable locally" -Color Red
Write-Log " This indicates WinRM HTTPS is not properly configured" -Color Yellow
}
Write-Log ""
Write-Log " Remote computers should connect to:" -Color Cyan
Write-Log " $fqdn:5986" -Color White
} catch {
Write-Log "[ERROR] Cannot test connectivity: $($_.Exception.Message)" -Color Red
}
Write-Log ""
# Summary
Write-Log "======================================" -Color Cyan
Write-Log " Debug Test Complete" -Color Cyan
Write-Log "======================================" -Color Cyan
Write-Log ""
Write-Log "Save this output for troubleshooting!"
Write-Log ""
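Review bot: TEST 4 reports every WinRM rule as ENABLED, because `$rule.Enabled` is the NetSecurity `Enabled` enum whose `False` member is a non-zero value and therefore truthy in `if ($rule.Enabled)`; use `if ($rule.Enabled -eq 'True')` for both `$status` and `$statusColor`. Further points: in TEST 13, `" $fqdn:5986"` is parsed as the drive-qualified variable `fqdn:5986` and expands to an empty string, so the "Remote computers should connect to:" line prints blank; write `"${fqdn}:5986"`. TEST 3 marks a port as LISTENING whenever any `netstat` line contains `:$port`, which also matches established connections, foreign addresses and `:59860`; `Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue` is exact and needs no text parsing. TEST 13's loopback probe also bypasses Windows Firewall, so a success there says nothing about the inbound rule examined in TEST 4, and the FQDN is hard-coded as `.logon.ds.ge.com` rather than reusing the value resolved in TEST 7. TEST 12 declares the network category "GPO Controlled" solely because the `NetworkListManager` policy key exists, even when it holds no values. TEST 10 invokes `gpresult /r` three times; capture it once. Finally, the log (full `winrm get winrm/config` output, certificate thumbprints, firewall scoping and applied GPO names) defaults to a shared drive, so confirm that folder's ACL restricts read access, and prefer `Get-CimInstance` over the deprecated `Get-WmiObject`.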

View File

@@ -0,0 +1,175 @@
G1JJVH63ESF
G1JJXH63ESF
G1JKYH63ESF
G1JLXH63ESF
G1JMWH63ESF
G1K76CW3ESF
G1KMP7X2ESF
G1KQQ7X2ESF
G1P9PWM3ESF
G1QXSXK2ESF
G1VPY5X3ESF
G1X29PZ3ESF
G1XN78Y3ESF
G25TJRT3ESF
G2GY4SY3ESF
G2WHKN34ESF
G317T5X3ESF
G31N20R3ESF
G32DD5K3ESF
G33N20R3ESF
G3Z33SZ2ESF
G3ZFCSZ2ESF
G3ZH3SZ2ESF
G3ZJBSZ2ESF
G3ZN2SZ2ESF
G41733Z3ESF
G4393DX3ESF
G49GMPR3ESF
G4H8KF33ESF
G4H9KF33ESF
G4HBHF33ESF
G4HBLF33ESF
G4HCBF33ESF
G4HCDF33ESF
G4HCHF33ESF
G4HCKF33ESF
G4MT28Y3ESF
G4S96WX3ESF
G5B48FZ3ESF
G5G9S624ESF
G5PRTW04ESF
G5W5V7V3ESF
G62DD5K3ESF
G6JLMSZ2ESF
G6JQFSZ2ESF
G6PLY5X3ESF
G6S0QRT3ESF
G6S96WX3ESF
G73N20R3ESF
G7B48FZ3ESF
G7D48FZ3ESF
G7DYR7Y3ESF
G7N9PWM3ESF
G7QLY5X3ESF
G7S96WX3ESF
G7W5V7V3ESF
G7WP26X3ESF
G7YPWH63ESF
G7YQ9673ESF
G7YQVH63ESF
G7YQWH63ESF
G82C4853ESF
G82CZ753ESF
G82D3853ESF
G82D6853ESF
G83N20R3ESF
G89TP7V3ESF
G8CPG0M3ESF
G8QLY5X3ESF
G8RJ20R3ESF
G8TJY7V3ESF
G8YTNCX3ESF
G907T5X3ESF
G9K76CW3ESF
G9KN7PZ3ESF
G9N2JNZ3ESF
G9TJ20R3ESF
G9WMFDW2ESF
G9WP26X3ESF
G9WQ7DW2ESF
G9WQDDW2ESF
G9WRDDW2ESF
G9YTNCX3ESF
GB07T5X3ESF
GB0VNCX3ESF
GB1GTRT3ESF
GB9TP7V3ESF
GBB8Q2W2ESF
GBCLXRZ2ESF
GBCTZRZ2ESF
GBD5DN34ESF
GBDC6WX3ESF
GBF8WRZ2ESF
GBK76CW3ESF
GBKN7PZ3ESF
GBN0XRZ2ESF
GC07T5X3ESF
GC5R20R3ESF
GCKTCRP2ESF
GCNNY2Z3ESF
GCQLY5X3ESF
GCTJ20R3ESF
GD0N20R3ESF
GD6KW0R3ESF
GDDBF673ESF
GDGSGH04ESF
GDJCTJB2ESF
GDJGFRP2ESF
GDK76CW3ESF
GDMT28Y3ESF
GDNLY5X3ESF
GDNWYRT3ESF
GDNYTBM2ESF
GDP9TBM2ESF
GDQLY5X3ESF
GDR658B3ESF
GDR6B8B3ESF
GDR978B3ESF
GF1DD5K3ESF
GF3N20R3ESF
GF7ZN7V3ESF
GF9F52Z3ESF
GFBWSH63ESF
GFBWTH63ESF
GFBXNH63ESF
GFBXPH63ESF
GFBYNH63ESF
GFBZMH63ESF
GFC48FZ3ESF
GFDBWRT3ESF
GFG48DW2ESF
GFG6FDW2ESF
GFG7DDW2ESF
GFG8DDW2ESF
GFG8FDW2ESF
GFGD7DW2ESF
GFGF8DW2ESF
GFGKFDW2ESF
GFGLFDW2ESF
GFN9PWM3ESF
GFQNX044ESF
GFSJ20R3ESF
GFZQFPR3ESF
GG1J98Y3ESF
GGBWRMH3ESF
GGBWSMH3ESF
GGBWTMH3ESF
GGBWVMH3ESF
GGBWYMH3ESF
GGBX0NH3ESF
GGBX2NH3ESF
GGDBWRT3ESF
GGGMF1V3ESF
GGNWYRT3ESF
GGQNX044ESF
GGT6J673ESF
GGT7H673ESF
GGT8K673ESF
GGYTNCX3ESF
GH1DD5K3ESF
GH20Y2W2ESF
GH2N20R3ESF
GH9ZN7V3ESF
GHBRHCW3ESF
GHR96WX3ESF
GHTC52Z3ESF
GHV5V7V3ESF
GJ0LYMH3ESF
GJ1DD5K3ESF
GJ5KW0R3ESF
GJBJC724ESF
GJJ76CW3ESF
GJN9PWM3ESF
GJWDB673ESF
GJYTNCX3ESF
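Review bot: this 175-line file appears to be the host list behind the 175 certificates produced by Sign-BulkCertificates.ps1, yet nothing documents or validates its format. Every visible entry is an 11-character upper-case alphanumeric name ending in ESF, so the consuming script should trim CR/LF, skip blank lines, reject anything not matching a pattern such as `^[A-Z0-9]{11}$`, and drop duplicates before a stray line becomes a certificate subject or an `Invoke-Command` target; a one-line README note stating "one bare hostname per line, domain suffix added by the script" would make the contract explicit.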