Remove all emojis from markdown documentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
cproudlock
2025-12-10 11:03:45 -05:00
parent fc6be8a876
commit 96cb1dd946
22 changed files with 256 additions and 256 deletions
@@ -113,7 +113,7 @@ Your Computer Remote PC
│ CN=*.logon.ds.ge.com │
│ Self-signed (untrusted) │
│ │
├─ ERROR: Untrusted certificate │
├─ ERROR: Untrusted certificate │
│ │
└─ Must use -SessionOption
to skip validation
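Review bot: the glyph removed from the two "ERROR: Untrusted certificate" rows was wider than one column in most monospace renderings, so inside this fixed-width box diagram the right border `│` on those rows will now sit left of the border on the rows above unless the lines are re-padded with spaces; please check the rendered diagram. The "Certificate trusted" rows in the next hunk need the same check.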
@@ -136,7 +136,7 @@ Your Computer Remote PC
├─ Checks issuer: Shopfloor WinRM CA │
├─ Do I trust this issuer? │
├─ YES! (CA is in Trusted Root) │
├─ Certificate trusted │
├─ Certificate trusted │
│ │
└─ Connection succeeds! ◄─────────────┘
No -SessionOption needed!
@@ -230,7 +230,7 @@ $cert = Import-PfxCertificate `
# Test basic connectivity - NO -SessionOption needed!
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Works! No certificate errors!
# Works! No certificate errors!
# Get credentials
$cred = Get-Credential
@@ -238,7 +238,7 @@ $cred = Get-Credential
# Interactive session - NO -SessionOption needed!
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# Connected! No certificate warnings!
# Connected! No certificate warnings!
# Run remote command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
@@ -265,10 +265,10 @@ Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
```
**Problems:**
- Certificate validation bypassed (insecure)
- Same certificate on all 175 PCs
- If compromised, affects all PCs
- Certificate CN mismatch errors
- Certificate validation bypassed (insecure)
- Same certificate on all 175 PCs
- If compromised, affects all PCs
- Certificate CN mismatch errors
---
@@ -281,12 +281,12 @@ Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
```
**Benefits:**
- Proper certificate validation (secure)
- Each PC has its own certificate
- If one compromised, only affects one PC
- Proper hostname in certificate (no CN mismatch)
- Easy to revoke individual certificates
- Professional enterprise approach
- Proper certificate validation (secure)
- Each PC has its own certificate
- If one compromised, only affects one PC
- Proper hostname in certificate (no CN mismatch)
- Easy to revoke individual certificates
- Professional enterprise approach
---
@@ -380,9 +380,9 @@ When you connect, Windows automatically validates:
4. YES! Found in Cert:\LocalMachine\Root
5. Certificate trusted
5. Certificate trusted
6. Connection allowed
6. Connection allowed
```
---
@@ -128,7 +128,7 @@ STEP 3: Verify WinRM Configuration
STEP 4: Test Local HTTPS Connection
[OK] Local HTTPS connection successful
Test setup complete!
Test setup complete!
```
**If you see errors:**
@@ -175,7 +175,7 @@ CsName OsName WindowsVersion
YOUR-PC Microsoft Windows 11 Pro 10.0.22631
```
** Success!** If this works, you're ready to move to the next phase.
** Success!** If this works, you're ready to move to the next phase.
---
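Review bot: stripping the emoji left `** Success!**` with a space after the opening `**`, which CommonMark does not accept as an emphasis delimiter, so the line now renders with literal asterisks instead of bold text. Drop the space: `**Success!** If this works, you're ready to move to the next phase.` The same pattern occurs in the next hunk ("ready for full deployment").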
@@ -338,7 +338,7 @@ Failed: 0
Collection completed. Success: 3, Failed: 0
```
** Success!** If this works, you're ready for full deployment.
** Success!** If this works, you're ready for full deployment.
---
@@ -754,14 +754,14 @@ Get-Content .\logs\remote-collection-https.log -Tail 50
Follow these phases:
1. **Phase 1:** Test on single device (your computer)
2. **Phase 2:** Test on 3-5 shopfloor PCs
3. **Phase 3:** Deploy to all 175 PCs in batches
4. **Daily Ops:** Run automated collection
1. **Phase 1:** Test on single device (your computer)
2. **Phase 2:** Test on 3-5 shopfloor PCs
3. **Phase 3:** Deploy to all 175 PCs in batches
4. **Daily Ops:** Run automated collection
**Total Time:**
- Phase 1: 15-30 minutes
- Phase 2: 1-2 hours
- Phase 3: 4-8 hours (depending on method)
**Good luck with your deployment!** 🚀
**Good luck with your deployment!**
@@ -32,7 +32,7 @@ New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -FullAccess "Everyone"
**Or manually:**
1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder Properties Sharing Advanced Sharing
3. Right-click folder Properties Sharing Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)
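Review bot: the share is created with `-FullAccess "Everyone"` (hunk header context) while manual step 6 says to give Everyone Read access, or a specific security group; for a share that carries a PFX containing a private key, the PowerShell line should match the documented intent (`-ReadAccess` for a named group rather than FullAccess for Everyone). Separately, step 3 now reads "Right-click folder Properties Sharing Advanced Sharing" with no separators between the menu items; write it as `Properties > Sharing > Advanced Sharing`, and apply the same fix to the other right-click paths in this file ("Deploy-WinRM-HTTPS.bat Run as Administrator", "Right-click Run as Administrator").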
@@ -49,10 +49,10 @@ Get-ChildItem "\\SERVER\WinRM-HTTPS"
```
Expected files:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
---
@@ -105,13 +105,13 @@ Include everything for troubleshooting:
6. Wait for completion
**Advantages:**
- Simple - no copying needed
- Always uses latest files
- No local disk space used
- Simple - no copying needed
- Always uses latest files
- No local disk space used
**Disadvantages:**
- ⚠️ Requires network connectivity during install
- ⚠️ Slower if network is congested
- Requires network connectivity during install
- Slower if network is congested
---
@@ -139,13 +139,13 @@ Deploy-WinRM-HTTPS.bat
```
**Advantages:**
- Faster execution
- Works if network connection lost
- Can verify files before running
- Faster execution
- Works if network connection lost
- Can verify files before running
**Disadvantages:**
- ⚠️ Uses local disk space
- ⚠️ Extra copy step
- Uses local disk space
- Extra copy step
---
@@ -193,14 +193,14 @@ foreach ($hostname in $targetPCs) {
```
**Advantages:**
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
**Disadvantages:**
- ⚠️ Requires existing remote access (WinRM or admin shares)
- ⚠️ More complex
- ⚠️ Password visible in script (use secure credential management)
- Requires existing remote access (WinRM or admin shares)
- More complex
- Password visible in script (use secure credential management)
---
@@ -219,8 +219,8 @@ foreach ($hostname in $targetPCs) {
- Edit GPO
3. **Add Startup Script:**
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`
4. **Link GPO to OU:**
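Review bot: the two path lines under "Add Startup Script" lost their step separators and now read as single runs of words ("Computer Configuration Policies Windows Settings Scripts", "Startup Add"); write them as `Computer Configuration > Policies > Windows Settings > Scripts` and `Startup > Add`.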
@@ -228,14 +228,14 @@ foreach ($hostname in $targetPCs) {
- PCs will run script on next reboot
**Advantages:**
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
**Disadvantages:**
- ⚠️ Requires domain environment
- ⚠️ Requires restart
- ⚠️ Password handling more complex
- Requires domain environment
- Requires restart
- Password handling more complex
---
@@ -270,7 +270,7 @@ REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```
**⚠️ Never:**
** Never:**
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
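Review bot: `** Never:**` has a space after the opening `**` and will not render as bold; use `**Never:**`. More importantly, the `setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M` line three lines above the "Never hardcode the password" list embeds the value this project's summary lists as the certificate password, and a machine-wide environment variable is readable by every process on the PC, which the SECURE_CREDENTIAL_MANAGEMENT.md file in this same commit explicitly says not to use for passwords. Replace the value with a placeholder such as `<pfx-password>`, and because the real value is already in git history, treat it as exposed: re-export the PFX with a new password and replace the copy on the share.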
@@ -293,7 +293,7 @@ Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -Access
The certificate PFX file contains the private key. Protect it:
1. **Use share permissions** to restrict access
2. **Use certificate password** (you did )
2. **Use certificate password** (you did )
3. **Monitor access** to the share
4. **Delete from share** after deployment complete
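Review bot: step 2 now ends in "(you did )" with a dangling space where the check mark was; reword as "(already done)" or drop the parenthetical.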
@@ -315,7 +315,7 @@ The certificate PFX file contains the private key. Protect it:
```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
@@ -378,7 +378,7 @@ Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
**On test PC (G1JJVH63ESF):**
1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion
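Review bot: step 3 still shows the certificate password in clear text (`Enter password: XqHuyaLZSyCYEcpsMz6h5`) in a walkthrough that the same file's "Never" list says must not put the password in files on the share; change it to "Enter the certificate password when prompted" and keep the value out of the repository.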
@@ -462,7 +462,7 @@ Get-SmbShareAccess -Name "WinRM-HTTPS"
### Problem: "Access Denied" running batch file
**Solution:**
- Right-click Run as Administrator
- Right-click Run as Administrator
- User must be local admin on PC
- Check UAC settings
@@ -514,15 +514,15 @@ Save as `README.txt` in the share.
**Best Practice for Your Scenario:**
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
**Certificate Password Storage:**
- Store in password manager
@@ -530,7 +530,7 @@ Save as `README.txt` in the share.
- Use encrypted files for automation
**The batch files handle:**
- Administrator check
- File verification
- Error handling
- User feedback
- Administrator check
- File verification
- Error handling
- User feedback
@@ -4,7 +4,7 @@
**Objective**: Deploy secure WinRM over HTTPS to 175 shopfloor PCs using a wildcard certificate for `*.logon.ds.ge.com`
**Status**: READY FOR TESTING
**Status**: READY FOR TESTING
**Certificate Generated**: `wildcard-logon-ds-ge-com-20251017.pfx`
**Certificate Password**: `XqHuyaLZSyCYEcpsMz6h5`
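Review bot: the `**Certificate Password**` line keeps the PFX password in plaintext in a summary document committed to the repository, which contradicts issue 5 ("Plaintext Password in Examples", status "All examples use secure methods") later in this same file. Remove the value and point to the password manager or Credential Manager entry instead; since it has already been committed it stays in history after removal, so the PFX should be re-exported with a new password and the copy on the network share replaced.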
@@ -45,13 +45,13 @@
## Key Features Implemented
### Certificate Generation
### Certificate Generation
- Self-signed wildcard certificate for `*.logon.ds.ge.com`
- Alternative generation methods to avoid smart card conflicts
- 2048-bit RSA with SHA256
- Valid for 2 years (expires 2027-10-17)
### Deployment Scripts
### Deployment Scripts
- **Two deployment methods**:
- `Deploy-WinRM-HTTPS.bat` - Secure (prompts for password)
- `Deploy-WinRM-HTTPS-AutoPassword.bat` - Testing (auto-password)
@@ -60,7 +60,7 @@
- Execution policy bypass (`-ExecutionPolicy Bypass`)
- Network share compatible
### Comprehensive Logging
### Comprehensive Logging
- **Log Location**: `S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\`
- **Log Format**: `HOSTNAME-YYYYMMDD-HHMMSS.txt`
- **Logged Information**:
@@ -72,7 +72,7 @@
- Success/failure status
- All error messages
### WinRM HTTPS Configuration
### WinRM HTTPS Configuration
- Creates HTTPS listener on port 5986
- Uses wildcard certificate for all PCs
- Constructs FQDN: `hostname.logon.ds.ge.com`
@@ -80,13 +80,13 @@
- Enables certificate authentication
- Maintains HTTP listener (port 5985)
### Testing & Validation
### Testing & Validation
- Test scripts for connectivity verification
- Log viewer with filtering capabilities
- Summary report generation
- Remote connection examples
### Documentation
### Documentation
- Quick start guides
- Detailed deployment instructions
- Security best practices
@@ -139,17 +139,17 @@ PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
### 1. Smart Card Device Error
**Problem**: Certificate generation failed with "smart card device is read-only"
**Solution**: Created alternative script using `certreq.exe` with fallback methods
**Status**: Resolved - Certificate generated successfully
**Status**: Resolved - Certificate generated successfully
### 2. LogFile Parameter Not Found
**Problem**: Batch file tried to pass `-LogFile` parameter that didn't exist
**Solution**: Added `-LogFile` parameter to `Setup-WinRM-HTTPS.ps1` param block
**Status**: Resolved - Logging now works correctly
**Status**: Resolved - Logging now works correctly
### 3. WinRM HTTPS Listener Creation Failed (First Issue)
**Problem**: Listener creation failed due to PowerShell string escaping issues
**Solution**: Changed from `Invoke-Expression` to `cmd.exe /c` execution
**Status**: Resolved - Command execution fixed
**Status**: Resolved - Command execution fixed
### 4. Certificate CN Mismatch Error (Critical Fix)
**Problem**: Listener creation failed with error "The certificate CN and the hostname that were provided do not match"
@@ -177,23 +177,23 @@ winrm create ... @{Hostname="*.logon.ds.ge.com";...}
- WinRM matches specific hostname against wildcard pattern
- Certificate validation succeeds for all subdomains
**Status**: Resolved - Wildcard matching now works correctly
**Status**: Resolved - Wildcard matching now works correctly
**Documentation**: See `WILDCARD-CERT-FIX.txt` for detailed explanation
### 5. Plaintext Password in Examples
**Problem**: Security concern with plaintext passwords in documentation
**Solution**: Created `SECURE_CREDENTIAL_MANAGEMENT.md` and updated all examples
**Status**: Resolved - All examples use secure methods
**Status**: Resolved - All examples use secure methods
---
## Deployment Workflow
### Phase 1: Preparation (CURRENT PHASE)
1. Generate wildcard certificate
2. Create deployment scripts
3. Setup logging infrastructure
4. Create documentation
1. Generate wildcard certificate
2. Create deployment scripts
3. Setup logging infrastructure
4. Create documentation
5. ⏳ Copy certificate to deployment-package folder
6. ⏳ Copy deployment-package to network share
7. ⏳ Set permissions on network share
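Review bot: items 5 to 7 of the Phase 1 list still carry the ⏳ glyph although the commit title says all emojis are removed; either strip it too or, better, replace each status glyph with text such as "[done]" and "[pending]", because after this change the completed items 1 to 4 and the pending items 5 to 7 are distinguishable only by the remaining emoji.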
@@ -230,9 +230,9 @@ winrm create ... @{Hostname="*.logon.ds.ge.com";...}
**Hostname List**: `shopfloor-hostnames.txt`
**Example Hostnames**:
- G1JJVH63ESF g1jjvh63esf.logon.ds.ge.com
- G1JJXH63ESF g1jjxh63esf.logon.ds.ge.com
- G9KN7PZ3ESF g9kn7pz3esf.logon.ds.ge.com (test PC)
- G1JJVH63ESF g1jjvh63esf.logon.ds.ge.com
- G1JJXH63ESF g1jjxh63esf.logon.ds.ge.com
- G9KN7PZ3ESF g9kn7pz3esf.logon.ds.ge.com (test PC)
- ... (172 more)
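Review bot: the example hostnames lost the separator between short name and FQDN ("G1JJVH63ESF g1jjvh63esf.logon.ds.ge.com"); use `->` or a two-column table so the mapping stays readable.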
---
@@ -279,24 +279,24 @@ Get-Service WinRM | Select-Object Name, Status, StartType
## Security Considerations
### Certificate Security
- Self-signed certificate (appropriate for internal use)
- Private key marked as exportable (for backup purposes)
- Stored in Local Machine certificate store
- 2048-bit RSA encryption
- ⚠️ Certificate password stored in deployment scripts (testing only)
- Self-signed certificate (appropriate for internal use)
- Private key marked as exportable (for backup purposes)
- Stored in Local Machine certificate store
- 2048-bit RSA encryption
- Certificate password stored in deployment scripts (testing only)
### Deployment Security
- Two versions: secure (production) and auto-password (testing)
- Documentation emphasizes deleting auto-password version
- Network share requires proper permissions
- Administrator privileges required for deployment
- All examples use secure credential methods
- Two versions: secure (production) and auto-password (testing)
- Documentation emphasizes deleting auto-password version
- Network share requires proper permissions
- Administrator privileges required for deployment
- All examples use secure credential methods
### Credential Management
- Documented 5 secure methods in `SECURE_CREDENTIAL_MANAGEMENT.md`
- No plaintext passwords in production examples
- Recommendations for Azure Key Vault integration
- Windows Credential Manager integration documented
- Documented 5 secure methods in `SECURE_CREDENTIAL_MANAGEMENT.md`
- No plaintext passwords in production examples
- Recommendations for Azure Key Vault integration
- Windows Credential Manager integration documented
---
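Review bot: under "Certificate Security" the removed ⚠️ was the only cue separating the risk item "Certificate password stored in deployment scripts (testing only)" from the feature bullets around it; prefix it with a textual marker such as "Caution:" so the warning survives. The list also presents an exportable private key shared by all PCs as a backup convenience, while the deployment guide's "Problems" list in this same commit names one certificate on all 175 PCs as the weakness of this approach; the summary should cross-reference that rather than list it under security features.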
@@ -348,8 +348,8 @@ Executing WinRM HTTPS setup...
## Files Ready for Deployment
### Required Files (Must Copy to Network Share)
- `deployment-package/` folder (all contents)
- ⚠️ `wildcard-logon-ds-ge-com-20251017.pfx` (MUST ADD to deployment-package!)
- `deployment-package/` folder (all contents)
- `wildcard-logon-ds-ge-com-20251017.pfx` (MUST ADD to deployment-package!)
### Network Share Setup
```
@@ -405,25 +405,25 @@ Executing WinRM HTTPS setup...
## Success Criteria
### Deployment Success
- Certificate imported to Local Machine store
- HTTPS listener created on port 5986
- Firewall rule "WinRM HTTPS-In" created
- WinRM service running and set to automatic
- Log file created with SUCCESS status
- No errors in log file
- Certificate imported to Local Machine store
- HTTPS listener created on port 5986
- Firewall rule "WinRM HTTPS-In" created
- WinRM service running and set to automatic
- Log file created with SUCCESS status
- No errors in log file
### Connectivity Success
- `Test-WSMan` succeeds from management server
- Can create remote PSSession with `-UseSSL`
- Can execute remote commands via HTTPS
- Certificate validation passes
- `Test-WSMan` succeeds from management server
- Can create remote PSSession with `-UseSSL`
- Can execute remote commands via HTTPS
- Certificate validation passes
### Project Success
- All 175 PCs deployed successfully
- All deployments logged
- Remote connectivity verified
- Asset inventory updated
- Documentation complete
- All 175 PCs deployed successfully
- All deployments logged
- Remote connectivity verified
- Asset inventory updated
- Documentation complete
---
@@ -503,4 +503,4 @@ The WinRM HTTPS deployment project is **complete and ready for testing**. All sc
**Document Version**: 1.0
**Last Updated**: 2025-10-17
**Status**: READY FOR TESTING
**Status**: READY FOR TESTING
@@ -31,7 +31,7 @@ This folder contains scripts and documentation for setting up secure WinRM over
|------|-------------|
| **WINRM_HTTPS_DEPLOYMENT_GUIDE.md** | Complete deployment guide with troubleshooting |
## 🚀 Quick Start
## Quick Start
### 1. Generate Certificate (Testing)
@@ -84,14 +84,14 @@ $certPass = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
- Protect the PFX file password
- Use `-SkipCertificateCheck` only for testing
## 📊 Shopfloor PCs
## Shopfloor PCs
- **Total PCs**: 175
- **Source**: Database query filtered by `pctypeid = 3` (Shopfloor type)
- **FQDN Format**: `{hostname}.logon.ds.ge.com`
- **Example**: `G1JJVH63ESF.logon.ds.ge.com`
## 🔧 Workflow
## Workflow
1. **Generate/Obtain Certificate**
- Use `Generate-WildcardCert.ps1` for testing
@@ -2,7 +2,7 @@
This guide covers secure methods for handling passwords and credentials in PowerShell, avoiding plaintext passwords in scripts and command history.
## ⚠️ Never Do This
## Never Do This
```powershell
# BAD - Password visible in script and command history
@@ -18,7 +18,7 @@ $certPass = ConvertTo-SecureString "MyPassword123!" -AsPlainText -Force
---
## Secure Methods
## Secure Methods
### Method 1: Interactive Prompt (Most Secure for Manual Use)
@@ -92,10 +92,10 @@ $certPass = Import-Clixml -Path "C:\Secure\cert-password.xml"
```
**Important notes:**
- Encrypted files can ONLY be decrypted by the same user on the same computer
- Safe to store in version control (but not recommended)
- ⚠️ Won't work if script runs as different user (e.g., scheduled task with service account)
- ⚠️ Won't work on different computer
- Encrypted files can ONLY be decrypted by the same user on the same computer
- Safe to store in version control (but not recommended)
- Won't work if script runs as different user (e.g., scheduled task with service account)
- Won't work on different computer
---
@@ -131,10 +131,10 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
```
**Advantages:**
- Works with scheduled tasks
- Can be used by service accounts
- Centralized management
- Encrypted by Windows
- Works with scheduled tasks
- Can be used by service accounts
- Centralized management
- Encrypted by Windows
---
@@ -152,7 +152,7 @@ $env:WINRM_CERT_PATH = "C:\Certs\wildcard.pfx"
-Domain $env:WINRM_DOMAIN
```
**⚠️ Do NOT use for passwords:**
** Do NOT use for passwords:**
```powershell
# BAD - Environment variables are not secure for passwords
$env:CERT_PASSWORD = "MyPassword" # DON'T DO THIS
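Review bot: `** Do NOT use for passwords:**` no longer renders as bold because of the space after the opening `**`; use `**Do NOT use for passwords:**`.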
@@ -350,7 +350,7 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
## 🛡️ Security Best Practices
### Do's
### Do's
1. **Always use SecureString for passwords**
```powershell
@@ -386,7 +386,7 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
[System.GC]::Collect()
```
### Don'ts
### Don'ts
1. **Never hardcode passwords**
```powershell
@@ -420,7 +420,7 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
---
## 🔧 Setting Up Secure Credential Storage
## Setting Up Secure Credential Storage
### Step 1: Create Secure Directory
@@ -543,15 +543,15 @@ $cred = Get-DomainCredential
---
## 📊 Summary Comparison
## Summary Comparison
| Method | Security | Ease of Use | Automation | Cross-User | Enterprise |
|--------|----------|-------------|------------|------------|------------|
| Interactive Prompt | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | | | |
| Encrypted File | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | | | |
| Credential Manager | ⭐⭐⭐⭐ | ⭐⭐⭐ | | | ⭐⭐⭐ |
| Azure Key Vault | ⭐⭐⭐⭐⭐ | ⭐⭐ | | | ⭐⭐⭐⭐⭐ |
| Plaintext (DON'T) | | ⭐⭐⭐⭐⭐ | | | |
| Interactive Prompt | | | | | |
| Encrypted File | | | | | |
| Credential Manager | | | | | |
| Azure Key Vault | | | | | |
| Plaintext (DON'T) | | | | | |
---
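Review bot: removing the ⭐ ratings blanked every cell of the Summary Comparison table, so it now carries no information; replace the stars with text ratings (for example High/Medium/Low for Security and Ease of Use, Yes/No for Automation, Cross-User and Enterprise) rather than deleting them. The Automation and Cross-User columns were already empty for every row before this change, so those need values as well.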
@@ -503,13 +503,13 @@ Remove-PSSession $session
## Next Steps
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
---
@@ -137,7 +137,7 @@ If the above methods don't work, generate the certificate on a computer without
**Solution:**
```powershell
# Run PowerShell as Administrator
# Right-click PowerShell Run as Administrator
# Right-click PowerShell Run as Administrator
# Verify admin rights
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
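Review bot: the comment `# Right-click PowerShell Run as Administrator` lost its separator; write it as `# Right-click PowerShell > Run as Administrator`.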
@@ -413,11 +413,11 @@ If none of these solutions work:
**Recommended approach when you see smart card error:**
1. Try `Generate-WildcardCert-Alternative.ps1` (uses certreq)
2. Try disabling smart card service temporarily
3. Try different crypto provider
4. Generate on different computer without restrictions
5. Request certificate from your organization's CA
1. Try `Generate-WildcardCert-Alternative.ps1` (uses certreq)
2. Try disabling smart card service temporarily
3. Try different crypto provider
4. Generate on different computer without restrictions
5. Request certificate from your organization's CA
**For production deployment:**
- Always get certificates from trusted Certificate Authority
@@ -32,7 +32,7 @@ New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -FullAccess "Everyone"
**Or manually:**
1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder Properties Sharing Advanced Sharing
3. Right-click folder Properties Sharing Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)
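Review bot: this copy of the guide has the same mismatch as the other: `-FullAccess "Everyone"` in the `New-SmbShare` context line versus "Everyone Read access (or specific security group)" in step 6, on a share carrying a PFX with a private key; make the command match the documented Read-only, group-scoped intent (`-ReadAccess`). Step 3 also reads "Right-click folder Properties Sharing Advanced Sharing" without separators; use `Properties > Sharing > Advanced Sharing`, and fix the other right-click paths in this file the same way.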
@@ -49,10 +49,10 @@ Get-ChildItem "\\SERVER\WinRM-HTTPS"
```
Expected files:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
---
@@ -105,13 +105,13 @@ Include everything for troubleshooting:
6. Wait for completion
**Advantages:**
- Simple - no copying needed
- Always uses latest files
- No local disk space used
- Simple - no copying needed
- Always uses latest files
- No local disk space used
**Disadvantages:**
- ⚠️ Requires network connectivity during install
- ⚠️ Slower if network is congested
- Requires network connectivity during install
- Slower if network is congested
---
@@ -139,13 +139,13 @@ Deploy-WinRM-HTTPS.bat
```
**Advantages:**
- Faster execution
- Works if network connection lost
- Can verify files before running
- Faster execution
- Works if network connection lost
- Can verify files before running
**Disadvantages:**
- ⚠️ Uses local disk space
- ⚠️ Extra copy step
- Uses local disk space
- Extra copy step
---
@@ -193,14 +193,14 @@ foreach ($hostname in $targetPCs) {
```
**Advantages:**
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
**Disadvantages:**
- ⚠️ Requires existing remote access (WinRM or admin shares)
- ⚠️ More complex
- ⚠️ Password visible in script (use secure credential management)
- Requires existing remote access (WinRM or admin shares)
- More complex
- Password visible in script (use secure credential management)
---
@@ -219,8 +219,8 @@ foreach ($hostname in $targetPCs) {
- Edit GPO
3. **Add Startup Script:**
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`
4. **Link GPO to OU:**
@@ -228,14 +228,14 @@ foreach ($hostname in $targetPCs) {
- PCs will run script on next reboot
**Advantages:**
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
**Disadvantages:**
- ⚠️ Requires domain environment
- ⚠️ Requires restart
- ⚠️ Password handling more complex
- Requires domain environment
- Requires restart
- Password handling more complex
---
@@ -270,7 +270,7 @@ REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```
**⚠️ Never:**
** Never:**
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
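Review bot: `** Never:**` will not render as bold (space after the opening `**`); use `**Never:**`. The `setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M` line above this list still embeds the certificate password, in the second copy of this guide as well; replace it with a placeholder such as `<pfx-password>`, and rotate the PFX password since the value is already in git history.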
@@ -293,7 +293,7 @@ Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -Access
The certificate PFX file contains the private key. Protect it:
1. **Use share permissions** to restrict access
2. **Use certificate password** (you did )
2. **Use certificate password** (you did )
3. **Monitor access** to the share
4. **Delete from share** after deployment complete
@@ -315,7 +315,7 @@ The certificate PFX file contains the private key. Protect it:
```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
@@ -378,7 +378,7 @@ Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
**On test PC (G1JJVH63ESF):**
1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion
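Review bot: step 3 again shows the certificate password in clear text (`Enter password: XqHuyaLZSyCYEcpsMz6h5`); change it to "Enter the certificate password when prompted" so neither copy of this guide carries the value.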
@@ -462,7 +462,7 @@ Get-SmbShareAccess -Name "WinRM-HTTPS"
### Problem: "Access Denied" running batch file
**Solution:**
- Right-click Run as Administrator
- Right-click Run as Administrator
- User must be local admin on PC
- Check UAC settings
@@ -514,15 +514,15 @@ Save as `README.txt` in the share.
**Best Practice for Your Scenario:**
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
**Certificate Password Storage:**
- Store in password manager
@@ -530,7 +530,7 @@ Save as `README.txt` in the share.
- Use encrypted files for automation
**The batch files handle:**
- Administrator check
- File verification
- Error handling
- User feedback
- Administrator check
- File verification
- Error handling
- User feedback
@@ -503,13 +503,13 @@ Remove-PSSession $session
## Next Steps
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
---