# WinRM HTTPS Configuration

This folder contains scripts and documentation for setting up secure WinRM over HTTPS using a wildcard certificate for the `*.logon.ds.ge.com` domain.

## 📁 Files

### Setup Scripts

| File | Description |
|------|-------------|
| **Generate-WildcardCert.ps1** | Generates a self-signed wildcard certificate for `*.logon.ds.ge.com` |
| **Setup-WinRM-HTTPS.ps1** | Configures WinRM HTTPS on a target computer |
| **Test-WinRM-HTTPS-Setup.ps1** | Automated test workflow for single-device setup |

### Collection Scripts

| File | Description |
|------|-------------|
| **Invoke-RemoteAssetCollection-HTTPS.ps1** | Executes remote asset collection via WinRM HTTPS |

### Data Files

| File | Description |
|------|-------------|
| **shopfloor-hostnames.txt** | Live list of 175 shopfloor PC hostnames from database |
| **shopfloor-hostnames-example.txt** | Example hostname list format |

### Documentation

| File | Description |
|------|-------------|
| **WINRM_HTTPS_DEPLOYMENT_GUIDE.md** | Complete deployment guide with troubleshooting |

## 🚀 Quick Start

### 1. Generate Certificate (Testing)

```powershell
# Run as Administrator
cd C:\path\to\winrm-https

# Generate self-signed wildcard certificate
.\Generate-WildcardCert.ps1
```

### 2. Test on Single Device

```powershell
# Automated test (recommended)
.\Test-WinRM-HTTPS-Setup.ps1

# Or manual setup
$certPass = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
.\Setup-WinRM-HTTPS.ps1 -CertificatePath ".\wildcard-*.pfx" `
    -CertificatePassword $certPass -Domain "logon.ds.ge.com"
```

### 3. Deploy to Shopfloor PCs

```powershell
# Test connections first
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
    -HostnameListFile ".\shopfloor-hostnames.txt" `
    -Domain "logon.ds.ge.com" `
    -TestConnections

# Run collection
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
    -HostnameListFile ".\shopfloor-hostnames.txt" `
    -Domain "logon.ds.ge.com"
```

## 📋 Prerequisites

- Windows PowerShell 5.1 or later
- Administrator privileges
- Network connectivity
- Wildcard certificate for `*.logon.ds.ge.com` (PFX format with private key)

## 🔐 Security Notes

- **Self-signed certificates** are for TESTING only
- For production, obtain a certificate from a trusted Certificate Authority
- Protect the PFX file password
- Use `-SkipCertificateCheck` only for testing

## 📊 Shopfloor PCs

- **Total PCs**: 175
- **Source**: Database query filtered by `pctypeid = 3` (Shopfloor type)
- **FQDN Format**: `{hostname}.logon.ds.ge.com`
- **Example**: `G1JJVH63ESF.logon.ds.ge.com`

## 🔧 Workflow

1. **Generate/Obtain Certificate**
   - Use `Generate-WildcardCert.ps1` for testing
   - Or obtain from CA for production

2. **Setup Target PCs**
   - Copy certificate PFX to each PC
   - Run `Setup-WinRM-HTTPS.ps1`
   - Verify with `Test-WSMan`

3. **Configure Management Server**
   - Install root CA certificate (if self-signed)
   - Prepare hostname list
   - Test connections

4. **Run Collection**
   - Use `Invoke-RemoteAssetCollection-HTTPS.ps1`
   - Monitor logs
   - Review results

## 📖 Documentation

See [WINRM_HTTPS_DEPLOYMENT_GUIDE.md](./WINRM_HTTPS_DEPLOYMENT_GUIDE.md) for:

- Detailed deployment procedures
- Troubleshooting guide
- Security best practices
- Certificate management
- Production deployment steps

## 🐛 Troubleshooting

### Common Issues

**Certificate not found**

```powershell
# Verify certificate is installed
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*logon.ds.ge.com*"}
```

**Connection fails**

```powershell
# Test DNS resolution
Resolve-DnsName "hostname.logon.ds.ge.com"

# Test port connectivity
Test-NetConnection -ComputerName "hostname.logon.ds.ge.com" -Port 5986

# Test WinRM
Test-WSMan -ComputerName "hostname.logon.ds.ge.com" -UseSSL -Port 5986
```

**Firewall blocking**

```powershell
# Check firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"

# Create if missing
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
    -Name "WinRM HTTPS-In" -Profile Any -LocalPort 5986 `
    -Protocol TCP -Direction Inbound -Action Allow
```

## 📞 Support

For detailed help:

1. Check [WINRM_HTTPS_DEPLOYMENT_GUIDE.md](./WINRM_HTTPS_DEPLOYMENT_GUIDE.md)
2. Review PowerShell script help: `Get-Help .\Setup-WinRM-HTTPS.ps1 -Full`
3. Check logs in `.\logs\` directory
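
To complement the "Verify with `Test-WSMan`" workflow step and the "Certificate not found" check above, this added example (not one of this folder's scripts) audits the certificate actually bound to the local WinRM HTTPS listener on a target PC. The function name `Test-WinRMHttpsListenerCert` and the 30-day expiry threshold are assumptions; the domain default is the one used in this README, and the WinRM service must be running.

```powershell
# Added example (not one of this folder's scripts). Run as Administrator on the target PC.
# Function name and the 30-day expiry threshold are assumptions for illustration.
function Test-WinRMHttpsListenerCert {
    param(
        [string]$Domain = 'logon.ds.ge.com',            # domain used throughout this README
        [string]$Fqdn   = "$env:COMPUTERNAME.$Domain"   # {hostname}.logon.ds.ge.com
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Find the HTTPS listener and the thumbprint it is bound to
    $listener = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
        Where-Object { $_.Transport -eq 'HTTPS' } | Select-Object -First 1
    $cert = $null
    if (-not $listener) {
        $findings.Add('No WinRM HTTPS listener is configured')
    } else {
        $thumb = ($listener.CertificateThumbprint -replace '\s', '').ToUpper()
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
        if (-not $cert) { $findings.Add("Listener thumbprint $thumb not found in LocalMachine\My") }
    }

    if ($cert) {
        $now = Get-Date
        if (-not $cert.HasPrivateKey) { $findings.Add('Certificate has no private key') }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings.Add("Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))")
        } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
            $findings.Add("Expires within 30 days ($($cert.NotAfter))")
        }
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
            $findings.Add('Server Authentication EKU (1.3.6.1.5.5.7.3.1) not listed')
        }
        # A wildcard name covers exactly one label: *.logon.ds.ge.com matches
        # HOST.logon.ds.ge.com but not a.b.logon.ds.ge.com.
        $parent  = ($Fqdn -split '\.', 2)[1]
        $covered = $cert.DnsNameList.Unicode | Where-Object {
            $_ -and ($_ -eq $Fqdn -or ($_.StartsWith('*.') -and $_.Substring(2) -eq $parent))
        }
        if (-not $covered) { $findings.Add("No certificate DNS name covers $Fqdn") }
        if ($cert.Subject -eq $cert.Issuer) {
            $findings.Add('Self-signed certificate: testing only (see Security Notes)')
        }
    }
    [pscustomobject]@{ Fqdn = $Fqdn; Ok = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

Test-WinRMHttpsListenerCert | Format-List
```

An empty `Findings` list means the listener's certificate is present, valid, and covers the PC's FQDN, so the management server can connect without `-SkipCertificateCheck` once it trusts the issuing CA.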