================================================================================
DEPLOY AND TEST ONE PC - PRACTICAL GUIDE
================================================================================

This guide shows EXACTLY how to deploy to G9KN7PZ3ESF and test it.

================================================================================
PART 1: SETUP ON YOUR COMPUTER (H2PRFM94) - ONE TIME
================================================================================

Step 1: Create and Install CA
─────────────────────────────────────────────────────────────

PS> cd C:\path\to\winrm-ca-scripts
PS> .\Create-CA-Simple.ps1
    # Password: ShopfloorCA2025!

PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
        -CertStoreLocation Cert:\LocalMachine\Root

✓ Done - CA created and trusted on your computer

Step 2: Sign Certificate for Test PC
─────────────────────────────────────────────────────────────

Option A - Sign just one:

PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"
PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"
    # CA Password: ShopfloorCA2025!
    # PC Cert Password: PCCert2025!

Option B - Sign all 175:

PS> .\Sign-BulkCertificates.ps1
    # CA Password: ShopfloorCA2025!
    # PC Cert Password: PCCert2025!

✓ Certificate created:
  pc-certificates\batch-*\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx

================================================================================
PART 2: DEPLOY TO THE REMOTE PC (G9KN7PZ3ESF)
================================================================================

You have 3 deployment methods.
Choose ONE:

METHOD 1: Network Share Deployment (EASIEST - Recommended)
════════════════════════════════════════════════════════════════════════════

Step 1: Copy files to network share (on YOUR computer)
──────────────────────────────────────────────────────────────

PS> # Copy certificates
PS> Copy-Item "pc-certificates\batch-*" `
        -Destination "S:\dt\adata\script\deploy\pc-certificates\" `
        -Recurse

PS> # Copy deployment scripts
PS> Copy-Item "Deploy-PCCertificate.ps1" `
        -Destination "S:\dt\adata\script\deploy\"
PS> Copy-Item "Deploy-PCCertificate.bat" `
        -Destination "S:\dt\adata\script\deploy\"

Step 2: Run deployment on the PC (ON G9KN7PZ3ESF)
──────────────────────────────────────────────────────────────

1. Walk to PC G9KN7PZ3ESF (or RDP to it)
2. Open File Explorer
3. Navigate to: S:\dt\adata\script\deploy\
4. RIGHT-CLICK: Deploy-PCCertificate.bat
5. Select: "Run as Administrator"
6. Enter password when prompted: PCCert2025!
7. Wait for "SUCCESS" message

✓ Script automatically:
  - Finds G9KN7PZ3ESF certificate from network share
  - Imports it to Local Machine store
  - Configures WinRM HTTPS listener
  - Creates firewall rule
  - Logs to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt

METHOD 2: Copy Files Directly to PC (If network share not accessible)
════════════════════════════════════════════════════════════════════════════

Step 1: Copy files to PC (on YOUR computer)
──────────────────────────────────────────────────────────────

PS> # Copy certificate
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
        -Destination "\\G9KN7PZ3ESF\C$\Temp\"

PS> # Copy setup script
PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
        -Destination "\\G9KN7PZ3ESF\C$\Temp\"

Step 2: Run setup on the PC (ON G9KN7PZ3ESF)
──────────────────────────────────────────────────────────────

1. Walk to PC G9KN7PZ3ESF (or RDP to it)
2. Open PowerShell as Administrator
3. Run these commands:

PS> cd C:\Temp

PS> # Import certificate
PS> $certPass = ConvertTo-SecureString "PCCert2025!" `
        -AsPlainText -Force
PS> $cert = Import-PfxCertificate `
        -FilePath (Get-Item "G9KN7PZ3ESF-*.pfx").FullName `
        -CertStoreLocation Cert:\LocalMachine\My `
        -Password $certPass

PS> # Configure WinRM
PS> Set-ExecutionPolicy Bypass -Scope Process -Force
PS> .\Setup-WinRM-HTTPS.ps1 `
        -CertificateThumbprint $cert.Thumbprint `
        -Domain "logon.ds.ge.com"

✓ Done - WinRM HTTPS configured

METHOD 3: Remote Deployment via PowerShell (If WinRM HTTP already works)
════════════════════════════════════════════════════════════════════════════

Step 1: Copy certificate to PC (on YOUR computer)
──────────────────────────────────────────────────────────────

PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
        -Destination "\\G9KN7PZ3ESF\C$\Temp\"

Step 2: Import and configure remotely (on YOUR computer)
──────────────────────────────────────────────────────────────

PS> $cred = Get-Credential
    # Enter your domain credentials

PS> Invoke-Command -ComputerName G9KN7PZ3ESF -Credential $cred -ScriptBlock {
        # Import certificate
        $certPass = ConvertTo-SecureString "PCCert2025!" `
            -AsPlainText -Force
        $certFile = Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx"
        $cert = Import-PfxCertificate `
            -FilePath $certFile.FullName `
            -CertStoreLocation Cert:\LocalMachine\My `
            -Password $certPass

        # Get hostname and FQDN
        $hostname = $env:COMPUTERNAME
        $fqdn = "$hostname.logon.ds.ge.com".ToLower()

        # Enable WinRM
        Enable-PSRemoting -Force -SkipNetworkProfileCheck
        Set-Service WinRM -StartupType Automatic
        Start-Service WinRM

        # Remove old HTTPS listener
        winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>$null

        # Create HTTPS listener
        $winrmCmd = "create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$fqdn`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
        cmd.exe /c "winrm $winrmCmd"

        # Create firewall rule
        New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
            -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -Force

        Write-Host "WinRM HTTPS configured on $hostname" -ForegroundColor Green
    }

✓ Done - Configured remotely

================================================================================
PART 3: VERIFY DEPLOYMENT ON THE PC (ON G9KN7PZ3ESF)
================================================================================

Option A: Quick Check (on the PC)
─────────────────────────────────────────────────────────────

PS> winrm enumerate winrm/config/listener

Look for:
  Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = g9kn7pz3esf.logon.ds.ge.com
    CertificateThumbprint = (long string)

✓ If you see HTTPS listener on port 5986 → Success!

Option B: Full Verification (on the PC)
─────────────────────────────────────────────────────────────

1. Copy Test-RemotePC-Debug.bat to C:\Temp on the PC
2. Copy Test-RemotePC-Debug.ps1 to C:\Temp on the PC
3. Right-click Test-RemotePC-Debug.bat → "Run as Administrator"
4. Review the output

Check for:
  ✓ WinRM Service: Running
  ✓ HTTPS Listener on port 5986
  ✓ Port 5986 LISTENING
  ✓ Certificate in LocalMachine\My
  ✓ Firewall rule enabled

================================================================================
PART 4: TEST CONNECTION FROM YOUR COMPUTER (H2PRFM94)
================================================================================

Now test that YOU can connect to G9KN7PZ3ESF remotely.

Test 1: Basic WinRM Connectivity
─────────────────────────────────────────────────────────────

PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

EXPECTED OUTPUT (Success):
┌────────────────────────────────────────────────────────┐
│ wsmid           : http://schemas.dmtf.org/wbem/...     │
│ ProtocolVersion : http://schemas.dmtf.org/wbem/...     │
│ ProductVendor   : Microsoft Corporation                │
│ ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0         │
└────────────────────────────────────────────────────────┘

✅ SUCCESS = WinRM HTTPS is working!

POSSIBLE ERROR (Failure):
┌────────────────────────────────────────────────────────┐
│ Test-WSMan : The server certificate on the destination │
│ computer has the following errors:                     │
│ The SSL certificate is signed by an unknown CA.        │
└────────────────────────────────────────────────────────┘

FIX:
PS> # Install CA on your computer
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
        -CertStoreLocation Cert:\LocalMachine\Root

Test 2: Interactive Remote Session
─────────────────────────────────────────────────────────────

PS> $cred = Get-Credential
    # Enter your domain credentials (e.g., DOMAIN\username)

PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986

EXPECTED OUTPUT (Success):
┌────────────────────────────────────────────────────────┐
│ [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>                 │
└────────────────────────────────────────────────────────┘

✅ You're now connected to the remote PC!
Try these commands:

[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
G9KN7PZ3ESF

[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM | Select-Object Status, Name
Running WinRM

[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> $env:COMPUTERNAME
G9KN7PZ3ESF

[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession

Test 3: Remote Command Execution
─────────────────────────────────────────────────────────────

PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986 `
        -ScriptBlock {
            [PSCustomObject]@{
                Hostname    = $env:COMPUTERNAME
                WinRMStatus = (Get-Service WinRM).Status
                Uptime      = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
            }
        }

EXPECTED OUTPUT:
┌────────────────────────────────────────────────────────┐
│ Hostname    WinRMStatus Uptime                         │
│ --------    ----------- ------                         │
│ G9KN7PZ3ESF Running     23:15:42.1234567               │
└────────────────────────────────────────────────────────┘

✅ Remote commands work!

Test 4: No Certificate Bypass Needed
─────────────────────────────────────────────────────────────

NOTICE: You did NOT need to use:
  ❌ -SessionOption (no bypass needed!)
  ❌ -SkipCNCheck
  ❌ -SkipCACheck
  ❌ -SkipRevocationCheck

This is a CLEAN, SECURE connection because:
  ✓ Your computer trusts the CA
  ✓ Certificate is properly signed
  ✓ Certificate CN matches hostname
  ✓ Full SSL/TLS validation works

================================================================================
TROUBLESHOOTING
================================================================================

Problem: Test-WSMan fails with "cannot connect"
Solution:
  1. Check PC is on network: ping g9kn7pz3esf.logon.ds.ge.com
  2. Check port reachable: Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
  3. On PC, verify listener: winrm enumerate winrm/config/listener
  4. On PC, verify port: netstat -an | findstr :5986

Problem: Test-WSMan fails with "SSL certificate signed by unknown CA"
Solution:
  Install CA on YOUR computer:
  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
          -CertStoreLocation Cert:\LocalMachine\Root

Problem: Enter-PSSession fails with "Access Denied"
Solution:
  1. Verify credentials are correct
  2. Verify user has admin rights on remote PC
  3. Check WinRM permissions: winrm get winrm/config/service

Problem: Port 5986 not listening on PC
Solution:
  1. On PC: Get-Service WinRM (should be Running)
  2. On PC: winrm enumerate winrm/config/listener (check for HTTPS)
  3. Re-run Setup-WinRM-HTTPS.ps1 on the PC

Problem: Certificate not found during deployment
Solution:
  1. Verify certificate exists in network share or C:\Temp
  2. Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
  3. Verify hostname matches: $env:COMPUTERNAME on the PC

================================================================================
SUCCESS CHECKLIST
================================================================================

✓ CA created and installed on your computer
✓ Certificate signed for G9KN7PZ3ESF
✓ Certificate deployed to G9KN7PZ3ESF
✓ WinRM HTTPS configured on G9KN7PZ3ESF
✓ Test-WSMan succeeds from your computer
✓ Enter-PSSession connects successfully
✓ No certificate bypasses needed
✓ Remote commands execute properly

When ALL checks pass → Ready to deploy to remaining PCs!

================================================================================
NEXT STEPS
================================================================================

After successful test on G9KN7PZ3ESF:
  1. Test 3-5 more PCs to confirm process
  2. If all work, proceed to batch deployment
  3. Use same method for all 175 PCs
  4. Track progress in spreadsheet

See: COMPLETE-WORKFLOW.txt for full deployment strategy

================================================================================
SUMMARY - DEPLOYMENT METHODS
================================================================================

Method 1: Network Share (Recommended)
  → Copy certs + scripts to S:\dt\adata\script\deploy\
  → On each PC: Run Deploy-PCCertificate.bat
  → Automatic deployment with logging

Method 2: Direct Copy
  → Copy cert + script to PC via \\HOSTNAME\C$\Temp\
  → On PC: Run Setup-WinRM-HTTPS.ps1 manually
  → Manual but reliable

Method 3: Remote PowerShell
  → Copy cert, deploy via Invoke-Command
  → Requires existing WinRM HTTP access
  → Fastest for bulk deployment

Choose based on your environment and access methods.

================================================================================
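
Added example for the PART 3 verification and PART 4 Test 4 above; it is not one of the guide's scripts. Run on H2PRFM94 after PART 1, it pulls the certificate served on G9KN7PZ3ESF:5986 and checks the two properties that make -SkipCACheck and -SkipCNCheck unnecessary: the chain builds to a root in LocalMachine\Root and the certificate names the FQDN. The function name Test-WinRMListenerCert and the RevocationMode setting (no CRL published by the Shopfloor CA) are assumptions.

```powershell
# Added example, not one of the guide's scripts. Fetches the TLS certificate on port 5986
# and checks what the guide relies on: a chain to a trusted root and a DNS name matching the FQDN.
function Test-WinRMListenerCert {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 5986
    )
    # Callback accepts anything only so the cert can be inspected; the verdict comes from X509Chain below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
    # Chain build against this machine's trusted roots (what -SkipCACheck would have bypassed).
    # Assumption: the Shopfloor CA publishes no CRL, so revocation is not checked; use 'Online' if yours does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $errors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    # Hostname check (what -SkipCNCheck would have bypassed): SAN dNSName entries first, CN as fallback.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = [regex]::Matches($san.Format($true), 'DNS Name=([^\r\n,]+)') |
                 ForEach-Object { $_.Groups[1].Value.Trim().ToLower() }
    }
    if (-not $names) {
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false).ToLower())
    }
    $nameOk = $names -contains $Fqdn.ToLower()
    [PSCustomObject]@{
        Fqdn            = $Fqdn
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        RootSubject     = $root.Subject
        ChainTrusted    = $chainOk
        ChainErrors     = $errors
        HostnameMatches = $nameOk
        NoBypassNeeded  = ($chainOk -and $nameOk -and $cert.NotAfter -gt (Get-Date))
    }
}
Test-WinRMListenerCert -Fqdn 'g9kn7pz3esf.logon.ds.ge.com'
```

If NoBypassNeeded is False, ChainErrors tells you which side failed: UntrustedRoot means the CA .cer is not in LocalMachine\Root on your computer, while HostnameMatches False means the signed certificate does not carry the FQDN the listener was created with.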