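#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Fixes WinRM HTTPS firewall rule to allow specific subnet(s)
.DESCRIPTION
    Updates the existing "WinRM HTTPS-In" firewall rule to allow connections
    from specified subnet(s). Use this to fix PCs that were deployed before
    subnet restrictions were configured.

    The rule is looked up by display name only; if more than one rule carries
    the name "WinRM HTTPS-In", all of them are updated. After the update the
    RemoteAddress filter is read back and compared with what was requested;
    the script exits with status 1 if a requested entry is missing.
.PARAMETER AllowedSubnets
    Comma-separated list of allowed remote subnets in CIDR notation
    Default: "10.48.130.0/23" (management subnet)
    Use "Any" to allow all subnets
    Empty entries (e.g. a trailing comma) are ignored; a list that contains
    no usable entry is rejected.
.EXAMPLE
    .\Fix-FirewallSubnet.ps1
    Uses default subnet (10.48.130.0/23)
.EXAMPLE
    .\Fix-FirewallSubnet.ps1 -AllowedSubnets "10.48.130.0/23,10.134.48.0/24"
    Allows multiple subnets
.EXAMPLE
    .\Fix-FirewallSubnet.ps1 -AllowedSubnets "Any"
    Allows all subnets
.NOTES
    Author: System Administrator
    Date: 2025-10-17
    Run this script ON THE TARGET PC as Administrator
    Exit status: 0 on success, 1 when the rule is missing, the update fails,
    or the read-back does not match the requested value(s).
#>
param(
    [ValidateNotNullOrEmpty()]
    [string]$AllowedSubnets = "10.48.130.0/23"
)

Write-Host ""
Write-Host "========================================" -ForegroundColor Cyan
Write-Host " Fix WinRM Firewall Subnet" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""

$hostname = $env:COMPUTERNAME
Write-Host "Computer: $hostname" -ForegroundColor White
Write-Host ""

# Check if firewall rule exists. This script only repairs an existing rule;
# creating one is left to the deployment script named below.
$ruleName = "WinRM HTTPS-In"
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Host "[ERROR] Firewall rule '$ruleName' not found" -ForegroundColor Red
    Write-Host "This script is for fixing existing rules only." -ForegroundColor Yellow
    Write-Host "Run Deploy-PCCertificate.bat to create the rule." -ForegroundColor Yellow
    exit 1
}
Write-Host "[OK] Found firewall rule: $ruleName" -ForegroundColor Green
Write-Host ""

# Show current configuration
Write-Host "Current Configuration:" -ForegroundColor Yellow
$currentRule = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
Write-Host " Remote Address: $($currentRule.RemoteAddress)" -ForegroundColor Gray
Write-Host ""

# Determine new remote address
if ($AllowedSubnets -eq "Any") {
    $remoteAddr = "Any"
    Write-Host "New Configuration:" -ForegroundColor Yellow
    Write-Host " Remote Access: Any (all subnets)" -ForegroundColor Gray
    # "Any" removes the source restriction entirely; make that visible in the output.
    Write-Host "[WARN] The rule will accept connections from every remote address" -ForegroundColor Yellow
} else {
    # Split comma-separated subnets, trim whitespace and drop empty entries so
    # Set-NetFirewallRule is never handed an empty string (e.g. trailing comma).
    $remoteAddr = @($AllowedSubnets -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($remoteAddr.Count -eq 0) {
        Write-Host "[ERROR] -AllowedSubnets contains no subnets" -ForegroundColor Red
        exit 1
    }
    Write-Host "New Configuration:" -ForegroundColor Yellow
    Write-Host " Remote Access: $AllowedSubnets" -ForegroundColor Gray
}
Write-Host ""

# Update the firewall rule
Write-Host "Updating firewall rule..." -ForegroundColor Yellow
try {
    # -ErrorAction Stop: Set-NetFirewallRule reports failures (e.g. a malformed
    # address) as non-terminating errors, which try/catch would otherwise not
    # see and the script would then report success.
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $remoteAddr -ErrorAction Stop
    Write-Host "[OK] Firewall rule updated successfully" -ForegroundColor Green
    Write-Host ""
} catch {
    Write-Host "[ERROR] Failed to update firewall rule: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

# Verify the change: read the filter back and make sure every requested entry
# is present rather than just echoing whatever is stored.
# NOTE(review): this assumes the firewall returns addresses in the same form
# they were supplied (CIDR as given, "Any" as "Any") — confirm on the target build.
Write-Host "Verifying changes..." -ForegroundColor Yellow
$updatedRule = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
$actual = @($updatedRule.RemoteAddress)
$missing = @($remoteAddr | Where-Object { $actual -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Host "[ERROR] Remote Address is '$($actual -join ', ')'; missing: $($missing -join ', ')" -ForegroundColor Red
    exit 1
}
Write-Host "[OK] Updated Remote Address: $($updatedRule.RemoteAddress)" -ForegroundColor Green
Write-Host ""

# Show full rule details
Write-Host "Complete Rule Configuration:" -ForegroundColor Cyan
Get-NetFirewallRule -DisplayName $ruleName | Format-List DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter | Format-List RemoteAddress, LocalAddress
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter | Format-List LocalPort, Protocol

Write-Host ""
Write-Host "========================================" -ForegroundColor Green
Write-Host " FIREWALL FIX COMPLETE" -ForegroundColor Green
Write-Host "========================================" -ForegroundColor Green
Write-Host ""
Write-Host "Test connection from management computer:" -ForegroundColor Yellow
Write-Host " Test-NetConnection $hostname.logon.ds.ge.com -Port 5986" -ForegroundColor White
Write-Host ""
Write-Host " Test-WSMan -ComputerName $hostname.logon.ds.ge.com -UseSSL -Port 5986" -ForegroundColor White
Write-Host ""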