================================================================================
SINGLE PC TEST - QUICK START
================================================================================

Test the entire certificate deployment on ONE PC before deploying to all 175.

Test PC: G9KN7PZ3ESF

================================================================================
STEP 1: CREATE CA (ONE TIME - 5 MINUTES)
================================================================================

On YOUR computer (H2PRFM94):

    PS> cd C:\path\to\winrm-ca-scripts
    PS> .\Create-CA-Simple.ps1

    Enter password: ShopfloorCA2025!

Output:
    ✓ Shopfloor-WinRM-CA-20251017.pfx
    ✓ Shopfloor-WinRM-CA-20251017.cer

================================================================================
STEP 2: INSTALL CA ON YOUR COMPUTER (2 MINUTES)
================================================================================

Still on YOUR computer:

    PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
            -CertStoreLocation Cert:\LocalMachine\Root

Result:
    ✓ Your computer now trusts all certificates signed by this CA

================================================================================
STEP 3: SIGN CERTIFICATE FOR TEST PC (2 MINUTES)
================================================================================

Option A: Sign just ONE certificate
────────────────────────────────────────────────────────────────

Create a test file with just one hostname:

    PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"
    PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"

    Enter CA password: ShopfloorCA2025!
    Enter PC cert password: PCCert2025!

Output:
    ✓ pc-certificates\batch-TIMESTAMP\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx

Option B: Sign ALL 175, but only deploy one
────────────────────────────────────────────────────────────────

    PS> .\Sign-BulkCertificates.ps1

    Enter CA password: ShopfloorCA2025!
    Enter PC cert password: PCCert2025!

Output:
    ✓ pc-certificates\batch-TIMESTAMP\ (175 certificates)

You'll only deploy one for testing

================================================================================
STEP 4: DEPLOY TO TEST PC (5 MINUTES)
================================================================================

Method 1: Network Share Deployment (Recommended)
────────────────────────────────────────────────────────────────

A. Copy to network share:

    PS> Copy-Item "pc-certificates\batch-*" `
            -Destination "S:\dt\adata\script\deploy\pc-certificates\" `
            -Recurse

    PS> Copy-Item "Deploy-PCCertificate.ps1" `
            -Destination "S:\dt\adata\script\deploy\"

    PS> Copy-Item "Deploy-PCCertificate.bat" `
            -Destination "S:\dt\adata\script\deploy\"

B. On the test PC (G9KN7PZ3ESF):

    1. Navigate to: S:\dt\adata\script\deploy\
    2. Right-click: Deploy-PCCertificate.bat
    3. Select: "Run as Administrator"
    4. Enter password: PCCert2025!
    5. Wait for SUCCESS message

Result:
    ✓ Certificate automatically found and imported
    ✓ WinRM HTTPS configured
    ✓ Firewall rule created
    ✓ Log saved to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt

Method 2: Manual Deployment (If network share not ready)
────────────────────────────────────────────────────────────────

A. Copy certificate to PC:

    PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
            -Destination "\\G9KN7PZ3ESF\C$\Temp\"

    PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
            -Destination "\\G9KN7PZ3ESF\C$\Temp\"

B. On the PC (G9KN7PZ3ESF), as Administrator:

    PS> cd C:\Temp

    # Import certificate
    PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
    PS> $cert = Import-PfxCertificate `
            -FilePath "G9KN7PZ3ESF-*.pfx" `
            -CertStoreLocation Cert:\LocalMachine\My `
            -Password $certPass

    # Configure WinRM
    PS> .\Setup-WinRM-HTTPS.ps1 `
            -CertificateThumbprint $cert.Thumbprint `
            -Domain "logon.ds.ge.com"

Result:
    ✓ Certificate imported
    ✓ WinRM HTTPS listener created
    ✓ Firewall configured

================================================================================
STEP 5: VERIFY ON THE PC (2 MINUTES)
================================================================================

On the test PC (G9KN7PZ3ESF):

    # Check certificate
    PS> Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "*G9KN7PZ3ESF*" } |
            Format-List Subject, Issuer, Thumbprint

    Expected:
        Subject    : CN=g9kn7pz3esf.logon.ds.ge.com
        Issuer     : CN=Shopfloor WinRM CA
        Thumbprint : (long string)

    # Check WinRM service
    PS> Get-Service WinRM

    Expected:
        Status   Name    DisplayName
        ------   ----    -----------
        Running  WinRM   Windows Remote Management (WS-Manag...

    # Check listener
    PS> winrm enumerate winrm/config/listener

    Expected:
        Listener
            Address = *
            Transport = HTTPS
            Port = 5986
            Hostname = g9kn7pz3esf.logon.ds.ge.com
            ...

    # Check port
    PS> netstat -an | findstr :5986

    Expected:
        TCP    0.0.0.0:5986    0.0.0.0:0    LISTENING

✓ All checks passed!

================================================================================
STEP 6: TEST CONNECTION FROM YOUR COMPUTER (3 MINUTES)
================================================================================

Back on YOUR computer (H2PRFM94):

A. Test basic connectivity
─────────────────────────────────────────────────────────────

    PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

    Expected Output:
        wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
        ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
        ProductVendor   : Microsoft Corporation
        ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

    ✅ SUCCESS = WinRM is working with HTTPS!

B. Test interactive session
─────────────────────────────────────────────────────────────

    PS> $cred = Get-Credential
    # Enter your domain credentials

    PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
            -Credential $cred -UseSSL -Port 5986

    Expected:
        [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

    ✅ SUCCESS = You're connected!

    Try commands:
        [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
        G9KN7PZ3ESF

        [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
        Running  WinRM  Windows Remote Management

        [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession

C. Test remote command execution
─────────────────────────────────────────────────────────────

    PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
            -Credential $cred -UseSSL -Port 5986 `
            -ScriptBlock { Get-ComputerInfo | Select-Object CsName, WindowsVersion }

    Expected:
        CsName       WindowsVersion
        ------       --------------
        G9KN7PZ3ESF  2009

    ✅ SUCCESS = Remote commands work!

================================================================================
KEY OBSERVATIONS
================================================================================

Notice what you DON'T need:
    ❌ No -SessionOption parameter
    ❌ No -SkipCNCheck
    ❌ No -SkipCACheck
    ❌ No -SkipRevocationCheck
    ❌ No certificate bypass tricks

This is CLEAN and SECURE because:
    ✓ Your computer trusts the CA
    ✓ PC certificate is signed by trusted CA
    ✓ Certificate CN matches hostname
    ✓ Full certificate chain validation works

================================================================================
TROUBLESHOOTING
================================================================================

If Test-WSMan fails:
────────────────────────────────────────────────────────────────

    1. Copy Test-RemotePC-Debug.bat to the PC
    2. Run it as Administrator on the PC
    3. Review output to identify the issue

    Common issues:
    - Port 5986 not listening → Re-run Setup-WinRM-HTTPS.ps1
    - Certificate not found → Re-import certificate
    - Firewall blocking → Check firewall rule
    - DNS not resolving → Use IP address for testing

If connection works but certificate errors appear:
────────────────────────────────────────────────────────────────

    Check if CA is installed on YOUR computer:

    PS> Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -like "*Shopfloor*" }

    If not found:

    PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
            -CertStoreLocation Cert:\LocalMachine\Root

================================================================================
SUCCESS CRITERIA
================================================================================

The test is successful when:
    ✓ Test-WSMan works without errors
    ✓ Enter-PSSession connects without -SessionOption
    ✓ No certificate warnings
    ✓ Remote commands execute successfully
    ✓ Connection is clean and secure

================================================================================
AFTER SUCCESSFUL TEST
================================================================================

Once ONE PC works perfectly:

    1. Test 3-5 more PCs using same process
    2. If all tests pass, proceed to full deployment
    3. Deploy to remaining 170 PCs in batches
    4. Use COMPLETE-WORKFLOW.txt for full deployment guide

================================================================================
TIME ESTIMATE
================================================================================

Total time to test ONE PC:

    - Create CA: 5 minutes (one time)
    - Install CA on your computer: 2 minutes (one time)
    - Sign certificate for test PC: 2 minutes
    - Deploy to PC: 5 minutes
    - Verify configuration: 2 minutes
    - Test connection: 3 minutes
    ─────────────────────────────────
    Total: ~20 minutes for first PC

Subsequent PCs: ~4 minutes each (CA already created)

================================================================================
SUMMARY
================================================================================

Single PC Test Process:

    1. Create CA (one time)
    2. Install CA on your computer (one time)
    3. Sign certificate for G9KN7PZ3ESF
    4. Deploy certificate to G9KN7PZ3ESF
    5. Test connection from your computer
    6. Verify clean, secure connection

If successful → Deploy to all 175 PCs
If issues → Debug on test PC before continuing

================================================================================
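
The trust conditions listed under KEY OBSERVATIONS (CA trusted, chain valid, certificate name matches hostname) can be checked one by one from YOUR computer, which helps with the "connection works but certificate errors appear" case. This is an added example, not one of the deployment scripts; Test-WinRMCertificate is a hypothetical helper name, and the script assumes PowerShell 5 or later and only reads the certificate presented on port 5986.

```powershell
# Added example: read-only check of the certificate a WinRM HTTPS listener presents.
# Test-WinRMCertificate is a hypothetical helper, not part of the deployment scripts.
function Test-WinRMCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # FQDN, as passed to Test-WSMan
        [int]$Port = 5986
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept the certificate during the handshake only so it can be read.
        # It is validated explicitly below; no credentials or WinRM traffic are sent.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }

    # Chain check: builds the chain against this computer's certificate stores,
    # so it fails with UntrustedRoot if the CA from Step 2 is not installed.
    $chain    = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Name check: exact, case-insensitive comparison with the certificate's DNS name
    # (SAN if present, otherwise CN). Wildcard certificates are not handled here.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $certName = $cert.GetNameInfo($nameType, $false)

    [pscustomobject]@{
        Target        = $ComputerName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        NameMatches   = ($certName -ieq $ComputerName)
        ChainTrusted  = $chainOk
        ChainProblems = ($problems -join ', ')
    }
}

Test-WinRMCertificate -ComputerName g9kn7pz3esf.logon.ds.ge.com
```

ChainTrusted = False with UntrustedRoot in ChainProblems points back to Step 2 (CA not in Cert:\LocalMachine\Root on the connecting computer). NameMatches = False means the name used to connect differs from the name in the certificate, which is the situation -SkipCNCheck would otherwise hide.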