================================================================================
COMPLETE WORKFLOW - START TO FINISH
================================================================================

Visual guide showing the entire process from CA creation to remote access.

================================================================================
PHASE 1: SETUP (ONE TIME - 15 MINUTES)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 1: Create Certificate Authority                            │
│ On YOUR computer (H2PRFM94)                                     │
└─────────────────────────────────────────────────────────────────┘

Command:
  PS> .\Create-CA-Simple.ps1

Input:
  - CA Password: ShopfloorCA2025!

Output:
  ✓ Shopfloor-WinRM-CA-20251017.pfx  (CA private key - KEEP SECURE!)
  ✓ Shopfloor-WinRM-CA-20251017.cer  (CA public certificate)
  ✓ CA-INFO-20251017.txt

                                ↓ ↓ ↓

┌─────────────────────────────────────────────────────────────────┐
│ STEP 2: Install CA on YOUR Computer                             │
│ On YOUR computer (H2PRFM94)                                     │
└─────────────────────────────────────────────────────────────────┘

Command:
  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
        -CertStoreLocation Cert:\LocalMachine\Root

Result:
  ✓ YOUR computer now trusts ALL certificates signed by this CA!
  ✓ No more -SessionOption needed for connections!

                                ↓ ↓ ↓

┌─────────────────────────────────────────────────────────────────┐
│ STEP 3: Sign All 175 PC Certificates                            │
│ On YOUR computer (H2PRFM94)                                     │
└─────────────────────────────────────────────────────────────────┘

Command:
  PS> .\Sign-BulkCertificates.ps1

Input:
  - CA Password: ShopfloorCA2025!
  - PC Certificate Password: PCCert2025!

Process:
  → Reads: shopfloor-hostnames.txt (175 hostnames)
  → Signs: 175 individual certificates
  → Each PC gets a unique certificate with its own hostname

Output:
  ✓ pc-certificates/batch-20251017-123456/
      - G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
      - G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
      - G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
      - ... (175 total PFX files)
      - certificate-list.csv
      - SUMMARY.txt

================================================================================
PHASE 2: TEST DEPLOYMENT (ONE PC - 10 MINUTES)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 4: Deploy to Test PC (G9KN7PZ3ESF)                         │
└─────────────────────────────────────────────────────────────────┘

A. Copy Certificate to PC
─────────────────────────────────────────────────────────────
On YOUR computer:
  PS> cd pc-certificates\batch-*
  PS> Copy-Item "G9KN7PZ3ESF-*.pfx" -Destination "\\G9KN7PZ3ESF\C$\Temp\"

Result:
  ✓ Certificate file on PC: C:\Temp\G9KN7PZ3ESF-*.pfx

B. Import Certificate on PC
─────────────────────────────────────────────────────────────
ON THE PC (G9KN7PZ3ESF), as Administrator:
  PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
  PS> $cert = Import-PfxCertificate `
          -FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx" `
          -CertStoreLocation Cert:\LocalMachine\My `
          -Password $certPass

Result:
  ✓ Certificate installed in: Cert:\LocalMachine\My
  ✓ Subject: CN=g9kn7pz3esf.logon.ds.ge.com
  ✓ Issuer: CN=Shopfloor WinRM CA

C. Configure WinRM HTTPS on PC
─────────────────────────────────────────────────────────────
Still ON THE PC (G9KN7PZ3ESF):
  PS> .\Setup-WinRM-HTTPS.ps1 `
          -CertificateThumbprint $cert.Thumbprint `
          -Domain "logon.ds.ge.com"

Result:
  ✓ WinRM service running
  ✓ HTTPS listener created on port 5986
  ✓ Firewall rule enabled
  ✓ Hostname: g9kn7pz3esf.logon.ds.ge.com

D. Verify on PC
─────────────────────────────────────────────────────────────
Still ON THE PC (G9KN7PZ3ESF):
  PS> Get-Service WinRM
      # Status: Running
  PS> winrm enumerate winrm/config/listener
      # Shows HTTPS listener on port 5986
  PS> netstat -an | findstr :5986
      # Shows: 0.0.0.0:5986 LISTENING

  ✓ All checks passed!

                                ↓ ↓ ↓

┌─────────────────────────────────────────────────────────────────┐
│ STEP 5: Test Connection from YOUR Computer                      │
│ On YOUR computer (H2PRFM94)                                     │
└─────────────────────────────────────────────────────────────────┘

A. Test Basic Connectivity
─────────────────────────────────────────────────────────────
  PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

Expected Output:
  wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
  ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
  ProductVendor   : Microsoft Corporation
  ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

  ✓ SUCCESS! No certificate errors!

B. Test Interactive Session
─────────────────────────────────────────────────────────────
  PS> $cred = Get-Credential
  PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
          -Credential $cred -UseSSL -Port 5986

Expected Output:
  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

  ✓ CONNECTED! Clean and secure!
  ✓ No -SessionOption needed!
  ✓ No certificate warnings!

Try commands:
  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
  G9KN7PZ3ESF

  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
  Status   Name     DisplayName
  ------   ----     -----------
  Running  WinRM    Windows Remote Management (WS-Manag...

  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession

🎉 TEST PC DEPLOYMENT SUCCESSFUL! 🎉

================================================================================
PHASE 3: EXPANDED TESTING (3-5 PCs - 30 MINUTES)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 6: Deploy to Additional Test PCs                           │
└─────────────────────────────────────────────────────────────────┘

Repeat STEP 4 for these PCs:
  - G1JJVH63ESF
  - G1JJXH63ESF
  - G1JKYH63ESF
  - G1JMYH63ESF

For each PC:
  1. Copy certificate
  2. Import certificate
  3. Configure WinRM
  4. Verify
  5. Test connection

Result:
  ✓ 5 PCs successfully deployed and tested
  ✓ All connections working
  ✓ Ready for full deployment

================================================================================
PHASE 4: FULL DEPLOYMENT (170 REMAINING PCs)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 7: Deploy to All Remaining PCs                             │
└─────────────────────────────────────────────────────────────────┘

Strategy: Deploy in batches of 10-20 PCs

  Batch 1:  PCs 6-15
  Batch 2:  PCs 16-25
  Batch 3:  PCs 26-35
  ... continue ...
  Batch 17: PCs 166-175

For each batch:
  1. Deploy certificates
  2. Configure WinRM
  3. Test connections
  4. Document results
  5. Move to next batch

OR use the automated deployment script (see AFTER-BULK-SIGNING.txt)

================================================================================
PHASE 5: VERIFICATION (ALL 175 PCs)
================================================================================

┌─────────────────────────────────────────────────────────────────┐
│ STEP 8: Verify All Deployments                                  │
│ On YOUR computer (H2PRFM94)                                     │
└─────────────────────────────────────────────────────────────────┘

Test all 175 PCs at once:

  PS> $pcs = Get-Content "shopfloor-hostnames.txt"
  PS> $cred = Get-Credential
  PS> $results = foreach ($pc in $pcs) {
          $fqdn = "$pc.logon.ds.ge.com"
          Write-Host "Testing $pc..." -NoNewline
          try {
              # Discard the Test-WSMan output object so only the status
              # records below end up in $results (and in the CSV).
              $null = Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop
              Write-Host " OK" -ForegroundColor Green
              [PSCustomObject]@{PC=$pc; Status="Success"}
          } catch {
              Write-Host " FAILED" -ForegroundColor Red
              [PSCustomObject]@{PC=$pc; Status="Failed"}
          }
      }
  PS> $results | Export-Csv "deployment-results.csv" -NoTypeInformation
  PS> $successCount = ($results | Where-Object {$_.Status -eq "Success"}).Count
  PS> Write-Host "$successCount / 175 PCs deployed successfully" -ForegroundColor Green

Result:
  ✓ All PCs verified
  ✓ Results documented
  ✓ Any failures identified for remediation

================================================================================
FINAL RESULT - WHAT YOU CAN DO NOW
================================================================================

Connect to ANY shopfloor PC:
─────────────────────────────────────────────────────────────
  $cred = Get-Credential
  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986

Run commands on multiple PCs:
─────────────────────────────────────────────────────────────
  $computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")
  Invoke-Command -ComputerName ($computers | ForEach-Object {"$_.logon.ds.ge.com"}) `
      -Credential $cred -UseSSL -Port 5986 `
      -ScriptBlock { hostname }

Collect data from all 175 PCs:
─────────────────────────────────────────────────────────────
  $allPCs = Get-Content "shopfloor-hostnames.txt" | ForEach-Object {"$_.logon.ds.ge.com"}
  $data = Invoke-Command -ComputerName $allPCs -Credential $cred `
      -UseSSL -Port 5986 -ScriptBlock {
          [PSCustomObject]@{
              PC           = $env:COMPUTERNAME
              Uptime       = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
              FreeMemoryGB = [math]::Round((Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory/1MB,2)
              Services     = (Get-Service | Where-Object {$_.Status -eq 'Running'}).Count
          }
      }
  $data | Export-Csv "shopfloor-inventory.csv" -NoTypeInformation
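Test-WSMan in STEP 8 only proves a listener answers; it does not tell you which certificate the listener is actually serving. The audit below is an added example (not one of the page's own scripts) for running on H2PRFM94 after STEP 2: it performs a TLS handshake to each PC's port 5986, then checks that the presented certificate's DNS name matches the FQDN, that the issuer is the "CN=Shopfloor WinRM CA" string shown in STEP 4B, and that it chains to the CA installed in Cert:\LocalMachine\Root. The function name and the output file name are assumptions; hostnames come from the page's shopfloor-hostnames.txt.

```powershell
function Test-WinRMListenerCert {
    # Hypothetical helper (added example). Reports what the HTTPS listener presents.
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 5986,
        [string]$ExpectedIssuer = 'CN=Shopfloor WinRM CA'   # issuer shown in STEP 4B
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Fqdn, $Port)
        # Accept whatever is presented so the handshake completes; trust is
        # decided below with X509Chain against the local Root store, not here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA publishes no CRL
        $trusted = $chain.Build($cert)
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [PSCustomObject]@{
            PC           = $Fqdn
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            NameMatches  = ($dnsName -ieq $Fqdn)            # cert issued for this host
            IssuerOk     = ($cert.Issuer -eq $ExpectedIssuer)
            ChainTrusted = $trusted                          # chains to the CA from STEP 2
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } catch {
        # Connection refused, handshake failure, DNS failure: record the reason and move on.
        [PSCustomObject]@{ PC = $Fqdn; Subject = $null; Issuer = $null; NotAfter = $null
                           Thumbprint = $null; NameMatches = $false; IssuerOk = $false
                           ChainTrusted = $false; ChainStatus = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Audit every PC in the list; flag the ones still serving a wrong or untrusted certificate.
$report = Get-Content "shopfloor-hostnames.txt" |
    ForEach-Object { Test-WinRMListenerCert -Fqdn "$_.logon.ds.ge.com" }
$report | Export-Csv "listener-cert-audit.csv" -NoTypeInformation
$report | Where-Object { -not ($_.NameMatches -and $_.IssuerOk -and $_.ChainTrusted) } |
    Format-Table PC, Subject, Issuer, NotAfter, ChainStatus -AutoSize
```

A PC that passes Test-WSMan but shows NameMatches or IssuerOk as False is usually one whose listener still points at an old self-signed thumbprint; rerun STEP 4C there with the signed certificate's thumbprint. No credentials are sent, so this can run before the Get-Credential step.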
================================================================================
TIME INVESTMENT SUMMARY
================================================================================

Initial Setup (One Time):
  - Create CA:                      5 minutes
  - Install CA on your computer:    2 minutes
  - Sign 175 certificates:          5 minutes
  - Total:                          ~12 minutes

Per PC Deployment:
  - Copy certificate:               1 minute
  - Import and configure:           2 minutes
  - Test:                           1 minute
  - Total per PC:                   ~4 minutes

Full Deployment:
  - Test PC:                        4 minutes
  - 4 additional test PCs:          16 minutes
  - 170 remaining PCs (automated):  2-3 hours
  - Total:                          ~3-4 hours for all 175 PCs

ONGOING USE:
  - Connect to any PC: 5 seconds
  - No certificate warnings ever again!
  - Clean, secure, professional

================================================================================
WORKFLOW COMPLETE!
================================================================================

You now have:
  ✓ Certificate Authority created and installed
  ✓ 175 individual PC certificates signed
  ✓ All PCs configured for WinRM HTTPS
  ✓ Clean, secure remote access to all shopfloor PCs
  ✓ No certificate bypasses or warnings
  ✓ Enterprise-grade security

Next: Start managing your shopfloor PCs remotely! 🚀

================================================================================