cproudlock 96cb1dd946 Remove all emojis from markdown documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 11:03:45 -05:00


# WinRM HTTPS Configuration
This folder contains scripts and documentation for setting up secure WinRM over HTTPS using a wildcard certificate for the `*.logon.ds.ge.com` domain.
## 📁 Files
### Setup Scripts
| File | Description |
|------|-------------|
| **Generate-WildcardCert.ps1** | Generates a self-signed wildcard certificate for `*.logon.ds.ge.com` |
| **Setup-WinRM-HTTPS.ps1** | Configures WinRM HTTPS on a target computer |
| **Test-WinRM-HTTPS-Setup.ps1** | Automated test workflow for single-device setup |
### Collection Scripts
| File | Description |
|------|-------------|
| **Invoke-RemoteAssetCollection-HTTPS.ps1** | Executes remote asset collection via WinRM HTTPS |
### Data Files
| File | Description |
|------|-------------|
| **shopfloor-hostnames.txt** | Live list of 175 shopfloor PC hostnames exported from the database |
| **shopfloor-hostnames-example.txt** | Example hostname list format |
### Documentation
| File | Description |
|------|-------------|
| **WINRM_HTTPS_DEPLOYMENT_GUIDE.md** | Complete deployment guide with troubleshooting |
## Quick Start
### 1. Generate Certificate (Testing)
```powershell
# Run as Administrator
cd C:\path\to\winrm-https
# Generate self-signed wildcard certificate
.\Generate-WildcardCert.ps1
```
### 2. Test on Single Device
```powershell
# Automated test (recommended)
.\Test-WinRM-HTTPS-Setup.ps1
# Or manual setup: prompt for the PFX password so it never lands in the
# console history as a plain-text literal
$certPass = Read-Host -Prompt "PFX password" -AsSecureString
.\Setup-WinRM-HTTPS.ps1 -CertificatePath ".\wildcard-*.pfx" `
-CertificatePassword $certPass -Domain "logon.ds.ge.com"
```
### 3. Deploy to Shopfloor PCs
```powershell
# Test connections first
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
-HostnameListFile ".\shopfloor-hostnames.txt" `
-Domain "logon.ds.ge.com" `
-TestConnections
# Run collection
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
-HostnameListFile ".\shopfloor-hostnames.txt" `
-Domain "logon.ds.ge.com"
```
## 📋 Prerequisites
- Windows PowerShell 5.1 or later
- Administrator privileges
- Network connectivity
- Wildcard certificate for `*.logon.ds.ge.com` (PFX format with private key)
## 🔐 Security Notes
- **Self-signed certificates** are for TESTING only
- For production, obtain a certificate from a trusted Certificate Authority
- Protect the PFX file password; it unlocks the private key that every shopfloor listener presents
- Use `-SkipCertificateCheck` only for testing: it disables the server-certificate validation that makes the HTTPS transport trustworthy
## Shopfloor PCs
- **Total PCs**: 175
- **Source**: Database query filtered by `pctypeid = 3` (Shopfloor type)
- **FQDN Format**: `{hostname}.logon.ds.ge.com`
- **Example**: `G1JJVH63ESF.logon.ds.ge.com`
## Workflow
1. **Generate/Obtain Certificate**
- Use `Generate-WildcardCert.ps1` for testing
- Or obtain from CA for production
2. **Setup Target PCs**
- Copy certificate PFX to each PC
- Run `Setup-WinRM-HTTPS.ps1`
- Verify with `Test-WSMan`
3. **Configure Management Server**
- Install root CA certificate (if self-signed)
- Prepare hostname list
- Test connections
4. **Run Collection**
- Use `Invoke-RemoteAssetCollection-HTTPS.ps1`
- Monitor logs
- Review results
## 📖 Documentation
See [WINRM_HTTPS_DEPLOYMENT_GUIDE.md](./WINRM_HTTPS_DEPLOYMENT_GUIDE.md) for:
- Detailed deployment procedures
- Troubleshooting guide
- Security best practices
- Certificate management
- Production deployment steps
## 🐛 Troubleshooting
### Common Issues
**Certificate not found**
```powershell
# Verify certificate is installed
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*logon.ds.ge.com*"}
```
**Connection fails**
```powershell
# Test DNS resolution
Resolve-DnsName "hostname.logon.ds.ge.com"
# Test port connectivity
Test-NetConnection -ComputerName "hostname.logon.ds.ge.com" -Port 5986
# Test WinRM
Test-WSMan -ComputerName "hostname.logon.ds.ge.com" -UseSSL -Port 5986
```
**Firewall blocking**
```powershell
# Check firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
# Create if missing
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
-Name "WinRM HTTPS-In" -Profile Any -LocalPort 5986 `
-Protocol TCP -Direction Inbound -Action Allow
```
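The "Verify with `Test-WSMan`" step of the workflow and the three troubleshooting checks above, combined into one audit that is run locally on a configured shopfloor PC. This is an added example, not one of the repository's scripts; the domain, port and firewall rule name default to the values used in this README, and the script filename is hypothetical.

```powershell
# Added example (not a repository script): audit this PC's WinRM HTTPS setup after
# Setup-WinRM-HTTPS.ps1 has run. Assumes the wildcard PFX is in Cert:\LocalMachine\My.
param(
    [string]$Domain = 'logon.ds.ge.com',
    [int]$Port = 5986,
    [string]$FirewallRule = 'WinRM HTTPS-In'
)
$problems = @()

# 1. The HTTPS listener must exist and be bound to a certificate we can inspect.
$https = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } | Select-Object -First 1
if (-not $https) {
    $problems += 'No HTTPS listener is configured.'
} else {
    if ([int]$https.Port -ne $Port) { $problems += "HTTPS listener is on port $($https.Port), expected $Port." }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $https.CertificateThumbprint }
    if (-not $cert) {
        $problems += "Listener thumbprint $($https.CertificateThumbprint) is not in LocalMachine\My."
    } else {
        # The wildcard must cover this domain, have a usable private key, and not be about to expire.
        if ($cert.Subject -notlike "*$Domain*") { $problems += "Certificate subject '$($cert.Subject)' does not cover $Domain." }
        if (-not $cert.HasPrivateKey) { $problems += 'Listener certificate has no private key.' }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate expires $($cert.NotAfter); renew before then." }
        if ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Certificate is self-signed: acceptable for testing only.' }
    }
}

# 2. A leftover HTTP listener or AllowUnencrypted=true lets clients fall back to cleartext.
$http = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTP' }
if ($http) { $problems += 'An HTTP (port 5985) listener is still enabled; remove it once HTTPS works.' }
if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
    $problems += 'Service/AllowUnencrypted is true; set it to false.'
}

# 3. The inbound firewall rule must exist, be enabled, and be an Allow rule.
$rule = Get-NetFirewallRule -DisplayName $FirewallRule -ErrorAction SilentlyContinue
if (-not $rule) { $problems += "Firewall rule '$FirewallRule' is missing." }
elseif ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Allow') { $problems += "Firewall rule '$FirewallRule' is disabled or not an Allow rule." }

# 4. Loopback check through the FQDN, so hostname and chain are validated exactly as a remote client would.
$fqdn = "$env:COMPUTERNAME.$Domain"
try { Test-WSMan -ComputerName $fqdn -UseSSL -Port $Port -ErrorAction Stop | Out-Null }
catch { $problems += "Test-WSMan to $fqdn failed: $($_.Exception.Message)" }
if ($problems) { $problems | ForEach-Object { Write-Output "FAIL: $_" }; exit 1 }
Write-Output "PASS: WinRM HTTPS on $fqdn is correctly configured."
```

Run it from an elevated prompt, since the `WSMan:` drive and `Cert:\LocalMachine` require administrator rights; a non-zero exit code means at least one check failed.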
## 📞 Support
For detailed help:
1. Check [WINRM_HTTPS_DEPLOYMENT_GUIDE.md](./WINRM_HTTPS_DEPLOYMENT_GUIDE.md)
2. Review PowerShell script help: `Get-Help .\Setup-WinRM-HTTPS.ps1 -Full`
3. Check logs in `.\logs\` directory