Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# WinRM HTTPS Deployment Guide for Shopfloor PCs

This guide covers deploying WinRM over HTTPS to shopfloor PCs using a wildcard certificate for the `*.logon.ds.ge.com` domain.
## Overview
WinRM HTTPS provides secure, encrypted PowerShell remoting for asset collection across multiple shopfloor computers. This deployment uses a wildcard certificate to simplify certificate management across all PCs in the domain.
## Components

- `Setup-WinRM-HTTPS.ps1` - Configures WinRM HTTPS on target computers
- `Invoke-RemoteAssetCollection-HTTPS.ps1` - Executes remote asset collection via HTTPS
- Wildcard Certificate - `*.logon.ds.ge.com` certificate (PFX format with private key)
### Advantages Over HTTP WinRM
- Encrypted traffic - All data and credentials encrypted in transit
- No TrustedHosts - No need to configure TrustedHosts on management server
- Better security - Industry standard for production environments
- Certificate authentication - Mutual authentication support
- Compliance - Meets security compliance requirements
## Prerequisites

### Certificate Requirements

- Wildcard certificate for `*.logon.ds.ge.com`
- Certificate format: PFX (with private key)
- Certificate type: Server Authentication
- Must not be expired or revoked
- Same certificate can be used on all shopfloor PCs

### Target Computers (Shopfloor PCs)

- Windows 10/11 or Windows Server 2016+
- PowerShell 5.1 or later
- Network connectivity
- Administrator account for setup
- Hostnames that resolve to `hostname.logon.ds.ge.com`

### Management Server

- Windows with PowerShell 5.1 or later
- Network connectivity to shopfloor PCs on port 5986
- Administrator credentials for target computers
- DNS resolution for `*.logon.ds.ge.com`
## Deployment Steps

### Phase 1: Prepare Certificate Distribution

1. Obtain Wildcard Certificate

   ```powershell
   # Ensure you have the wildcard certificate PFX file
   # Example: wildcard-logon-ds-ge-com.pfx
   # Store in a secure location: C:\Certs\wildcard.pfx
   ```

2. Create Distribution Package

   Create a deployment folder with:
   - wildcard.pfx (the certificate)
   - Setup-WinRM-HTTPS.ps1
   - deploy-winrm-https.bat (optional batch file)

3. Secure Certificate Password

   ```powershell
   # Store certificate password securely
   # Document password in secure password manager
   # Share with authorized personnel only
   ```
### Phase 2: Deploy to Target Computers

#### Option A: Manual Deployment (Single Computer)

1. Copy files to target computer

   Copy to `C:\Temp\WinRM-HTTPS-Setup\`:
   - wildcard.pfx
   - Setup-WinRM-HTTPS.ps1

2. Run setup script as Administrator

   ```powershell
   cd C:\Temp\WinRM-HTTPS-Setup

   # Interactive mode (will prompt for certificate password)
   .\Setup-WinRM-HTTPS.ps1 -CertificatePath ".\wildcard.pfx" -Domain "logon.ds.ge.com"

   # Or with password parameter
   $certPass = ConvertTo-SecureString "YourCertPassword" -AsPlainText -Force
   .\Setup-WinRM-HTTPS.ps1 -CertificatePath ".\wildcard.pfx" `
       -CertificatePassword $certPass -Domain "logon.ds.ge.com"
   ```

3. Verify setup

   ```powershell
   # Check WinRM listeners
   winrm enumerate winrm/config/listener
   # Should show HTTPS listener on port 5986
   ```
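The following is an added example and not one of the repository's scripts: it performs by hand the work the setup step above delegates to `Setup-WinRM-HTTPS.ps1` (import the PFX, validate the certificate, bind it to an HTTPS listener, open the port, verify), so that each step can be checked on its own when the script's result looks wrong. It also narrows the firewall rule to a management subnet, as the best-practices section of this guide recommends. The PFX path, domain, port and management subnet are assumptions.

```powershell
# Added example (not part of the repository). Run as Administrator on a target PC.
# Assumed values: PFX path, domain suffix, management subnet, port.
param(
    [string]$CertificatePath = 'C:\Temp\WinRM-HTTPS-Setup\wildcard.pfx',
    [string]$Domain          = 'logon.ds.ge.com',
    [string]$ManagementCidr  = '10.0.10.0/24',   # assumed management subnet
    [int]$Port               = 5986
)
$ErrorActionPreference = 'Stop'

# 1. Import the wildcard PFX into the machine store; prompt for the password, never hardcode it
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $CertificatePath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Validate the certificate before binding it: private key, Server Authentication EKU,
#    wildcard name for this domain, and validity period
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
$names = @($cert.DnsNameList | ForEach-Object Unicode)
if (-not $cert.HasPrivateKey)       { throw "Certificate $($cert.Thumbprint) has no private key" }
if ($ekus -notcontains $serverAuthOid) { throw 'Certificate lacks the Server Authentication EKU' }
if ($names -notcontains "*.$Domain") { throw "Certificate names ($($names -join ', ')) do not include *.$Domain" }
if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate expired on $($cert.NotAfter)" }

# 3. Ensure WinRM is running, then replace any existing HTTPS listener with one bound to this cert
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Port $Port -Force | Out-Null

# 4. Allow the port inbound, but only from the management subnet
$ruleName = 'WinRM HTTPS-In'
Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -Name $ruleName -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $ManagementCidr -Action Allow -Profile Any | Out-Null

# 5. Verify: the listener must report the thumbprint we bound, and a TLS identify request
#    against this host's FQDN (which the wildcard covers) must succeed
$listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
$bound = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
          Where-Object Name -eq 'CertificateThumbprint').Value
if ($bound -ne $cert.Thumbprint) { throw "Listener is bound to '$bound', expected $($cert.Thumbprint)" }
Test-WSMan -ComputerName "$env:COMPUTERNAME.$Domain" -UseSSL -Port $Port | Out-Null
Write-Host "HTTPS listener ready on port $Port with certificate $($cert.Thumbprint)"

# 6. The PFX (private key plus password-protected container) is no longer needed on this PC
Remove-Item -Path $CertificatePath -Force
```

The thumbprint comparison in step 5 is the check worth keeping: a listener can exist and the port can be open while still serving an older or wrong certificate, which `winrm enumerate` alone does not make obvious.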
#### Option B: Batch Deployment (Multiple Computers)

1. Create deployment script

   ```powershell
   # deploy-to-all.ps1
   $computers = Get-Content ".\shopfloor-hostnames.txt"
   $domain = "logon.ds.ge.com"
   $certPath = "C:\Certs\wildcard.pfx"
   $certPass = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
   $cred = Get-Credential  # Domain admin credentials

   foreach ($hostname in $computers) {
       $fqdn = "$hostname.$domain"
       Write-Host "Deploying to $fqdn..." -ForegroundColor Yellow

       # Copy files
       $remotePath = "\\$fqdn\C$\Temp\WinRM-Setup"
       New-Item -Path $remotePath -ItemType Directory -Force
       Copy-Item $certPath -Destination "$remotePath\wildcard.pfx"
       Copy-Item ".\Setup-WinRM-HTTPS.ps1" -Destination $remotePath

       # Execute remotely (requires existing WinRM/admin access)
       Invoke-Command -ComputerName $fqdn -Credential $cred -ScriptBlock {
           param($CertPath, $CertPass, $Domain)
           Set-Location C:\Temp\WinRM-Setup
           .\Setup-WinRM-HTTPS.ps1 -CertificatePath $CertPath `
               -CertificatePassword $CertPass -Domain $Domain
       } -ArgumentList "C:\Temp\WinRM-Setup\wildcard.pfx", $certPass, $domain

       Write-Host "Completed: $fqdn" -ForegroundColor Green
   }
   ```
#### Option C: Group Policy Deployment

1. Import certificate via GPO
   - Computer Configuration > Policies > Windows Settings > Security Settings
   - Public Key Policies > Certificates (Local Computer > Personal)
   - Import wildcard.pfx

2. Deploy setup script via GPO
   - Computer Configuration > Policies > Windows Settings > Scripts
   - Startup script: Setup-WinRM-HTTPS.ps1
### Phase 3: Test Connections

1. Create hostname list file

   ```text
   # shopfloor-hostnames.txt
   SHOPPC001
   SHOPPC002
   SHOPPC003
   PROD-LINE-01
   PROD-LINE-02
   ```

2. Test HTTPS connections

   ```powershell
   .\Invoke-RemoteAssetCollection-HTTPS.ps1 `
       -HostnameListFile ".\shopfloor-hostnames.txt" `
       -Domain "logon.ds.ge.com" `
       -TestConnections
   ```

3. Verify each connection

   Expected output:

   ```text
   Resolving SHOPPC001.logon.ds.ge.com... [192.168.x.x]
   Testing SHOPPC001.logon.ds.ge.com... [OK]
   ```
### Phase 4: Deploy Asset Collection

1. Run asset collection

   ```powershell
   # Get credentials once
   $cred = Get-Credential

   # Run collection across all shopfloor PCs
   .\Invoke-RemoteAssetCollection-HTTPS.ps1 `
       -HostnameListFile ".\shopfloor-hostnames.txt" `
       -Domain "logon.ds.ge.com" `
       -Credential $cred `
       -MaxConcurrent 10
   ```

2. Monitor progress

   Watch console output for:
   - DNS resolution results
   - Connection validation
   - Batch processing progress
   - Success/failure summary

3. Review logs

   ```powershell
   # Check log file
   Get-Content ".\logs\remote-collection-https.log" -Tail 50
   ```
## Configuration Options

### Setup-WinRM-HTTPS.ps1 Parameters
| Parameter | Description | Default |
|---|---|---|
| CertificatePath | Path to PFX file | - |
| CertificatePassword | SecureString password | (prompts) |
| CertificateThumbprint | Use existing cert by thumbprint | - |
| Domain | Domain suffix (e.g., logon.ds.ge.com) | Required |
| Port | HTTPS port | 5986 |
| SkipFirewall | Skip firewall configuration | false |
| TestConnection | Test after setup | false |
### Invoke-RemoteAssetCollection-HTTPS.ps1 Parameters
| Parameter | Description | Default |
|---|---|---|
| HostnameList | Array of hostnames | @() |
| HostnameListFile | Path to hostname list file | - |
| Domain | Domain suffix | Required |
| Credential | PSCredential object | (prompts) |
| MaxConcurrent | Max parallel sessions | 5 |
| Port | HTTPS port | 5986 |
| ScriptPath | Remote script path | C:\Scripts\Update-PC-CompleteAsset.ps1 |
| SkipCertificateCheck | Skip cert validation | false |
| TestConnections | Test only, no collection | false |
## Troubleshooting

### Certificate Issues

Problem: "Certificate not found"

```powershell
# Solution: Verify certificate is installed
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*logon.ds.ge.com*"}
```

Problem: "Certificate has no private key"

```powershell
# Solution: Re-import certificate with private key
# Ensure PFX file includes private key
# Check "Mark this key as exportable" during import
```

Problem: "Certificate expired"

```powershell
# Solution: Check certificate expiration
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*logon.ds.ge.com*"}
$cert.NotAfter  # Shows expiration date
```
### Connection Issues

Problem: "Unable to connect to remote server"

```powershell
# Check 1: Test DNS resolution
Resolve-DnsName "shoppc001.logon.ds.ge.com"

# Check 2: Test port connectivity
Test-NetConnection -ComputerName "shoppc001.logon.ds.ge.com" -Port 5986

# Check 3: Test WinRM HTTPS
Test-WSMan -ComputerName "shoppc001.logon.ds.ge.com" -Port 5986 -UseSSL
```

Problem: "The SSL certificate is signed by an unknown authority"

```powershell
# Solution 1: Install root CA certificate on management server
# Import the CA certificate to Trusted Root Certification Authorities

# Solution 2: Use SkipCertificateCheck (not recommended for production)
.\Invoke-RemoteAssetCollection-HTTPS.ps1 -SkipCertificateCheck ...
```
### Firewall Issues

Problem: "Connection timeout"

```powershell
# On target computer, verify firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"

# If missing, create manually
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
    -Name "WinRM HTTPS-In" `
    -Profile Any `
    -LocalPort 5986 `
    -Protocol TCP `
    -Direction Inbound `
    -Action Allow `
    -Enabled True
```
### Authentication Issues

Problem: "Access denied"

```powershell
# Solution: Verify credentials have admin rights
# Check user is member of local Administrators group on target computer

# Test credentials
$cred = Get-Credential
Test-WSMan -ComputerName "shoppc001.logon.ds.ge.com" -Credential $cred -UseSSL -Port 5986
```
### Diagnostic Commands

```powershell
# On target computer (run as Administrator)

# Show all WinRM configuration
winrm get winrm/config

# Show listeners
winrm enumerate winrm/config/listener

# Show service status
Get-Service WinRM

# Test local HTTPS listener
Test-WSMan -ComputerName localhost -UseSSL -Port 5986

# Check certificate in use
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*logon.ds.ge.com*"}
$cert | Format-List *
```
## Security Best Practices

### Certificate Management

1. Protect Private Key
   - Store PFX files in encrypted storage
   - Limit access to certificate files
   - Use strong passwords for PFX files
   - Delete PFX files after installation

2. Monitor Expiration

   ```powershell
   # Create reminder for certificate renewal
   # Typical certificate lifetime: 1-2 years
   # Plan renewal 30-60 days before expiration
   ```

3. Certificate Revocation
   - Have process for certificate revocation if compromised
   - Distribute new certificate to all PCs
   - Remove old certificate from all systems
### Network Security

1. Firewall Configuration
   - Limit port 5986 to specific management IPs if possible
   - Use Windows Firewall with Advanced Security
   - Document firewall rules

2. Network Segmentation
   - Keep shopfloor network segregated
   - Use VLANs for additional isolation
   - Restrict management access
### Credential Management

1. Service Accounts

   ```powershell
   # Use dedicated service account for automation
   # Grant minimum required permissions
   # Rotate passwords regularly
   ```

2. Credential Storage

   ```powershell
   # For scheduled tasks, use Credential Manager
   # Never hardcode passwords in scripts
   # Use SecureString for password handling
   ```
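As an added example (not from the repository), the two functions below show the storage pattern the daily collection workflow in this guide relies on: `ConvertFrom-SecureString` without a key encrypts the password with DPAPI, so the resulting file can only be turned back into a `SecureString` by the same Windows account on the same machine. The account name and file path match the workflow's placeholders and are assumptions; the ACL tightening and the decryption error handling are additions that make the failure mode (file created as a different user) explicit.

```powershell
# Added example (not part of the repository's scripts).
# Assumed: service account 'DOMAIN\svc-assetcollection', password file 'C:\Secure\svc-pass.txt'.

function Protect-ServiceCredential {
    # Run once, interactively, AS THE ACCOUNT THAT WILL RUN THE SCHEDULED TASK.
    # DPAPI binds the ciphertext to that user on this machine; no key is stored in the script.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$OutFile
    )
    $secure = Read-Host -AsSecureString -Prompt "Password for $UserName"
    $secure | ConvertFrom-SecureString | Set-Content -Path $OutFile -Encoding ASCII

    # Defence in depth: even though the content is DPAPI-protected, restrict the file
    # to the owning account and SYSTEM and drop inherited permissions.
    $acl = Get-Acl -Path $OutFile
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($principal in @($me, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $OutFile -AclObject $acl
}

function Get-ServiceCredential {
    # Counterpart used by the scheduled task; mirrors
    # "Get-Content <file> | ConvertTo-SecureString" from the daily collection script.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$PasswordFile
    )
    if (-not (Test-Path -Path $PasswordFile)) {
        throw "Password file '$PasswordFile' not found; run Protect-ServiceCredential as the task account"
    }
    try {
        $secure = Get-Content -Path $PasswordFile | ConvertTo-SecureString
    }
    catch {
        # Typical cause: the file was written by another user or copied from another machine
        throw "Cannot decrypt '$PasswordFile' as $([Environment]::UserName): $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Usage (assumed account and path):
# Protect-ServiceCredential -UserName 'DOMAIN\svc-assetcollection' -OutFile 'C:\Secure\svc-pass.txt'
# $cred = Get-ServiceCredential -UserName 'DOMAIN\svc-assetcollection' -PasswordFile 'C:\Secure\svc-pass.txt'
```

Because the ciphertext is bound to the task account, rotating the service account password means re-running `Protect-ServiceCredential` as that account; a file copied between management servers will not decrypt, which is the intended behaviour.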
## Maintenance

### Certificate Renewal

When wildcard certificate needs renewal:

1. Obtain new certificate
   - Request renewal from certificate authority
   - Export as PFX with private key

2. Deploy new certificate

   ```powershell
   # Run on each target computer
   .\Setup-WinRM-HTTPS.ps1 -CertificatePath ".\new-wildcard.pfx" `
       -CertificatePassword $certPass -Domain "logon.ds.ge.com"
   # This will replace the HTTPS listener with new certificate
   ```

3. Verify deployment

   ```powershell
   # Test connections with new certificate
   .\Invoke-RemoteAssetCollection-HTTPS.ps1 -TestConnections ...
   ```

4. Remove old certificate

   ```powershell
   # On each computer, remove old certificate
   Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq "OLD_THUMBPRINT"} | Remove-Item
   ```
### Regular Checks

```powershell
# Monthly verification script
$computers = Get-Content ".\shopfloor-hostnames.txt"
$domain = "logon.ds.ge.com"

foreach ($hostname in $computers) {
    $fqdn = "$hostname.$domain"
    try {
        $result = Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop
        Write-Host "[OK] $fqdn" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] $fqdn - $($_.Exception.Message)" -ForegroundColor Red
    }
}
```
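The monthly check above only tells you whether the listener answers. The following added example (not part of the repository) extends it from the management server's side: it opens a TLS connection to each PC's port 5986, reads the certificate actually being served, validates the chain against the management server's trust store, checks that the wildcard covers the host's DNS suffix, and flags certificates inside the renewal window from the "Monitor Expiration" practice. No credentials are needed, so it can run from a low-privilege scheduled task. The hostname file, domain, port and 60-day window are assumptions.

```powershell
# Added example (not part of the repository). Assumed: hostname file, domain, port 5986, 60-day window.
function Get-WinRmHttpsCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 5986,
        [int]$WarnDays = 60
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Fqdn, $Port)
        # Accept whatever the server presents during the handshake; trust is evaluated
        # explicitly below so the reason for a failure can be reported, not just "failed".
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain validation against this server's trust store, with online revocation checking
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)

        # Name check: the wildcard must cover the host's DNS suffix (e.g. *.logon.ds.ge.com)
        $suffix = ($Fqdn -split '\.', 2)[1]
        $names = @($cert.DnsNameList | ForEach-Object Unicode)
        $nameOk = $names -contains "*.$suffix"
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        $status = if (-not $chainOk) { 'UNTRUSTED' }
                  elseif (-not $nameOk) { 'NAME-MISMATCH' }
                  elseif ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'RENEW-SOON' }
                  else { 'OK' }

        [pscustomobject]@{
            Computer    = $Fqdn
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            Status      = $status
        }
    }
    catch {
        # DNS, firewall or listener problems land here; the message says which
        [pscustomobject]@{
            Computer = $Fqdn; Thumbprint = $null; NotAfter = $null; DaysLeft = $null
            ChainStatus = $_.Exception.Message; Status = 'UNREACHABLE'
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Run across the fleet and fail the scheduled task if anything needs attention
$domain = "logon.ds.ge.com"
$report = Get-Content ".\shopfloor-hostnames.txt" |
    ForEach-Object { Get-WinRmHttpsCertificateStatus -Fqdn "$_.$domain" }
$report | Sort-Object Status | Format-Table -AutoSize
if (@($report | Where-Object Status -ne 'OK').Count -gt 0) { exit 1 }
```

Because the same wildcard certificate is installed everywhere, a single `RENEW-SOON` row normally means the whole fleet is due; `UNTRUSTED` on every host usually points at the management server's root store rather than at the PCs, while `NAME-MISMATCH` or a thumbprint that differs from the rest identifies a PC whose listener was never updated.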
## Migration from HTTP to HTTPS

If currently using WinRM HTTP, follow these steps:

1. Continue running HTTP during transition
   - HTTPS and HTTP listeners can coexist
   - Test HTTPS thoroughly before removing HTTP

2. Deploy HTTPS to all computers
   - Use deployment procedures above
   - Verify each computer is accessible via HTTPS

3. Update collection scripts
   - Switch from Invoke-RemoteAssetCollection.ps1
   - To Invoke-RemoteAssetCollection-HTTPS.ps1
   - Test with small batch first

4. Remove HTTP listeners (optional)

   ```powershell
   # Only after HTTPS is fully verified
   winrm delete winrm/config/Listener?Address=*+Transport=HTTP
   ```
## Example Workflows

### Daily Asset Collection

```powershell
# scheduled-collection.ps1
# Run this as a scheduled task

$domain = "logon.ds.ge.com"
$hostnameFile = "C:\Scripts\shopfloor-hostnames.txt"
$logPath = "C:\Logs\asset-collection-$(Get-Date -Format 'yyyyMMdd').log"

# Use stored credentials (setup via Credential Manager)
$username = "DOMAIN\svc-assetcollection"
$password = Get-Content "C:\Secure\svc-pass.txt" | ConvertTo-SecureString
$cred = New-Object PSCredential($username, $password)

# Run collection
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
    -HostnameListFile $hostnameFile `
    -Domain $domain `
    -Credential $cred `
    -MaxConcurrent 10 `
    -LogPath $logPath
```
### Ad-Hoc Single Computer Collection

```powershell
# Quick collection from one computer
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
    -HostnameList @("SHOPPC001") `
    -Domain "logon.ds.ge.com"
```
### Batch Collection with Reporting

```powershell
# Run collection and generate report
$result = .\Invoke-RemoteAssetCollection-HTTPS.ps1 `
    -HostnameListFile ".\shopfloor-hostnames.txt" `
    -Domain "logon.ds.ge.com" `
    -MaxConcurrent 10

# Send email report
$summary = Get-Content ".\logs\remote-collection-https.log" | Select-Object -Last 20
Send-MailMessage -To "it-team@example.com" `
    -Subject "Asset Collection Complete - $(Get-Date -Format 'yyyy-MM-dd')" `
    -Body ($summary -join "`n") `
    -SmtpServer "smtp.example.com"
```
## Reference

### Default Ports

- HTTP WinRM: 5985 (not recommended)
- HTTPS WinRM: 5986 (recommended)

### File Locations

- Certificates: `Cert:\LocalMachine\My`
- WinRM Config: `WSMan:\localhost`
- Logs: `.\logs\remote-collection-https.log`
### Useful Commands

```powershell
# Test HTTPS connection
Test-WSMan -ComputerName "hostname.logon.ds.ge.com" -UseSSL -Port 5986

# Create session
New-PSSession -ComputerName "hostname.logon.ds.ge.com" -UseSSL -Port 5986 -Credential $cred

# Interactive session
Enter-PSSession -ComputerName "hostname.logon.ds.ge.com" -UseSSL -Port 5986 -Credential $cred

# View WinRM configuration
winrm get winrm/config

# View listeners
winrm enumerate winrm/config/listener
```
## Additional Resources
- Microsoft WinRM Documentation: https://learn.microsoft.com/en-us/windows/win32/winrm/
- PowerShell Remoting Guide: https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/
- Certificate Management: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/
## Support

For issues or questions:

- Check troubleshooting section above
- Review log files in `.\logs\`
- Verify prerequisites are met
- Test with single computer first
- Contact IT support team