ge-aerospace/powershell-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
powershell-scripts/winrm-https/winrm-ca-scripts/COMPLETE-WORKFLOW.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection 
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00

360 lines
15 KiB
Plaintext
Raw Permalink Blame History

================================================================================
COMPLETE WORKFLOW - START TO FINISH
================================================================================
Visual guide showing the entire process from CA creation to remote access.
================================================================================
PHASE 1: SETUP (ONE TIME - 15 MINUTES)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 1: Create Certificate Authority │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Command:
PS> .\Create-CA-Simple.ps1
Input:
- CA Password: ShopfloorCA2025!
Output:
✓ Shopfloor-WinRM-CA-20251017.pfx (CA private key - KEEP SECURE!)
✓ Shopfloor-WinRM-CA-20251017.cer (CA public certificate)
✓ CA-INFO-20251017.txt
↓ ↓ ↓
┌─────────────────────────────────────────────────────────────────┐
│ STEP 2: Install CA on YOUR Computer │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Command:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Result:
✓ YOUR computer now trusts ALL certificates signed by this CA!
✓ No more -SessionOption needed for connections!
↓ ↓ ↓
┌─────────────────────────────────────────────────────────────────┐
│ STEP 3: Sign All 175 PC Certificates │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Command:
PS> .\Sign-BulkCertificates.ps1
Input:
- CA Password: ShopfloorCA2025!
- PC Certificate Password: PCCert2025!
Process:
→ Reads: shopfloor-hostnames.txt (175 hostnames)
→ Signs: 175 individual certificates
→ Each PC gets unique certificate with its own hostname
Output:
✓ pc-certificates/batch-20251017-123456/
- G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
- G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
- G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
- ... (175 total PFX files)
- certificate-list.csv
- SUMMARY.txt
================================================================================
PHASE 2: TEST DEPLOYMENT (ONE PC - 10 MINUTES)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 4: Deploy to Test PC (G9KN7PZ3ESF) │
└─────────────────────────────────────────────────────────────────┘
A. Copy Certificate to PC
─────────────────────────────────────────────────────────────
On YOUR computer:
PS> cd pc-certificates\batch-*
PS> Copy-Item "G9KN7PZ3ESF-*.pfx" -Destination "\\G9KN7PZ3ESF\C$\Temp\"
Result:
✓ Certificate file on PC: C:\Temp\G9KN7PZ3ESF-*.pfx
B. Import Certificate on PC
─────────────────────────────────────────────────────────────
ON THE PC (G9KN7PZ3ESF), as Administrator:
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
PS> $cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-*.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
Result:
✓ Certificate installed in: Cert:\LocalMachine\My
✓ Subject: CN=g9kn7pz3esf.logon.ds.ge.com
✓ Issuer: CN=Shopfloor WinRM CA
C. Configure WinRM HTTPS on PC
─────────────────────────────────────────────────────────────
Still ON THE PC (G9KN7PZ3ESF):
PS> .\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
Result:
✓ WinRM service running
✓ HTTPS listener created on port 5986
✓ Firewall rule enabled
✓ Hostname: g9kn7pz3esf.logon.ds.ge.com
D. Verify on PC
─────────────────────────────────────────────────────────────
Still ON THE PC (G9KN7PZ3ESF):
PS> Get-Service WinRM
# Status: Running
PS> winrm enumerate winrm/config/listener
# Shows HTTPS listener on port 5986
PS> netstat -an | findstr :5986
# Shows: 0.0.0.0:5986 LISTENING
✓ All checks passed!
↓ ↓ ↓
┌─────────────────────────────────────────────────────────────────┐
│ STEP 5: Test Connection from YOUR Computer │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
A. Test Basic Connectivity
─────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Expected Output:
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
✓ SUCCESS! No certificate errors!
B. Test Interactive Session
─────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Expected Output:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
✓ CONNECTED! Clean and secure!
✓ No -SessionOption needed!
✓ No certificate warnings!
Try commands:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
Status Name DisplayName
------ ---- -----------
Running WinRM Windows Remote Management (WS-Manag...
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession
🎉 TEST PC DEPLOYMENT SUCCESSFUL! 🎉
================================================================================
PHASE 3: EXPANDED TESTING (3-5 PCs - 30 MINUTES)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 6: Deploy to Additional Test PCs │
└─────────────────────────────────────────────────────────────────┘
Repeat STEP 4 for these PCs:
- G1JJVH63ESF
- G1JJXH63ESF
- G1JKYH63ESF
- G1JMYH63ESF
For each PC:
1. Copy certificate
2. Import certificate
3. Configure WinRM
4. Verify
5. Test connection
Result:
✓ 5 PCs successfully deployed and tested
✓ All connections working
✓ Ready for full deployment
================================================================================
PHASE 4: FULL DEPLOYMENT (170 REMAINING PCs)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 7: Deploy to All Remaining PCs │
└─────────────────────────────────────────────────────────────────┘
Strategy: Deploy in batches of 10-20 PCs
Batch 1: PCs 6-15
Batch 2: PCs 16-25
Batch 3: PCs 26-35
... continue ...
Batch 17: PCs 166-175
For each batch:
1. Deploy certificates
2. Configure WinRM
3. Test connections
4. Document results
5. Move to next batch
OR use automated deployment script (see AFTER-BULK-SIGNING.txt)
================================================================================
PHASE 5: VERIFICATION (ALL 175 PCs)
================================================================================
┌─────────────────────────────────────────────────────────────────┐
│ STEP 8: Verify All Deployments │
│ On YOUR computer (H2PRFM94) │
└─────────────────────────────────────────────────────────────────┘
Test all 175 PCs at once:
PS> $pcs = Get-Content "shopfloor-hostnames.txt"
PS> $cred = Get-Credential
PS> $results = foreach ($pc in $pcs) {
$fqdn = "$pc.logon.ds.ge.com"
Write-Host "Testing $pc..." -NoNewline
try {
Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop
Write-Host " OK" -ForegroundColor Green
[PSCustomObject]@{PC=$pc; Status="Success"}
} catch {
Write-Host " FAILED" -ForegroundColor Red
[PSCustomObject]@{PC=$pc; Status="Failed"}
}
}
PS> $results | Export-Csv "deployment-results.csv" -NoTypeInformation
PS> $successCount = ($results | Where-Object {$_.Status -eq "Success"}).Count
PS> Write-Host "$successCount / 175 PCs deployed successfully" -ForegroundColor Green
Result:
✓ All PCs verified
✓ Results documented
✓ Any failures identified for remediation
================================================================================
FINAL RESULT - WHAT YOU CAN DO NOW
================================================================================
Connect to ANY shopfloor PC:
─────────────────────────────────────────────────────────────
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986
Run commands on multiple PCs:
─────────────────────────────────────────────────────────────
$computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")
Invoke-Command -ComputerName ($computers | ForEach-Object {"$_.logon.ds.ge.com"}) `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { hostname }
Collect data from all 175 PCs:
─────────────────────────────────────────────────────────────
$allPCs = Get-Content "shopfloor-hostnames.txt" |
ForEach-Object {"$_.logon.ds.ge.com"}
$data = Invoke-Command -ComputerName $allPCs -Credential $cred `
-UseSSL -Port 5986 -ScriptBlock {
[PSCustomObject]@{
PC = $env:COMPUTERNAME
Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
FreeMemoryGB = [math]::Round((Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory/1MB,2)
Services = (Get-Service | Where-Object {$_.Status -eq 'Running'}).Count
}
}
$data | Export-Csv "shopfloor-inventory.csv" -NoTypeInformation
================================================================================
TIME INVESTMENT SUMMARY
================================================================================
Initial Setup (One Time):
- Create CA: 5 minutes
- Install CA on your computer: 2 minutes
- Sign 175 certificates: 5 minutes
- Total: ~12 minutes
Per PC Deployment:
- Copy certificate: 1 minute
- Import and configure: 2 minutes
- Test: 1 minute
- Total per PC: ~4 minutes
Full Deployment:
- Test PC: 4 minutes
- 4 additional test PCs: 16 minutes
- 170 remaining PCs (automated): 2-3 hours
- Total: ~3-4 hours for all 175 PCs
ONGOING USE:
- Connect to any PC: 5 seconds
- No certificate warnings ever again!
- Clean, secure, professional
================================================================================
WORKFLOW COMPLETE!
================================================================================
You now have:
✓ Certificate Authority created and installed
✓ 175 individual PC certificates signed
✓ All PCs configured for WinRM HTTPS
✓ Clean, secure remote access to all shopfloor PCs
✓ No certificate bypasses or warnings
✓ Enterprise-grade security
Next: Start managing your shopfloor PCs remotely! 🚀
================================================================================
Reference in New Issue View Git Blame Copy Permalink