ge-aerospace/powershell-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
powershell-scripts/winrm-https/winrm-ca-scripts/DEPLOY-AND-TEST-ONE-PC.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection 
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00

411 lines
17 KiB
Plaintext
Raw Permalink Blame History

================================================================================
DEPLOY AND TEST ONE PC - PRACTICAL GUIDE
================================================================================
This guide shows EXACTLY how to deploy to G9KN7PZ3ESF and test it.
================================================================================
PART 1: SETUP ON YOUR COMPUTER (H2PRFM94) - ONE TIME
================================================================================
Step 1: Create and Install CA
─────────────────────────────────────────────────────────────
PS> cd C:\path\to\winrm-ca-scripts
PS> .\Create-CA-Simple.ps1
# Password: ShopfloorCA2025!
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
✓ Done - CA created and trusted on your computer
Step 2: Sign Certificate for Test PC
─────────────────────────────────────────────────────────────
Option A - Sign just one:
PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"
PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"
# CA Password: ShopfloorCA2025!
# PC Cert Password: PCCert2025!
Option B - Sign all 175:
PS> .\Sign-BulkCertificates.ps1
# CA Password: ShopfloorCA2025!
# PC Cert Password: PCCert2025!
✓ Certificate created: pc-certificates\batch-*\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
================================================================================
PART 2: DEPLOY TO THE REMOTE PC (G9KN7PZ3ESF)
================================================================================
You have 3 deployment methods. Choose ONE:
METHOD 1: Network Share Deployment (EASIEST - Recommended)
════════════════════════════════════════════════════════════════════════════
Step 1: Copy files to network share (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> # Copy certificates
PS> Copy-Item "pc-certificates\batch-*" `
-Destination "S:\dt\adata\script\deploy\pc-certificates\" `
-Recurse
PS> # Copy deployment scripts
PS> Copy-Item "Deploy-PCCertificate.ps1" `
-Destination "S:\dt\adata\script\deploy\"
PS> Copy-Item "Deploy-PCCertificate.bat" `
-Destination "S:\dt\adata\script\deploy\"
Step 2: Run deployment on the PC (ON G9KN7PZ3ESF)
──────────────────────────────────────────────────────────────
1. Walk to PC G9KN7PZ3ESF (or RDP to it)
2. Open File Explorer
3. Navigate to: S:\dt\adata\script\deploy\
4. RIGHT-CLICK: Deploy-PCCertificate.bat
5. Select: "Run as Administrator"
6. Enter password when prompted: PCCert2025!
7. Wait for "SUCCESS" message
✓ Script automatically:
- Finds G9KN7PZ3ESF certificate from network share
- Imports it to Local Machine store
- Configures WinRM HTTPS listener
- Creates firewall rule
- Logs to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt
METHOD 2: Copy Files Directly to PC (If network share not accessible)
════════════════════════════════════════════════════════════════════════════
Step 1: Copy files to PC (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> # Copy certificate
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
PS> # Copy setup script
PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
Step 2: Run setup on the PC (ON G9KN7PZ3ESF)
──────────────────────────────────────────────────────────────
1. Walk to PC G9KN7PZ3ESF (or RDP to it)
2. Open PowerShell as Administrator
3. Run these commands:
PS> cd C:\Temp
PS> # Import certificate
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
PS> $cert = Import-PfxCertificate `
-FilePath (Get-Item "G9KN7PZ3ESF-*.pfx").FullName `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
PS> # Configure WinRM
PS> Set-ExecutionPolicy Bypass -Scope Process -Force
PS> .\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
✓ Done - WinRM HTTPS configured
METHOD 3: Remote Deployment via PowerShell (If WinRM HTTP already works)
════════════════════════════════════════════════════════════════════════════
Step 1: Copy certificate to PC (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
Step 2: Import and configure remotely (on YOUR computer)
──────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
# Enter your domain credentials
PS> Invoke-Command -ComputerName G9KN7PZ3ESF -Credential $cred -ScriptBlock {
# Import certificate
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
$certFile = Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx"
$cert = Import-PfxCertificate `
-FilePath $certFile.FullName `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
# Get hostname and FQDN
$hostname = $env:COMPUTERNAME
$fqdn = "$hostname.logon.ds.ge.com".ToLower()
# Enable WinRM
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Set-Service WinRM -StartupType Automatic
Start-Service WinRM
# Remove old HTTPS listener
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS 2>$null
# Create HTTPS listener
$winrmCmd = "create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$fqdn`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
cmd.exe /c "winrm $winrmCmd"
# Create firewall rule
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
-Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -Force
Write-Host "WinRM HTTPS configured on $hostname" -ForegroundColor Green
}
✓ Done - Configured remotely
================================================================================
PART 3: VERIFY DEPLOYMENT ON THE PC (ON G9KN7PZ3ESF)
================================================================================
Option A: Quick Check (on the PC)
─────────────────────────────────────────────────────────────
PS> winrm enumerate winrm/config/listener
Look for:
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = g9kn7pz3esf.logon.ds.ge.com
CertificateThumbprint = (long string)
✓ If you see HTTPS listener on port 5986 → Success!
Option B: Full Verification (on the PC)
─────────────────────────────────────────────────────────────
1. Copy Test-RemotePC-Debug.bat to C:\Temp on the PC
2. Copy Test-RemotePC-Debug.ps1 to C:\Temp on the PC
3. Right-click Test-RemotePC-Debug.bat → "Run as Administrator"
4. Review the output
Check for:
✓ WinRM Service: Running
✓ HTTPS Listener on port 5986
✓ Port 5986 LISTENING
✓ Certificate in LocalMachine\My
✓ Firewall rule enabled
================================================================================
PART 4: TEST CONNECTION FROM YOUR COMPUTER (H2PRFM94)
================================================================================
Now test that YOU can connect to G9KN7PZ3ESF remotely.
Test 1: Basic WinRM Connectivity
─────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
EXPECTED OUTPUT (Success):
┌────────────────────────────────────────────────────────┐
│ wsmid : http://schemas.dmtf.org/wbem/... │
│ ProtocolVersion : http://schemas.dmtf.org/wbem/... │
│ ProductVendor : Microsoft Corporation │
│ ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0 │
└────────────────────────────────────────────────────────┘
✅ SUCCESS = WinRM HTTPS is working!
POSSIBLE ERROR (Failure):
┌────────────────────────────────────────────────────────┐
│ Test-WSMan : The server certificate on the destination │
│ computer has the following errors: │
│ The SSL certificate is signed by an unknown CA. │
└────────────────────────────────────────────────────────┘
FIX:
PS> # Install CA on your computer
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Test 2: Interactive Remote Session
─────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
# Enter your domain credentials (e.g., DOMAIN\username)
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
EXPECTED OUTPUT (Success):
┌────────────────────────────────────────────────────────┐
│ [g9kn7pz3esf.logon.ds.ge.com]: PS C:\> │
└────────────────────────────────────────────────────────┘
✅ You're now connected to the remote PC!
Try these commands:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM | Select-Object Status, Name
Running WinRM
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> $env:COMPUTERNAME
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession
Test 3: Remote Command Execution
─────────────────────────────────────────────────────────────
PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock {
[PSCustomObject]@{
Hostname = $env:COMPUTERNAME
WinRMStatus = (Get-Service WinRM).Status
Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
}
}
EXPECTED OUTPUT:
┌────────────────────────────────────────────────────────┐
│ Hostname WinRMStatus Uptime │
│ -------- ----------- ------ │
│ G9KN7PZ3ESF Running 23:15:42.1234567 │
└────────────────────────────────────────────────────────┘
✅ Remote commands work!
Test 4: No Certificate Bypass Needed
─────────────────────────────────────────────────────────────
NOTICE: You did NOT need to use:
❌ -SessionOption (no bypass needed!)
❌ -SkipCNCheck
❌ -SkipCACheck
❌ -SkipRevocationCheck
This is a CLEAN, SECURE connection because:
✓ Your computer trusts the CA
✓ Certificate is properly signed
✓ Certificate CN matches hostname
✓ Full SSL/TLS validation works
================================================================================
TROUBLESHOOTING
================================================================================
Problem: Test-WSMan fails with "cannot connect"
Solution:
1. Check PC is on network: ping g9kn7pz3esf.logon.ds.ge.com
2. Check port reachable: Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
3. On PC, verify listener: winrm enumerate winrm/config/listener
4. On PC, verify port: netstat -an | findstr :5986
Problem: Test-WSMan fails with "SSL certificate signed by unknown CA"
Solution:
Install CA on YOUR computer:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Problem: Enter-PSSession fails with "Access Denied"
Solution:
1. Verify credentials are correct
2. Verify user has admin rights on remote PC
3. Check WinRM permissions: winrm get winrm/config/service
Problem: Port 5986 not listening on PC
Solution:
1. On PC: Get-Service WinRM (should be Running)
2. On PC: winrm enumerate winrm/config/listener (check for HTTPS)
3. Re-run Setup-WinRM-HTTPS.ps1 on the PC
Problem: Certificate not found during deployment
Solution:
1. Verify certificate exists in network share or C:\Temp
2. Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
3. Verify hostname matches: $env:COMPUTERNAME on the PC
================================================================================
SUCCESS CHECKLIST
================================================================================
✓ CA created and installed on your computer
✓ Certificate signed for G9KN7PZ3ESF
✓ Certificate deployed to G9KN7PZ3ESF
✓ WinRM HTTPS configured on G9KN7PZ3ESF
✓ Test-WSMan succeeds from your computer
✓ Enter-PSSession connects successfully
✓ No certificate bypasses needed
✓ Remote commands execute properly
When ALL checks pass → Ready to deploy to remaining PCs!
================================================================================
NEXT STEPS
================================================================================
After successful test on G9KN7PZ3ESF:
1. Test 3-5 more PCs to confirm process
2. If all work, proceed to batch deployment
3. Use same method for all 175 PCs
4. Track progress in spreadsheet
See: COMPLETE-WORKFLOW.txt for full deployment strategy
================================================================================
SUMMARY - DEPLOYMENT METHODS
================================================================================
Method 1: Network Share (Recommended)
→ Copy certs + scripts to S:\dt\adata\script\deploy\
→ On each PC: Run Deploy-PCCertificate.bat
→ Automatic deployment with logging
Method 2: Direct Copy
→ Copy cert + script to PC via \\HOSTNAME\C$\Temp\
→ On PC: Run Setup-WinRM-HTTPS.ps1 manually
→ Manual but reliable
Method 3: Remote PowerShell
→ Copy cert, deploy via Invoke-Command
→ Requires existing WinRM HTTP access
→ Fastest for bulk deployment
Choose based on your environment and access methods.
================================================================================
Reference in New Issue View Git Blame Copy Permalink