powershell-scripts/winrm-https/README.md

WinRM HTTPS Configuration

This folder contains scripts and documentation for setting up secure WinRM over HTTPS using a wildcard certificate for the *.logon.ds.ge.com domain.

📁 Files

Setup Scripts

File	Description
Generate-WildcardCert.ps1	Generates a self-signed wildcard certificate for *.logon.ds.ge.com
Setup-WinRM-HTTPS.ps1	Configures WinRM HTTPS on a target computer
Test-WinRM-HTTPS-Setup.ps1	Automated test workflow for single-device setup

Collection Scripts

File	Description
Invoke-RemoteAssetCollection-HTTPS.ps1	Executes remote asset collection via WinRM HTTPS

Data Files

File	Description
shopfloor-hostnames.txt	Live list of 175 shopfloor PC hostnames from database
shopfloor-hostnames-example.txt	Example hostname list format

Documentation

File	Description
WINRM_HTTPS_DEPLOYMENT_GUIDE.md	Complete deployment guide with troubleshooting

🚀 Quick Start

1. Generate Certificate (Testing)

# Run as Administrator
cd C:\path\to\winrm-https

# Generate self-signed wildcard certificate
.\Generate-WildcardCert.ps1

2. Test on Single Device

# Automated test (recommended)
.\Test-WinRM-HTTPS-Setup.ps1

# Or manual setup
$certPass = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
.\Setup-WinRM-HTTPS.ps1 -CertificatePath ".\wildcard-*.pfx" `
    -CertificatePassword $certPass -Domain "logon.ds.ge.com"

3. Deploy to Shopfloor PCs

# Test connections first
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
    -HostnameListFile ".\shopfloor-hostnames.txt" `
    -Domain "logon.ds.ge.com" `
    -TestConnections

# Run collection
.\Invoke-RemoteAssetCollection-HTTPS.ps1 `
    -HostnameListFile ".\shopfloor-hostnames.txt" `
    -Domain "logon.ds.ge.com"

📋 Prerequisites

• Windows PowerShell 5.1 or later
• Administrator privileges
• Network connectivity
• Wildcard certificate for *.logon.ds.ge.com (PFX format with private key)

🔐 Security Notes

• Self-signed certificates are for TESTING only
• For production, obtain a certificate from a trusted Certificate Authority
• Protect the PFX file password
• Use -SkipCertificateCheck only for testing

📊 Shopfloor PCs

• Total PCs: 175
• Source: Database query filtered by pctypeid = 3 (Shopfloor type)
• FQDN Format: {hostname}.logon.ds.ge.com
• Example: G1JJVH63ESF.logon.ds.ge.com

🔧 Workflow

1. Generate/Obtain Certificate

   • Use Generate-WildcardCert.ps1 for testing
   • Or obtain from CA for production

2. Setup Target PCs

   • Copy certificate PFX to each PC
   • Run Setup-WinRM-HTTPS.ps1
   • Verify with Test-WSMan

3. Configure Management Server

   • Install root CA certificate (if self-signed)
   • Prepare hostname list
   • Test connections

4. Run Collection

   • Use Invoke-RemoteAssetCollection-HTTPS.ps1
   • Monitor logs
   • Review results

📖 Documentation

See WINRM_HTTPS_DEPLOYMENT_GUIDE.md for:

• Detailed deployment procedures
• Troubleshooting guide
• Security best practices
• Certificate management
• Production deployment steps

🐛 Troubleshooting

Common Issues

Certificate not found

# Verify certificate is installed
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*logon.ds.ge.com*"}

Connection fails

# Test DNS resolution
Resolve-DnsName "hostname.logon.ds.ge.com"

# Test port connectivity
Test-NetConnection -ComputerName "hostname.logon.ds.ge.com" -Port 5986

# Test WinRM
Test-WSMan -ComputerName "hostname.logon.ds.ge.com" -UseSSL -Port 5986

Firewall blocking

# Check firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"

# Create if missing
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
    -Name "WinRM HTTPS-In" -Profile Any -LocalPort 5986 `
    -Protocol TCP -Direction Inbound -Action Allow

📞 Support

For detailed help:

1. Check WINRM_HTTPS_DEPLOYMENT_GUIDE.md
2. Review PowerShell script help: Get-Help .\Setup-WinRM-HTTPS.ps1 -Full
3. Check logs in .\logs\ directory