Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
316 lines
9.6 KiB
Plaintext
================================================================================
AFTER RUNNING BULK CERTIFICATE SIGNING - WHAT'S NEXT?
================================================================================

You just ran: .\Sign-BulkCertificates.ps1

Now you have 175 individual certificates ready to deploy!

================================================================================
WHAT YOU HAVE NOW
================================================================================

Folder created: pc-certificates\batch-YYYYMMDD-HHMMSS\

Inside this folder:
  - 175 PFX files (one per PC, each containing that PC's private key)
    Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx

  - 175 CER files (public certificates, safe to share)
    Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.cer

  - certificate-list.csv (spreadsheet of all certificates)
  - SUMMARY.txt (summary report)

Treat the batch folder like a credential store: the PFX files are protected
only by their export password. Keep them on the management computer, copy each
one only to the PC it was issued for, and delete the copies once imported.

================================================================================
NEXT STEP: DEPLOY TO ONE PC (TEST FIRST!)
================================================================================

Test on: G9KN7PZ3ESF

STEP 1: Copy Certificate to the PC
-----------------------------------
From YOUR computer (H2PRFM94):

# Navigate to the certificate folder
cd pc-certificates\batch-*

# Copy to the test PC (you need admin rights on the PC, and C:\Temp must
# already exist there or Copy-Item fails with a path error)
Copy-Item "G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
    -Destination "\\G9KN7PZ3ESF\C$\Temp\"

If that doesn't work (network path issue):
  - Copy the file to a USB drive
  - Or use a network share location
  - Or RDP to the PC and copy directly

Whichever route you use, copy only this PC's PFX file, never the whole batch
folder.

STEP 2: Import Certificate on the PC
-------------------------------------
ON THE PC (G9KN7PZ3ESF), in PowerShell as Administrator:

# Prompt for the PFX export password. Do not hard-code it in scripts or docs.
$certPass = Read-Host "PFX password" -AsSecureString

# Import the certificate. Without -Exportable the private key cannot be
# exported again from the store, which is what you want for a machine cert.
$cert = Import-PfxCertificate `
    -FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $certPass

# Show the certificate (verify it worked)
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter

# The private key now lives in the store; remove the PFX from disk
Remove-Item "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" -Force

You should see:
  Subject:    CN=g9kn7pz3esf.logon.ds.ge.com
  Issuer:     CN=Shopfloor WinRM CA
  Thumbprint: (long string)
  NotAfter:   (expiration date)

STEP 3: Configure WinRM HTTPS
------------------------------
Still ON THE PC (G9KN7PZ3ESF):

Option A - If you have Setup-WinRM-HTTPS.ps1 on the PC:

.\Setup-WinRM-HTTPS.ps1 `
    -CertificateThumbprint $cert.Thumbprint `
    -Domain "logon.ds.ge.com"

Option B - Manual configuration (if no script):

# Enable WinRM (this also creates the default HTTP listener on 5985, see note)
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Remove the old HTTPS listener, if one exists (no error when there is none)
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" } |
    Remove-Item -Recurse -Force

# Create the HTTPS listener bound to the certificate. The WSMan provider is
# used instead of winrm.cmd because the @{...} argument quoting is fragile
# when passed from PowerShell.
$hostname = "g9kn7pz3esf.logon.ds.ge.com"

New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $hostname -CertificateThumbprint $cert.Thumbprint -Port 5986 -Force

# Create firewall rule (add -RemoteAddress <management subnet> to restrict
# which networks may reach the listener)
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
    -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow

Note: Enable-PSRemoting leaves the HTTP listener on port 5985 in place. Once
every management workflow uses -UseSSL, remove it the same way (match
"Transport=HTTP") so nothing can fall back to it and only the certificate-
backed listener remains reachable.

STEP 4: Verify Configuration on the PC
---------------------------------------
Still ON THE PC (G9KN7PZ3ESF):

# Check WinRM service
Get-Service WinRM
# Should show: Running

# Check listeners
winrm enumerate winrm/config/listener
# Should show HTTPS listener on port 5986
# Hostname should be: g9kn7pz3esf.logon.ds.ge.com

# Check port
netstat -an | findstr :5986
# Should show: 0.0.0.0:5986 LISTENING

# Check firewall
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
# Should show: Enabled = True

If any of these fail, run Test-RemotePC-Debug.bat on the PC!

STEP 5: Test Connection from YOUR Computer
-------------------------------------------
Back on YOUR computer (H2PRFM94):

# Test basic connectivity (this validates the certificate chain and hostname)
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

Expected output:
  wsmid           : http://schemas.dmtf.org/...
  ProtocolVersion : http://schemas.dmtf.org/...
  ProductVendor   : Microsoft Corporation
  ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

✅ SUCCESS! No certificate errors!

If Test-WSMan reports a certificate error instead, the management computer does
not trust the issuing CA: import the "Shopfloor WinRM CA" public certificate
into Cert:\LocalMachine\Root on H2PRFM94 and retry. Do not work around it with
-SkipCACheck / -SkipCNCheck session options; the whole point of this setup is
that those bypasses are never needed.

# Test interactive session
$cred = Get-Credential

Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986

Expected result:
  [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

✅ You're now connected to the remote PC!

# Try some commands:
hostname
Get-Service WinRM
Exit-PSSession

================================================================================
IF TEST PC WORKS - DEPLOY TO MORE PCs
================================================================================

Deploy to 3-5 more PCs for additional testing:
  - G1JJVH63ESF
  - G1JJXH63ESF
  - G1JKYH63ESF
  - etc.

For each PC, repeat Steps 1-5 above.

================================================================================
BULK DEPLOYMENT TO ALL 175 PCs
================================================================================

Once 5+ PCs are working successfully, deploy to all remaining PCs.

Option A - Manual Deployment (Safe but slow):
  - Deploy 10-20 PCs at a time
  - Verify each batch works before continuing
  - Track progress in a spreadsheet

Option B - Automated Deployment (Faster):

Create a deployment script:

$pcs = Get-Content "shopfloor-hostnames.txt"
# Prompt once. Never hard-code the PFX password in a script or README.
$certPass = Read-Host "PFX password" -AsSecureString

foreach ($pc in $pcs) {
    $fqdn = "$pc.logon.ds.ge.com".ToLower()
    Write-Host "Deploying to $pc..." -ForegroundColor Yellow

    try {
        # Copy the certificate (newest batch wins if the PC was signed twice)
        $certFile = Get-ChildItem "pc-certificates\batch-*\$pc-*.pfx" |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $certFile) { throw "no PFX file found for $pc" }
        New-Item -ItemType Directory -Path "\\$fqdn\C$\Temp" -Force | Out-Null
        Copy-Item $certFile.FullName -Destination "\\$fqdn\C$\Temp\"

        # Import and configure remotely. This bootstrap hop uses the existing
        # HTTP listener (5985, Kerberos); every later hop uses -UseSSL.
        # The SecureString is serialized encrypted with the session key.
        Invoke-Command -ComputerName $fqdn -ErrorAction Stop -ScriptBlock {
            param($certPath, [securestring]$certPassword, $hostname)

            $cert = Import-PfxCertificate -FilePath $certPath `
                -CertStoreLocation Cert:\LocalMachine\My -Password $certPassword
            Remove-Item $certPath -Force   # private key now lives only in the store

            # Configure WinRM (same configuration as Step 3, Option B)
            Get-ChildItem WSMan:\localhost\Listener |
                Where-Object { $_.Keys -contains "Transport=HTTPS" } |
                Remove-Item -Recurse -Force
            New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
                -HostName $hostname -CertificateThumbprint $cert.Thumbprint `
                -Port 5986 -Force | Out-Null
            if (-not (Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
                    -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow | Out-Null
            }
        } -ArgumentList "C:\Temp\$($certFile.Name)", $certPass, $fqdn

        # Prove the HTTPS listener answers before calling the PC done
        Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop | Out-Null
        Write-Host " [OK] $pc deployed successfully" -ForegroundColor Green

    } catch {
        Write-Host " [ERROR] $pc failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

Note: You'd need to adapt this for your environment (hostname list, domain
suffix, where the batch folder lives). Run it in batches of 10-20 PCs, as in
Option A, rather than against all 175 at once.

================================================================================
TRACKING DEPLOYMENT
================================================================================

Create a tracking spreadsheet with columns:
  - Hostname
  - Certificate Deployed (Yes/No/Date)
  - WinRM Configured (Yes/No/Date)
  - Connection Tested (Yes/No/Date)
  - Notes

Use the certificate-list.csv as a starting point!

================================================================================
TROUBLESHOOTING
================================================================================

If a PC won't connect:

1. Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to that PC
2. Right-click Test-RemotePC-Debug.bat, "Run as Administrator"
3. Review the output to find the issue

Common problems:
  ❌ Port 5986 not listening           → WinRM listener not created
  ❌ Certificate not found             → Certificate not imported
  ❌ Firewall blocking                 → Firewall rule missing
  ❌ Wrong hostname in cert            → Used wrong PFX file
  ❌ Certificate error on H2PRFM94     → "Shopfloor WinRM CA" is not in the
                                         management computer's Trusted Root
                                         store (Cert:\LocalMachine\Root)

================================================================================
VERIFICATION CHECKLIST
================================================================================

For each deployed PC, verify:

✓ Certificate imported (Cert:\LocalMachine\My)
✓ Certificate issued by "Shopfloor WinRM CA"
✓ PFX file deleted from C:\Temp after import
✓ WinRM service running
✓ HTTPS listener on port 5986
✓ Listener hostname matches PC FQDN
✓ Firewall rule enabled
✓ Port 5986 listening
✓ Can connect from management computer
✓ No certificate warnings

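The checklist above, the Step 5 connection test and the tracking spreadsheet can be driven from one script on the management computer. The following is an added example, not one of the winrm-ca-scripts. It assumes shopfloor-hostnames.txt holds one short hostname per line (as in the bulk script), that the "Shopfloor WinRM CA" certificate is already in H2PRFM94's Trusted Root store, and that the report file name winrm-https-status.csv is yours to choose. Rather than trusting what the PC says about its own configuration, it opens a TLS connection to port 5986 and inspects the certificate the listener really presents (issuer, subject, chain trust, expiry, thumbprint), then writes the tracking CSV.

```powershell
# Added example: run on the management computer (H2PRFM94). Not part of the
# winrm-ca-scripts; file names and CSV columns below are assumptions.

function Get-WinRMListenerCertificate {
    # TLS handshake with the PC's HTTPS listener; returns the leaf certificate
    # it presents plus the policy errors a normal client would see.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5986,
        [int]$TimeoutMs = 5000
    )
    $client  = New-Object System.Net.Sockets.TcpClient
    $connect = $client.BeginConnect($ComputerName, $Port, $null, $null)
    if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close()
        throw "no TCP connection to ${ComputerName}:${Port} within ${TimeoutMs} ms"
    }
    $client.EndConnect($connect)

    # The callback only records what the listener sent. Returning $true lets the
    # handshake complete so we can report the errors ourselves; this connection
    # is never used for a real session, so nothing is bypassed.
    $seen = @{ Cert = $null; Errors = $null }
    $callback = {
        param($sender, $cert, $chain, $errors)
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $seen.Errors = $errors
        return $true
    }.GetNewClosure()

    $stream = $client.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false,
        ([System.Net.Security.RemoteCertificateValidationCallback]$callback)
    try {
        $ssl.AuthenticateAsClient($ComputerName)   # name check uses the FQDN
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Subject      = $seen.Cert.Subject
        Issuer       = $seen.Cert.Issuer
        Thumbprint   = $seen.Cert.Thumbprint
        NotAfter     = $seen.Cert.NotAfter
        PolicyErrors = [string]$seen.Errors   # "None" = chain trusted, name matches
    }
}

function Test-ShopfloorWinRMCertificates {
    # Sweep every PC in the list and write a tracking CSV (assumed file names).
    param(
        [string]$HostListPath   = "shopfloor-hostnames.txt",
        [string]$DomainSuffix   = "logon.ds.ge.com",
        [string]$ExpectedIssuer = "CN=Shopfloor WinRM CA",
        [string]$ReportPath     = "winrm-https-status.csv"
    )
    $results = foreach ($pc in Get-Content $HostListPath) {
        $fqdn = "$pc.$DomainSuffix".ToLower()
        try {
            $c = Get-WinRMListenerCertificate -ComputerName $fqdn
            [pscustomobject]@{
                Hostname   = $pc
                Reachable  = $true
                IssuerOk   = ($c.Issuer -eq $ExpectedIssuer)
                SubjectOk  = ($c.Subject -eq "CN=$fqdn")
                ChainOk    = ($c.PolicyErrors -eq "None")
                NotExpired = ($c.NotAfter -gt (Get-Date))
                Thumbprint = $c.Thumbprint
                NotAfter   = $c.NotAfter
                Notes      = ""
            }
        } catch {
            [pscustomobject]@{
                Hostname = $pc; Reachable = $false; IssuerOk = $false; SubjectOk = $false
                ChainOk = $false; NotExpired = $false; Thumbprint = ""; NotAfter = $null
                Notes = $_.Exception.Message
            }
        }
    }
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results
}

# Show only the PCs that fail any checklist item
Test-ShopfloorWinRMCertificates |
    Where-Object { -not ($_.Reachable -and $_.IssuerOk -and $_.SubjectOk -and $_.ChainOk -and $_.NotExpired) } |
    Format-Table Hostname, Reachable, IssuerOk, SubjectOk, ChainOk, NotExpired, Notes -AutoSize
```

Reading the report: Reachable=False usually means Step 3 was never run on that PC or the firewall rule is missing; IssuerOk=True with ChainOk=False means the listener has the right certificate but the management computer does not trust "Shopfloor WinRM CA"; SubjectOk=False means the wrong PFX was imported. The Thumbprint column can be compared against certificate-list.csv to confirm each PC serves exactly the certificate that was signed for it.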
================================================================================
FINAL RESULT
================================================================================

After deploying all 175 PCs, you can connect to ANY of them with:

$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986

Clean, secure, no certificate bypasses!

Run commands on multiple PCs:

$computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")

Invoke-Command -ComputerName ($computers | ForEach-Object { "$_.logon.ds.ge.com" }) `
    -Credential $cred -UseSSL -Port 5986 `
    -ScriptBlock {
        Get-Service WinRM | Select-Object Name, Status
    }

Collect data from all 175 PCs in seconds!

================================================================================
SUMMARY
================================================================================

Next Steps After Bulk Signing:

1. ✅ Deploy to ONE PC (G9KN7PZ3ESF) - TEST FIRST
2. ✅ Verify connection works
3. ✅ Deploy to 3-5 more PCs
4. ✅ Deploy to remaining PCs in batches
5. ✅ Track progress
6. ✅ Verify all deployments
7. ✅ Celebrate! 🎉

================================================================================
NEED HELP?
================================================================================

- Certificate issues → Run Test-RemotePC-Debug.bat on the PC
- Connection issues  → Check firewall, WinRM service, listener
- Can't copy files   → Check network paths, permissions
- General questions  → Review README.txt

All scripts and documentation are in /home/camp/winrm-ca-scripts/

================================================================================