Created
June 1, 2016 20:27
-
-
Save jonathanmorley/0bc12567b2bc63bd6df1a2214a7bb07c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $log = "C:\winrm.log" | |
| $http_port = 5985 | |
| $https_port = 5986 | |
| $appid = '{afebb9ad-9b97-4a91-9ab5-daf4d59122f6}' | |
| "winrm_setup started" | tee $log | |
| # Does everything required for WinRM over HTTP. It also starts and enables the WinRM service | |
| "Using quickconfig to setup WinRM over HTTP" | tee -Append $log | |
| &winrm quickconfig -quiet | |
| # Enables HTTPS traffic through the firewall | |
| $firewall_rules = &netsh advfirewall firewall show rule name="Windows Remote Management (HTTPS-In)" | |
| If (!$firewall_rules) { | |
| "Creating firewall inbound rule for TCP port $https_port" | tee -Append $log | |
| &netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" ` | |
| dir=in action=allow enable=yes profile="private,domain" ` | |
| localip=any remoteip=any localport=$https_port remoteport=any protocol=tcp | |
| "Firewall inbound rule created for TCP port $https_port" | tee -Append $log | |
| } Else { | |
| "Firewall inbound rule already exists for TCP port $https_port" | tee -Append $log | |
| } | |
| # A certificate is necessary for WinRM over SSL. Self-signed is the easiest. | |
| $selfsigned_certs = Get-ChildItem -Path Cert:\LocalMachine\My |? { $_.Subject -eq "CN=$(hostname)" } | |
| If (!$selfsigned_certs) { | |
| "Creating self signed SSL certificate" | tee -Append $log | |
| &selfssl /N:CN=$(hostname) /V:9999 /Q /T /P:$https_port | |
| } Else { | |
| "Self signed certificate already exists" | tee -Append $log | |
| } | |
| $cert = Get-ChildItem -Path Cert:\LocalMachine\My |? { $_.Subject -eq "CN=$(hostname)" } | Select -First 1 | |
| $listeners = &winrm enumerate winrm/config/Listener | |
| If (!($listeners -match 'Transport\s*=\s*HTTPS')) { | |
| "Creating WinRM HTTPS listener" | tee -Append $log | |
| &winrm create winrm/config/Listener?Address=*+Transport=HTTPS `@`{Hostname=`"$(hostname)`"`;CertificateThumbprint=`"$($cert.Thumbprint)`"`} | |
| } Else { | |
| "WinRM HTTPS listener already exists" | tee -Append $log | |
| } | |
| # Rebind the certificate to the port so that the SSLCertName gets set correctly | |
| $ssl_binding = &netsh http show sslcert ipport=0.0.0.0:$https_port | |
| If (!($ssl_binding -match 'Certificate Store Name\s*:\s+My')) { | |
| "Unbinding certificate from $https_port" | tee -Append $log | |
| &netsh http delete sslcert ipport=0.0.0.0:$https_port | |
| "Binding certificate to $https_port" | tee -Append $log | |
| &netsh http add sslcert ipport=0.0.0.0:$https_port certhash=$($cert.Thumbprint) appid="$appid" certstorename=My | |
| } Else { | |
| "Certificate binding has correct store" | tee -Append $log | |
| } | |
| "Testing WinRM" | tee -Append $log | |
| Test-WSMan -Port $http_port | |
| Test-WSMan $(hostname) -UseSSL -Port $https_port | |
| "winrm_setup finished" | tee -Append $log |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment