Setup-WinRMHttps.ps1

Setup-WinRMHttps.ps1

#############################################################
##               Get machine certificate info              ##
#############################################################

$domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$domainDN = "DC=" + $domain -replace '\.', ", DC="
$CA = [ADSI]"LDAP://CN=Enrollment Services, CN=Public Key Services, CN=Services, CN=Configuration, $domainDN"
$caDN = $ca.psbase.children.cacertificatedn
$machineCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*$($env:COMPUTERNAME).$((gwmi WIN32_ComputerSystem).Domain)" -and $_.issuer -eq "$caDN"}

If(!$machineCert){

    Write-Host "Unable to find a machine certificate for HTTPS binding...exiting..."

    exit
    #Get-Certificate -Template SslWebServer -DnsName www.contoso.com,www.fabrikam.com -Url https://www.contoso.com/Policy/service.svc -Credential $up -CertStoreLocation cert:\LocalMachine\My

}


#############################################################
##         Add/Configure the HTTPs WinRM listener          ##
#############################################################

$httpsWinRMInstance = Get-WSManInstance -resourceURI winrm/config/listener -selectorset @{Address="*";Transport="https"} 
If($httpsWinRMInstance){

    Write-Host "A listener for HTTPs already exists"

    If($httpsWinRMInstance.CertificateThumbprint -replace "\s","" -ne $machineCert.Thumbprint){

        Write-Host "The thumbprint currently configured is different than that of the machine certificate.  Updating it now..."

        #Set the certificate on the HTTPs WinRM listener
        Set-WSManInstance -resourceURI winrm/config/listener -selectorset @{Address="*";Transport="https"} -ValueSet @{CertificateThumbprint="$($machineCert.Thumbprint)"}

    }
    Else{

        Write-Host "The thumbprint currently configured matches the machine certificate.  Nothing to do here..."

    }

}
Else{
    
    Write-Host "A listener for HTTPs doesn't exist. Creating one now..."

    #Create the HTTPs WinRM listener
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname="$(($machineCert.Subject -split "=")[1])";CertificateThumbprint="$($machineCert.Thumbprint)"}

}


#############################################################
##    Add the WinRM HTTPs firewall rule if it's missing    ##
#############################################################

$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
If ($fwtest1.count -lt 5){

    Write-Host "Adding firewall rule to allow WinRM HTTPS."
    netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow

}
ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)){

    Write-Host "Updating firewall rule to allow WinRM HTTPS for any profile."
    netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any

}
Else{

    Write-Host "Firewall rule already exists to allow WinRM HTTPS."

}


#############################################################
##     Enable Basic Authentication if it isn't already     ##
#############################################################

# Check for basic authentication.
$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"}

If (($basicAuthSetting.Value) -eq $false){

    Write-Host "Enabling basic auth support."
    Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true

}
Else{

    Write-Host "Basic auth is already enabled."

}