@rukas
Created July 25, 2018 21:14
Setup-WinRMHttps.ps1
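#############################################################
## Get machine certificate info ##
#############################################################
# Locate the machine certificate issued by the domain's enterprise CA whose
# subject names this host, so it can be bound to the WinRM HTTPS listener.
# Leaves $machineCert holding exactly one X509Certificate2, or exits non-zero.
$domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
# "contoso.com" -> "DC=contoso, DC=com" ('+' binds tighter than -replace, so the
# prefix is prepended before the dots are expanded).
$domainDN = "DC=" + $domain -replace '\.', ", DC="
$CA = [ADSI]"LDAP://CN=Enrollment Services, CN=Public Key Services, CN=Services, CN=Configuration, $domainDN"
# One enrollment-services object per CA, so a forest with several CAs yields
# several acceptable issuer DNs; -contains also works when there is only one.
$caDNs = @($CA.psbase.Children | ForEach-Object { "$($_.cacertificatedn)" })
$fqdn = "$($env:COMPUTERNAME).$((Get-WmiObject Win32_ComputerSystem).Domain)"
# Anchor the subject match on the CN RDN: a trailing wildcard ("*host.contoso.com")
# would also accept a certificate issued to "otherhost.contoso.com".
$subjectPattern = '(^|,\s*)CN=' + [regex]::Escape($fqdn) + '(,|$)'
$now = Get-Date
# Only a currently valid certificate with a private key can serve TLS; if several
# qualify (e.g. after renewal), bind the one that expires last.
$machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -match $subjectPattern -and
        $caDNs -contains $_.Issuer -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
If(!$machineCert){
    Write-Host "Unable to find a machine certificate for HTTPS binding...exiting..."
    # Non-zero status so deployment tooling or a scheduled task sees the failure.
    exit 1
    #Get-Certificate -Template SslWebServer -DnsName www.contoso.com,www.fabrikam.com -Url https://www.contoso.com/Policy/service.svc -Credential $up -CertStoreLocation cert:\LocalMachine\My
}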
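#############################################################
## Add/Configure the HTTPs WinRM listener ##
#############################################################
# Ensure the HTTPS listener on all addresses is bound to $machineCert, creating
# it if absent. Get-WSManInstance raises a non-terminating error when no listener
# matches the selector; that is the normal "create it" path, so suppress the
# error output and branch on the (empty) result instead.
$httpsSelector = @{Address="*";Transport="https"}
$httpsWinRMInstance = Get-WSManInstance -resourceURI winrm/config/listener -selectorset $httpsSelector -ErrorAction SilentlyContinue
If($httpsWinRMInstance){
    Write-Host "A listener for HTTPs already exists"
    # WSMan reports the thumbprint with embedded spaces; strip them before comparing.
    If($httpsWinRMInstance.CertificateThumbprint -replace "\s","" -ne $machineCert.Thumbprint){
        Write-Host "The thumbprint currently configured is different than that of the machine certificate. Updating it now..."
        #Set the certificate on the HTTPs WinRM listener
        Set-WSManInstance -resourceURI winrm/config/listener -selectorset $httpsSelector -ValueSet @{CertificateThumbprint="$($machineCert.Thumbprint)"}
    }
    Else{
        Write-Host "The thumbprint currently configured matches the machine certificate. Nothing to do here..."
    }
}
Else{
    Write-Host "A listener for HTTPs doesn't exist. Creating one now..."
    # Take the subject common name via the X509 API instead of splitting Subject on
    # "=": "CN=host, OU=Servers" split that way yields "host, OU", not "host".
    $listenerHost = $machineCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    #Create the HTTPs WinRM listener
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname="$listenerHost";CertificateThumbprint="$($machineCert.Thumbprint)"}
}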
#############################################################
## Add the WinRM HTTPs firewall rule if it's missing ##
#############################################################
# Inbound TCP/5986 for the HTTPS listener. The script treats fewer than five
# lines of netsh output as "no matching rule" (presumably netsh prints a short
# message rather than a rule block when nothing matches); the same heuristic
# decides whether the existing rule already covers every profile.
# NOTE(review): as written the rule admits any remote address on every profile,
# including Public; whether to narrow it (e.g. with remoteip=) is a per-environment
# decision and is deliberately not changed here.
$ruleName = "Allow WinRM HTTPS"
$ruleOutput = netsh advfirewall firewall show rule name="$ruleName"
$anyProfileOutput = netsh advfirewall firewall show rule name="$ruleName" profile=any
$ruleExists = $ruleOutput.count -ge 5
$ruleCoversAnyProfile = $anyProfileOutput.count -ge 5
if (-not $ruleExists) {
    Write-Host "Adding firewall rule to allow WinRM HTTPS."
    netsh advfirewall firewall add rule profile=any name="$ruleName" dir=in localport=5986 protocol=TCP action=allow
}
elseif (-not $ruleCoversAnyProfile) {
    Write-Host "Updating firewall rule to allow WinRM HTTPS for any profile."
    netsh advfirewall firewall set rule name="$ruleName" new profile=any
}
else {
    Write-Host "Firewall rule already exists to allow WinRM HTTPS."
}
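#############################################################
## Enable Basic Authentication if it isn't already ##
#############################################################
# Basic authentication carries the credential base64-encoded, not encrypted, so
# it is only acceptable when the transport itself (the HTTPS listener configured
# above) protects it. The WSMan provider exposes the setting as the string
# "true"/"false"; comparing with $false works because the right-hand side is
# coerced to the string "False" and -eq is case-insensitive.
$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object {$_.Name -eq "Basic"}
If (($basicAuthSetting.Value) -eq $false){
    Write-Host "Enabling basic auth support."
    Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
}
Else{
    Write-Host "Basic auth is already enabled."
}
# With Basic enabled, the plain HTTP listener only refuses the clear-text
# credential while AllowUnencrypted stays false; warn if it has been relaxed so
# the exposure is visible rather than silent.
$allowUnencrypted = Get-Item -Path "WSMan:\localhost\Service\AllowUnencrypted" -ErrorAction SilentlyContinue
If ($allowUnencrypted -and $allowUnencrypted.Value -eq $true){
    Write-Warning "WSMan:\localhost\Service\AllowUnencrypted is true: Basic authentication would send credentials unencrypted over HTTP. Set it to false unless this is intended."
}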