Monday, August 17, 2020

Set-WinRMCert Script to easily set the Certificate for remote PowerShell

I had to figure out from articles on the web how to set up Remote PowerShell to use SSL/HTTPS.

It was a PITA. 

I came up with this script recently to automate the task. 

It assumes that you already have a certificate loaded on the computer in the usual location where we put our computer certs, "Cert:\LocalMachine\My". If you put your cert in a different spot in the CERT: store, you will need to adjust this path.

One important thing is that when you want to remote to a computer over SSL/HTTPS, you must connect with the FQDN. So no shortcut; you need to do something like:

  • Enter-PSSession -UseSSL -ComputerName Server01.famricam.com

You only need to run this script once, assuming you get a success.
When your certificate expires, you will need to re-run it.

Here is the script. 

Set-WinRMCert.ps1

<#  
    .NOTES
    ===========================================================================
     Created with:  SAPIEN Technologies, Inc., PowerShell Studio 2020 v5.7.179
     Created on:    8/13/2020 10:15 AM
     Created by:    Richard Stoddart
     Filename:      Set-WinRMCert.ps1
    ===========================================================================
    .DESCRIPTION
        Enables Remote PS (WinRM) SSL HTTPS service.
        Sets certificate to default WinRM  port. Port 5986
#>

#Requires -RunAsAdministrator
#enable WinRM HTTPS service
& winrm quickconfig -transport:https -q
Start-Sleep -Seconds 2

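#get Certificate: takes the certificate in the store that expires last.
#No check is made here for a private key or the Server Authentication usage.
$CertPath = "Cert:\LocalMachine\My"
$cert = Get-ChildItem $CertPath | Sort-Object NotAfter | Select-Object -Last 1
if (!$cert) { Write-Error "Certificate not found in $CertPath "; return }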

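# Create text for CMD file
# Hostname is taken from the certificate's FriendlyName, so this assumes the
# FriendlyName is set to the host name the certificate was issued for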
'CSCRIPT ' +
$env:SystemRoot +
'\System32\winrm.vbs ' + 
'set winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="'+
$Cert.FriendlyName + 
'";CertificateThumbprint="' + 
$cert.Thumbprint +
'"}' |
Out-File -FilePath .\TempSetWinRM.cmd -Encoding oem

# Adding the line below to the CMD text will turn off the HTTP WinRM listener, if it is not controlled by GPO
# + "`n" +'winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Enabled="false"}'

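# Execute TempSetWinRM.CMD file
$Out = & .\TempSetWinRM.cmd

# Validate that the config worked, catch error
# (the thumbprint line is missing from the output when winrm reports a failure)
$ThumbLine = $out | ? { "$_".Trim() -like "CertificateThumbprint*" } | Select-Object -First 1
$CertInstalled = if ($ThumbLine) { $ThumbLine.Split("=")[1].Trim() }

If ($CertInstalled -eq $cert.Thumbprint)
    { Write-Output "Success: Certificate $($cert.Thumbprint) $($Cert.Subject)" }
Else
{
    # Clean up the temporary file before leaving, then show the full winrm output
    Remove-Item -Path '.\TempSetWinRM.cmd'
    Write-Error ($out | Out-String)
    return
}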
Write-Output "`n"

#Output WinRM settings
Write-Output "Winrm Setting results `n --------------------------"

& Winrm enumerate winrm/config/listener

Remove-Item -Path '.\TempSetWinRM.cmd'

#GI WSMan:\localhost\Service\CertificateThumbprint | Set-Item -Value ""
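
The script above takes whichever certificate in the store expires last. The following is an added example, not part of the original script, that reports for each certificate whether it has a private key, is inside its validity period, carries the Server Authentication EKU and names the machine's FQDN. The function name, its parameters and the FQDN lookup are assumptions.

```powershell
# Added example: function name and parameters are hypothetical.
function Test-WinRMCertCandidate {
    param (
        [string]$CertPath = 'Cert:\LocalMachine\My',
        # Assumption: DNS returns the same FQDN that clients pass to -ComputerName
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
    $now = Get-Date

    Get-ChildItem -Path $CertPath | ForEach-Object {
        $problems = @()
        if (-not $_.HasPrivateKey) { $problems += 'no private key' }
        if ($_.NotBefore -gt $now -or $_.NotAfter -le $now) {
            $problems += 'outside validity period'
        }
        # A certificate with no EKU extension at all is also flagged here.
        if ($_.EnhancedKeyUsageList.ObjectId -notcontains $serverAuth) {
            $problems += 'no Server Authentication EKU'
        }
        # Exact match only: a wildcard name such as *.example.com is flagged.
        if ($_.DnsNameList.Unicode -notcontains $Fqdn) {
            $problems += "no DNS name equal to $Fqdn"
        }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    } | Sort-Object Usable, NotAfter    # usable certificates last, latest expiry at the end
}

# Show the full report, then take the usable certificate that expires last.
$report = Test-WinRMCertCandidate
$report | Format-Table -AutoSize
$best = $report | Where-Object { $_.Usable } | Select-Object -Last 1
if ($best) { $cert = Get-Item -Path "Cert:\LocalMachine\My\$($best.Thumbprint)" }
else { Write-Error 'No certificate in the store is usable for a WinRM HTTPS listener' }
```

The function only reads the certificate store; `$cert` can then be used in place of the value the script selects.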



END

Tuesday, March 3, 2020

Updating Powershell

My work laptop got refreshed / re-imaged.

I put a script together for my friends to update the help files and the functions in PowerShell V5.


We have a proxy server, so we need to tell PowerShell to use that.
This works as a script, but not well when pasted to the command line,
and it will pop up some errors when it can't find updates for some things.
The error output is acceptable to me.

Update-Powershell.PS1
#Requires -Version 5
#Requires -RunAsAdministrator
Start-Transcript Update-Powershell.txt

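#Proxy: WebClient.Proxy returns the default web proxy, so this puts the
#logged-on user's credentials on the proxy used by the requests below
$wc = New-Object Net.WebClient
$wc.UseDefaultCredentials = $true
$wc.Proxy.Credentials = $wc.Credentials

#enable TLS*: turns on every Tls* value in the SecurityProtocolType enum,
#which includes TLS 1.0 and TLS 1.1 as well as TLS 1.2
if ([Net.ServicePointManager]::SecurityProtocol -ne ([Net.SecurityProtocolType].GetEnumNames() | ? { $_ -like "Tls*" }))
{ [Net.ServicePointManager]::SecurityProtocol = ([Net.SecurityProtocolType].GetEnumNames() | ? { $_ -like "Tls*" }) }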

#Update Help Files
Update-Help -Force -ErrorAction Continue


#Fix the Repository defaults
Register-PSRepository -Default
#Trusted means modules from PSGallery install without a confirmation prompt
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted


Install-Module PowershellGet -Force
Install-PackageProvider -Name NuGet -Force

# Update modules

Get-Module -ListAvailable -verbose | Update-Module -verbose

# Import-Module
#Find-Module -Name PSWriteHTML | Install-Module
Install-Module -Name Az -AllowClobber -Scope AllUsers

Stop-Transcript

notepad Update-Powershell.txt

Please comment if you find this useful or could make improvements / additions.