Configure WinRM over HTTPS on Multiple Computers with Powershell

Question

Configure WinRM over HTTPS on Multiple Computers with Powershell

I have the following script that I put together to configure WinRM over HTTPS and it works great on per machine. I am having a tough time recoding it to run remotely on multiple machines located in a text file.

Also as a bonus, i would like some kind of logging and checking in place for machines that fail or bring back any type of errors.

Any help would be greatly appreciated.

$user = "Account to Use - Service Account Suggested"
$Certname = "HOSTNAME FQDN"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
WinRM e winrm/config/listener
#winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="$Certname"; CertificateThumbprint=$thumbprint}'
New-Item WSMan:\localhost\Listener -Address * -Transport HTTPS -HostName $Certname -CertificateThumbPrint $thumbprint
$port=5986
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port
net localgroup "Remote Management Users" /add $user
net localgroup "Event Log Readers" /add $user
Restart-Service WinRM
Restart-Service Winmgmt -Force


#Adding the below script should replace "winrm configSDDL default"
$GENERIC_READ = 0x80000000
$GENERIC_WRITE = 0x40000000
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000

# get SID of user/group to add

$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])

# get the existing SDDL of the WinRM listener
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value

# convert the SDDL string to a SecurityDescriptor object
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl

# apply a new DACL to the SecurityDescriptor object
$sd.DiscretionaryAcl.AddAccess(
[System.Security.AccessControl.AccessControlType]::Allow,
$user_sid,
($GENERIC_READ -bor $GENERIC_EXECUTE),
[System.Security.AccessControl.InheritanceFlags]::None,
[System.Security.AccessControl.PropagationFlags]::None
)

# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# apply the new SDDL to the WinRM listener
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force```

powershell

for-loop

foreach

winrm

foreach-object

asked on Stack Overflow Aug 13, 2020 by

ak41

2 Answers

A follow-up to our comment exchange.

Assuming this line ...

$user       = "Account to Use - Service Account Suggested"

... would be the same for all systems, then pre-populate this with whatever that is, then...

Get-ADComputer (activedirectory) | Microsoft Docs

about_Foreach - PowerShell | Microsoft Docs

(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name | 
ForEach {
    $user       = "Account to Use - Service Account Suggested"
    $Certname   = $PSItem
...
}

You are already asking for the certname dynamically here...

$Cert       = New-SelfSignedCertificate -certstorelocation 'cert:\localmachine\my' -dnsname $Certname
$pw         = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint

... so nothing to pass in.

Yet, to run this script on a remote target, just use the normal default PSRemoting remote session setup.

about_Remote - PowerShell | Microsoft Docs

about_Remote_Requirements - PowerShell | Microsoft Docs

Invoke-Command -ComputerName Server01 -ScriptBlock {Get-Culture}

So, like this...

$Creds = Get-Credential -Credential "$env:USERDOMAIN\$env:USERNAME"
(Get-ADComputer -Filter 'OperatingSystem -NotLike "*Server" -and enabled -eq "True"').Name | 
ForEach {
    Invoke-Command -ComputerName $PSItem -ScriptBlock {
        $user       = "Account to Use - Service Account Suggested"
        $Certname   = $PSItem
        ...
    } -Credential $Creds

}

answered on Stack Overflow Aug 13, 2020 by

postanote

The below script gives me the following error

CloneCert and DnsName parameters cannot both be empty
    + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificate], ParameterBindingException
    + FullyQualifiedErrorId : RuntimeException,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
    + PSComputerName        : XXX.local
 
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.17.62.29, ::1, fe80::c5c5:a94f:341c:48fa%13

Cannot validate argument on parameter 'HostName'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
    + CategoryInfo          : InvalidData: (:) [New-Item], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.NewItemCommand
    + PSComputerName        : XXXX.local
 

An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.

$Computers = get-content "C:\temp\regkey.txt"
Foreach ($Computer in $Computers)
{

Invoke-Command -ComputerName $Computer -ScriptBlock {

    $user = "bmonitor-ps"
    #$Certname = $Computer
    $Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Computer
    $thumbprint = $Cert.Thumbprint


WinRM e winrm/config/listener
#winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="$Certname"; CertificateThumbprint=$thumbprint}'
New-Item WSMan:\localhost\Listener -Address * -Transport HTTPS -HostName $Computer -CertificateThumbPrint $thumbprint
$port=5986
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port
net localgroup "Remote Management Users" /add $user
net localgroup "Event Log Readers" /add $user
Restart-Service WinRM
Restart-Service Winmgmt -Force


#Adding the below script should replace "winrm configSDDL default"
$GENERIC_READ = 0x80000000
$GENERIC_WRITE = 0x40000000
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000

# get SID of user/group to add

$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])

# get the existing SDDL of the WinRM listener
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value

# convert the SDDL string to a SecurityDescriptor object
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl

# apply a new DACL to the SecurityDescriptor object
$sd.DiscretionaryAcl.AddAccess(
[System.Security.AccessControl.AccessControlType]::Allow,
$user_sid,
($GENERIC_READ -bor $GENERIC_EXECUTE),
[System.Security.AccessControl.InheritanceFlags]::None,
[System.Security.AccessControl.PropagationFlags]::None
)

# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# apply the new SDDL to the WinRM listener
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force


}
}

answered on Stack Overflow Aug 22, 2020 by

ak41

User contributions licensed under CC BY-SA 3.0