public/ZBXWinRMConfig
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: public:Fix-creating-new-cert
Branches Tags
public:main public:Fix-creating-new-cert public:Testuji
..
compare: public:Testuji
Branches Tags
public:main public:Fix-creating-new-cert public:Testuji

1 Commits
Fix-creati ... Testuji

Author SHA1 Message Date
Horák Michal
9c3f731a54 zmena verze 1.06 2025-08-12 10:59:38 +02:00
3 changed files with 4 additions and 77 deletions
Expand all files Collapse all files

15
.vscode/launch.json vendored
View File

@@ -1,15 +0,0 @@
{
// Use IntelliSense to learn about possible attributes.
// Hover to view descriptions of existing attributes.
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0",
"configurations": [
{
"name": "PowerShell: Launch Current File",
"type": "PowerShell",
"request": "launch",
"script": "${file}",
"args": []
}
]
}

47
ConfigWinRM.ps1
View File

@@ -3,7 +3,7 @@
<#PSScriptInfo <#PSScriptInfo
.VERSION 1.02 .VERSION 1.06
.GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa .GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa
@@ -39,10 +39,6 @@
Updated by Jordan Borean <jborean93@gmail.com> Updated by Jordan Borean <jborean93@gmail.com>
Updated by Erwan Quélin <erwan.quelin@gmail.com> Updated by Erwan Quélin <erwan.quelin@gmail.com>
Updated by David Norman <david@dkn.email> Updated by David Norman <david@dkn.email>
Version 1.01 - Fixed issue with HTTPS when certificate in HTTPS listener doesn't match the cert in local store
Updated by Michal Horák
Verison 1.02 - Fixed issue when script fails on removing listeners if only HTTP listener exists (no HTTPS listener exists)
Updated by Michal Horák
#> #>
<# <#
@@ -599,31 +595,7 @@ Function Run
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.")
} }
#-------------------------------------------------------------------------------------------------- #--------------------------------------------------------------------------------------------------
# Get WinRM HTTPS listener thumbprint if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" )
$winrmOutput = winrm e winrm/config/listener
$winrmThumbprint = ($winrmOutput | Where-Object { $_ -match 'CertificateThumbprint' }) -replace '.*CertificateThumbprint\s*=\s*', ''
# Get local self-signed certificate thumbprint (adjust subject name as needed)
$DN = $env:COMPUTERNAME
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
$_.Subject -like "*CN=$DN*" -and $_.Issuer -eq $_.Subject
}
$localThumbprint = $cert.Thumbprint
# Compare the thumbprints
if ($localThumbprint -contains $winrmThumbprint)
{
$certisinwinrm = "yes"
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is used in WinRM HTTPS listener.")
}
else
{$certisinwinrm = "no"
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is not used in WinRM HTTPS listener.")
}
if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" -or $certisinwinrm -eq "no" )
{ {
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.")
try try
@@ -649,13 +621,8 @@ if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transp
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener")
try try
{ {
$existingHttpsListener = $RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
if ($existingHttpsListener) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.")
Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.")
} else {
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTPS listener exists, nothing to remove.")
}
} catch } catch
{ {
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!")
@@ -681,9 +648,6 @@ if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transp
#-------------------------------------------------------------------------------------------------- #--------------------------------------------------------------------------------------------------
if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable") if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable")
{ {
# Check for existing HTTPS listener before creating certificate
$existingHttpsListener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate | Where-Object { $_.Transport -eq "HTTPS" }
if (-not $existingHttpsListener) {
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener.") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener.")
try try
{ {
@@ -717,9 +681,6 @@ if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transp
$MyError = $true $MyError = $true
} }
} }
} else {
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener already exists, skipping creation and certificate issuance.")
}
} }
#-------------------------------------------------------------------------------------------------- #--------------------------------------------------------------------------------------------------
if (-not $MyError -and $RunningConfig.WinRMListeners) if (-not $MyError -and $RunningConfig.WinRMListeners)

19
ConfigWinRM.xml
View File

@@ -1,19 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<ConfigWinRM>
<Options>
<LocalAccountTokenFilterPolicy>Enable</LocalAccountTokenFilterPolicy> <!-- Enable / Disable / Leave ( do nothing ) -->
<WinRMHTTP>Leave</WinRMHTTP> <!-- Enable ( Create ) / Disable ( Remove ) / Leave ( do nothing ) Win-RM HTTP Listener -->
<WinRMHTTPS>Enable</WinRMHTTPS> <!-- Enable ( Create ) / Disable ( Remove ) / Leave ( do nothing ) Win-RM HTTPS Listener -->
<FWWinRMHTTP>Leave</FWWinRMHTTP> <!-- Enable ( Enable or Create ) / Disable / Leave ( do nothing ) Win-RM HTTP firewall rule -->
<FWWinRMHTTPS>Enable</FWWinRMHTTPS> <!-- Enable ( Enable or Create ) / Disable / Leave ( do nothing ) Win-RM HTTPS firewall rule -->
<FWWinRMTrustedHosts>192.168.10.254</FWWinRMTrustedHosts> <!-- Host(s) that are allowed in local firewall configuration - Any / X.X.X.X - WinRM-(HTTPS-In) / Windows Remote Management (HTTPS-In) -->
<SelfCertForce>False</SelfCertForce> <!-- (Enable or False) Force issuing new self-signed certificate when old one exists and use for WinRM-HTTPS -->
<SelfCertValidityDays>1460</SelfCertValidityDays> <!-- Self-certificate validity for XX Days. 1460 - 4 years. -->
<BasicAuth>Disable</BasicAuth> <!-- Enable / Disable / Leave ( as ist ) -->
<KerberosAuth>Enable</KerberosAuth> <!-- Enable / Disable / Leave ( as ist ) -->
<CredSSPAuth>Enable</CredSSPAuth> <!-- Enable / Disable / Leave ( as ist ) -->
<DigestAuth>Leave</DigestAuth> <!-- Enable / Disable / Leave ( as ist ) -->
<NegotiateAuth>Leave</NegotiateAuth> <!-- Enable / Disable / Leave ( as ist ) Do NOT use, do NOT disable !!! :-) -->
<CertificateAuth>Leave</CertificateAuth> <!-- Enable / Disable / Leave ( as ist ) -->
</Options>
</ConfigWinRM>