From 792f30b747d93ad8b587e70d38f343b07728e718 Mon Sep 17 00:00:00 2001
From: Fabio Scotto di Santolo
Date: Thu, 2 Apr 2026 11:56:19 +0200
Subject: [PATCH] Fix WinRM HTTPS bootstrap on public networks

---
 scripts/bootstrap_windows_workstation.ps1 | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/scripts/bootstrap_windows_workstation.ps1 b/scripts/bootstrap_windows_workstation.ps1
index a545729..65d0ebf 100644
--- a/scripts/bootstrap_windows_workstation.ps1
+++ b/scripts/bootstrap_windows_workstation.ps1
@@ -50,6 +50,16 @@ function Ensure-WinRMHttpsListener {
     return $false
 }
 
+function Test-WinRMHttpsListener {
+    $listener = Get-ChildItem -Path WSMan:\localhost\Listener |
+        Where-Object {
+            $_.Keys -match 'Transport=HTTPS'
+        } |
+        Select-Object -First 1
+
+    return $null -ne $listener
+}
+
 function Ensure-LocalAccountTokenFilterPolicy {
     $registryPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
     $propertyName = 'LocalAccountTokenFilterPolicy'
@@ -113,13 +123,15 @@ $httpsListenerChanged = Ensure-WinRMHttpsListener -CertificateThumbprint $winrmC
 $rebootRequired = (Ensure-LocalAccountTokenFilterPolicy) -or $rebootRequired
 $remoteManagementGroupState = Ensure-CurrentUserInRemoteManagementGroup
 
-Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
-
 $httpsFirewallRule = Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue
 if ($null -eq $httpsFirewallRule) {
     New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 | Out-Null
 }
 
+if (-not (Test-WinRMHttpsListener)) {
+    throw 'WinRM HTTPS listener was not created successfully. Verify certificate creation and WSMan listener configuration.'
+}
+
 Write-Host ''
 Write-Host 'Bootstrap completato.'
 Write-Host 'Passi successivi:'
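Review bot: `Test-WinRMHttpsListener` only confirms that some listener with `Transport=HTTPS` exists, not that it is the one bound to the certificate the script just provisioned (the second hunk's header shows `Ensure-WinRMHttpsListener -CertificateThumbprint $winrmC…`), so a stale HTTPS listener left over from an earlier run or a different certificate would satisfy the new post-condition. Giving the function an optional `-CertificateThumbprint` parameter and comparing it against the listener's `CertificateThumbprint` entry closes that gap while keeping the parameterless call working; the call site in the second hunk would then pass the same thumbprint variable the Ensure call uses (its name is truncated in the hunk header). The function also lacks a comment-based help block; a one-line `<# Returns $true when an HTTPS WinRM listener exists (optionally bound to the given thumbprint). #>` would match the intent.
```powershell
function Test-WinRMHttpsListener {
    param(
        [string]$CertificateThumbprint
    )

    $listener = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -match 'Transport=HTTPS' } |
        Where-Object {
            # No thumbprint given: any HTTPS listener is acceptable.
            if (-not $CertificateThumbprint) { return $true }
            $bound = (Get-Item -Path (Join-Path $_.PSPath 'CertificateThumbprint')).Value
            # -eq is case-insensitive; strip whitespace so formatting differences do not cause false negatives.
            ($bound -replace '\s', '') -eq ($CertificateThumbprint -replace '\s', '')
        } |
        Select-Object -First 1

    return $null -ne $listener
}
```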
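Review bot: The new `if (-not (Test-WinRMHttpsListener)) { throw … }` block runs after `New-NetFirewallRule` has already opened inbound TCP 5986, so a bootstrap that fails this check leaves the port allowed with no listener behind it; moving the check above the `$httpsFirewallRule = Get-NetFirewallRule …` line makes the failure path fail closed. Separately, the hunk deletes `Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false` without a replacement or a comment, which removes the script's only explicit enforcement that the WinRM service refuses unencrypted sessions. If the line was dropped because the WSMan provider rejects it under some network profiles (the commit title suggests public networks), it should be retained under a `try`/`catch` that reports the failure, or replaced by an equivalent setting with a comment explaining why, rather than silently relying on the default.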