fscotto/infra
1
0
Fork 0
mirror of https://github.com/fscotto/infra.git synced 2026-05-31 07:49:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix WinRM HTTPS bootstrap on public networks

Browse Source
This commit is contained in:
Fabio Scotto di Santolo
2026-04-02 11:56:19 +02:00
parent a409c8d519
commit a5deac335b
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
scripts/bootstrap_windows_workstation.ps1
View File

@@ -50,6 +50,16 @@ function Ensure-WinRMHttpsListener {
return $false return $false
} }
function Test-WinRMHttpsListener {
$listener = Get-ChildItem -Path WSMan:\localhost\Listener |
Where-Object {
$_.Keys -match 'Transport=HTTPS'
} |
Select-Object -First 1
return $null -ne $listener
}
function Ensure-LocalAccountTokenFilterPolicy { function Ensure-LocalAccountTokenFilterPolicy {
$registryPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' $registryPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$propertyName = 'LocalAccountTokenFilterPolicy' $propertyName = 'LocalAccountTokenFilterPolicy'
@@ -113,13 +123,15 @@ $httpsListenerChanged = Ensure-WinRMHttpsListener -CertificateThumbprint $winrmC
$rebootRequired = (Ensure-LocalAccountTokenFilterPolicy) -or $rebootRequired $rebootRequired = (Ensure-LocalAccountTokenFilterPolicy) -or $rebootRequired
$remoteManagementGroupState = Ensure-CurrentUserInRemoteManagementGroup $remoteManagementGroupState = Ensure-CurrentUserInRemoteManagementGroup
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
$httpsFirewallRule = Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue $httpsFirewallRule = Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue
if ($null -eq $httpsFirewallRule) { if ($null -eq $httpsFirewallRule) {
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 | Out-Null New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 | Out-Null
} }
if (-not (Test-WinRMHttpsListener)) {
throw 'WinRM HTTPS listener was not created successfully. Verify certificate creation and WSMan listener configuration.'
}
Write-Host '' Write-Host ''
Write-Host 'Bootstrap completato.' Write-Host 'Bootstrap completato.'
Write-Host 'Passi successivi:' Write-Host 'Passi successivi:'