Reputation: 53
I am new to group policy and I'm having an issue automating the creation of an HTTPS WinRM listener on domain computers.
Goal: Automate Windows creation of a WinRM HTTPS listener with a distributed AD CS SSL certificate via GPO.
Currently:
Reading this to set up https winrm listener per ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#winrm-setup
The SSL certificates are deploying as intended from AD Certificate Services
The certs are duplicated from the computer certificate template set to auto-enroll
I have script signing configured and the script is signed
Another gpo is setting the execution policy to remote signed
I have a working PowerShell script (outside of the GPO) that has been placed on a DFS share (\\dom.ain\share\scripts\configure-winrm-listener.ps1)
Problem: GPO doesn't seem to be running this script.
Tried:
Logon script under the powershell tab
Logon script under the scripts tab pointing to powershell with a few switches
Startup script under the powershell tab
Startup script under the scripts tab pointing to powershell with a few switches
Questions:
How do I turn this script into a working GPO?
Is it not working because the GPO is running from the domain controller?
Does the script need to be configured to run remotely, like using Invoke-Command?
Is it better to copy the script to the computer? What's the best practice?
# Fully qualified name of this machine; used as the listener's Hostname
$FQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname
# Thumbprint of the machine certificate whose "Certificate Template Information" extension mentions WinRM
$CertThumbPrint = (Get-ChildItem Cert:\LocalMachine\my | ? {$_.Extensions | ? {$_.oid.friendlyname -match "Certificate Template Information" -and $_.Format(0) -match "WinRM"}}).Thumbprint
# Create the HTTPS listener on all addresses bound to that certificate; output is logged for troubleshooting
New-WSManInstance winrm/config/Listener -SelectorSet @{Address='*';Transport="HTTPS"} -ValueSet @{Hostname=$FQDN;CertificateThumbprint=$CertThumbPrint} | Out-File C:\winrm.txt
Upvotes: 1
Views: 4019
Reputation: 21418
Consider using this script I wrote a few years back, and continue to use at work today. The Description of the script help explains how to set everything up. The only catch is your WinRM certificate needs to come from a certificate template named WinRM
(though you could always modify the script to whatever template name you used in your environment). To quote the relevant parts of the help:
- Fire on 1001 or 1006 event ids in the CertificateServicesClient-Lifecycle-System event log
- Use the -FindCert parameter to select the most recent valid certificate created from the 'WinRM' certificate template.
Since the parameterized way doesn't work with tasks deployed via GPO, place this script somewhere on the network, and deploy a scheduled task to run this script with the -FindCerts
parameter. This ends up searching for the latest available certificate deployed from a certificate template named WinRM
and configures it. As long as you are running 2012R2 or newer you can rely on the certificate lifecycle events to trigger the script. For earlier versions (which hopefully you aren't still on 2008R2) you can run this on an interval instead of certificate lifecycle events.
We cycle our certificates every six weeks and this will automatically run and refresh the certificate when the new cert has been deployed to a server. If firing on certificate lifecycle events, it does end up running every time a certificate is deployed or renewed on the server, but the script is designed to silently exit if it's not a certificate we are expecting.
Upvotes: 2
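The approach the answer describes (select the newest valid certificate issued from a template named WinRM, bind it to the HTTPS listener, and run that from a scheduled task triggered by the certificate lifecycle events 1001/1006), written out as an added example. This is not the answer author's script and not the asker's script; it assumes the template name `WinRM`, the DFS path from the question, a task name of my own choosing, and that the WinRM service is already running so the `WSMan:` provider can be queried. The `-RegisterTask` switch is only there to show what the event-triggered task looks like; it can equally be built as a Group Policy Preferences scheduled task, which is what the answer suggests.

```powershell
# Added example: find the newest valid certificate from the 'WinRM' template, bind it to the
# WinRM HTTPS listener, and (optionally) register the event-triggered scheduled task that re-runs it.
# Not the answer author's script; template name, path and task name are assumptions.
[CmdletBinding()]
param(
    [string]$TemplateName = 'WinRM',
    [switch]$RegisterTask,
    # Path from the question; the task runs as SYSTEM, so the share must be readable by computer accounts
    [string]$ScriptPath = '\\dom.ain\share\scripts\configure-winrm-listener.ps1'
)

function Get-WinRMTemplateCertificate {
    # Newest certificate in the machine store that is currently valid, has a private key,
    # and carries the template name in either the v2 (1.3.6.1.4.1.311.21.7) or v1 (1.3.6.1.4.1.311.20.2) extension.
    param([string]$TemplateName)
    $now = Get-Date
    $pattern = 'Template=' + [regex]::Escape($TemplateName) + '\b'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Where-Object {
            $_.Extensions | Where-Object {
                ($_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -and $_.Format($false) -match $pattern) -or
                ($_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -and $_.Format($false).Trim() -eq $TemplateName)
            }
        } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Set-WinRMHttpsListener {
    # Create the HTTPS listener if missing, or repoint it when the thumbprint differs.
    # Returns 'unchanged', 'updated' or 'created' so the caller can log what happened.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $selector = @{ Address = '*'; Transport = 'HTTPS' }
    $existing = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
        Where-Object { $_.Transport -eq 'HTTPS' -and $_.Address -eq '*' } |
        Select-Object -First 1
    if ($existing) {
        if ($existing.CertificateThumbprint -eq $Certificate.Thumbprint) { return 'unchanged' }
        Set-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
            -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $Certificate.Thumbprint } | Out-Null
        return 'updated'
    }
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
        -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $Certificate.Thumbprint } | Out-Null
    return 'created'
}

function Register-WinRMListenerTask {
    # Scheduled task as SYSTEM that runs this script whenever event 1001 or 1006 is logged
    # in the CertificateServicesClient-Lifecycle-System channel (the trigger the answer recommends).
    param([string]$ScriptPath, [string]$TemplateName)
    $channel = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
    $query = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">*[System[(EventID=1001 or EventID=1006)]]</Select>
  </Query>
</QueryList>
"@
    # New-ScheduledTaskTrigger has no event trigger, so build one from the CIM class directly
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Subscription = $query
    $trigger.Enabled      = $true
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$ScriptPath`" -TemplateName $TemplateName"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Configure WinRM HTTPS Listener' -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

if ($RegisterTask) {
    Register-WinRMListenerTask -ScriptPath $ScriptPath -TemplateName $TemplateName
    return
}

$cert = Get-WinRMTemplateCertificate -TemplateName $TemplateName
if (-not $cert) { return }   # lifecycle event was for some other certificate: exit silently, as the answer describes
$result = Set-WinRMHttpsListener -Certificate $cert
Write-Verbose "HTTPS listener $result, bound to $($cert.Thumbprint) for template $TemplateName"
```

Two things to check when a deployment like this appears not to run: the task runs as SYSTEM, which reaches a DFS share as the computer account, so the share and NTFS permissions must grant read to the computers (or the script has to be copied locally, which also removes the dependency on the share being reachable at boot); and creating the listener does not open TCP 5986, so the firewall rule is a separate policy setting. The "silently exit" path is what keeps the task harmless when it fires for an unrelated certificate renewal.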